What We Do
How we do it
Resources
SECURITY ADVISORIES
Jul 26, 2021
PetitPotam NTLM Relay Attack
THE THREAT PetitPotam is a variant of NTLM Relay attacks discovered by security researcher Gilles Lionel. Proof of Concept code released last week [1] relies on the Encrypting File System Remote (EFSRPC) protocol to provoke a Windows host into performing an NTLM authentication request against an attacker-controlled server, exposing NTLM authentication details or authentication certificates.…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Jul 12, 2021
Tecala and eSentire Partner to Protect Enterprises across APAC from Business-Disrupting Cyber Attacks
Sydney, 12 July, 2021 - Tecala, Australia’s award-winning technology services and IT consulting provider, today announced it has chosen eSentire, the global Authority in Managed Detection and Response (MDR) cybersecurity services, as their exclusive MDR solution provider in Australia and New Zealand. This partnership will enable Tecala to augment its cybersecurity practice and offer enterprises…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Resources
Blog — May 21, 2020

How Current Ransomware Tactics Look
a Lot Like Smoking a Brisket

3 min read

You can’t rush the process of smoking a brisket, what I consider the peak of BBQ prowess.

For a 15-pound brisket, it generally takes over 14 hours of smoking at 225 degrees F to push through the “stall” … after which it requires another couple of hours to “rest.” This process is referred to as “low-and-slow” because it takes time and patience to proceed through each of the smoke phases.

Cyberattackers are just as patient when it comes to following their plan and achieving their goals.

In information security, we often describe attackers in terms of their tools, tactics, and process (TTP). One that we don’t often discuss is TIMING. One recent development in the use of ransomware involves choosing the most appropriate time to initiate the actual encryption. By appropriate, I mean the most inopportune time to strike a target in an effort to hamper recovery.

Let’s first take a step back though. When ransomware first burst broadly into the public view a few years ago, it was very simple: someone opens malicious content which downloads an encryption key and immediately begins to encrypt that single computer’s files (and all others to which they have access, including network shares). The next generation of ransomware started attacking databases directly, encrypting their contents.

A further evolution of a separate ransomware family focused on exploiting the software that manages workstation images (e.g. Kaseya), thereby unwittingly enlisting it to spread unwanted code. This tactic is not necessarily specific to ransomware but also was used for undesired rogue cryptocurrency mining.

The current, most popular methodology within ransomware deployment couples the popular “low-and-slow” tactics of yesteryear (very much like smoking a delicious brisket). Also known as advanced persistent threat (APT) methodology, the attacker initially gains a toehold into an environment, then quietly spreads laterally from this “beachhead” to establish multiple points of presence within the organization. Once many systems are infected, the attacker is free to take their time to embed themselves and begin a more rigorous campaign to examine all accessible files (including email), gather information, pivot to other connected systems, gain administrator access (if possible) and exfiltrate interesting or sensitive data to resell or hold hostage.

The newest ransomware tactic couples the low-and-slow APT method, but once the interesting data is taken, the attacker at the right time initiates the encryption on all infected systems. The extra spin? Timing. This type of attack offers the attacker the best chance for payoff when initiated at a particularly inopportune time, when the victim isn’t expecting it and is less likely to be able to respond quickly. As such, the first night of a weekend (especially a long weekend!) provides an ideal point for a devastating malicious campaign to be launched.

It is critical to continue to watch for the early indicators. It takes time for the attacker to distribute the malicious code throughout the environment and wait for the most inopportune time to start the encryption phase. This permits the defender a wider window of opportunity to prematurely short-circuit and evict the attacker.

No doubt tactics will continue to evolve. Attackers will continue to hone and improve their methods; likely by better automating the “spread malware internally phase” and with better obfuscation to reduce the chances of detection. Given the significant recent changes due to COVID-19 with more people working from home, it is possible that depending on remote access implementation, it may be more difficult for attackers to move laterally, from endpoint to endpoint. However, this possible mitigation aspect is likely overridden by more atomic endpoints running outside the safety of a corporate firewall and other corporate security infrastructure.

With this in mind, we highly recommend that you continue to watch for unusual indicators of inappropriate access, especially when they make themselves manifest early on a weekend. Ensure that your incident response playbooks are updated, with contacts updated. Perform tabletop exercises with this updated scenario to prepare for this.

While you might be looking at the start of a long weekend as a welcome break from work (or a chance to demonstrate your BBQ skills), attackers might just be thinking about getting started.

Eldon Sprickerhoff
Eldon Sprickerhoff Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.