Ransomware is a form of malware, which is software used to gain unrestricted access to a victim's computer or device. Specifically, ransomware is malware that cybercriminals use to hold their victims' important data hostage in order to extort money. Typically, this is done by encrypting the victims' data so that they cannot access it again until they pay the cybercriminals for a decryption key. Over the past few years, cybercrime groups have used various strains of ransomware. They have varied in the details, but their overall approach has generally stayed consistent over time.
Ransomware has become more advanced over the years. Earlier implementations (e.g. CryptoLocker) were effective, but ransomware as a whole has increased in effectiveness and complexity over time. The most recent variants can encrypt more file types, use stronger and correctly implemented encryption, delete system restore content, and propagate within an environment via multiple channels (e.g. USB keys).
Malware infection is typically attributed to drive-by downloads and/or social engineering.
A drive-by download is the unintentional download of software from the internet. This includes activity where the user's browser downloads and installs content without their knowledge, or where a page triggers actions the user did not intend. With a drive-by download, the download and installation of the malicious software often happens invisibly in the background, so the user is not even aware of it. The following are some examples of drive-by download scenarios that result in the download of unintended software:
Social engineering is the manipulation of people into performing actions or divulging confidential information. Ransomware is most commonly delivered via email attachments (Office documents, ZIP archives, etc.), often in targeted messages referred to as spear-phishing. The aim of the social engineering is to entice the victim to click on a link, open an attachment, or perform some other action that will result in the installation and execution of malicious software on their machine. Social engineering is the most widespread method used by cybercrime groups to deliver ransomware to a large number of victims.
As most security professionals understand, no single technology is a silver bullet that stops all malware-related incidents. Each technology, platform, and implementation has its own weaknesses and strengths. For the purposes of this blog, there are three main layers that should have some protection mechanisms associated with them:
The network security layer is an ideal option because it is a proactive solution that protects the whole network when deployed properly. It does not require any agents and usually intercepts, or at least has visibility into, the traffic. The weakness of network layer protection becomes apparent when cryptography is used to encrypt the identifiable information, limiting the layer's ability to detect and interrupt an attack based on its characteristics.
Host-based protection is equally important but often requires an attack hitting the host or originating from the host itself. While it’s ideal to stop an attack from reaching the host altogether, in some cases this cannot be prevented. If it’s assumed the network layer will be bypassed, it’s ideal to layer the host level with additional protection.
The human layer is the most susceptible layer to attack, but it's not always the fault of the person who ends up compromised. When a user browsing the web visits a site that is legitimate but hosts malicious ad content, and is redirected to malicious content as a result, the outcome is a compromise the user did nothing to cause. In that case, the network layer and host layer should be responsible for interrupting and defending against the attack. Social engineering is the greatest threat to the human layer. When it succeeds, it results in the execution of malicious code.
One main method of preventing malicious content from being downloaded or executed within a corporate environment is content filtering.
Content filtering is defined as a program/appliance that is used to screen and exclude anything that is not deemed to fit a specific security policy. At the network level, this can be applied to specific traffic or a relay system such as a mail server. At the host level, there are many ways to apply specific controls that prevent the execution of undesired content.
Content filtering includes but is not limited to:
Email filtering can be done at a high level utilizing content inspection as it relates to attachments that are included within a message. The recommended action is to block anything that is not strictly required by the company. As threat actors generally need to deliver a malicious file to the end user, the easiest method is to attach it to a fake email. If that file does not meet a specific, and strict, policy it will be blocked before reaching the end user.
Recommended attachments that should be blocked include:
Ad blocking is one of the best ways to prevent malicious advertising that can lead to end user compromise. Implementing ad blocking at the network level generally utilizes a proxy or next-generation firewall. Often, this can make webpages appear broken, but that is because the web browser expects ad content that has been blocked. If you can forgo aesthetically pleasing webpages, you gain the reassurance of not being redirected to bad content via rogue advertisements.
This can also be accomplished at the host-level by utilizing browser plugins. Browser plugins have the ability to block ad content on load. They also have the ability to give you control by dynamically blocking content with a simple right click.
Application control from a network perspective is key to limiting the applications that are called through the browser. Proxies are probably the best technology for filtering based on the application that is being requested. This effectively stops malicious code from targeting vulnerable applications that run within browsers. eSentire recommends blocking all Flash-related content as it is prone to exploitation.
Controlling applications that are called through the browser can also be implemented at the host level. All major browsers support a feature called 'click to play' which prevents applications from auto-executing. This stops random attacks from landing, as it requires the user to click the application in order to run the content. As recommended above, Flash content should be both disabled and blocked in favour of HTML5.
Executable control at the network layer is key to limiting what is downloaded. In most cases, these types of features are available on inline devices and allow you to control what files can be downloaded onto the network. It is important to remember that these controls can be bypassed if someone has encrypted or encoded the specific content that they are attempting to download.
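The email attachment filtering and network-layer executable control described above both come down to the same check: decide what a file is from its content, not just its name, and look inside containers before letting it through. The following is an added example, not eSentire's code, of such a content-filtering policy. It recurses into ZIP archives, decodes one layer of base64 (the encoding bypass the paragraph above warns about), and flags encrypted archive entries it cannot inspect. The blocked-extension list, the file-signature table, the function names and the sample message are all assumptions of the example, not the page's recommended list.

```python
"""Added example (not eSentire's code): a content-filtering policy that inspects
email attachments and downloaded files by extension and by file content."""
import base64
import binascii
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Extensions the example's policy refuses outright (assumed policy, not the page's list).
BLOCKED_EXTENSIONS = {
    "exe", "scr", "dll", "com", "pif", "bat", "cmd", "ps1", "vbs", "js", "jse",
    "wsf", "hta", "jar", "docm", "xlsm", "pptm",
}
# Magic bytes that identify executable content regardless of the file name.
EXECUTABLE_MAGIC = {
    b"MZ": "pe",                    # Windows PE executable / DLL
    b"\x7fELF": "elf",              # Linux ELF binary
    b"\xca\xfe\xba\xbe": "macho-fat",
}
MAX_DEPTH = 3  # nested containers (zip / base64) the filter is willing to open


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _magic_type(data):
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def _try_base64(data):
    """Return decoded bytes if data is a plausible base64 blob, else None."""
    stripped = b"".join(data.split())
    if len(stripped) < 8 or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(name, data, depth=0):
    """Return a list of reasons to block; an empty list means allow."""
    reasons = []
    ext = _extension(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{name}: blocked extension .{ext}")
    kind = _magic_type(data)
    if kind:
        reasons.append(f"{name}: {kind} executable content")
    if depth >= MAX_DEPTH:
        return reasons
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:  # encrypted entry: cannot be inspected
                        reasons.append(f"{name}: encrypted entry {info.filename} cannot be inspected")
                        continue
                    if info.is_dir():
                        continue
                    reasons.extend(classify(f"{name}/{info.filename}", zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            reasons.append(f"{name}: corrupt ZIP archive")
    else:
        # Encoding bypass: a base64 text blob that decodes to an executable or archive.
        decoded = _try_base64(data)
        if decoded is not None and (_magic_type(decoded) or decoded.startswith(b"PK\x03\x04")):
            reasons.extend(classify(f"{name}(base64)", decoded, depth + 1))
    return reasons


def scan_email(raw):
    """Apply classify() to every attachment of a raw RFC 5322 message."""
    reasons = []
    for part in message_from_bytes(raw).walk():
        filename = part.get_filename()
        if filename is None:
            continue
        reasons.extend(classify(filename, part.get_payload(decode=True) or b""))
    return reasons


def build_sample_message():
    """Constructed sample (no real malware): a ZIP hiding a renamed fake PE header,
    a base64 text attachment wrapping the same bytes, and a harmless PDF."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"constructed-fake-pe"
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("invoice.pdf", fake_pe)  # executable disguised with a harmless extension
        zf.writestr("notes.txt", b"nothing to see")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.invalid", "user@example.invalid", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(base64.b64encode(fake_pe), maintype="application", subtype="octet-stream", filename="readme.txt")
    msg.add_attachment(b"%PDF-1.4 constructed harmless pdf", maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_email(build_sample_message()):
        print("BLOCK:", reason)
```

The same `classify()` function serves a download filter on an inline device: feed it the response body and the requested file name. Note what the filter cannot do: an encrypted archive is reported rather than inspected, and content encrypted with a key the filter does not have passes the signature checks, which is exactly the bypass the paragraph above describes; the policy answer is to block what cannot be inspected rather than assume it is benign.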
Execution control at the host layer is very important for stopping code that is not authorized to run in an environment. This relates directly to threat actors who bypass specific network controls and get some form of malicious code onto the victim's machine. Stopping the execution of this code will prevent an attack from getting unrestricted access to that host. Recommended actions include:
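To make the host-layer idea concrete, here is an added example, not eSentire's code, of the kind of execution policy an application-allowlisting control enforces, evaluated offline against constructed process-start events. It denies execution from user-writable directories, denies script hosts spawned by Office or browser parents (the usual macro and drive-by chain), and allows everything else only from trusted system directories or by explicit hash. The directory lists, the parent-process rule, the `ProcessStart` event shape and the sample events are assumptions of the example, not the page's recommended actions.

```python
"""Added example (not eSentire's code): host execution-control policy evaluated
against constructed process-start events."""
import hashlib
import ntpath
from dataclasses import dataclass

# Locations ordinary users can write to; nothing executes from here by default (assumed policy).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Locations trusted for execution (assumed policy).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Script hosts that an Office or browser parent should never spawn (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe", "regsvr32.exe"}
OFFICE_AND_BROWSERS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class ProcessStart:
    image_path: str     # full path of the executable being launched
    parent_image: str   # full path of the launching process
    content: bytes      # bytes of the image, so the policy can hash it


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def evaluate(event, hash_allowlist):
    """Return (decision, reason); decision is 'allow' or 'deny'. Rules are ordered:
    behavioural denies first, then explicit hash allows, then path rules."""
    path = event.image_path.lower()
    name = ntpath.basename(path)
    parent = ntpath.basename(event.parent_image.lower())
    # 1. Office/browser parent spawning a script host is the macro / drive-by chain.
    if parent in OFFICE_AND_BROWSERS and name in SCRIPT_HOSTS:
        return "deny", f"{name}: script host launched by {parent}"
    # 2. Explicit hash allowlist for line-of-business tools that live in odd places.
    if sha256(event.content) in hash_allowlist:
        return "allow", f"{name}: sha256 on allowlist"
    # 3. Nothing executes from user-writable locations unless allowlisted above.
    if path.startswith(USER_WRITABLE_PREFIXES):
        return "deny", f"{name}: execution from user-writable path"
    # 4. Default allow only inside trusted directories.
    if path.startswith(TRUSTED_PREFIXES):
        return "allow", f"{name}: trusted directory"
    return "deny", f"{name}: path outside trusted directories"


# Constructed sample events (no real malware).
LOB_TOOL = b"constructed line-of-business tool"
SAMPLE_ALLOWLIST = {sha256(LOB_TOOL)}
SAMPLE_EVENTS = [
    ProcessStart(r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", b"MZ fake dropper"),
    ProcessStart(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", b"MZ real host"),
    ProcessStart(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", b"MZ notepad"),
    ProcessStart(r"C:\Users\alice\tools\lob.exe", r"C:\Windows\explorer.exe", LOB_TOOL),
]


def evaluate_samples():
    return [evaluate(e, SAMPLE_ALLOWLIST) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for decision, reason in evaluate_samples():
        print(decision.upper(), reason)
```

The rule order is the design point: the behavioural deny sits above the hash allowlist so that a legitimately signed, allowlisted script host is still refused when Word launches it, and the user-writable deny sits above the trusted-path allow so that `C:\Windows\Temp` is treated as untrusted even though it lives under `C:\Windows`.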
SSL visibility is required to protect against threats that communicate and originate over encrypted channels. It provides the context and identifiable characteristics that most security technologies need in order to be effective. However, like most security technologies, it can be bypassed by encrypting the communications or the malicious content with a scheme other than the SSL layer being inspected. It also carries some potential regulatory issues for industries that deal with personally identifiable information (PII).
When technology and security controls fail, all that is left is the human layer. The human layer is the hardest layer to secure because it's challenging to teach people about the dangers attackers pose. Education and training are the only ways to ensure users do not click on and execute malicious content, but with changing attack methods this remains difficult. It is recommended that organizations continuously educate and test employees to harden them against these types of attacks. Security awareness training and phishing campaigns are effective ways to keep employees educated and up to date on the latest attack techniques.
In conclusion, content filtering and configuration hardening are important components in the prevention of malicious code execution. The best way to protect against ransomware is to be proactive in your defense strategy. Utilizing technologies and processes at the network and host layers provides a defense-in-depth strategy that is more resilient to attack. Educating your users to prevent the initial chain of potentially malicious events is just as key as layered technology. As the security landscape is ever changing, eSentire will continue to publish related content via web series and security advisories.