Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Join us for a live security brefing with (ISC)2 members.
Join Tim Segato, Director, Product Management and Ryan Westman, Manager,…
Ask questions and hear from Cybersecurity experts from eSentire,…
Cybersecurity is not an IT problem to solve—it's a business risk to manage. In the Managing Cyber Risk podcast series, Mark Sangster, Vice President and Industry Security Strategist at eSentire, and Cybercrime Magazine’s Hillarie McClure lead conversations with cybersecurity experts, using the dollars-and-cents language of the C-suite to expose the issues, challenges and pitfalls which are often obscured by ones and zeroes.
Want to listen to the full episode instead? Click here.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
It’s unlikely that Sun Tzu was writing about cybersecurity, but he might as well havße been.
Today’s adversaries are well-organized, well-funded, and well-equipped, and they operate as structured enterprises—leading Mark Sangster, VP Industry Security Strategy at eSentire, to describe them as the “Misfortune 500.”
Knowing your adversary is an essential element of cyber warfare, which is why Mark and Cybercrime Magazine’s Hillarie McClure spoke to Col. (Ret.) Timothy Evans, SVP, Co-Founder and Chief of Strategy at Adlumin.
During the conversation, they touched on a wide range of topics, such as common misconceptions about cyberattacks, today’s adversaries and their goals, how cyberattacks are conducted, and spotting them before it’s too late.
Early in the conversation, Mark and Tim touch on three dangerous, and stubbornly persistent, misconceptions:
“We’re not a target”: No matter how big, how small, how ‘boring’ or how well-defended your organization is, cybercriminals can and will target you.
“Most cyberattacks are obvious, only a fool would fall for them”: We’re all accustomed to receiving obvious spam emails, and that can trick us into a state of overconfidence. But cyberattacks against corporations are very different. Phishing emails are often personalized, and they increasingly make use of public and private information to look legitimate. Assuming that cyber threats are obvious only increases the odds that an attack against your company will be successful.
“Well, I guess there’s nothing we can do if a sophisticated cybercriminalattacker targets us”: This one is closely related to the after-the-fact outcry of “there were no signs”. But the truth is that cyberattacks aren’t instantaneous and there are always signs. Your cybersecurity team just needs to know what to look for and more importantly, they need to have the security operations capabilities to do so.
Businesses are finally understanding that today’s cyber threat actors aren’t rogue individuals, but run highly sophisticated operations with many of the same functions (e.g., recruitment, R&D, operations, and business development) as modern enterprises. What’s more, they operate in a mature ecosystem complete with specialty services, marketplaces, channel, and affiliate programs, and so on.
Prosecution for ransomware gangs remain relatively rare, often due to the cross-border nature of the cybercrime. In fact, Tim also noted that he’s seen evidence of ransomware operators installing and maintaining backdoors for possible use in a wartime scenario.
Learning how today’s adversaries operate and their psyche can significantly help your team understand the best way to protect your organization and mitigate your cyber risk.
Cybercriminals are after money—the rewards of a successful cyberattack are high, especially when threat actors introduce multiple revenue streams by combining ransomware attacks with stealing and selling valuable information.
Although adversaries are motivated by stealing a company’s intellectual property or proprietary data, disabling systems and services and making crucial information unavailable continues to generate impressive returns for ransomware operators. The average ransom across all industries reached $570,000 in the first half of 2021, an 83% increase over 2020.
Additionally, cybercriminals routinely use double- and triple-extortion tactics to compel the victim to pay to recover access to systems, prevent the publication of protected health information (PHI) and personally identifiable information (PII), and avoid the potential regulatory fines.
The fact remains, whether the victim pays the ransom or not, ransomware groups may still sell stolen data in cybercrime marketplaces given the specific benefits associated with different types of data:
Financial information is used to compromise bank accounts and commit wire transfer frauds
Employee information can be used for identity theft, to commit fraud, and to engage in longer, more complex operations like business email compromise (BEC) and highly targeted phishing scams
Patient information can be used to blackmail individuals—PHI, in particular, is regarded as being much more valuable than credit card information, with each record worth anywhere from $10 to $1,000
The broad stages of a cyberattack are standardized—initial access is gained, intrusion actions are performed, and then malware is detonated—but the specifics of execution differ.
While staying up to date with the latest tactics, techniques and procedures (TTPs) can be challenging since they’re always evolving, Mark suggests that the corrective action plans (CAPs) prepared by the Office for Civil Rights (OCR) in response to HIPAA violations are a good source. Although they don’t spell out the details, it’s usually straightforward to determine how an organization succumbed to a cyberattack.
Sophisticated threat actors will target your company sooner or later and they’re very adept at gaining access into your environment. But cyberattacks—particularly ransomware attacks—don’t happen instantaneously.
Once inside an environment, cybercriminals engage in ‘intrusion actions’ like domain reconnaissance, creating new accounts, finding backups, exfiltrating data, harvesting credentials, creating backdoors, and identifying the systems and services that should be targeted to inflict maximum pressure on the victim.
These activities take time, and they create Indicators of Compromise (IoCs) that are detectable with the right tools.
“You have to know every time an account is created, and you have to be able to verify that we created that account…which is really hard for large organizations,” Tim stressed.
To underscore the point, Mark shared an example of a recent breach of a healthcare delivery organization (HDO) in which an IT technician noticed some strange account creation and reached out to HR, who subsequently escalated the matter to the IT manager. Unfortunately, it was a long weekend, the IT manager was busy and decided to look at things on Monday—by which point ransomware had shut down the organization.
Similarly, user behavior analytics can recognize strange file transfers, lateral movements and other unusual activities, like a user suddenly running PowerShell for the first time.
Fortunately, organizations don’t have to wait until they’re under attack to recognize and address their own vulnerabilities. At a minimum, Tim recommends looking for compromised accounts on the dark web and using tools like Shodan to understand what cybercriminals see when they look at your network.
You can also adopt a more proactive, risk-based approach to cybersecurity that leverages a comprehensive vulnerability management program, Phishing and Security Awareness Training (PSAT), engaging an Managed Detection and Response (MDR) provider, to identify and contain cyber threats that bypassed existing defenses, and Incident Response (IR).
Doing the basics—strong passwords, multi-factor authentication, controlled and encrypted access, least privilege, and network segmentation—is essential and while these countermeasures might not stop cybercriminals outright, they can slow down adversaries and give you the opportunity to detect their presence.
In fact, Tim reiterates the importance of monitoring for the telltale signs of intrusion: “There are certain things that you absolutely need to monitor. If you’re an organization of CISOs, you have to put this at the top of your agenda. You need to know what you need to be monitoring.”
Listen to the full Learning from the Adversary episode of the Managing Cyber Risk podcast series as Mark Sangster and Hillarie McClure interview Col. (Ret.) Timothy Evans what we can learn from the adversary, the evolution of ransomware, and more.
eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.