Blog — Jan 05, 2022

MANAGING CYBER RISK PODCAST SERIES

Ep. 8: Learning from the Adversary

6 minutes read

Cybersecurity is not an IT problem to solve—it's a business risk to manage. In the Managing Cyber Risk podcast series, Mark Sangster, Vice President and Industry Security Strategist at eSentire, and Cybercrime Magazine’s Hillarie McClure lead conversations with cybersecurity experts, using the dollars-and-cents language of the C-suite to expose the issues, challenges and pitfalls which are often obscured by ones and zeroes.

Want to listen to the full episode instead? Click here.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

It’s unlikely that Sun Tzu was writing about cybersecurity, but he might as well have been.

Today’s adversaries are well-organized, well-funded, and well-equipped, and they operate as structured enterprises—leading Mark Sangster, VP Industry Security Strategy at eSentire, to describe them as the “Misfortune 500.”

Knowing your adversary is an essential element of cyber warfare, which is why Mark and Cybercrime Magazine’s Hillarie McClure spoke to Col. (Ret.) Timothy Evans, SVP, Co-Founder and Chief of Strategy at Adlumin.

During the conversation, they touched on a wide range of topics, such as common misconceptions about cyberattacks, today’s adversaries and their goals, how cyberattacks are conducted, and spotting them before it’s too late.

What are some common misconceptions about cyberattacks?

Early in the conversation, Mark and Tim touch on three dangerous, and stubbornly persistent, misconceptions:

  1. “We’re not a target”: No matter how big, how small, how ‘boring’ or how well-defended your organization is, cybercriminals can and will target you.

  2. “Most cyberattacks are obvious, only a fool would fall for them”: We’re all accustomed to receiving obvious spam emails, and that can trick us into a state of overconfidence. But cyberattacks against corporations are very different. Phishing emails are often personalized, and they increasingly make use of public and private information to look legitimate. Assuming that cyber threats are obvious only increases the odds that an attack against your company will be successful.

  3. “Well, I guess there’s nothing we can do if a sophisticated cybercriminal targets us”: This one is closely related to the after-the-fact outcry of “there were no signs”. But the truth is that cyberattacks aren’t instantaneous and there are always signs. Your cybersecurity team just needs to know what to look for and, more importantly, they need to have the security operations capabilities to do so.

Who are today’s adversaries?

Businesses are finally understanding that today’s cyber threat actors aren’t rogue individuals, but run highly sophisticated operations with many of the same functions (e.g., recruitment, R&D, operations, and business development) as modern enterprises. What’s more, they operate in a mature ecosystem complete with specialty services, marketplaces, channel and affiliate programs, and so on.

Prosecutions of ransomware gangs remain relatively rare, often due to the cross-border nature of the cybercrime. In fact, Tim also noted that he’s seen evidence of ransomware operators installing and maintaining backdoors for possible use in a wartime scenario.

Learning how today’s adversaries operate and their psyche can significantly help your team understand the best way to protect your organization and mitigate your cyber risk.

What are threat actors’ goals?

Cybercriminals are after money—the rewards of a successful cyberattack are high, especially when threat actors introduce multiple revenue streams by combining ransomware attacks with stealing and selling valuable information.

Although adversaries are also motivated by stealing a company’s intellectual property or proprietary data, disabling systems and services and making crucial information unavailable continues to generate impressive returns for ransomware operators. The average ransom across all industries reached $570,000 in the first half of 2021, an 83% increase over 2020.

Additionally, cybercriminals routinely use double- and triple-extortion tactics to compel the victim to pay to recover access to systems, prevent the publication of protected health information (PHI) and personally identifiable information (PII), and avoid the potential regulatory fines.

The fact remains, whether the victim pays the ransom or not, ransomware groups may still sell stolen data in cybercrime marketplaces given the specific benefits associated with different types of data:

How do threat actors conduct cyberattacks?

The broad stages of a cyberattack are standardized—initial access is gained, intrusion actions are performed, and then malware is detonated—but the specifics of execution differ.

While staying up to date with the latest tactics, techniques and procedures (TTPs) can be challenging since they’re always evolving, Mark suggests that the corrective action plans (CAPs) prepared by the Office for Civil Rights (OCR) in response to HIPAA violations are a good source. Although they don’t spell out the details, it’s usually straightforward to determine how an organization succumbed to a cyberattack.

How can you spot adversary activity before it’s too late?

Sophisticated threat actors will target your company sooner or later and they’re very adept at gaining access into your environment. But cyberattacks—particularly ransomware attacks—don’t happen instantaneously.

Once inside an environment, cybercriminals engage in ‘intrusion actions’ like domain reconnaissance, creating new accounts, finding backups, exfiltrating data, harvesting credentials, creating backdoors, and identifying the systems and services that should be targeted to inflict maximum pressure on the victim.

These activities take time, and they create Indicators of Compromise (IoCs) that are detectable with the right tools.

“You have to know every time an account is created, and you have to be able to verify that we created that account…which is really hard for large organizations,” Tim stressed.

To underscore the point, Mark shared an example of a recent breach of a healthcare delivery organization (HDO) in which an IT technician noticed some strange account creation and reached out to HR, who subsequently escalated the matter to the IT manager. Unfortunately, it was a long weekend, the IT manager was busy and decided to look at things on Monday—by which point ransomware had shut down the organization.

Similarly, user behavior analytics can recognize strange file transfers, lateral movements and other unusual activities, like a user suddenly running PowerShell for the first time.
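As an added example (not code from the eSentire post or from Adlumin), the two signals discussed above can be turned into simple detection logic: every account-creation event is checked against the change records that prove "we created that account", and a user's first-ever PowerShell launch is flagged against a baseline of users known to use it. The event layout, the change-ticket list and the baseline are all constructed assumptions for the demo.

```python
"""Added example: account-creation verification and first-time PowerShell
detection over constructed, Windows-style security events.
Assumptions (not from the page): events are dicts with 'event_id'
4720 (user account created) or 4688 (process created); approved
creations are keyed by account name in a change-ticket mapping."""

# Constructed sample events, loosely modelled on Windows Security log fields.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ts": "2022-01-03T09:12:00", "event_id": 4720, "actor": "jsmith-adm",
     "target": "svc_backup2"},
    {"ts": "2022-01-03T22:41:10", "event_id": 4720, "actor": "jsmith-adm",
     "target": "support_tmp"},
    {"ts": "2022-01-03T10:02:00", "event_id": 4688, "user": "alice",
     "process": PS_EXE},
    {"ts": "2022-01-03T22:45:31", "event_id": 4688, "user": "jsmith",
     "process": PS_EXE},
    {"ts": "2022-01-03T22:46:02", "event_id": 4688, "user": "jsmith",
     "process": PS_EXE},
]

# Constructed change records: the accounts IT actually asked for.
APPROVED_ACCOUNTS = {"svc_backup2": "CHG-1042"}

# Constructed baseline: users already expected to run PowerShell.
POWERSHELL_BASELINE = {"alice"}

def unverified_account_creations(events, approved):
    """Return 4720 events whose new account has no matching change record."""
    return [e for e in events
            if e["event_id"] == 4720 and e["target"] not in approved]

def first_time_powershell(events, baseline):
    """Return the first PowerShell 4688 event for each user not in the baseline."""
    seen = set(baseline)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort as text
        if e["event_id"] != 4688:
            continue
        if e["process"].lower().endswith("powershell.exe") and e["user"] not in seen:
            hits.append(e)
            seen.add(e["user"])  # later launches by this user are no longer "first"
    return hits

if __name__ == "__main__":
    for e in unverified_account_creations(SAMPLE_EVENTS, APPROVED_ACCOUNTS):
        print("ALERT unverified account creation:", e["target"], "by", e["actor"])
    for e in first_time_powershell(SAMPLE_EVENTS, POWERSHELL_BASELINE):
        print("ALERT first PowerShell use by", e["user"], "at", e["ts"])
```

In a real deployment the approved list would come from the ticketing system and the baseline from a rolling window of historical 4688 events, so that the "first time" comparison reflects actual user history rather than a static set.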

Fortunately, organizations don’t have to wait until they’re under attack to recognize and address their own vulnerabilities. At a minimum, Tim recommends looking for compromised accounts on the dark web and using tools like Shodan to understand what cybercriminals see when they look at your network.

You can also adopt a more proactive, risk-based approach to cybersecurity that leverages a comprehensive vulnerability management program, Phishing and Security Awareness Training (PSAT), a Managed Detection and Response (MDR) provider to identify and contain cyber threats that bypass existing defenses, and Incident Response (IR).

Moving forward

Doing the basics—strong passwords, multi-factor authentication, controlled and encrypted access, least privilege, and network segmentation—is essential and while these countermeasures might not stop cybercriminals outright, they can slow down adversaries and give you the opportunity to detect their presence.

In fact, Tim reiterates the importance of monitoring for the telltale signs of intrusion: “There are certain things that you absolutely need to monitor. If you’re an organization of CISOs, you have to put this at the top of your agenda. You need to know what you need to be monitoring.”

Learn more from your adversaries

Listen to the full Learning from the Adversary episode of the Managing Cyber Risk podcast series as Mark Sangster and Hillarie McClure interview Col. (Ret.) Timothy Evans about what we can learn from the adversary, the evolution of ransomware, and more.
