Blog — Mar 20, 2020

Pandemic Cybersecurity


One of the more disturbing things about a pandemic is the sense of helplessness it creates. Even when we ourselves are not getting sick, isolation and social distancing leave us unable to escape the seriousness of the situation. We find ourselves sitting and worrying when normally we would be out and about, and all we hear are further stories about how this situation is overtaking society: steadily climbing numbers of infected, with more and more extreme measures being taken to try to contain the disease. We know that by isolating we are contributing to making things better in the long run, but sitting still does not feel like doing anything to help.

As a cybersecurity professional, I am fortunate enough to work in an industry where it is at least possible to do much of my work remotely. In light of the situation, I wanted to reflect on the meaning of that work and share what the pandemic looks like from our vantage point. My hope is that this helps you better understand how cybersecurity produces real effects in the physical world, and the role it plays in protecting your business and your clients.

At eSentire, we offer Managed Detection and Response (MDR): essentially, we monitor for threats that get through automated defenses and then step in to neutralize and contain them. Many of the clients we protect are organizations on the front lines of the battle against COVID-19 today, or are delivering critical infrastructure to those who are. In the background, our work is helping keep hospitals and medical research labs online, protecting them and the critical services they depend on from attacks that could disrupt or shut them down.

To illustrate, the Data Studio dashboard below shows some of the security incidents eSentire MDR has handled for critical service sectors over the last year. Its interactive toggles let you drill down into metadata on real security incidents that occurred over the period of the pandemic, targeting healthcare services, medical research and critical infrastructure, and see what we stepped in to prevent. Keep in mind that, to keep these clients anonymized, we have changed a few things [1].

[Interactive Data Studio dashboard: security incidents handled for critical service sectors during the pandemic, with a timeline, map, pie charts and tables]

Exploit Attempts

By far the most frequent type of attack we observe is also the least significant: exploit attempts coming through perimeter security and touching briefly on internal systems. Mostly this is the background noise of the internet being let through a hole in the perimeter (often one made intentionally in the interests of availability), but we work to identify the known bad and act as a second line of active defense where clients have left gaps in their firewalls, for whatever reason.

Suspicious Activity

The next most frequent type of incident is Suspicious Activity: cases where a Security Operations Center (SOC) investigation picked up something out of the ordinary that needed to be raised for additional investigation. These are usually benign, but a fair number of potentially serious problems are caught here, and some preventable disasters averted.

Dangerous Incidents

Our continual investigations also regularly hit upon smaller numbers of real, serious attacks in progress: someone trying to brute force their way into sensitive systems, scam people into giving up their passwords, or deploy malicious code such as ransomware or other payloads onto hospital systems. Our objective here is to contain and disrupt such incursions as we see them, before the attacker can expand a toehold into a position from which they can threaten to take an entire hospital or infrastructure system offline, and to keep the cleanup manageable for on-site IT.
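The three sections above describe a triage taxonomy: high-volume perimeter exploit attempts, anomalies raised for an analyst, and a smaller set of dangerous incidents such as brute force, credential phishing and payloads landing on hosts. The following is an added example, not code from the original post or from eSentire, that sorts a constructed batch of events into those three categories, with the brute-force detection done as a sliding window of failed logons per source and an escalation when the same source later logs on successfully. The event schema, the threshold of ten failures in five minutes, and all sample events are assumptions made for illustration.

```python
"""Triage of constructed security events into the three classes the post
describes: exploit attempts (perimeter noise), suspicious activity (anomalies
raised for analyst review) and dangerous incidents (brute force, credential
theft, malicious payloads). The event schema, thresholds and sample data are
illustrative assumptions, not eSentire's pipeline or data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 10                  # failed logons from one source (assumed)
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # within this window (assumed)


def _constructed_events():
    """Sample input, constructed for this example."""
    base = datetime(2020, 3, 18, 2, 0, 0)
    events = [
        {"ts": "2020-03-18T01:12:44", "type": "ids_alert", "src_ip": "203.0.113.7",
         "dst_ip": "10.0.5.20", "signature": "web_scanner"},
        {"ts": "2020-03-18T01:13:02", "type": "ids_alert", "src_ip": "203.0.113.9",
         "dst_ip": "10.0.5.20", "signature": "path_traversal_attempt"},
        {"ts": "2020-03-18T01:40:19", "type": "ids_alert", "src_ip": "203.0.113.44",
         "dst_ip": "10.0.7.3", "signature": "smb_probe"},
        {"ts": "2020-03-18T01:55:00", "type": "anomaly", "host": "lab-ws-17",
         "detail": "remote_admin_tool_first_seen"},
        {"ts": "2020-03-18T02:10:05", "type": "edr_alert", "host": "imaging-srv-02",
         "detection": "ransomware_behaviour"},
        {"ts": "2020-03-18T02:15:30", "type": "phish_report", "user": "j.doe",
         "detail": "credentials_entered_on_lookalike_portal"},
    ]
    # Three typos from an internal workstation: below threshold, not an incident.
    events += [{"ts": (base + timedelta(minutes=i)).isoformat(), "type": "auth_failure",
                "src_ip": "10.0.0.5", "user": "nurse01"} for i in range(3)]
    # Twelve failures in two minutes from one external source, then a success.
    events += [{"ts": (base + timedelta(seconds=10 * i)).isoformat(), "type": "auth_failure",
                "src_ip": "198.51.100.9", "user": "administrator"} for i in range(12)]
    events.append({"ts": (base + timedelta(seconds=150)).isoformat(), "type": "auth_success",
                   "src_ip": "198.51.100.9", "user": "administrator"})
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Flag a source with at least `threshold` failed logons inside `window`.
    A later success from the same source is escalated: a password was guessed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            failures[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
        elif e["type"] == "auth_success":
            successes[e["src_ip"]].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                guessed = any(s >= times[start] for s in successes.get(src, []))
                findings.append({
                    "category": "dangerous_incident",
                    "kind": "credential_compromise" if guessed else "brute_force",
                    "src_ip": src, "failed_logons": len(times),
                    "window_start": times[start].isoformat(),
                })
                break                              # one finding per source is enough
    return findings


def classify_events(events):
    """Map every event to one of the post's three categories."""
    findings = detect_brute_force(events)
    for e in events:
        if e["type"] == "ids_alert":               # perimeter noise, mostly
            findings.append({"category": "exploit_attempt", "kind": e["signature"],
                             "src_ip": e["src_ip"], "dst_ip": e["dst_ip"]})
        elif e["type"] == "anomaly":               # needs an analyst's eyes
            findings.append({"category": "suspicious_activity", "kind": e["detail"],
                             "host": e["host"]})
        elif e["type"] == "edr_alert":             # payload already on a host
            findings.append({"category": "dangerous_incident", "kind": e["detection"],
                             "host": e["host"]})
        elif e["type"] == "phish_report":          # someone gave up a password
            findings.append({"category": "dangerous_incident", "kind": "credential_phish",
                             "user": e["user"]})
        # auth_failure / auth_success events are consumed by detect_brute_force above
    return findings


def summarize(findings):
    """Counts per category, the figure a dashboard pie chart would show."""
    return dict(Counter(f["category"] for f in findings))


if __name__ == "__main__":
    for finding in classify_events(SAMPLE_EVENTS):
        print(finding)
    print(summarize(classify_events(SAMPLE_EVENTS)))
```

Keying the brute-force counter on source address is the simplest form and is what the constructed data exercises; an attacker spraying one password across many accounts from many addresses stays under a per-source threshold, so a production rule also counts failures per target account and per account-source pair.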

In cybersecurity, these situations going undetected until it is too late are what we worry about constantly. Imagine an already overloaded hospital in the middle of a pandemic suddenly losing computer-powered diagnostic machines, test results, patient records, access to research, or even just the software that helps with the logistics of scheduling doctors to best effect. Today that nightmare is an ever-present possibility, and we all too often find ourselves as the last line of defense in preventing it. After all, some attackers see today's events simply as an opportunity: who wouldn't pay a ransom if it keeps a hospital's doors open during a pandemic?

Feel free to use this dashboard to look out on the fight against COVID-19 from our vantage point as events develop, and to get a sense of how we are working to help keep hospitals and infrastructure open and online during this emergency. Dragging across the pandemic timeline at the top restricts the view to a specific period (this also resizes and/or limits the dots shown based on activity), and you can drill down on other properties by interacting with the map, pie charts and tables.

At the end of the day, cybersecurity plays its part in supporting reliable access to healthcare technology. When I consider that doctors and hospitals need those tools as they steer us through this pandemic, knowing that what we do lets them focus on what matters makes me feel less helpless in this isolation.


[1] We have aggregated and altered things slightly to avoid disclosing anything that could identify our clients or help attackers: the actual locations attacked are moved and fuzzed to geolocations hundreds of miles away, the data is a cross section rather than a complete set, and we do not disclose specifics about any incident beyond a loose classification of what happened (and only after we have fully handled it).
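The footnote describes three anonymization steps for the published dashboard: displace each location by hundreds of miles, publish a cross section rather than the full set, and keep only a loose classification of incidents that are already closed. The following is an added example, not eSentire's own method or data, that implements those steps on constructed records: a great-circle displacement of 300 to 800 km (an assumed reading of "hundreds of miles"), a random subsample, and a projection onto the non-identifying fields. The displacement is derived per client from a secret rather than drawn fresh per incident, for a reason explained in the code.

```python
"""Publishing incident data without identifying clients, in the way the
footnote describes: locations moved hundreds of miles, a cross section of
records rather than the full set, and only a loose classification kept.
The records, distance range, field names and secret are assumptions made
for illustration, not eSentire's own method or data."""
import hashlib
import math
import random

EARTH_RADIUS_KM = 6371.0
MIN_SHIFT_KM, MAX_SHIFT_KM = 300.0, 800.0     # assumed reading of "hundreds of miles"
PUBLIC_FIELDS = ("date", "sector", "category")  # the loose classification that is kept

# Constructed records: two incidents at one fictional client, and one still open.
SAMPLE_RECORDS = [
    {"client_id": "clinic-a", "hostname": "imaging-srv-02", "lat": 43.65, "lon": -79.38,
     "date": "2020-03-11", "sector": "healthcare", "category": "dangerous_incident",
     "status": "closed", "detail": "ransomware payload blocked"},
    {"client_id": "clinic-a", "hostname": "lab-ws-17", "lat": 43.65, "lon": -79.38,
     "date": "2020-03-14", "sector": "healthcare", "category": "suspicious_activity",
     "status": "closed", "detail": "remote admin tool first seen"},
    {"client_id": "utility-b", "hostname": "scada-gw-01", "lat": 51.05, "lon": -114.07,
     "date": "2020-03-16", "sector": "critical_infrastructure", "category": "exploit_attempt",
     "status": "open", "detail": "perimeter scan"},
]


def destination(lat, lon, bearing_deg, distance_km):
    """Point reached by travelling distance_km from (lat, lon) along a great
    circle with the given initial bearing, on a spherical earth."""
    d = distance_km / EARTH_RADIUS_KM
    b = math.radians(bearing_deg)
    p1, l1 = math.radians(lat), math.radians(lon)
    p2 = math.asin(math.sin(p1) * math.cos(d) + math.cos(p1) * math.sin(d) * math.cos(b))
    l2 = l1 + math.atan2(math.sin(b) * math.sin(d) * math.cos(p1),
                         math.cos(d) - math.sin(p1) * math.sin(p2))
    return math.degrees(p2), (math.degrees(l2) + 540.0) % 360.0 - 180.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, on a spherical earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def client_shift(client_id, secret):
    """One fixed (bearing, distance) per client, derived from a secret.
    Shifting every incident independently would let a reader average the
    published points for one client back toward its true site; a per-client
    shift moves the whole cluster together, so averaging gains nothing."""
    digest = hashlib.sha256(f"{secret}:{client_id}".encode()).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return rng.uniform(0.0, 360.0), rng.uniform(MIN_SHIFT_KM, MAX_SHIFT_KM)


def anonymise(records, secret, sample_fraction=1.0, seed=0):
    """Return the publishable cross section: only closed incidents, only the
    loose classification fields, and a displaced, coarsened location."""
    rng = random.Random(seed)
    out = []
    for rec in records:
        if rec["status"] != "closed":           # publish only after it is fully handled
            continue
        if rng.random() >= sample_fraction:     # cross section, not the complete set
            continue
        bearing, dist = client_shift(rec["client_id"], secret)
        lat, lon = destination(rec["lat"], rec["lon"], bearing, dist)
        public = {k: rec[k] for k in PUBLIC_FIELDS}
        public["lat"], public["lon"] = round(lat, 1), round(lon, 1)  # coarsen too
        out.append(public)
    return out


if __name__ == "__main__":
    for point in anonymise(SAMPLE_RECORDS, "constructed-secret", sample_fraction=0.8):
        print(point)
```

The secret must not be published with the dashboard: anyone holding it can recompute each client's displacement and undo the shift. Rounding the displaced coordinates to one decimal place adds roughly 10 km of coarsening on top of the shift, which matters little at these distances but stops the output from carrying more precision than the method justifies.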

Alexander Feick, Technical Director, Security Services Architecture