Blog — Nov 07, 2016

The enemy is inside the wire


Reprinted from the August 2016 issue of Cybersecurity Law & Strategy with permission.

By now you’ve likely read the headlines about the recent attacks on several Asian banks, with cyber losses reported in the tens of millions of dollars. And if you’re really paying attention, you probably know these attacks have been linked to the Lazarus Group, a cybercrime organization with suspected ties to the North Korean government. Earlier this year, the Lazarus Group was also identified as the likely culprit behind the brazen attack on Sony Pictures back in 2014. In all likelihood, you read the headlines and then moved on to the latest sports scores. Why? Because it doesn’t relate to you. Or does it?

I often use this analogy when speaking with law firms about cyber risks: If I told you that thieves broke into a major bank in your town and stole cash, you wouldn’t care. If I told you that the same thieves broke into your neighbor’s house, you’d rush out and sign up for an alarm service and buy an intimidating watch dog. The point is, we only pay attention to that which we think relates to us.

And that’s the general problem with a security industry obsessed with big retail and entertainment brands splashed across headlines, and with a paparazzi-like zeal for mega data breaches and the class action suits that follow. Much like my analogy, most mid-market firms ignore the lesson taught by the big game bagged by cybercriminals. Smaller firms write off the cyber risk as hyperbole or misguided panic. Smaller firms don’t think they have anything worth stealing. Criminal actors use this blind spot to move freely through the networks of modest investment funds and law firms. They use low-tech methods to infiltrate their victims and steal information they can resell or use to front-run trades on the open stock markets. It’s a simple business model and it works: less hardened targets take less time and effort to attack, and often yield the same revenue as larger victims.

So, let’s return to my analogy. What if the same criminal organization that robbed that major bank in your town also broke into your neighbor’s house? It did. Lazarus, that bank-swindling, Sony-humiliating group, has attacked a mid-market U.S. financial company. Paying attention now?

The Enemy Is Inside the Wire

In August 2015, our Security Operations Center (SOC) detected suspicious activity originating from within a client’s network. We blocked the network transactions and alerted our client to the action, and then applied a rule across our entire security base to protect all clients from further attacks. We then submitted our rule through public forums to the broader security community.

Months later, the spate of Asian bank hacks provided evidence implicating Lazarus as the perpetrator. Television programs leave us with an inflated sense of certainty about the forensic evidence a perpetrator leaves at the scene of a crime. Yet, like its physical counterpart, electronic crime leaves a form of DNA. This forensic fingerprint can be used to piece together the common factors associated with specific criminal organizations: the tooling, infrastructure and tradecraft they reuse from one operation to the next. Think modus operandi. In this case, the August attack carried distinctive markers linking it to the Lazarus Group. Yes, the same Lazarus Group that has taken on the South Korean government, Sony Pictures and a significant collection of Asian banks.

We published the timeline on our blog and have subsequently briefed the FBI, U.S. District Attorney and the SEC to assist with ongoing investigations. Agencies of the U.S. government are concerned, so you should be, too.

Asset Management Funds and Law Firms: Small Companies with Big Company Problems

The client at the center of our Lazarus-based investigation is a New York-based asset management firm. The attackers didn’t target a mega-corporation, national retailer or restaurant chain. They didn’t target a prime broker or big investment bank. Instead, they focused on a mid-market company, which coincidentally has the same profile as a law firm. By profile, I mean that the firm holds high-value assets, has a low tolerance for reputational risk and doesn’t operate an IT department the size of a national corporation’s or bank’s. Another way to summarize: the targeted asset management firm, like many law firms, is a small company with big company problems.

So how does a small firm tackle security challenges like a large firm? The first thing I tell clients is to recognize themselves as a target. You are a lucrative and soft target, both to smash-and-grab criminals looking for a quick profit through compromised wire transfer accounts or fraudulent invoices, and to more sophisticated criminal organizations like Lazarus.

The second thing I advise is to join the Legal Services Information Sharing & Analysis Organization (LS-ISAO). Sharing threat intelligence is one of the best defenses against cyber threats and attacks. LS-ISAO offers real-time alerts and advisories on new vulnerabilities, exploits and active attacks. With the LS-ISAO, when threats like those executed by the Lazarus Group happen, you’ll know about it. This actionable information is a critical element in your cyber defense posture, and should feed into your ongoing security awareness training.

And last, I tell clients to be vigilant. Start with a zero-trust model: assume the bad guys are already inside your network, and monitor traffic for indicators of compromise rather than trusting a connection because it originates from an internal address. When we think about the string of bank hacks, third-party risk cannot be overlooked. It’s easy to assume that vendors value cybersecurity as much as you do, but that’s not always the case. In fact, recognizing this, policy makers have placed heightened focus on third-party risk and cascading compliance requirements. Multiple banks caught up in the string of Lazarus hacks suffered losses because the attackers compromised the banks’ own endpoints connected to their financial messaging provider (namely SWIFT, the interbank messaging network commonly used by financial institutions); SWIFT’s core network itself was not breached, but the bank-side systems that issued messages to it were.
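Here is what "assume the enemy is inside and watch the traffic" looks like in practice, as an added example that is not part of the original post and not eSentire’s own tooling: a small Python script that scans outbound proxy log lines against a set of indicators of compromise (the kind of domains, IP ranges and URI patterns an ISAO advisory would distribute) and reports which internal hosts reached them. The log layout, the indicator values (all in documentation address space) and the log lines are constructed for illustration; none of them are real Lazarus indicators.

```python
"""Added example: scan outbound proxy logs for indicators of compromise (IOCs).

Not from the original post. The log format, the IOC values and the log lines
are all constructed for illustration; the addresses use documentation ranges
and none of the indicators are real Lazarus indicators.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC set. In practice this is loaded from a threat-intel feed
# (for example an ISAO advisory), not hard-coded.
IOC_DOMAINS = {"update-check.example.net", "cdn-static.example.org"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # TEST-NET-3
IOC_URI_PATTERNS = [re.compile(r"/[a-z]{2}/gate\.php$")]  # a C2 URI shape

# Assumed log layout: "<timestamp> <client_ip> <method> <url> <dest_ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<dst>\S+)$"
)
URL_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")

# Constructed sample log: two hosts touch IOC infrastructure, one line is malformed.
SAMPLE_LOG = """\
2015-08-12T09:14:02Z 10.1.4.22 GET http://www.example.com/index.html 198.51.100.10
2015-08-12T09:14:09Z 10.1.4.22 POST http://update-check.example.net/us/gate.php 203.0.113.45
2015-08-12T09:15:31Z 10.1.7.9 GET http://files.cdn-static.example.org/app.js 198.51.100.77
2015-08-12T09:16:00Z 10.1.4.22 GET http://203.0.113.200/pkg.bin 203.0.113.200
2015-08-12T09:17:45Z 10.1.9.3 GET http://www.example.org/news 198.51.100.12
this line is malformed and must be counted, not silently dropped
"""


@dataclass
class Hit:
    ts: str
    client: str
    url: str
    reasons: list


def matches_domain(host):
    """True if host equals an IOC domain or is a subdomain of one.

    Anchoring on a label boundary matters: 'notupdate-check.example.net'
    must not match 'update-check.example.net'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def matches_network(addr):
    """True if addr is an IP inside an IOC network; non-IP strings never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_record(rec):
    """Return a Hit listing every IOC the record touched, or None."""
    u = URL_RE.match(rec["url"])
    host = u["host"] if u else ""
    path = (u["path"] or "/") if u else ""
    reasons = []
    if matches_domain(host):
        reasons.append("domain:" + host.lower())
    # Check both the resolved destination and a literal-IP host in the URL.
    if matches_network(rec["dst"]) or matches_network(host):
        reasons.append("ip:" + rec["dst"])
    for pat in IOC_URI_PATTERNS:
        if pat.search(path):
            reasons.append("uri:" + pat.pattern)
    return Hit(rec["ts"], rec["client"], rec["url"], reasons) if reasons else None


def scan(log_text):
    """Scan a log; return (hits, malformed_count)."""
    hits, malformed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        hit = match_record(rec)
        if hit:
            hits.append(hit)
    return hits, malformed


def hosts_to_isolate(hits):
    """Internal hosts that touched any IOC, sorted for the incident ticket."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.client} -> {h.url}  [{', '.join(h.reasons)}]")
    print(f"{bad} malformed line(s); hosts to isolate: {hosts_to_isolate(found)}")
```

Two details matter more than the matching itself. Domain matches anchor on a label boundary, so `files.cdn-static.example.org` is caught while `notcdn-static.example.org` is not; a bare substring check gets both wrong in opposite directions. And malformed lines are counted rather than silently dropped, because a log source that quietly stops parsing is itself something a SOC needs to notice.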

Conclusion

In an interconnected, cyber world, we need to abandon the false security that comes from believing we live in a safe neighborhood. Major organized hacks occur on native soil as frequently as they do on the other side of the world. You may live in an affluent, gated community; the bad guys can still trick you into a dark alley of their choosing. We all know cyber threats aren’t going away. Cybercriminals will continue to seek out gateways into your firm’s network. With ever-increasing risk, industry borders are irrelevant. Law firms must pay attention to threats impacting all industries, because while the cyberattackers may target the bank down the street this week, they could, and likely will, target your firm tomorrow.

eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.