Blog — Nov 07, 2016

The enemy is inside the wire

Reprinted from the August 2016 issue of Cybersecurity Law & Strategy with permission.

By now you’ve likely read the headlines about the recent attacks on various Asian banks, resulting in cyber losses reported in the tens of millions of dollars. And if you’re really paying attention, you probably know these attacks have been linked to the Lazarus cybercrime organization, which has suspected ties to the North Korean government. Earlier this year, the Lazarus Group was also identified as the likely culprit behind the brazen attack on Sony back in 2014. In all likelihood, you read the headlines and then moved on to the latest sports scores. Why? Because it doesn’t relate to you. Or does it?

I often use this analogy when speaking with law firms about cyber risks: If I told you that thieves broke into a major bank in your town and stole cash, you wouldn’t care. If I told you that the same thieves broke into your neighbor’s house, you’d rush out and sign up for an alarm service and buy an intimidating watch dog. The point is, we only pay attention to that which we think relates to us.

And that’s the general problem with a security industry obsessed with the big retail and entertainment brands splashed across headlines, and with a paparazzi-like zeal for mega data breaches and the class action suits that follow. Much like in my analogy, most mid-market firms ignore the lesson of the big game bagged by cybercriminals. Smaller firms write off the cyber risk as hyperbole or misguided panic; they don’t think they have anything worth stealing. Criminal actors use this blind spot to move freely through the networks of modest investment funds and law firms. They use low-tech methods to infiltrate their victims and steal information they can resell or use to front-run trades on the open stock markets. It’s a simple business model and it works: less hardened targets take less time and effort to attack, and often yield the same revenue as larger victims.

So, let’s return to my analogy. What if the same criminal organization that robbed that major bank in your town also broke into your neighbor’s house? It did. Lazarus, that bank-swindling, Sony-humiliating outfit, has attacked a mid-market U.S. financial company. Paying attention now?

The Enemy Is Inside the Wire

In August 2015, our Security Operations Center (SOC) detected suspicious activity originating from within a client’s network. We blocked the network transactions, alerted the client to what we had done, and then applied a rule across our entire security base to protect all clients from further attacks. We then shared the rule with the broader security community through public forums.

Months later, the spate of Asian bank hacks provided evidence implicating Lazarus as the perpetrator. Television programs leave us with an inflated sense of certainty about the forensic evidence a perpetrator leaves at the scene of a crime. Yet, like its physical counterpart, electronic crime leaves a form of DNA. This forensic fingerprint can be used to piece together the common factors associated with specific criminal organizations. Think modus operandi. In this case, the August attack carried distinctive markers linking it to the Lazarus Group. Yes, the same Lazarus group that has taken on the South Korean government, Sony Pictures and a significant collection of Asian banks.

We published the timeline on our blog and have subsequently briefed the FBI, U.S. District Attorney and the SEC to assist with ongoing investigations. Agencies of the U.S. government are concerned, so you should be, too.

Asset Management Funds and Law Firms: Small Companies with Big Company Problems

The client at the center of our Lazarus investigation is a New York-based asset management firm. The attackers didn’t target a mega-corporation, national retailer or restaurant chain. They didn’t target a prime broker or big investment bank. Instead, they focused on a mid-market company, which coincidentally has the same profile as a law firm. By profile, I mean that the firm holds high-value assets, has a low tolerance for reputational risk and doesn’t operate an IT department the size of a national corporation’s or bank’s. Another way to put it: the targeted asset management firm, like many law firms, is a small company with big company problems.

So how does a small firm tackle security challenges like a large firm? The first thing I tell clients is to recognize themselves as a target. You are a lucrative and soft target, both for smash-and-grab criminals looking for a quick profit through compromised wire transfer accounts or fraudulent invoices, and for more sophisticated criminal organizations like Lazarus.

The second thing I advise is to join the Legal Services Information Sharing & Analysis Organization (LS-ISAO). Sharing threat intelligence is one of the best defenses against cyber threats and attacks. LS-ISAO offers real-time alerts and advisories on new vulnerabilities, exploits and active attacks. With the LS-ISAO, when threats like those executed by the Lazarus Group happen, you’ll know about it. This actionable information is a critical element in your cyber defense posture, and should feed into your ongoing security awareness training.

And last, I tell clients to be vigilant. Start with a zero-trust model: assume the bad guys are already inside your network, and monitor traffic for indicators of compromise. When we think about the rash of bank hacks, third-party risk cannot be overlooked. It’s easy to assume that vendors value cybersecurity just as you do, but that’s not always the case. Recognizing this, policy makers have placed heightened focus on third-party risk and cascading compliance requirements. Several of the banks hit in the string of Lazarus hacks suffered losses after the endpoints running their interbank transaction software were compromised (in this case the SWIFT messaging environment that financial institutions use to exchange payment instructions).
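The "assume they are inside, watch the traffic" advice above, and the earlier account of blocking a transaction and then pushing one rule across every client, come down to the same mechanics: match what your network logs show against a shared indicator list, pay special attention to internal hosts reaching out to known-bad destinations, and turn each hit into a rule your sensors can enforce. The following is an added example (not code from the original article or from eSentire) that does exactly that over constructed firewall log lines. Every indicator, address, hostname and log line is made up for illustration (RFC 5737 TEST-NET addresses and .invalid domains); the log format and the "type,value,description" feed layout are assumptions, and the generated rules use Snort 2 syntax.

```python
"""Added example (not from the original article): match firewall log lines against
a threat-intelligence indicator list, flag hosts inside the wire that are talking
to known-bad destinations, and turn each IP hit into a Snort-style rule that can be
pushed to every sensor. All indicators, hosts and log lines are constructed for
illustration (RFC 5737 TEST-NET addresses, .invalid domains); none are real IOCs."""
import ipaddress
from dataclasses import dataclass

# Constructed indicator feed, in the one-indicator-per-line shape an ISAO advisory
# might be distributed in (assumed layout): type,value,description
IOC_FEED = """\
ip,203.0.113.45,suspected C2 server (constructed example)
domain,update-check.example.invalid,staging domain (constructed example)
"""

# RFC 1918 space counts as "inside the wire"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log lines in an assumed "timestamp key=value ..." format.
SAMPLE_LOGS = """\
2016-08-03T14:02:11Z action=allow src=10.20.30.41 dst=203.0.113.45 dport=443 proto=tcp host=-
2016-08-03T14:02:12Z action=allow src=10.20.30.41 dst=198.51.100.7 dport=443 proto=tcp host=update-check.example.invalid
2016-08-03T14:02:14Z action=allow src=10.20.30.77 dst=198.51.100.200 dport=80 proto=tcp host=www.example.com
2016-08-03T14:03:00Z action=allow src=203.0.113.45 dst=10.20.30.41 dport=22 proto=tcp host=-
"""


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    direction: str    # "outbound" = internal host reaching out: the inside-the-wire case
    indicator: str
    description: str


def load_iocs(feed: str) -> dict:
    """Parse the feed into {"ip": {value: desc}, "domain": {value: desc}}."""
    iocs = {"ip": {}, "domain": {}}
    for line in feed.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, desc = (part.strip() for part in line.split(",", 2))
        iocs[kind][value.lower()] = desc
    return iocs


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Classify a flow relative to the internal address space."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return "lateral"
    if src_in:
        return "outbound"
    return "inbound" if dst_in else "external"


def scan(log_text: str, feed: str = IOC_FEED) -> list:
    """Return one Alert per (log line, matching indicator) pair."""
    iocs = load_iocs(feed)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        # Either endpoint on the IP list, or the requested hostname on the domain list.
        hits = [(f[k], iocs["ip"][f[k]]) for k in ("src", "dst") if f[k] in iocs["ip"]]
        host = f.get("host", "-").lower()
        if host in iocs["domain"]:
            hits.append((host, iocs["domain"][host]))
        for indicator, desc in hits:
            alerts.append(Alert(f["ts"], f["src"], f["dst"],
                                direction(f["src"], f["dst"]), indicator, desc))
    return alerts


def block_rules(alerts: list, base_sid: int = 1000000) -> list:
    """One Snort 2-style bidirectional rule per distinct IP indicator in the alerts.
    Local rules conventionally use sid >= 1000000. Domain indicators are left to
    the DNS or proxy blocklist rather than being turned into packet rules here."""
    rules, seen = [], []
    for a in alerts:
        try:
            ipaddress.ip_address(a.indicator)
        except ValueError:
            continue                      # domain indicator, not an IP
        if a.indicator in seen:
            continue
        seen.append(a.indicator)
        rules.append(f'alert ip $HOME_NET any <> {a.indicator} any '
                     f'(msg:"TI match: {a.description}"; sid:{base_sid + len(seen) - 1}; rev:1;)')
    return rules


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for a in found:
        print(f"{a.ts} {a.direction:8} {a.src} -> {a.dst}  matched {a.indicator}: {a.description}")
    for r in block_rules(found):
        print(r)
```

Run against the constructed logs, the scan raises three alerts: two outbound flows from the same internal host (one to the listed IP, one to the listed domain) and one inbound connection from the listed IP, while the ordinary web request on the third line passes untouched. The two outbound alerts are the ones the article's advice is about: the host is already inside the wire, and only the destination gives it away. The single resulting rule is what you would push to every sensor, and the feed format is deliberately the kind of flat list an information-sharing group can circulate.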


In an interconnected, cyber world, we need to abandon the false security of believing we live in a safe neighborhood. Major organized hacks occur on home soil as frequently as they occur on the other side of the world. You may live in an affluent, gated community, but the bad guys can still lure you into a dark alley of their choosing. We all know that cyber threats aren’t going away. Cybercriminals will continue to seek out gateways into your firm’s network. With ever-increasing risk, industry borders are irrelevant. Law firms must pay attention to threats impacting all industries, because while cyberattackers may target the bank down the street this week, they could, and likely will, target your firm tomorrow.

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.