Blog — Nov 07, 2016

The enemy is inside the wire

Reprinted from the August 2016 issue of Cybersecurity Law & Strategy with permission.

By now you’ve likely read the headlines about the recent attacks on various Asian banks, resulting in cyber losses reported in the tens of billions. And if you’re really paying attention, you probably know these attacks have been linked to the Lazarus cybercrime organization, which has suspected ties to the North Korean government. Earlier this year, the Lazarus Group was also identified as the likely culprit behind the brazen attacks on Sony back in 2014. In all likelihood, you read the headlines, and then you moved on to read the latest sports scores. Why? Because it doesn’t relate to you. Or does it?

I often use this analogy when speaking with law firms about cyber risks: If I told you that thieves broke into a major bank in your town and stole cash, you wouldn’t care. If I told you that the same thieves broke into your neighbor’s house, you’d rush out and sign up for an alarm service and buy an intimidating watch dog. The point is, we only pay attention to that which we think relates to us.

And that’s the general problem with a security industry obsessed with big retail and entertainment brands splashed across headlines, and a paparazzi-like zeal for mega data breaches and the resulting class action suits. Much like my analogy, most mid-market firms ignore the lessons learned from the big game bagged by cybercriminals. Smaller firms write off the cyber risk as hyperbole or misguided panic. Smaller firms don’t think they have anything worth stealing. The criminal actors use this blind spot as a way to freely move throughout the networks of modest investment funds and law firms. They use low tech to infiltrate their victims to steal information they can resell or use to front-run trades on the open stock markets. It’s a simple business model and it works: less hardened targets take less time and effort to attack, and often yield the same revenue as can be gained from larger victims.

So, let’s return to my analogy. What if the same criminal organization that robbed that major factory in your town also broke into your neighbor’s house? They did. Lazarus, that bank-swindling, Sony-humiliating firm, has attacked a mid-market U.S. financial company. Paying attention now?

The Enemy Is Inside the Wire

In August 2015, our Security Operations Center (SOC) detected suspicious activity originating from within a client’s network. We blocked the network transactions and alerted our client to the action, and then applied a rule across our entire security base to protect all clients from further attacks. We then submitted our rule through public forums to the broader security community.

Months later, the spate of Asian bank hacks provided evidence implicating Lazarus as the perpetrator. Television programs leave us with an inflated sense of certainty when it comes to forensic evidence left by the perpetrator at the scene of a crime. Yet, like its physical corollary, electronic crime leaves a form of DNA. This forensic fingerprint can be used to piece together common factors associated with specific criminal organizations. Think modus operandi. In this case, the August attack carried distinctive markers linking the attack to the Lazarus Group. Yes, the same Lazarus Group that has taken on the South Korean government, Sony Pictures and a significant collection of Asian banks.

We published the timeline on our blog and have subsequently briefed the FBI, U.S. District Attorney and the SEC to assist with ongoing investigations. Agencies of the U.S. government are concerned, so you should be, too.

Asset Management Funds and Law Firms: Small Companies with Big Company Problems

The client at the center of our Lazarus-based investigation is a New York-based asset management firm. The attackers didn’t target a mega-corporation, national retailer or restaurant chain. They didn’t target a prime broker or big investment bank. Instead, they focused on a mid-market company, which coincidentally offers the same profile as a law firm. And by profile, I mean that the firm holds high-value assets, has a low tolerance for reputational risk and doesn’t operate an IT department the size of a national corporation or bank. Another way to summarize is to say that the targeted asset management firm, like many law firms, is a small company with big company problems.

So how does a small firm tackle the security challenges like a large firm? The first thing I tell clients is to recognize themselves as a target. You are a lucrative and soft target to smash-and-grab criminals looking for a quick profit through compromised wire transfer accounts or fraudulent invoices, or the more sophisticated criminal organizations like Lazarus.

The second thing I advise is to join the Legal Services Information Sharing & Analysis Organization (LS-ISAO). Sharing threat intelligence is one of the best defenses against cyber threats and attacks. LS-ISAO offers real-time alerts and advisories on new vulnerabilities, exploits and active attacks. With the LS-ISAO, when threats like those executed by the Lazarus Group happen, you’ll know about it. This actionable information is a critical element in your cyber defense posture, and should feed into your ongoing security awareness training.

And last, I tell clients to be vigilant. Start with a zero-trust model. Assume the bad guys are inside your network, and monitor traffic looking for indicators of compromise. When we think about the rash of mid-market bank hacks, third-party risk cannot be overlooked. It’s easy to assume that vendors would value cybersecurity just as you do; however, that’s not always the case. In fact, recognizing this, policy makers have placed heightened focus on third-party risk and cascading compliance requirements. Multiple banks affiliated with the string of Lazarus hacks suffered losses as a result of endpoint compromise related to their financial transaction vendor (namely SWIFT, which is a transaction vendor commonly used by financial institutions).


In an interconnected, cyber world, we need to abandon the false security based on the notion that we live in a safe neighborhood. Major organized hacks occur on native soil as frequently as they occur on the other side of the world. So, you can live in an affluent, gated community. Have no fear, the bad guys can trick you into a dark alley of their choosing. We all know that cyber threats aren’t going to go away. Cybercriminals will continue to seek out gateways into your firm’s network. With ever-increasing risk, industry borders are irrelevant. Law firms must pay attention to threats impacting all industries because while the cyberattackers may target the bank down the street this week, they could and likely will target your firm tomorrow.

Mark Sangster, Vice President and Industry Security Strategist

Mark is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that legal firms integrate cybersecurity into their day-to-day operations.