Blog — Dec 28, 2020

The SolarWinds supply chain compromise: We focused on customers first, and this is what we have learned so far

11 min read

Even in a year as eventful as 2020, the SolarWinds supply chain breach is making headlines around the world because of the organizations that were compromised and the number of organizations put at risk as customers of SolarWinds using its popular Orion® IT monitoring and management software. The incident was discovered and revealed by the cybersecurity firm FireEye while it was investigating how its own Red Team tools had been stolen. The saga continues to unfold as additional information comes to light. But even as the story evolved and other companies rushed to comment, eSentire quietly went about what we always do: ensuring that our customers are prepared and protected.

In fact, within just a few hours of FireEye’s initial announcement on December 8th, we had already rolled out new esNETWORK detection rules and we were running esENDPOINT and esLOG queries against the CVEs targeted by FireEye’s stolen Red Team tools.

In this post we want to quickly run through:

Operationalizing threat intelligence is an everyday reality

Safeguarding our customers means keeping up with an endless stream of threat intelligence and turning that information into tangible assets and meaningful actions.

Sometimes that intel comes from threat feeds, sometimes it comes from advisories, and often it is gathered and processed automatically by our sensors and observed directly by one of our security analysts. You get the idea.

All day, every day, cybersecurity providers must grapple with new attack tools, new proof-of-concept (POC) exploits, new indicators of compromise (IOCs), and so on, and only a tiny fraction of these ever make the news.

Keeping up with this stream of information is a challenge—in fact, it is one of the biggest challenges all organizations and security service providers face—and doing so requires a synthesis of people and technology within a framework of operationalized processes. We have been doing Managed Detection and Response (MDR) for 20 years, and in that time we have invested heavily in creating the necessary platform.

We were able to take such quick action because responding to events like this is what we do, all day, every day. Our Atlas Extended Detection and Response (XDR) Cloud platform, working in concert with security experts in our 24x7 Security Operations Centers (SOC) and with members of our elite Threat Response Unit (TRU) security research team, detects and responds to threats from the most mundane to the most lethal. And we have two decades of muscle memory upon which to draw.

Detecting and containing threats requires keeping up with an endless stream of operational threat intelligence and turning it into meaningful action: in this case, FireEye’s initial announcement was reflected in esNETWORK, esENDPOINT, esLOG, and eSentire’s Managed Vulnerability Service (MVS) within only a few hours.

A quick recap: how we responded to the FireEye and SolarWinds news

By this point, responding quickly and effectively to an event like the FireEye breach or the SolarWinds Orion Trojan is reflexive.

And unfortunately, it is also all-too-common: for instance, it was only a few months ago that the Zerologon vulnerability took center stage. Notably, the behavioral detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools; this is a subtle-but-important difference that speaks to our ability to consume information, augment it with our own research and leverage our understanding to make a real difference in the security posture of our customers.

esNETWORK detection launched within four hours of FireEye breach notification

Why operationalize threat intelligence? Within four hours of FireEye revealing on December 8th that their Red Team tools had been stolen, eSentire’s customers were running new detection rules in esNETWORK.

In parallel:

We also scheduled a webinar for December 17th (which is available on-demand) in which we reviewed the situation with customers and allowed them to pose questions to several of our cybersecurity experts, including members of our elite Threat Response Unit (TRU) team. All this information was communicated in a Threat Intelligence Advisory on December 9th, along with recommended actions and links to additional information.

Behind the scenes, we were coordinating with our own partners, including CrowdStrike, Microsoft, Sumo Logic, Tenable, and VMware Carbon Black.

Keeping customers informed

On December 11th, we issued a second Threat Intelligence Advisory as we continued to monitor the situation. By this point, we had observed numerous routine penetration testing instances using FireEye’s Red Team tools (all of which alerted appropriately), but no malicious activity was detected, and MVS covered all 16 of the FireEye CVEs.

The story evolves into a supply chain attack

On December 13th, FireEye disclosed a widespread global intrusion campaign that exploited vulnerabilities within the SolarWinds® Orion® Platform. Essentially, the threat actors created a Trojan that masqueraded as an Orion software update and took advanced measures to evade detection.

We added new detection and protection content for this specific threat based on information and countermeasures disclosed by SolarWinds, the Cybersecurity & Infrastructure Security Agency (CISA) and FireEye, and we updated our customers in a third Threat Intelligence Advisory which also included a new list of actions pertaining to managing the SolarWinds risk.

Information sharing and live Q&A with customers

Threat intelligence is also about keeping customers informed. On December 17th, we hosted our webinar, which of course was now about both the FireEye breach and the SolarWinds exploitation. More than 200 customer attendees tuned in to hear a presentation by five of our threat intelligence security experts and ask important questions.

What we have observed so far

To this point, based both on active scans and retroactive examination of IOCs dating back many months (FireEye suggested that the attack might have begun as early as Spring 2020):

Looking ahead: the broader risk

The SolarWinds breach is significant and is deserving of the attention it has received. Part of the reason it has received so much attention is because of the nature and identity of the organizations that were compromised including government agencies and cybersecurity companies.

However, it must be duly noted that:

And herein lies the broader risk of not operationalizing threat intelligence: now that the main damage has been done (i.e., surreptitious access to sensitive information for many months) and the cat is out of the bag (i.e., the exploits and IOCs are known), there is a very real chance that access to many of those 18,000+ organizations—perhaps hundreds or even thousands—will be listed and sold on the dark markets that serve as the hub of the cybercrime economy.

As we explored in our recent Threat Intelligence Spotlight, Defending Against Modern Ransomware: Lessons from the SunWalker Incident, a well-structured and highly specialized cybercrime ecosystem has emerged in which Initial Access Brokers sell computer access to organizations.

In doing so, they have lowered the barrier to entry for others in the value chain, as no exploitation skills are required to gain access even to high-value targets (just think of the organizations named so far in the SolarWinds revelations). The average price to purchase such access runs between $1,000 and $10,000 USD, but access to high-value organizations can sell for upwards of $500,000. The buyer—often a ransomware gang—is then free to do whatever they want, unless and until they are detected.

The importance of multi-signal detection

Faced with such threats, multi-signal detection is an absolute requirement for operationalizing threat intelligence. Just to drive home this point, here are a few other facts from the FireEye situation:

And, as noted earlier, the specifics of these incidents are unique, but their general nature is familiar. Many security professionals will recall the Citrix NetScaler vulnerability from December 2019, which also required network-based signals for detection.

Detecting the FireEye IOCs and performing retroactive analysis employs signals across endpoints, logs, and network traffic.

In summary: protect what you can, detect what you cannot protect

eSentire is the leader in Managed Detection and Response (MDR). In fact, this type of incident is why we invented MDR.

We have been here before—that’s part of what you get when you become an eSentire customer: a security partner who responds quickly and effectively and communicates often.

We see an evolving story like the FireEye and SolarWinds saga as a powerful validation of MDR.

But in a way, we also see it as a bit of a distraction. This is one of those 1 in 10,000 events that really makes everyone sit up and take notice, but it is important not to overlook the 9,999 that are quietly out there—that is the reality we deal with on behalf of our customers.

We know from experience that there is a good chance that access to compromised networks will turn up for sale in cybercrime markets; we know from experience that adversaries continually tweak their tools, techniques and procedures (TTPs).

That is why we never let down our guard and why we continually—24x7—operationalize threat intelligence and put it into action.

That is also why it is so important that organizations protect what they can—but some things cannot be sufficiently protected (whether because of zero-day attacks, resource limitations or simply the practical trade-off of security versus convenience). That is where detection and rapid time to containment become so critical, and where eSentire’s TRU team shines.

If you are not an eSentire customer, then we invite you to read about the SunWalker incident and ask yourself how you would have detected and responded to that attack—it is a worthwhile exercise that may prevent future disaster.

We encourage everyone to take this developing story as a reminder about:

eSentire Threat Intel, Threat Intelligence Research Group