What We Do
How we do it
Nov 22, 2021
Microsoft Exchange Vulnerability - CVE-2021-42321
THE THREAT eSentire has identified publicly available Proof-of-Concept (PoC) exploit code, for the critical Microsoft Exchange vulnerability CVE-2021-42321. CVE-2021-42321 was announced as part of Microsoft’s November Patch Tuesday release. Exploitation would allow a remote threat actor, with previous authentication, to execute code on vulnerable servers. Prior to the patch release, Microsoft…
Read More
View all Advisories →
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Oct 28, 2021
Telarus and eSentire Expand Partnership to Safeguard Enterprises Globally Against Business Disrupting Ransomware and Zero-Day Attacks
London, UK and Sydney, Australia– Oct. 28, 2021 - eSentire, recognized globally as the Authority in Managed Detection and Response (MDR), today announces the expansion of its partnership with Telarus, the largest privately-held distributor of business cloud infrastructure and contact centre services. Building on their mutual success across North America, Telarus will bring eSentire’s Managed…
Read More
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Apply today to partner with the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Aug 26, 2019

Understanding the Attack Life Cycle

Speak With A Security Expert Now

Understanding the life cycle of an attack is a key component to being able to prevent, detect and respond. Depending on how attackers target an organization there are specific compensating controls and visibility that can be put in place. Verizon’s’ 2019 Data Breach Investigations Report does a good job of explaining this concept:

“In our world, you’ve put defenses and mitigations in place to deter, detect, and defend. And just like on the golf course, the attackers reach into their bag, pull out their iron, in the form of a threat action, and do everything they can to land on the attribute they want in the soft grass of the fairway.” – Page 20, 2019 Data Breach Investigations Report

The above statement relates to how companies practice defense in depth strategies. Even with all of the security investments that organizations put in place hackers have the ability pick a path that isn’t going to trigger any indicators. What is key for managed detection and response providers (MDR) in the security space is that they have the have the ability to collect data from any component of an attack life cycle. Examples of this can include network telemetry, endpoint telemetry, and log data. Being able to piece together what happened when an attacker breached the network, to being able to disrupt the initial access they have from multiple enforcement points is a key differentiator for an MDR provider.

Verizon’s Data Breach Investigations Report also explores (Figure 29 below) how detecting attack paths that are short is much more difficult than detecting longer attack paths. From eSentire’s perspective this makes a lot of sense. The hardest part for an attacker is the initial compromise. Once past the perimeter defenses of an organization it is really about completing the objective without triggering any additional alarms. The least number of steps within a compromise makes it more difficult for a security product or service to detect the threat actors.


Figures 31-33 from the same Verizon report also provides insight into the steps hackers take when an incident occurs. When looking at the results for the beginning (left image), middle (middle image) and end of an attack path (right image) it is important to note that the first step doesn’t generally originate with malware. This is common with what eSentire sees across its client base as well. Getting initial code execution within a target environment most commonly involves some sort of exploitation or social engineering. Once the initial code execution has occurred malware is generally used to gain persistence and a reliable connection into an environment. Malware is a reliable way for threat actors to keep access, load additional tools/capabilities and allows for pivoting to other machines from the compromise. In the later part of the attack stage pivoting to other machines often related to additional hacking techniques and deploying additional malware.

fig31 33

Defense strategies around being able to prevent, detect and respond to these types of events in the threat landscape is important. Utilizing known standards and industry supported techniques for covering these gaps within an organization is necessary to have any remote chance of detecting these various stages of an attack. An excerpt from the Center for Internet Security from the VDBIR report:

“Leveraging an attack path model is not only an important step towards formalizing our understanding of attacks, but also a means to understanding our defense.” – Page 23, 2019 Data Breach Investigations Report

MITRE ATT&CK is a great framework to leverage for creating coverage for attacks that have been seen in the wild. The tactics and techniques can be associated with specific attack paths for adversaries seen in previous incidents but at a higher level can be used to share commonalities and detection criteria. The key is to understand the different entry points in an attack and creating the capabilities to have visibility, prevention, detection and response actions tied to identifying a specific attack path.

Verizon’s Data Breach Investigations Report is a great yearly resource for companies to read and digest for trends of attacks. It should be used as an additional input (alongside resources like eSentire’s own Threat Intelligence Reports) into what an organization should focus on from a security strategy perspective.

View Most Recent Blogs
Kurtis Armour
Kurtis Armour Senior Security Strategist

Kurtis is a Senior Security Strategist at eSentire, where he focuses on securing client networks, vulnerability research and exploit development. In addition to ongoing research efforts, Kurtis regularly speaks at industry conferences.