What We Do
How we do it
Resources
SECURITY ADVISORIES
May 11, 2022
CVE-2022-26923 - Active Directory Domain Services Elevation of Privilege Vulnerability
THE THREAT Microsoft has disclosed a new vulnerability impacting Active Directory Certificate Services (ADCS) tracked as CVE-2022-26923 (Active Directory Domain Services Elevation of Privilege Vulnerability). If exploited successfully, an authenticated attacker can escalate privileges in environments where ADCS is running on the domain. eSentire is aware of technical details and tooling [2] for…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1200+ organizations in 75+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
May 17, 2022
Cybersecurity Leader eSentire Continues Its Commitment to Rigorous Security Standards Earning PCI DSS Certification
Waterloo, ON, May 17, 2022 — eSentire, the Authority in Managed Detection and Response (MDR), maintains one of the most secure and robust IT environments of any MDR provider in the industry. To that end, eSentire today announced that it has received the Payment Card Industry Data Security Standard (PCI DSS) certification, considered one of the most stringent and comprehensive payment card…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Aug 26, 2019

Understanding the Attack Life Cycle

Speak With A Security Expert Now

Understanding the life cycle of an attack is a key component to being able to prevent, detect and respond. Depending on how attackers target an organization there are specific compensating controls and visibility that can be put in place. Verizon’s’ 2019 Data Breach Investigations Report does a good job of explaining this concept:

“In our world, you’ve put defenses and mitigations in place to deter, detect, and defend. And just like on the golf course, the attackers reach into their bag, pull out their iron, in the form of a threat action, and do everything they can to land on the attribute they want in the soft grass of the fairway.” – Page 20, 2019 Data Breach Investigations Report

The above statement relates to how companies practice defense in depth strategies. Even with all of the security investments that organizations put in place hackers have the ability pick a path that isn’t going to trigger any indicators. What is key for managed detection and response providers (MDR) in the security space is that they have the have the ability to collect data from any component of an attack life cycle. Examples of this can include network telemetry, endpoint telemetry, and log data. Being able to piece together what happened when an attacker breached the network, to being able to disrupt the initial access they have from multiple enforcement points is a key differentiator for an MDR provider.

Verizon’s Data Breach Investigations Report also explores (Figure 29 below) how detecting attack paths that are short is much more difficult than detecting longer attack paths. From eSentire’s perspective this makes a lot of sense. The hardest part for an attacker is the initial compromise. Once past the perimeter defenses of an organization it is really about completing the objective without triggering any additional alarms. The least number of steps within a compromise makes it more difficult for a security product or service to detect the threat actors.

Fig29

Figures 31-33 from the same Verizon report also provides insight into the steps hackers take when an incident occurs. When looking at the results for the beginning (left image), middle (middle image) and end of an attack path (right image) it is important to note that the first step doesn’t generally originate with malware. This is common with what eSentire sees across its client base as well. Getting initial code execution within a target environment most commonly involves some sort of exploitation or social engineering. Once the initial code execution has occurred malware is generally used to gain persistence and a reliable connection into an environment. Malware is a reliable way for threat actors to keep access, load additional tools/capabilities and allows for pivoting to other machines from the compromise. In the later part of the attack stage pivoting to other machines often related to additional hacking techniques and deploying additional malware.

fig31 33

Defense strategies around being able to prevent, detect and respond to these types of events in the threat landscape is important. Utilizing known standards and industry supported techniques for covering these gaps within an organization is necessary to have any remote chance of detecting these various stages of an attack. An excerpt from the Center for Internet Security from the VDBIR report:

“Leveraging an attack path model is not only an important step towards formalizing our understanding of attacks, but also a means to understanding our defense.” – Page 23, 2019 Data Breach Investigations Report

MITRE ATT&CK is a great framework to leverage for creating coverage for attacks that have been seen in the wild. The tactics and techniques can be associated with specific attack paths for adversaries seen in previous incidents but at a higher level can be used to share commonalities and detection criteria. The key is to understand the different entry points in an attack and creating the capabilities to have visibility, prevention, detection and response actions tied to identifying a specific attack path.

Verizon’s Data Breach Investigations Report is a great yearly resource for companies to read and digest for trends of attacks. It should be used as an additional input (alongside resources like eSentire’s own Threat Intelligence Reports) into what an organization should focus on from a security strategy perspective.

View Most Recent Blogs
Kurtis Armour
Kurtis Armour Senior Security Strategist
Kurtis is a Senior Security Strategist at eSentire, where he focuses on securing client networks, vulnerability research and exploit development. In addition to ongoing research efforts, Kurtis regularly speaks at industry conferences.