For the Mr. Cooper Group, materiality may have reached its “Taylor Swift” moment
On October 31, 2023, Mr. Cooper Group (NASDAQ:COOP), a mortgage and financial services company, experienced a cybersecurity incident severe enough to necessitate a lockdown of its systems. To comply with the SEC’s recently adopted cybersecurity disclosure rules, Mr. Cooper Group filed a Form 8-K stating that an unauthorized third party had gained access to its technology systems.
The new SEC rules require publicly traded companies to disclose a cybersecurity incident within four business days of determining that it is material, describing the material aspects of the incident’s nature, scope and timing, as well as its material impact, or reasonably likely material impact, on the company. The rules also require companies to describe, in their annual reports, their processes for assessing, identifying and managing material risks from cybersecurity threats, and whether any such risks, including those arising from previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company.
In compliance with the rule, Mr. Cooper Group reported that they initiated response protocols following the detection of the incident. The mortgage company, however, did not indicate when the unauthorized third party originally gained access to its systems. Mr. Cooper Group also reported that the containment protocol was launched as a precautionary measure to protect the sensitive data of the organization and its clients. This protocol included a complete shutdown of the company’s systems.
Mr. Cooper Group then launched a formal investigation and notified law enforcement. While the investigation was ongoing, the mortgage company stated that, based on the information available, it did not believe the incident would have a material adverse effect on its business, operations or financial results, in effect deeming it non-material.
In the meantime, dozens of people have been posting on social media — including Reddit, TikTok and X (formerly Twitter) — that they’re unable to access the information in their mortgage account, their transactions haven’t been posted, and so on. Some people are hoping that this is a Mr. Robot/Elliot Alderson event and that their mortgages have been dissolved by “friendly” hackers.
All of this raises the question: given that people appear to have been adversely affected, how can the company claim that there is no materially adverse effect? How can this happen?
Let’s start from the beginning. Given the nature of the attack (a lockdown of core systems), the most likely explanation is ransomware. However, the tactics used to gain access to Mr. Cooper Group’s environment and deploy the ransomware were most likely far more sophisticated than the methods employed by opportunistic actors in the past.
Any ransomware deployment requires a remote attacker to first gain access to an internal machine, typically through malicious code delivered as an email attachment or a website download. Ransomware circa 2017 would typically compromise a single machine. Using that machine as a toehold, the attacker immediately initiated the encryption process and demanded the equivalent of roughly $500 in Bitcoin (BTC) for the key to unlock it.
Today’s ransomware operators use tactics once associated with Advanced Persistent Threats (APTs). Once a single machine has been compromised, the attacker uses that toehold to move laterally, staging the same malicious payload on every system they can reach, which may span multiple offices and geographies, before any encryption takes place.
The attacker then waits for an especially critical time, when IT staff are unlikely to detect the attack quickly, to trigger the encryption. Usually this is a weekend or, even better, a long holiday weekend.
But October 31, 2023, wasn’t a weekend, it was a Tuesday!
Since Mr. Cooper Group is a mortgage servicer and mortgage payments are typically made on the first day of the month, October 31 and November 1 are particularly critical dates.
The ransomware hypothesis is supported by the fact that many of Mr. Cooper Group’s essential systems were locked down (ostensibly by design) on a date of particular significance to the business. The breadth of this incident points to the criticality of 24/7 security monitoring, incident handling and incident response to identify and contain targeted attacks.
The definition of materiality is somewhat nebulous; no single variable adequately defines it. In the context of a cybersecurity incident, the term is used to assess the impact of the incident on many parties: the affected organization and its stakeholders, but also customers, shareholders and regulatory bodies.
When an affected organization states that an attack does not attain materiality, it means that the organization believes the attack does not impart a significant or substantial impact on the organization, its stakeholders, customers, or investors.
There are several reasons why a specific cybersecurity incident may not attain materiality. Note that this list is not exhaustive:
If the cybersecurity incident did not result in the unauthorized access or exposure of sensitive or financial information, it is less likely to be deemed material. Whether, and how much, data was accessed or exfiltrated has not yet been disclosed.
If the incident did not significantly disrupt the organization’s operations or services, it may not be considered material. Media report that some of Mr. Cooper Group’s services have been restored, a fact confirmed by various parties on Reddit, which suggests that the disruption is limited.
A prompt and effective response to the incident, such as containment measures which include a deliberate precautionary system shutdown (aka “going dark”), can significantly mitigate potential harm and contribute to the determination of non-materiality.
If the incident did not result in significant financial losses, liabilities or legal repercussions for the organization, it may not be deemed material. A threshold of 0.5% of revenue is often used as a rule of thumb for financial impact. Given that Mr. Cooper Group’s annual revenue exceeds $2 billion, the financial impact would have to exceed roughly $10 million to reach that threshold, an outcome that appears unlikely at this point in time.
If the cybersecurity incident did not violate any relevant data protection regulations or industry standards, it may not be considered material. In the coming days, analyses will be performed to confirm Mr. Cooper Group’s compliance with applicable data protection laws and regulations, including state and federal statutes.
If the incident did not lead to widespread harm or loss for customers (including financial losses, identity theft or other events that could damage their credit score), the event may not reach the level of materiality. Though certain functions of the website were, and at the time of writing remain, inaccessible, Mr. Cooper Group has insisted that customers will suffer no financial impact.
To reassure customers, the mortgage company stated explicitly:
“Rest assured, you will not incur any fees, penalties or negative credit reporting related to late payments as we work to fix this issue.”
The ability to continue some level of service to customers (though perhaps degraded) can mitigate the impact and support the claim that this incident does not meet the criteria for materiality.
So, what does this have to do with Taylor Swift? As Ms. Swift put it, “players gonna play” and “haters gonna hate,” but her response is to “shake it off.”
Given the approach Mr. Cooper Group has taken to address customer concerns and minimize actual damage done, they are attempting to dodge materiality claims and “Shake It Off.”
Well, not quite. For most publicly traded companies, cyber risk still needs to be considered from the perspective of materiality. Failure to comply with material disclosure rules can bear significant implications that are very real, potentially affecting investor confidence and business operations.
While it might be amusing to be this glib, anyone who has dealt with an ongoing incident understands its gravity. An effective cyber risk management program is critical not only for compliance with the SEC cybersecurity rules but, more importantly, for improving your ability to anticipate, withstand and recover from sophisticated cyberattacks.
Perhaps Mr. Cooper Group can indeed dismiss the critics by adhering to proper incident handling procedures and protocols.
As for their ability to “shake off” the attackers – that, indeed, would deserve a standing ovation.
Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.