What We Do
How we do it
Resources
SECURITY ADVISORIES
Jul 26, 2021
PetitPotam NTLM Relay Attack
THE THREAT PetitPotam is a variant of NTLM Relay attacks discovered by security researcher Gilles Lionel. Proof of Concept code released last week [1] relies on the Encrypting File System Remote (EFSRPC) protocol to provoke a Windows host into performing an NTLM authentication request against an attacker-controlled server, exposing NTLM authentication details or authentication certificates.…
Read More
View all Advisories →
Company
ABOUT eSENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Jul 12, 2021
Tecala and eSentire Partner to Protect Enterprises across APAC from Business-Disrupting Cyber Attacks
Sydney, 12 July, 2021 - Tecala, Australia’s award-winning technology services and IT consulting provider, today announced it has chosen eSentire, the global Authority in Managed Detection and Response (MDR) cybersecurity services, as their exclusive MDR solution provider in Australia and New Zealand. This partnership will enable Tecala to augment its cybersecurity practice and offer enterprises…
Read More
Partners
PARTNER PROGRAM
Partners
Our award-winning partner program offers financial rewards, sales and marketing tools and personalized training. Accelerate your business and grow your revenue by offering our world-class Managed Detection and Response (MDR) services.
Learn about our Partner Program
Resources
Blog — Mar 04, 2015

Would active threat protection from eSentire have prevented the Sony hack?

3 min read

In the weeks that have passed since the well-publicized Sony breach I have been asked the same question dozens of times, ‘could eSentire’s services have prevented this breach?’ I should say eSentire does not have all the details about this particular breach and we are relying on recent comments issued by FBI Director James Comey and Sony’s own CEO to give us insight to make a determination. In short, the answer is that there is a high probability that the type of threat Sony experienced would have been detected and contained had continuous monitoring like that provided by eSentire, been employed.

Regardless of how the threat actors (or hackers), gained initial network entry access, the resulting breach actually would’ve taken several weeks to achieve, not days. The combination of state-of-the-art detection technologies and human monitoring – the core premise of Active Threat Protection – would have immediately flagged inconsistencies associated with the attack.

When a breach of this level occurs there are several red flags that arise before the damage is done. The key to preventing a serious breach is to identify the significance of those red flags and actively mitigate the harm. Here are some examples of the inconsistencies that should have set off alarm bells:

1. Numerous external connections using non-company proxy servers (eSentire Solution: Network Interceptor™ to identify the connection attempts and Asset Manager Protect and Country Killer to recognize blacklisted IP addresses).

2. Lateral movement within the network originated from different hosts (eSentire Solution: Network Interceptor™ and Host Interceptor).

3. For exploit deployment, numerous payload drops would have to occur (eSentire Solution: Active Forensics, Network Interceptor™ and Executioner).

4. Changes in logging, as privileges were escalated to gather the necessary data to extract (eSentire Solution: Log Sentry™).

5. Finally, Active Threat Protection would have caught and alerted a threat analysis as a result of the 100 TB data exfiltration, as described by Sony’s CEO (eSentire Solution: Active Forensics and Network Interceptor™).

In the world of Active Threat Protection, we act on each of these signals immediately. The elements of this attack are what we detect and block everyday. Intricate attacks such as these are becoming commonplace – so much so that leading analyst firm Gartner Research published a best practices framework (in 2014) to help organizations defend against and mitigate against these kinds of targeted attacks.

As we have seen with the case of Sony, the clean up work involved after a breach has occurred is far more complex and expensive than the preventative measures available to stop and prevent this level of damage.

Without forensic-level network traffic at your disposal, the job of tracking down the culprits and retrieving data is immeasurably more difficult – approaching impossible. In hindsight it is easy to say, “I should have used a working fire alarm,” after you’ve experienced a house fire. In the same way, we don’t want a business to find out too late that they could have had protection measures in place to protect their high value assets.

When we revisit the question of whether Active Threat Protection would help to prevent a breach like Sony’s, the answer is that every indicator points to yes.

J. Paul Haynes
J. Paul Haynes President & Chief Operating Officer

J.Paul Haynes is a professional engineer with a 25-year entrepreneurial track record of success. J.Paul has led eSentire to 10x its size since he joined the company in late 2010.