Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
For the Mr. Cooper Group, materiality may have reached its
“Taylor Swift” moment
On October 31, 2023, a mortgage and financial services company, Mr. Cooper Group (NASDAQ:COOP), experienced a cybersecurity incident severe enough to necessitate the lockdown of their systems. To comply with a recently adopted SEC rules on cybersecurity, Mr. Cooper Group filed an 8-K form, stating that an unauthorized third party gained access to Mr. Cooper Group’s technology systems.
The new SEC rules require publicly traded companies to disclose material cybersecurity incidents and to describe the material aspects of the incident's nature, scope, and timing, as well as its material impact within four business days of being deemed material. The new rule also requires affected companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects from cybersecurity threats and previous cybersecurity incidents.
In compliance with the rule, Mr. Cooper Group reported that they initiated response protocols following the detection of the incident. The mortgage company, however, did not indicate when the unauthorized third party originally gained access to its systems. Mr. Cooper Group also reported that the containment protocol was launched as a precautionary measure to protect the sensitive data of the organization and its clients. This protocol included a complete shutdown of the company’s systems.
Mr. Cooper Group then launched a formal investigation and notified law enforcement. While the investigations were ongoing, the mortgage company shared that based on the available information, they did not believe this incident would adversely affect its business, operations, or financial results, deeming it non-material.
In the meantime, dozens of people have been posting on social media — including Reddit, TikTok and X (formerly Twitter) — that they’re unable to access the information in their mortgage account, their transactions haven’t been posted, and so on. Some people are hoping that this is a Mr. Robot/Elliot Alderson event and that their mortgages have been dissolved by “friendly” hackers.
All of this begs the question - Given that people appear to have been adversely affected, how can the company claim that there is no materially adverse effect? How can this happen?
Let’s start from from the beginning...Due to the nature of the attack, the most likely attack vector is ransomware. However, ransomware deployed to gain access into Mr. Cooper Group’s environment most likely used sophisticated tactics which are a distant relative to the methodology employed by opportunistic actors in the past.
Any ransomware typically demands some remote attacker to gain access to an internal machine. This is typically through malicious code received via email attachment or website download. Ransomware deployed in 2017 would typically compromise one machine. Then, acting as a toehold into the environment, the attacker immediately initiated the encryption process and demanded the equivalent of $500 in Bitcoin (BTC) to obtain a key to unlock it.
Today’s ransomware uses tactics known best as APTs: Advanced Persistent Threats. Once a single machine has been compromised, the attacker gains a toehold into the environment, quickly spreading the same malicious content throughout every system they can reach. This could include multiple offices and geographies.
The attacker then waits for an especially critical time when it is unlikely that IT staff are likely to rapidly detect the attack. Usually this happens on a weekend or, even better, a long holiday weekend.
But October 31, 2023, wasn’t a weekend, it was a Tuesday!
Since Mr. Cooper Group is a mortgage servicer and mortgage payments are typically made on the first day of the month, October 31 and November 1 are particularly critical dates.
The hypothesis of ransomware causing the incident is supported by the fact that many of Mr. Cooper Group’s essential systems were locked down (ostensibly by design) on an auspicious date. The breadth of this incident points to the criticality of 24/7 security monitoring, incident handling and incident response to identify and contain targeted attacks.
The definition of materiality may be somewhat nebulous. There is no single variable that could adequately create a definition. In the context of a cybersecurity incident, the term itself is used to assess the impact of the incident on many parties: the affected organization and its stakeholders, but also customers, shareholders, and regulatory bodies.
When an affected organization states that an attack does not attain materiality, it means that the organization believes the attack does not impart a significant or substantial impact on the organization, its stakeholders, customers, or investors.
There are several reasons why a specific cybersecurity incident may not attain materiality. Note that this list is not exhaustive:
If the cybersecurity incident did not result in the unauthorized access or exposure of sensitive or financial information, it is less likely to be deemed material. The extent of data lost has not yet been disclosed.
If the incident did not significantly disrupt the organization’s operations or services, it may not be considered material. Media reports that some of Mr. Cooper Group’s services have been restored—a fact confirmed by various parties on Reddit — which suggests that the disruption is limited.
A prompt and effective response to the incident, such as containment measures which include a deliberate precautionary system shutdown (aka “going dark”), can significantly mitigate potential harm and contribute to the determination of non-materiality.
If the incident did not result in significant financial losses, liabilities, or legal repercussions for the organization, it may not be deemed material. Often, a threshold of 0.5% of revenue is used to assess financial impact. Given that Mr. Cooper Group’s annual revenue exceeds $2 billion, it would take a financial impact of over $100 million to reach that threshold — an unlikely event at this point in time.
If the cybersecurity incident did not violate any relevant data protection regulations or industry standards, it may be considered material. In the coming days, analyses will be performed to confirm Mr. Cooper’s compliance with appropriate data protection laws and regulations, including state and federal statutes.
If the incident did not lead to widespread harm or loss for customers (including financial losses, identity theft, or other events that could damage their credit score), the event may not reach the level of materiality. Though certain aspects of their website were — and continue to be — inaccessible, Mr. Cooper Group has insisted that there will be no financial impact.
To reassure customers, the mortgage company stated explicitly:
“Rest assured, you will not incur any fees, penalties or negative credit reporting related to late payments as we work to fix this issue.”
The ability to continue some level of service to customers (though perhaps degraded) can mitigate the impact and support the claim that this incident does not meet the criteria for materiality.
So, what does this have to do with Taylor Swift? Just as Ms. Swift suggested, “Players gonna play, and haters gonna hate,” but she is more inclined to “shake it off.”
Given the approach Mr. Cooper Group has taken to address customer concerns and minimize actual damage done, they are attempting to dodge materiality claims and “Shake It Off.”
Well, not quite. For most publicly traded companies, cyber risk still needs to be considered from the perspective of materiality. Failure to comply with material disclosure rules can bear significant implications that are very real, potentially affecting investor confidence and business operations.
As it might be amusing to be this glib, anyone who has dealt with an ongoing incident understands its gravity. An effective cyber risk management program is critical not only to achieve compliance with the SEC Cybersecurity Rules, but, more importantly, to improve your ability to anticipate, withstand and recover from sophisticated cyberattacks.
Perhaps Mr. Cooper Group can indeed dismiss the critics by adhering to proper incident handling procedures and protocols.
As for their ability to “shake off” the attackers – that, indeed, would deserve a standing ovation.
Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.