Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
A cautionary tale about third-party risk
Cobalt Strike
Legal
Legal entities and court systems store sensitive and confidential information. Due to the nature of the data they keep on file, maintaining data security to ensure client confidentiality is critical to protecting brand reputation and continued business operations. No matter how mature an organization’s security posture is, they are only as safe as their weakest link.
This was the case for one eSentire customer in the legal industry who experienced a Cobalt Strike attack via a 3rd party partner. Fortunately, eSentire’s Security Operation Center (SOC) leveraging MDR for Endpoint’s proprietary machine learning capabilities detected the threat actor presence and mitigated the threat before exfiltration could occur.
In this cautionary tale of third-party risk, it is unknown who patient zero was, as the attack originated with the customer’s business partner who had access to their network. This did not affect eSentire’s ability to stop the attack but it put a wrinkle in the investigation, as there was not access to complete data to see where and how the attack originated.
eSentire’s proprietary machine learning module, BlueSteel, alerted the Security Operation Center (SOC) to malicious PowerShell activity on one of the customer’s machines. Via the MDR for Endpoint service, the security analysts went to the dashboard to view the alert and spotted the malicious activity. There was a connection to an external IP address, which indicates a Command and Control channel. The SOC alerted the customer and began their investigation.
eSentire’s security analysts began their investigation by looking for lateral movement. They discovered fourteen other machines communicating with the malicious IP address, so they alerted the customer to lateral movement and flagged the security event in the eSentire SOC.
Further investigation uncovered that the PowerShell command was being used to inject malicious code into the memory of each machine. That code was the Cobalt Strike Server Message Block (SMB) beacon, which opens a backdoor that allows the attacker to remotely control the machine.
Cobalt Strike is a commercial penetration testing tool designed to simulate targeted attacks and emulate the post-exploitation actions of advanced threat actors. Cobalt Strike contains numerous features used to avoid detection and has flexibility in deploying many types of malicious payloads while providing the tools to manage compromised assets, which has made it a tool of choice for cybercriminals who use it to gain access to networks and move laterally, looking for valuable data. If high-value data is found, ransomware is often deployed.
The eSentire Security Analysts observed two movement techniques deployed by the attacker. The first was a file copy (the SMB beacon) to the admin share folder on the machines that was accessible from the network. This technique was not working for the attacker, however, as it was most-likely being blocked by the customer’s antivirus. Due to that failed attempt, the attacker deployed a second technique using Windows Remote Management (WinRM).
eSentire Analysts observed the WinRM activity and saw correlation to successful WinRM sessions on each lateral machine movement, all originating from one machine that did not have eSentire’s MDR for Endpoint protection installed on it. We were, however, able to see that it was that one machine that was sending out the SMB beacon.
With no endpoint visibility on the originating machine, eSentire was unable to go any further with the investigation. That created a “hop” in the investigation of the lateral movement. The customer did some digging and informed us that the machine shared a Network Segment (Subnet) with some third-party providers. They informed us that the infection actually originated with a partner organization, and we had to work with the customer and coordinate with the partner organization to clean up the incident. eSentire worked with our customer to isolate their infected machines, and shared investigation information with the partner. Having no visibility into the partner organization, eSentire could only share the information we had with the partner and hope that they then cleaned up the attack in order to avoid reinfection.
Even though the attacker was able to take over several machines on the customer’s network, no visible damage or exfiltration had occurred. eSentire had isolated the machines and stopped the intrusion before the attacker’s intent was made clear, or their plan fully-executed. The customer disabled the infected account in order to avoid reinfection.
We’re here to help! Submit your information and an eSentire representative will be in touch to help you build a more resilient security operation today.