eSentire Blog

LOGJAM: The Latest Security Flaw Threatening the Security of Communication Protocols

Posted by Tara Parachuk on Mon, May 25, 2015 @ 01:12 PM

This new encryption attack compromises 8.4% of Alexa Top Million HTTPS sites, putting secure data at risk.

by: Akash Malhotra

The official discovery of the Logjam vulnerability, made a few days ago by security researchers, affects the Diffie-Hellman key exchange algorithm, which lets protocols such as SSH, HTTP and TLS establish encryption keys over an insecure channel. The basis of the algorithm is for two parties to agree on a key for encryption such that no third party can listen in, ensuring a secure transfer of information. This is done by using large prime values and computing (g^a mod p, g^b mod p), where p is a prime number, g is a generator of a multiplicative group modulo p, and a, b are random secret values, one for each communicating party. The security of the scheme relies on the fact that it is easy to compute g^x mod p, but difficult to invert the computation and recover x given only g, p and g^x mod p (the discrete logarithm problem).

The Logjam vulnerability involves two distinct weaknesses: one in the TLS protocol and one in the way that Diffie-Hellman key exchange is implemented. Due to a flaw in the TLS protocol, a man-in-the-middle attacker can downgrade a Diffie-Hellman key exchange to a less secure 512-bit export-grade version. Many TLS servers are configured to accept DHE_EXPORT primes (which are 512 bits long), allowing an attacker to recover the shared secret.

The TLS protocol weakness in Logjam is similar to the FREAK attack that occurred back in March, except that it involves a Diffie-Hellman key exchange rather than an RSA key exchange (another public key cryptosystem). The implementation weakness of Logjam is made possible by the following observations:

a) For key exchanges involving the same prime p, the discrete logarithm computation can be split into two parts: the first takes a lot of computing effort but can be precomputed ahead of time, and the second has to be repeated for each individual key exchange but can be done in near real time.

b) Since generating prime numbers with the special properties required for Diffie-Hellman is not trivial, a lot of implementations reuse the same small set of prime numbers that are known to be safe from number-theoretic shortcuts.

It took the researchers a week to precompute the first part for a single 512-bit prime (used by 82% of vulnerable HTTPS servers); they were then able to leverage the result to crack DH key exchanges using this prime within 90 seconds on average. Precomputation attacks for 768- and 1024-bit groups, which are extensively used in practice, were also explored. Results showed that precomputations for 768-bit groups were within reach of academic teams, while 1024-bit groups were a distinct possibility for nation-state attackers.

The researchers recommend disabling all support for export-grade cipher suites (RSA and DHE with 512-bit moduli) and configuring DH groups of at least 1024 bits or, better yet, 2048 bits. This will prevent downgrade attacks during communication with servers that still support DHE_EXPORT. The long-term recommendation is transitioning to elliptic curve Diffie-Hellman key exchange, as it is not affected by the precomputation attack described above.
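As an added, defender-side illustration of the two weaknesses just described (not code from eSentire or the Logjam researchers), the following Python checks a captured TLS handshake for export-grade cipher suites and grades the size of the Diffie-Hellman prime carried in the ServerKeyExchange message. The suite IDs are from the IANA registry; the sample primes are constructed placeholders of the right size, not real DH groups.

```python
"""Defender-side checks for the two Logjam weaknesses described above.

Added example, not eSentire's or the Logjam researchers' code. It flags
export-grade suites in a TLS cipher-suite list and parses ServerDHParams
{dh_p, dh_g, dh_Ys} from a TLS 1.2 ServerKeyExchange body (RFC 5246 7.4.3:
each field is a 2-byte big-endian length followed by the value) to grade p.
"""
import struct

# Export-grade suite IDs from the IANA TLS Cipher Suite registry. The two
# DHE_EXPORT suites are the Logjam downgrade targets; the RSA_EXPORT ones
# are the FREAK equivalents mentioned in the post.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def find_export_suites(suite_list: bytes) -> list:
    """Names of export-grade suites in a raw list of 2-byte suite IDs
    (a ClientHello's cipher_suites body or a ServerHello's chosen suite)."""
    if len(suite_list) % 2:
        raise ValueError("cipher suite list must be whole 2-byte IDs")
    found = []
    for i in range(0, len(suite_list), 2):
        suite_id = struct.unpack("!H", suite_list[i:i + 2])[0]
        if suite_id in EXPORT_SUITES:
            found.append(EXPORT_SUITES[suite_id])
    return found

def _read_opaque16(data: bytes, offset: int):
    """Read one <2-byte length><value> field; return (int value, new offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated length field")
    length = struct.unpack("!H", data[offset:offset + 2])[0]
    offset += 2
    if offset + length > len(data):
        raise ValueError("truncated value field")
    return int.from_bytes(data[offset:offset + length], "big"), offset + length

def parse_server_dh_params(data: bytes) -> dict:
    """Parse dh_p, dh_g, dh_Ys from the start of a ServerKeyExchange body;
    the signature that follows the params is ignored."""
    p, off = _read_opaque16(data, 0)
    g, off = _read_opaque16(data, off)
    ys, off = _read_opaque16(data, off)
    return {"p": p, "g": g, "Ys": ys, "consumed": off}

def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Inverse of parse_server_dh_params, used to build the samples below."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def grade_dh_prime(p: int) -> str:
    """Grade a DH modulus by size using the thresholds from the post: 512-bit
    export primes fall in ~90 s after a one-week precomputation, 768-bit groups
    are within academic reach, 1024-bit groups are a plausible nation-state
    target, and 2048 bits is the recommended minimum."""
    bits = p.bit_length()
    if bits <= 512:
        return "EXPORT"    # downgrade target; treat the session as broken
    if bits < 1024:
        return "WEAK"      # 768-bit class
    if bits < 2048:
        return "MARGINAL"  # 1024-bit class; move to 2048-bit or ECDHE
    return "OK"

def audit_handshake(suite_list: bytes, skx_body: bytes) -> dict:
    """Run both checks on one captured handshake."""
    p = parse_server_dh_params(skx_body)["p"]
    return {"export_suites": find_export_suites(suite_list),
            "dh_bits": p.bit_length(), "dh_grade": grade_dh_prime(p)}

# Constructed samples: size-correct placeholders, NOT real safe primes.
P_512_PLACEHOLDER = (1 << 511) | 0x1A3
P_2048_PLACEHOLDER = (1 << 2047) | 0x1A3
G = 2
# ECDHE-RSA-AES128-GCM-SHA256 (0xC02F) offered next to DHE_RSA_EXPORT (0x0014):
# still downgradable. The clean list swaps in DHE-RSA-AES128-GCM-SHA256 (0x009E).
SAMPLE_SUITES_VULNERABLE = bytes.fromhex("c02f0014")
SAMPLE_SUITES_CLEAN = bytes.fromhex("c02f009e")
SAMPLE_SKX_EXPORT = encode_server_dh_params(
    P_512_PLACEHOLDER, G, pow(G, 0xABCDEF, P_512_PLACEHOLDER))
SAMPLE_SKX_STRONG = encode_server_dh_params(
    P_2048_PLACEHOLDER, G, pow(G, 0xABCDEF, P_2048_PLACEHOLDER))

if __name__ == "__main__":
    print(audit_handshake(SAMPLE_SUITES_VULNERABLE, SAMPLE_SKX_EXPORT))
    print(audit_handshake(SAMPLE_SUITES_CLEAN, SAMPLE_SKX_STRONG))
```

On a real capture, feed the ClientHello's cipher_suites bytes and the ServerKeyExchange body to audit_handshake; anything graded EXPORT or WEAK, or any export suite still offered, is the configuration the researchers tell you to remove.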


Akash Malhotra is a Technical Writer at eSentire.

Notes from RSAC 2015: Is InfoSec Having an Identity Crisis?

Posted by Mandy Bachus on Mon, Apr 27, 2015 @ 03:13 PM

This year’s RSA Conference drew an unbelievable number of security professionals from around the globe. The electricity was palpable, as more than 28,000 descended on San Francisco to dissect last year’s major breaches, the lessons learned and emerging trends. And while a large number of sessions focused on the pressures facing professionals working in the field, they also built on the conversation around the state of the industry’s maturity and repeatedly asked the question: is InfoSec having an identity crisis?

Information Security is a young industry, especially when compared to other industrialized fields. The discipline is growing at an unbelievable pace, though this should come as no surprise given the steep rise in cybercrime. Like any growing discipline, InfoSec is experiencing its own brand of growing pains. From an adoption standpoint, the industry has made great strides in convincing the boardroom that cybersecurity is a critical organizational function. However, even with that recognition, many organizations are still lagging when it comes to implementing cybersecurity policies and measures. The pendulum swung quickly in large enterprise, especially as the effects of the 2014 mega breach stories were realized. But what about the smaller companies - the small to mid-sized organizations?

Through regular surveys we’ve observed that small to mid-sized enterprise is still having a difficult time adapting and adopting cybersecurity infrastructure. Leaders in this space are contending with a cybersecurity trifecta: while they understand that they too have high-risk data, they’re having a difficult time reconciling internal cybersecurity bandwidth, resources and dollars, especially when balancing it with other crucial business functions. To some degree, many businesses in this space still consider themselves below the radar of cyber threats. And if they are wise enough to realize they are the Achilles heel of larger industry, they struggle with the monumental task of protecting themselves, particularly when they see the F500 falling victim time and time again.

One walk through RSAC’s exhibition floor amplified the industry’s explosive growth. More and more cybersecurity services are emerging to help organizations build out defenses. On the show floor and in the RSAC lecture rooms, it became evident that InfoSec is in fact, having an identity crisis. Without question, ours is an industry that’s outpacing all other global industry. As a discipline, we recognize the risks, threats and implications our environment presents and are pivoting constantly to stay ahead of the threat curve. 

We have an abundance of data that we can use to help educate enterprise at all levels. And really, it’s our duty to share resources to help establish the need for proactive cybersecurity programs and solidify the commitment towards action. Like any immature industry, we’re having a hard time defining who we are. We use variant language to describe what we do and unfortunately for us, this is complicating the conversation that's happening in boardrooms, where business decisions are made. 

So what can we do? The conference sent us on our way with an answer - a call to action, if you will. As a discipline, we have to collaborate to elevate our already tenacious discipline. We need to drive the definitions that will define the discipline’s identity and continue to foster the profession's collaboration that has already proved invaluable in today’s shifting landscape. Think of the ISACs as just one example. Back in late 2013, eSentire issued a service advisory to its client base giving visibility to a .docm file circulating through the hedge fund atmosphere. Then, the intent of the attack was to drive a spear-phishing campaign with the explicit intent of accessing sensitive financial data in the hedge fund market through credential harvesting. At the time, eSentire’s Security Operations Center flagged what became known in 2014 news reports as “FIN4”. In addition to our client advisory, eSentire shared this information with FS-ISAC (we’ve been a member of the ISAC community for several years) to help warn others in the financial community of this emerging threat.

At the end of the day, every professional working in the InfoSec industry is an influencer. Every professional possesses the data and resources that can help define industry-wide policies, drive best practices and perhaps most importantly, help the industry shake its identity crisis.

Tags: RSA

Notes from RSAC 2015: Social Engineering - So Easy, Even a 9-Year-Old Can Do It!

Posted by Mandy Bachus on Wed, Apr 22, 2015 @ 08:20 PM

We know the hazard that human users pose to network security. Even as technology has advanced in sophistication, attack rates have continued to rise. In spite of the complex defenses that you've built to protect your network, odds are a human user will ultimately click a malicious email link. 

At eSentire we talk a lot about social engineering. Everyone at the RSA Conference is talking about social engineering, too. And rightfully so! The worrisome spike in complex targeted threats like phishing or watering hole attacks continues to grow at an alarming rate. At eSentire we regard user/employee training as a fundamental component within any organization's cybersecurity framework. Equally important is the vigilance required to always look for the hallmarks of a phishing email. 

At RSAC 2015, the risk of social engineering never became more clear than at an intriguing keynote session featuring a bright and charismatic 9-year-old named Reuben Paul. Reuben represents the next generation of security professionals. Even at 9 years old, he’s an overachiever. Reuben is a programming whiz and acts as CEO for his own educational software games company called Prudent Games. Reuben joined Christofer Hoff, VP and Security CTO at Juniper Networks, on stage to demonstrate just how easy social engineering is. In a five minute demonstration, he proved that he, a 9-year-old whiz kid, could hack a user account. And if Reuben could do it, what does that mean for someone twice his age?

On RSAC's exhibition floor, eSentire is challenging visitors to a phishing email test. The timed challenge asks players to study a suspect email. Once they’ve timed out, they select a number of indicators that told them that the email was a phishing attempt. Every participant receives a grade, and on this, the third day of the conference, only 1% of participants have scored 100%. 

The point here is that social engineering is becoming commonplace. It represents the single fastest growing threat facing consumers and businesses alike and has already proved incredibly effective, as is evidenced by the monumental corporate breach stories of 2014. 

While social engineering has been a popular topic at RSA, equally popular is the concept of cybersecurity hygiene. At the root of proactive hygienic practice is always education. It’s of critical importance that every individual understands what data is important to our business and the mechanisms that we’re using to defend that data. Employees need to recognize that they too are a security mechanism and must understand the vigilance required to defend their business from the fastest rising threat in the cyber world. Because as we’re quickly learning, complex cyber threats are not child’s play.

Tags: RSA

Notes from RSAC 2015: Escaping Security’s Dark Ages

Posted by Mandy Bachus on Tue, Apr 21, 2015 @ 07:01 PM

Last year’s big breach stories have amplified the need to radically shift industry thinking. And as RSA President Amit Yoran described in his keynote today, we’ve arrived at a critical inflection point in our industry. There’s an admission and acceptance that while perimeter defenses are failing, they’re still a necessary weapon in our cybersecurity arsenal.

Organizations today are beginning to accept the reality that perimeter defenses are permeable. Adversaries are rapidly evolving to maneuver around the walls that we’ve built to keep them out; they’re already in our networks.

Last year has regularly been referred to as the year of the mega breach and it’s widely expected that 2015 will supersede it, with monumental impact. As Amit described, several of the world’s largest corporations with the most powerful next gen security technology couldn’t stop a breach. So what does that mean for everyone else?

“We need pervasive and true visibility” – Amit Yoran

We couldn’t agree more. At eSentire, this fundamental assertion drives our entire business. Our human powered cybersecurity allows us to see behavioral anomalies that technology alone might miss. Our highly skilled analysts monitor client networks 24/7, identifying, mitigating and communicating threats in real-time, always.

Amit has suggested that organizations at any level need to drive their own destiny: that we’ve been relying on maps that haven’t charted the threat terrain we are navigating today. A resounding theme at this year's RSA conference is that it's officially time to adopt a progressive approach to cybersecurity; an approach that refuses to rely on technology alone. Because just as Amit suggested, if you're not doing deep packet inspection or endpoint detection, then you're just pretending to do security.

Tags: RSA

OCIE-SEC and FINRA Release Groundbreaking Cybersecurity Guidance Reports

Posted by Mandy Bachus on Wed, Feb 11, 2015 @ 01:30 PM

by: Eldon Sprickerhoff


The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) has released its hotly anticipated examination sweep summary results. The report summarizes the responses gathered from 100+ registered broker-dealers and investment advisors, as part of an initial fact-finding mission. The 28-point questionnaire was widely regarded as the first step toward the introduction and implementation of an industry-wide Cybersecurity Examination Initiative.

As previously reported, the OCIE-SEC will proceed with in-depth, independent testing not only in the U.S., but abroad. Testing is expected to delve deeper into areas evaluated through the initial 28-point questionnaire. The investigative phase was designed to give the SEC a better understanding of overall industry preparedness when it comes to cybersecurity.

Collectively, questions focused on the examined firms’ overall comprehension of the data they own, legislation that may regulate that data, existing cybersecurity risks and how they’re defending against those risks.

The findings promisingly highlight that a large number of participating firms have developed written security policies (93% of broker-dealers and 83% of advisors).

Results also indicate that a number of respondents have introduced proactive measures that include conducting regular risk assessments (93% of broker-dealers, 79% of advisors) and employing cybersecurity insurance (58% of broker-dealers, 21% of advisors).

Interestingly enough, industry regulatory authority FINRA (The Financial Industry Regulatory Authority) has also released an indispensable tool, dubbed the Report on Cybersecurity Practices (released February 2015).

As the SEC announced its Cybersecurity Examination Initiative in 2014, FINRA launched a targeted examination sweep to (similarly) gain an understanding of threats and vulnerabilities facing the industry today. The sweep was part of an ongoing FINRA cybersecurity initiative, which initially kicked off in 2007. FINRA’s extensive report details observations and findings that provide firms with incredible insight into key priorities as they work to strengthen their cybersecurity posture.

FINRA’s report groups its findings under several headings. Those include:

 - Cybersecurity governance and risk management

 - Cybersecurity risk assessment

 - Technical controls

 - Incident response planning

 - Vendor management

 - Staff training

 - Cyber intelligence and information sharing

 - Cyber insurance

FINRA describes the report as ‘an approach to cybersecurity grounded in risk management’, something that we at eSentire respect and staunchly promote.

Together, these two reports highlight the complexity of an industry undergoing radical change to confront evolving cybersecurity risks. Firms participating in these exams and fact-finding interviews are blazing a trail for the industry not just on a national platform - but also on a global stage. There’s no question that cyber threats will continue to pose significant risk to the industry. And while the ramifications from regulatory intervention may seem daunting, the resources developed as a result are critical tools that will help to defend the industry from cyber risk. 

Download the ‘Juggling Regulatory Compliance Strategies’ webinar from eSentire on demand to learn more about the SEC and FINRA findings.

Eldon Sprickerhoff is Founder and Chief Security Strategist at eSentire.

Tags: Compliance, Hedgefund Security, SEC Regulatory Developments

The Jury is In: LegalTech New York Highlights Industry Cybersecurity Risk

Posted by Mandy Bachus on Wed, Feb 11, 2015 @ 09:32 AM

by: Mark Sangster

Last week eSentire participated in LegalTech New York, the legal industry’s largest technology event of the year. This annual conference provides firms and legal departments with practical tips that they can adopt to improve the way that their practice is managed. This year’s event offered an assortment of trend discussions, with the overarching theme focused squarely on cybersecurity and data protection.

The legal industry continues to face mounting pressures from government and industry regulators as they work to address cybersecurity defense gaps. And while it’s evident that there’s been a shift in thinking when it comes to cybersecurity defense planning, the industry remains largely unregulated.

Law firms have become a popular target with cybercriminals looking for easy access to rich data. With one strike, cybercriminals can interrupt mergers and acquisitions, manipulate business transactions or acquire business and client data. Contrary to what many might believe, small and medium-sized firms are just as vulnerable to attacks as larger firms. All client data is a target.

eSentire presented an emerging technology talk track at LegalTech New York to highlight industry recommendations and help firms understand how those new standards can be applied.

Attorney and author Jill D. Rhodes recently published The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, a resource that is informally regarded as the industry's cybersecurity roadmap. The book helps to define cyber and data security risk and best practices, and describes lawyers’ legal and ethical obligations to the client regarding data security.

Perhaps of greatest interest are the top ten measures that all firms should consider to defend their firm against cyber attacks. Recommended measures suggest that firms:

 1. Evaluate their cybersecurity risk profile.

 2. Evaluate client-specific data security considerations (regulatory).

 3. Organize and empower an information security and data governance committee.

 4. Appoint a Chief Information Security Officer (CISO/CSO) to run day-to-day operations.

 5. Define and implement an auditable security program.

 6. Establish a stringent requirement for data security (in-house and vendor).

 7. Develop a security incident response protocol to address breaches.

 8. Develop controls on Internet access and personal devices (BYOD).

 9. Educate lawyers and staff within the firm about their cybersecurity obligations.

 10. Conduct routine audits and vulnerability assessments.

Ms. Rhodes’ suggestions reinforce the advice that eSentire regularly shares with clients as they work to beef up their cybersecurity defenses. At eSentire, we recognize that breaches are inevitable. The key in managing risk is to shift thinking from simply blocking and prevention to Detection and Response. Knowing where to start can be a challenge, so we’ve developed a best practices framework specifically for law firms to help build out (or expand) cybersecurity initiatives.

While last week’s conference emphasizes the real and present danger that cyber threats pose to the industry, attendees also made it clear that the industry is committed to strengthening its cybersecurity stance.

Download eSentire’s Cybersecurity Series Webinar to learn more about eSentire’s Best Practice Recommendations for Law Firms.

Mark Sangster is Vice President of Marketing at eSentire.

Tags: Security Recommendations, Legal Cybersecurity

Preparing for the Cybersecurity Paradigm Shift

Posted by Mandy Bachus on Tue, Feb 03, 2015 @ 01:54 PM

by Eldon Sprickerhoff

At eSentire, we take our business seriously. We’re passionate about the work that we do and acknowledge the unique risks that clients specifically operating in the financial space face on a daily basis. To gain recognition for the work that we do in any capacity is icing on the cake.

Thus, we’re honored to have received the Best Security Solution and Most Innovative Technology Solution awards at this week’s HFM US Technology Awards gala!

And while we’re grateful for moments like this, we recognize that our work is far from over. The frequency and complexity that we see with cyber attacks today is only going to continue to grow. Organizations operating in the financial space in particular have felt increasing pressure with the introduction of a 28-point cyber review questionnaire and looming U.S. Securities and Exchange Commission’s (SEC) Office of Compliance, Inspections and Examinations (OCIE) testing.

Several months ago the SEC launched the first round of cyber reviews, targeting 100+ firms as part of an initial fact-finding mission. The feedback gathered in this stage was meant to provide a snapshot of the industry’s overall cybersecurity posture while providing context for upcoming industry-wide examinations.

The original timeline detailed by the SEC suggested that industry-wide examinations would launch in September of 2014. It was expected that the results of the cyber reviews would provide a glimpse into what the exams would bring.

Just last week, HFMWeek Online reported exclusively that after months of speculation, the SEC is ready to announce next steps. The first of these will focus on independent testing, which is expected to be more thorough than that experienced with the 28-point questionnaire. OCIE Director Drew Bowden suggested that while the information collected through the 28-point questionnaire was informative, it in no way declared the preparedness of the industry.

If anything, the SEC’s initiative has spurred a radical shift in thinking. The OCIE expects that a summary of its questionnaire findings may be released sometime in March. In the meantime, plans are also underway to expand testing abroad (Europe, the UK and Asia).

The after-effects of last year’s record-breaking breaches continue to permeate the industry. Firms of all scale and scope recognize the very real risk of threats today. The SEC is just one regulatory association taking action to protect the national economy, and global assets. At eSentire, we recognize that education and preparation are fundamental steps in maintaining a sturdy cybersecurity posture. Taking a proactive stance can help firms protect their assets while preparing for any regulatory ask that might come their way.

In the spirit of planning, we’ve issued incident response and information security policy guidance framework documents. The checklist-style documents, available at no charge, provide an actionable framework for responding to and managing a proactive cybersecurity defense posture. Both documents have been released under a Creative Commons license (Creative Commons Attribution Non-Commercial, by-nc). Resources like these framework documents are a critical tool that firms can employ to build out fundamental cybersecurity plans and considerations. At eSentire we live by the adage that an ounce of prevention is worth a pound of cure. Last year’s radical paradigm shift exemplifies that point.

Eldon Sprickerhoff is Founder and Chief Security Strategist at eSentire (

Tags: US government security, Security Recommendations, Hedgefund Security

Would Active Threat Protection from eSentire Have Prevented the Sony Hack?

Posted by Mandy Bachus on Thu, Jan 15, 2015 @ 08:30 AM

by J.Paul Haynes

In the weeks that have passed since the well-publicized Sony breach I have been asked the same question dozens of times, ‘could eSentire’s services have prevented this breach?’ I should say eSentire does not have all the details about this particular breach and we are relying on recent comments issued by FBI Director James Comey and Sony’s own CEO to give us insight to make a determination. In short, the answer is that there is a high probability that the type of threat Sony experienced would have been detected and contained had continuous monitoring like that provided by eSentire been employed.

Regardless of how the threat actors (or hackers) gained initial network entry access, the resulting breach actually would’ve taken several weeks to achieve, not days. The combination of state-of-the-art detection technologies and human monitoring – the core premise of Active Threat Protection – would have immediately flagged inconsistencies associated with the attack.

When a breach of this level occurs there are several red flags that arise before the damage is done. The key to preventing a serious breach is to identify the significance of those red flags and actively mitigate the harm. Here are some examples of the inconsistencies that should have set off alarm bells:

1. Numerous external connections using non-company proxy servers (eSentire Solution: Network Interceptor™ to identify the connection attempts and Asset Manager Protect and Country Killer to recognize blacklisted IP addresses).

2. Lateral movement within the network originating from different hosts (eSentire Solution: Network Interceptor™ and Host Interceptor).

3. For exploit deployment, numerous payload drops would have to occur (eSentire Solution: Active Forensics, Network Interceptor™ and Executioner).

4. Changes in logging, as privileges were escalated to gather the necessary data to extract (eSentire Solution: Log Sentry™).

5. Finally, Active Threat Protection would have caught and alerted a threat analyst as a result of the 100 TB of data being exfiltrated, as described by Sony’s CEO (eSentire Solution: Active Forensics and Network Interceptor™).

In the world of Active Threat Protection, we act on each of these signals immediately. The elements of this attack are what we detect and block every day. Intricate attacks such as these are becoming commonplace – so much so that leading analyst firm Gartner Research published a best practices framework (in 2014) to help organizations defend against and mitigate these kinds of targeted attacks.

As we have seen with the case of Sony, the cleanup work involved after a breach has occurred is far more complex and expensive than the preventative measures available to stop and prevent this level of damage.

Without forensic-level network traffic at your disposal, the job of tracking down the culprits and retrieving data is immeasurably more difficult – approaching impossible. In hindsight it is easy to say, “I should have used a working fire alarm,” after you’ve experienced a house fire. In the same way, we don’t want a business to find out too late that they could have had protection measures in place to protect their high value assets.

When we revisit the question of whether Active Threat Protection would help to prevent a breach like Sony’s, the answer is that every indicator points to yes.

J.Paul Haynes is CEO at eSentire (

Tags: Active Threat Protection, Data Breach

Just another day at the office: protecting clients from complex threat networks with Active Threat Protection from eSentire

Posted by Mandy Bachus on Wed, Dec 03, 2014 @ 02:38 PM

by J.Paul Haynes

On Dec. 1, a large US-based cybersecurity firm received extensive international media coverage for a reported cybersecurity incident. The incident focused on a threat actor classified as “FIN4”. Reports describe an active targeted phishing campaign with a focus specifically targeted at “the emails of C-level executives, legal counsel, regulatory risk, and compliance personnel, and other individuals who would regularly discuss confidential, market-moving information”.

The technique uses spear-phishing emails to gather credentials from users and return them to the “FIN4” Command and Control (CnC) servers, where the login credentials are then used to log into the users’ webmail remotely through TOR to escalate the attack. Again the level of angst was escalated further.

While this news article may be the first mention of “FIN4”, eSentire has been tracking and mitigating this very activity for more than a year. Late in 2013, eSentire issued a service advisory to its client base giving visibility to a .docm file circulating through the hedge fund atmosphere. At the time, eSentire’s Security Operations Center flagged what is now known as “FIN4” activity at its earliest inception. Then, the intent of the attack was the same: to drive a spear-phishing campaign with the explicit intent of accessing sensitive financial data in the hedge fund market through credential harvesting.

The story surrounding “FIN4” is an important one, however, a story like this reminds us of the complexity and challenges faced by the Information Security industry. Complicated threats like these don’t pop up overnight. Dedicated forensics is critical in identifying and managing threats of this nature. eSentire clients have not been affected by “FIN4” attacks thanks to our Security Operations Center’s ongoing forensics and layered Active Threat Protection services.

What is it about the eSentire approach to Active Threat Protection that’s so unique? We’re able to see and mitigate threats of this nature through continuous monitoring. eSentire analysts continually monitor all of our clients’ network traffic, looking for signs of atypical behavior by utilizing ‘operationalized forensics’ - a technique pioneered by eSentire - which is the continuous analysis of all traffic flowing into and out of client networks.

As with the attack initially detected by eSentire in 2013, when a compromised Word document containing the macro executes, connects to an external server and transfers data - in this case user credentials to an unfamiliar IP destination - we notice those unusual behavioral signals and immediately scrutinize them.

With our DVR-like capabilities, our skilled threat analysts rewind and replay the traffic and critically analyze it. If the traffic looks malicious, we block that specific connection on that customer’s network. Next, the block is propagated to all other eSentire subscriber networks through our Asset Manager Protect service, ensuring all clients are protected from the threat in question. At eSentire, this is standard operating procedure, 24/7/365, whether during business hours on Wednesday or at 2AM on Sunday.

If your first visibility into a major attack network like that publicized this week comes from a best-in-class forensic firm, the horse is likely already out of the barn. At this stage of breach you are also calling lawyers, regulators and law enforcement. Even worse, you have spent at least three to five full years of what Active Threat Protection services from eSentire would have cost. Let’s not rule out impact to reputation and brand which can trigger in a New York minute.

With Active Threat Protection from eSentire, clients benefit from immediate threat isolation, mitigation and real-time reports. Quite literally we are talking about an ounce of prevention versus a pound of cure. 

There’s a reason why eSentire is the trusted, award-winning security services provider to more than 450 financial services firms, legal, extractive and healthcare organizations. We can comfortably lay claim to pioneering Continuous Advanced Threat Protection, which leading analyst firm Gartner Research began covering in June 2014 as a best practices framework for defending against cybersecurity attacks.

In our world, managing and mitigating a threat like “FIN4” is simply another day at the office.

J.Paul Haynes is CEO at eSentire (

Tags: Active Threat Protection

Phishing Expedition: Protect Your Organization from Phishing Exploits

Posted by Mandy Bachus on Mon, Nov 10, 2014 @ 04:35 PM

by Eric Ritter

Two months ago, Home Depot announced it had been the target of an elaborate hack through a third-party vendor. The attack successfully embedded software within thousands of self-checkout machines across Canada and the United States, which silently harvested credit card information for months.

Just last week, new reports revealed more damage; in addition to the library of 56 million credit card accounts, hackers also gained access to 53 million customer email addresses. In the case of the Home Depot hack, cyber criminals accessed the enterprise with stolen vendor credentials, likely acquired through phishing campaigns.

The Home Depot hack is among several targeted major retailers this year. While businesses work to strengthen their cybersecurity posture, these attacks amplify the vulnerabilities of supply and distribution chains, and vendor systems used by countless organizations, regardless of industry.

Phishing scams are ubiquitous and often incredibly effective. ‘Smash and Grab’ describes attacks used to achieve quick monetary return, through access to specific financial data.

Spear-phishing is a sub-set of phishing campaigns now gaining momentum. These attacks are far more surgical and often take more effort to execute. They target specific individuals within an organization, like a CFO or CEO. First cyber criminals gain access to the executive’s email account. Next they’ll drive the phishing campaign, usually by issuing a document to employees and requesting password confirmation for a records update. In most cases employees will provide this information without hesitation, given that the source appears to be trusted.

These attempts are far more sophisticated than historical bids involving lottery or inheritance claims. Today, what we see are polished emails, perfectly branded to reflect a legitimate organization, like a trusted credit card company, bank or other vendor.

The objective is always the same – convince the recipient to enter their credentials by requesting identity verification. In a business setting, employees sifting through hundreds of emails daily could see such an email as innocuous, and click a link or submit credentials without thinking twice.

At eSentire, we see thousands of phishing attempts every week, and more than a dozen custom-crafted spear-phishing attacks.

So what can you do to protect your organization from the onslaught of phishing campaigns seeking to destroy and disrupt your organization? In addition to robust cybersecurity policies, staff training and education is critical. Be sure to communicate cybersecurity risks and the nuances of phishing to employees at any level across the organization.

In an era of multi-tasking and challenging workloads, employees must remain vigilant and cautious of suspicious emails, as they are the first line of attack. Legitimate organizations never ask clients or employees to click a link or enter confidential credentials via email or website submission. And if ever in doubt, don’t respond. Odds are an authentic request would be communicated by some other means.

Our motto at eSentire: don’t take the bait and don’t click the link.

Eric Ritter is Director, Security Operations Center and Client Experience at eSentire (

Read more on phishing threats in this month’s issue of HFMTechnology.


Tags: Spear Phishing attack
