3 posts tagged with "incident-response"

Ransomware Pre-Encryption Phase: What Attackers Do in the 72 Hours Before Your Files Disappear

· 48 min read
Inference Defense
Threat Intelligence & Detection Engineering

By the time ransomware starts encrypting files, the attacker has already won. The encryption event that triggers your EDR alert, your SOC ticket, and your incident response retainer is not the attack; it is the final step of an operation that began days or weeks earlier, during which the threat actor mapped your entire Active Directory, escalated to Domain Admin, exfiltrated your most sensitive data to a cloud storage bucket, killed your backups, and confirmed that every shadow copy on every server is gone. The encryption itself takes minutes. Everything that makes it devastating (the leverage, the irreversibility, the breadth) was assembled during the dwell period, when your SIEM was generating zero alerts. The Conti playbook leaked in 2022, LockBit 3.0's affiliate documentation, and ALPHV/BlackCat's observed TTPs across hundreds of incidents all confirm the same operational tempo: reconnaissance, credential theft, lateral movement, exfiltration, and backup destruction are completed before a single file is touched.


Network Forensics Without a Tap: Reconstructing Lateral Movement from DNS Cache, NetFlow, and Authentication Logs

· 36 min read
Inference Defense
Threat Intelligence & Detection Engineering

The attacker has been in your network for six days. You have no packet capture. You have no IDS tap on east-west traffic. Your NDR license only covers the perimeter. The EDR on the compromised host was disabled on day two. What you do have: DNS server query logs, DHCP lease records, NetFlow from your core switches, and Windows Security event logs from your domain controllers. That is enough, if you know exactly what to look for, in what order, and how to correlate across sources that were never designed to talk to each other.


How APT Groups Pivot from Initial Access to Domain Dominance in Under 4 Hours

· 20 min read
Inference Defense
Threat Intelligence & Detection Engineering

You're staring at an EDR alert from 11:47 PM. A Word document spawned PowerShell. By the time your analyst acknowledges the ticket at 12:09 AM, the attacker already has a beacon calling home, has run BloodHound across your entire AD, has dumped credentials from LSASS, and is authenticating to your domain controller with a Domain Admin hash. The "200-day dwell time" you quoted at last quarter's board meeting is about to become a footnote. This intrusion will be over in four hours.

Category: Threat Intelligence · Reading time: 25 min · Audience: SOC Analysts, Detection Engineers, Incident Responders