Incident Response Timeline – Ransomware

aw-timeline-platform-icon_w-210706.png

Arctic Wolf's Platform

aw-timeline-triage-icon-210706.png

Arctic Wolf Triage Team

aw-timeline-customer-icon_w-210706.png

Arctic Wolf Customer

aw-timeline-cst-icon_w-210706.png

Arctic Wolf Concierge Security Team

aw-timeline-platform-icon_w-210706.png

Arctic Wolf Platform

aw-timeline-triage-icon-210706.png

Arctic Wolf Triage Team

aw-timeline-customer-icon_w-210706.png

Arctic Wolf Customer

aw-timeline-cst-icon_w-210706.png

Arctic Wolf Concierge Security Team

Ransomware attack

Incident Response Timeline 5 Minutes or less

For the first time, we invite you to take an exclusive and real life look at how Concierge Security experts within Arctic Wolf’s industry-leading Security Operations workflow triage investigated, escalated and remediated a ransomware attack on a local government organization.

01

SOURCE

Active Directory 5:23am

Ransomware attack against [CUSTOMER] begins in the early morning. Within Active Directory, the Arctic Wolf Platform detects [USER] logging into multiple systems.
  • 5:23am

DID YOU KNOW?

In the four years since January 2016, more than 4,000 ransomware attacks have been carried out daily, according to ransomware statistics from 2020 published by the FBI. 

02

SOURCE

ARCTIC WOLF SENSOR 5:26am

The Arctic Wolf Sensor is continuously scanning network traffic. It reads HTTP header information containing outbound communication with [IP ADDRESS], a suspected C2 server. In parallel, the sensor also detects
PowerShell Empire is an incredibly powerful post-exploitation tool. It provides capabilities including privilege escalation, lateral movement, credential theft, and more.
PowerShell Empire activity detected on [SERVER].
  • 5:26am

Coming with little surprise, remote desktop protocol connections (RDP) was *the most common attack vector in Q1 2021 with many vulnerabilities in securing remote connections. *Coveware.com

03

5 minutes since initial activity:

investigation triggered 5:28am

The Arctic Wolf Platform correlates C2 traffic with PowerShell Empire activity on [SERVER]. The incident is escalated to
Triage Team level 3 is Arctic Wolf’s most senior and experienced team of security experts. They handle the most critical and complex incidents discovered by the Arctic Wolf Platform.
Triage Team Level 3 forensics dashboard with
Urgent is Arctic Wolf’s highest level of alert. It is reserved for critical events, such as active ransomware.
Urgent status.
  • 5:28am

Dwell Time

The time it takes to deploy patches for critical vulnerabilities increased by an *extra 40 days since March. Higher CVE volumes, more critical CVEs, and a disruption of patching programs caused by the dispersed workforce have all contributed to this increase. *Arctic Wolf Annual Report

Ransomware Cases Rise

As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019. 

04

ONE MINUTE LATER:

The Investigation Starts 5:29am

The Arctic Wolf Triage Team begins investigation and finds activity within Active Directory logs of [USER] logging into many systems in a short amount of time. They also confirm that the network and PowerShell Empire alerts are a true positive and begin to assess the scope of the attack.

2021 Ransomware outlook

The healthcare and education sectors were easy targets for ransomware in 2020 due to the disruptions caused by the global pandemic. Analysts are predicting that *the parcel and shipping sector may be hit hard in 2021 driven by an increase in dependency on these services. *Safeatlast.co