Timeline legend: Arctic Wolf Platform, Arctic Wolf Triage Team, Arctic Wolf Customer, Arctic Wolf Concierge Security Team


Ransomware attack: incident response timeline, 5 minutes or less

For the first time, we invite you to take an exclusive, real-life look at how Concierge Security experts, working within Arctic Wolf's industry-leading Security Operations workflow, triaged, investigated, escalated and remediated a ransomware attack on a local government organization.

01

SOURCE: Active Directory, 5:23am

The ransomware attack against [CUSTOMER] begins in the early morning. In Active Directory logon telemetry, the Arctic Wolf Platform detects [USER] logging into multiple systems in quick succession, a pattern consistent with an account being used for lateral movement.

DID YOU KNOW?

In the four years since January 2016, an average of more than 4,000 ransomware attacks have been carried out every day, according to FBI ransomware statistics cited in 2020.

02

SOURCE: Arctic Wolf Sensor, 5:26am

The Arctic Wolf Sensor continuously inspects network traffic. In the HTTP headers of outbound connections it identifies communication with [IP ADDRESS], a suspected command-and-control (C2) server. In parallel, the sensor detects PowerShell Empire activity on [SERVER].

Note: PowerShell Empire is a powerful post-exploitation framework. It provides privilege escalation, lateral movement, credential theft and more.
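The two signals in steps 01 and 02, an account fanning out across many hosts and outbound HTTP that looks like a C2 beacon, are simple to express as detection logic. The following is an added example, not Arctic Wolf's code or the page's own rules. It runs over constructed Windows 4624 logon events and sensor HTTP records; the hostnames, account names and the IP 198.51.100.23 (standing in for the page's [IP ADDRESS]) are invented, and the URIs and User-Agent are the stock defaults of Empire's HTTP listener profile, which an operator can change, so a match is a strong lead rather than proof.

```python
"""Detection logic for two ransomware-precursor signals:
 1. one account logging on to many hosts within a short window (AD telemetry),
 2. outbound HTTP whose destination or headers match C2 / PowerShell Empire indicators."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample telemetry (illustrative, not from the original page) ---
# Windows Security 4624 logon events: (timestamp, account, destination host, logon type).
# Logon type 2 = interactive, 3 = network, 10 = RemoteInteractive (RDP); kept for context.
LOGON_EVENTS = [
    ("2021-06-01 05:21:40", "svc_backup", "FS01",   3),
    ("2021-06-01 05:22:05", "svc_backup", "DC01",   3),
    ("2021-06-01 05:22:31", "svc_backup", "APP02",  10),
    ("2021-06-01 05:23:02", "svc_backup", "WEB01",  3),
    ("2021-06-01 05:23:10", "jsmith",     "WS-017", 2),   # ordinary workstation logon
    ("2021-06-01 06:10:00", "jsmith",     "FS01",   3),
]

# Outbound HTTP seen by a network sensor:
# (timestamp, source host, destination IP, method, URI, User-Agent).
HTTP_EVENTS = [
    ("2021-06-01 05:25:50", "APP02",  "198.51.100.23", "GET",  "/admin/get.php",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("2021-06-01 05:26:02", "APP02",  "198.51.100.23", "POST", "/login/process.php",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("2021-06-01 05:26:10", "WS-017", "93.184.216.34", "GET",  "/index.html",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0"),
]

# Indicators. The IP is a placeholder for the suspected C2 server; the URIs and User-Agent
# are Empire's default HTTP listener profile and are trivially changed by an operator.
SUSPECTED_C2_IPS = {"198.51.100.23"}
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_DEFAULT_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect_logon_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag accounts that log on to at least min_hosts distinct hosts within a sliding window.
    Returns {account: sorted hosts} for every account that trips the rule."""
    by_user = defaultdict(list)
    for ts, user, host, _ltype in events:
        by_user[user].append((_ts(ts), host))
    hits = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break
    return hits


def detect_empire_http(events, c2_ips=SUSPECTED_C2_IPS):
    """Score each outbound request against C2 indicators.
    Returns a list of (source host, destination IP, reasons) for requests that match."""
    alerts = []
    for _ts_, src, dst, _method, uri, ua in events:
        reasons = []
        if dst in c2_ips:
            reasons.append("destination on suspected-C2 list")
        if uri in EMPIRE_DEFAULT_URIS:
            reasons.append(f"Empire default URI {uri}")
        if ua == EMPIRE_DEFAULT_UA:
            reasons.append("Empire default User-Agent")
        if reasons:
            alerts.append((src, dst, reasons))
    return alerts


def correlate(logon_hits, http_alerts):
    """Join the two signals: hosts reached by a fanning-out account that are also beaconing.
    A hit here is the kind of combined finding worth paging a human for."""
    beaconing = {src for src, _, _ in http_alerts}
    return {user: sorted(set(hosts) & beaconing)
            for user, hosts in logon_hits.items() if set(hosts) & beaconing}


if __name__ == "__main__":
    fanout = detect_logon_fanout(LOGON_EVENTS)
    beacons = detect_empire_http(HTTP_EVENTS)
    print("logon fan-out:", fanout)
    for src, dst, why in beacons:
        print(f"C2 candidate {src} -> {dst}: {', '.join(why)}")
    print("correlated:", correlate(fanout, beacons))
```

Tune `min_hosts` and `window` to the environment: backup, scanning and patch-management accounts legitimately touch many hosts and need an allow-list, while a true attacker can defeat the header rule by changing Empire's profile, so the destination-reputation check and the fan-out rule are what give the correlation its weight.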

Coming as little surprise, remote desktop protocol (RDP) connections were the most common attack vector in Q1 2021, reflecting the many weaknesses in how remote connections are secured. (Source: Coveware.com)

03

5 minutes since initial activity: