Inside an Active Intrusion: Exclusive Interview with the Incident Manager

Incident response is a dynamic field where challenging and unique cases are part of the job. As cyber threats constantly evolve, staying adaptable and refining our strategies is essential.


Team collaboration plays a vital role in this process. By sharing experiences and insights, we keep everyone informed about emerging threats and techniques, enhancing our collective ability to respond effectively to incidents. Recently, we encountered a ransomware case that was particularly interesting, offering valuable lessons for the team. You can read more about this particular incident in a previously published blog post.

To share these insights, we interviewed Michael Popovtschak, the incident lead at SEC Consult, who played a central role in managing the response. Michael has been with the SEC Defence team for 5 years, and during that time, he has handled numerous incidents, both from a technical and organisational standpoint. His experience in this case provided plenty of learning opportunities, and we hope others can benefit from them as well.

What was your role in this incident, and what responsibilities did it entail?

Michael: At the beginning, I took on dual roles as both the Technical Lead and the Incident Manager since the case initially involved just two suspected compromised systems. We started with a smaller team. As the Technical Lead, my responsibility was to coordinate the analysis efforts and communicate the technical findings of our analysts. Meanwhile, as the Incident Manager, my primary role was to liaise with the customer, assess their situation, and determine how best we could assist them.

What was the initial situation?

Michael: The customer first noticed suspicious activity involving access to a password safe. Additionally, a vigilant employee observed the presence of AnyDesk in their Citrix session. These signs led the customer to suspect a potential intrusion. To mitigate the risk, they began shutting down VPN connections to their clients to block any potential attacker from accessing their environments. At this stage, SEC Defence was brought in to investigate further. Due to the nature of these activities, the customer initially suspected an insider threat. However, at that point, we could neither confirm nor rule out this theory. It’s crucial to base any conclusions on solid, technical evidence, so further analysis was necessary.

What were your first steps?

Michael: Our first step was to collect triage data from the potentially compromised systems and work with the customer to scope the incident. Proper scoping is critical as it informs the direction of the response. Initially, we concentrated on analyzing the two systems flagged by the customer. However, the attacker’s actions—dumping a password safe and installing AnyDesk—indicated a more extensive compromise, likely involving the broader domain. To validate this theory, we expanded our investigation to include artifacts from the domain controller (DC), which allowed us to uncover more information.

When did you realize the whole domain was affected?

Michael: After verifying the initial findings, we traced the attacker’s activity back to a Citrix system. This was the same system where the suspicious AnyDesk installation had been reported by the observant employee. We identified that the Citrixbleed vulnerability had likely been exploited to gain initial access. From there, the attacker moved laterally across the network, confirming that the compromise extended beyond the initially suspected systems to the entire domain.

Can you walk us through the moment you realized it was a ransomware attack?

Michael: We confirmed it was a ransomware attack later in the investigation because the ransomware hadn’t yet been deployed in the environment. However, we uncovered multiple indicators of compromise (IOCs), such as suspicious IP addresses, which we verified using threat intelligence tools. When we fingerprinted the services running on the servers behind those IPs, we found an SSH server’s host key linked to prior attacks by a known ransomware gang. We also detected a Cobalt Strike server, commonly used by the same group. These findings clearly indicated we were dealing with a ransomware operation.

How did you determine this was a financially motivated attack?

Michael: Initially, there were no clear signs—no ransom note, no direct communication from the attacker, and no immediate impacts that could suggest blackmail. However, the attacker’s behavior was notably “noisy,” which is characteristic of financially motivated groups. This contrasts with state-sponsored attackers, who prioritize stealth. Once we identified the ransomware gang involved, it became clear their primary objective was financial gain.

How skilled was the attacker?

Michael: The attacker demonstrated advanced skills, consistently adapting their methods when blocked. Their initial attempts to establish command and control (C2) communications through the Citrix system were thwarted by the firewall’s IPS and threat intelligence module. While many attackers might abandon their efforts at this stage, this one persisted. They eventually exploited a host where firewall restrictions didn’t block their connections, allowing them to gain a foothold. Their persistence and ability to overcome obstacles highlighted their expertise, though their noisy approach—typical of ransomware groups—contrasted with the stealth seen in nation-state attacks.

How did the team prioritize actions during the first 24 hours?

Michael: The customer had already taken a crucial step by isolating their Citrix instance. While this helped contain the attack, it also created challenges since Citrix was their primary method of remote access. We had to balance multiple priorities: restoring remote access, deploying forensic endpoint agents, and rolling out an EDR solution. Despite the complexity, our team tackled these tasks simultaneously to ensure the environment was secure while maintaining operational continuity.

Was there a critical turning point in the response that helped contain the damage?

Michael: Yes, there were two pivotal moments. First, the firewall played a crucial role in slowing the attacker by blocking their command-and-control (C2) connections, giving us much-needed time to investigate. The second was the decision to isolate the entire environment after observing ongoing attacker activity. This move allowed us to focus on eliminating the threat without the attacker continuing to spread, avoiding a drawn-out cat-and-mouse scenario.

How did you discover the attacker was still active?

Michael: Even after isolating the environment, we continued to detect attacker activity, which puzzled both our team and the customer. A thorough investigation revealed that one server was bypassing the firewall. An old pre-filter rule, which had been forgotten, allowed traffic from that server to bypass the firewall’s protections. Once we identified and corrected this rule, we were able to fully isolate the environment.

Why wasn’t host-based isolation using forensic agents or EDR considered?

Michael: At the time, we didn’t know how the attacker was bypassing the firewall. Isolating the server at the host level might not have stopped their communication and could have prompted them to change tactics, potentially invalidating the intelligence we had gathered. Additionally, host-based isolation is more invasive and can significantly disrupt a customer’s operations. We always aim to exhaust technical explanations, like the firewall rule we eventually uncovered, before resorting to such measures.

How often is it possible to stop ransomware deployment?

Michael: It’s relatively rare because most environments don’t detect attacker activity early enough. Engaging an incident response (IR) team early significantly improves the odds of stopping ransomware. In this case, the firewall’s defensive measures bought us critical time to respond before the ransomware was deployed.

What led to the early detection in this case?

Michael: The customer’s proactive measures were key. They had identified their critical assets and implemented stronger monitoring around them, which flagged suspicious activity on their password safe. Additionally, a vigilant employee quickly reported the AnyDesk installation. This combination of robust monitoring and employee awareness enabled us to act early, avoiding the worst-case scenario of ransomware deployment or data theft and extortion.

How did communication flow between stakeholders during the incident?

Michael: Tasks were organized into workstreams, each with a designated lead, and daily sync meetings were held to track progress and plan next steps. Management placed trust in their teams, giving them the autonomy to implement solutions quickly. Despite the high-pressure situation, communication remained open and positive both internally and with external partners. The customer’s transparency and proactive outreach strengthened relationships, ensuring the incident had no negative impact on their partners. This collaborative approach was critical to the success of the response.

How did the eradication phase proceed?

Michael: The eradication phase began once we achieved full isolation of the environment. We aligned this phase with the customer’s business operations to minimize disruption.

  • Day 1: Completed the eradication process.
  • Day 2: Double-checked the environment for any missed traces.
  • Days 3-4: Conducted a thorough threat hunt to ensure no hidden threats remained.
  • Day 5: Partnered with the customer to temporarily shut down operations, reducing background noise and making it easier to spot anomalies.

The tools we deployed earlier, such as EDR and forensic endpoint agents, ensured a smooth transition from incident response to threat hunting.

What advice would you give companies to better prepare for ransomware attacks?

Michael: Start by identifying your most critical assets and focusing monitoring efforts on them. A targeted security strategy is more effective and cost-efficient than generic measures. Additionally, establish clear communication channels that empower employees to contribute. Decision-making should strike a balance between management providing direction and teams having the freedom to act. Transparency ensures everyone understands the priorities, fostering a more coordinated and effective response.

Turning Challenges into Lessons: Enhancing Ransomware Preparedness and Response

This ransomware incident underscores the critical importance of early detection, efficient communication, and robust security measures. By combining proactive monitoring, employee vigilance, and a well-coordinated response, we successfully mitigated the threat and avoided significant impact. These insights highlight valuable lessons for organizations aiming to enhance their incident response strategies and bolster ransomware preparedness.

While the incident presented several challenges, the effective resolution provided meaningful lessons and actionable insights. I hope this reflection offers practical takeaways for refining your organization’s approach to ransomware defense and incident management.

SEC Defence offers a comprehensive solution to strengthen your organization's defenses against ransomware and other cyber threats. In the event of an incident, SEC Defence provides advanced detection capabilities, incident response support, and threat containment measures. Its proactive approach helps organizations identify vulnerabilities, minimize downtime, and safeguard critical data, ensuring a swift and effective response to cyberattacks.


This interview was conducted by Ivan Boranijasevic and the blog post published on behalf of SEC Defence.