Ransomware actor deleted logs to frustrate investigation

Learning From Incident Response: April to June 2023

Secureworks incident responders investigated a ransomware incident after the victim discovered encrypted files within their server environment. The investigation revealed that an unauthorized user obtained access to the victim’s environment, likely via a VPN, and established a remote desktop session to a domain controller. From there, they conducted network discovery activity. Two days later, the attacker installed and then immediately uninstalled a cloud hosting app from the domain controller, deleting the app’s logs in the process. Threat actors typically use this application to exfiltrate data.

The next day, the threat actor established a remote desktop session from the same domain controller to an endpoint, installed the cloud hosting app on the endpoint, and used the app to upload multiple files to cloud-based servers. They then leveraged the domain controller to establish remote desktop sessions to other systems throughout the environment.
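The install-then-immediate-uninstall pattern described above is detectable from host logs. The following is an added example, not code from the Secureworks report: it correlates Windows Installer events (MsiInstaller event ID 11707 = install completed, 11724 = removal completed) on the same host and product within a short window, and flags the hit as high severity when the host is a domain controller. The hostnames, product name, user names and log lines are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the report). Fields:
# timestamp | host | MsiInstaller event ID | product | user
# "cloudsync-tool" is a placeholder name for a cloud hosting client.
SAMPLE_EVENTS = [
    "2023-05-10T09:02:11|dc01|11707|cloudsync-tool|CORP\\svc_backup",
    "2023-05-10T09:03:40|dc01|11724|cloudsync-tool|CORP\\svc_backup",
    "2023-05-10T10:15:00|ws07|11707|cloudsync-tool|CORP\\jdoe",
    "2023-05-11T08:00:00|ws07|11707|pdf-reader|CORP\\jdoe",
    "2023-05-12T08:00:00|ws07|11724|pdf-reader|CORP\\jdoe",
]

# Assumed inventory of domain controller hostnames.
DOMAIN_CONTROLLERS = {"dc01"}

MSI_INSTALL_COMPLETED = 11707
MSI_REMOVAL_COMPLETED = 11724


def parse_event(line):
    ts, host, event_id, product, user = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), "product": product, "user": user}


def find_install_uninstall_pairs(lines, window=timedelta(hours=1)):
    """Return (host, product, user, seconds_between, severity) for each
    product that was installed and then removed on the same host within
    `window`. Tooling staged for a single use and then removed to erase
    its traces is what this pattern surfaces; a domain controller as the
    host raises the severity."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    pending = {}  # (host, product) -> install event awaiting a removal
    hits = []
    for ev in events:
        key = (ev["host"], ev["product"])
        if ev["event_id"] == MSI_INSTALL_COMPLETED:
            pending[key] = ev
        elif ev["event_id"] == MSI_REMOVAL_COMPLETED and key in pending:
            delta = ev["ts"] - pending[key]["ts"]
            if delta <= window:
                severity = "high" if ev["host"] in DOMAIN_CONTROLLERS else "medium"
                hits.append((ev["host"], ev["product"], ev["user"],
                             int(delta.total_seconds()), severity))
            del pending[key]
    return hits


if __name__ == "__main__":
    for hit in find_install_uninstall_pairs(SAMPLE_EVENTS):
        print(hit)
```

The long-lived pdf-reader install on ws07 is ignored because a day separates install and removal; only the 89-second cycle on dc01 is reported.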

Read the Incident Response Report for more highlights from notable observations during Secureworks incident response engagements.

The Great SIEM Debate: Overpriced or Essential to Your Cybersecurity Program

  • What is the impact of changes in the SIEM market, such as Splunk's acquisition by Cisco, and why might businesses envision switching from SIEM to XDR?
  • How does XDR meet the modern security challenges SIEM can’t fully address?
  • How can XDR deliver better security outcomes than SIEM and higher ROI?

Dive deeper into why the ever-evolving landscape of the SIEM market may mean it's time for many organizations to make a switch.

Watch the on-demand webinar

AI and Cybersecurity: Embrace the Shift, Dispel the Fear, Secure the Future

Hackers are not slow in their adoption of AI approaches. We have observed adversaries pushing boundaries and executing with increasing speed. The reality is that defenders need to keep pace and leverage AI for defense. It is time for us as security professionals to run hard and embrace AI as a powerful tool for defenders.

Closing the Talent Gap and Improving Response

There simply aren't enough skilled professionals to keep up with the increasing threat volume and customer demand. We know that with Human + AI-powered systems, even lesser-skilled cybersecurity professionals can uncover advanced threats and become more proficient faster. We use AI to close the talent gap and bolster our defenses. We believe every security company should be taking this Human + AI approach as fast as possible.

Read why accelerating the integration of AI into cybersecurity is not a luxury but a pressing necessity
