Postmortem of Two Real World Attacks: 1) Fast-moving Ransomware 2) Webshell-based Data Exfiltration

Webinar Registration

Deep dives into real world attacks are so valuable but equally tough to come by. So I’m really excited about this real training for free session where we will examine not one but 2 different attacks.

And these attacks highlight an important fact: In the world of Threat Detection & Response, endpoint visibility is currently king. EDR (Endpoint Detection & Response) and MDR (Managed Detection & Response) vendors stress the importance of full endpoint visibility, often as a ‘silver bullet’ for detecting and responding to evil. While endpoint visibility is critically important, it’s only part of the picture. For full visibility you need to be able to see activity on the network and in the cloud as well as analyze user behavior.

In this webinar, we’ll talk about a balanced approach to detection & response that leverages endpoint, network, user, and cloud service visibility to effectively detect & respond to the full range of threats facing enterprises today. We’ll do this through deep dives into 2 different real-world attacks detected and investigated by my guest, the Rapid7 Managed Detection & Response team. We’ll go over how logging and monitoring from the endpoint to the cloud helped the MDR team effectively identify these incidents, accurately assess scope and impact, and guide effective containment and eradication actions to eliminate the threat.

  • First, we’ll walk through a fast-moving ransomware attack. The attacker moved quickly, from initial compromise to staging ransomware on dozens of systems in less than 48 hours. The Rapid7 SOC needed to respond rapidly to prevent ransomware detonation. We had alerts firing on some of the impacted systems. But where did the attack originate? And were other systems also compromised? Only by leveraging a combination of endpoint, user, and network data was the SOC able to quickly identify impact and root cause and take swift containment actions to limit the damage.
  • Second, we’ll look at our response to an attacker determined to steal sensitive data from one of our customers. This adversary had planted webshells on Internet-facing systems and was using them to exfiltrate data. But how was the attacker getting in to drop these webshells in the first place? The Rapid7 SOC used endpoint, cloud, user, and network activity to pinpoint and lock down the source of the compromise.

Both attacks are worth studying because 1) everyone is a target for ransomware and 2) webshells are multi-purpose and can be difficult to detect. As the name implies, a webshell is a web-based implementation of the shell concept: it lets a user access a web server through a web browser that acts like a command-line interface. Attackers have many ways to deliver a webshell, and once it is installed they can use it for data theft, watering-hole attacks, defacement, relaying C&C traffic to internal endpoints, and as a C&C base in general.
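As an added illustration of the endpoint-plus-network approach described above (example code written for this page, not Rapid7's tooling), the following joins constructed endpoint file-creation events with constructed access-log lines to surface webshell-like activity; the process names, webroot path, and response-size threshold are assumptions.

```python
import re

# Constructed sample data, not from the webinar: endpoint file-creation events
# for the webroot and access-log lines from the same Internet-facing host.
FILE_EVENTS = [  # (timestamp, creating process, path)
    ("2024-03-01T09:00:00", "msdeploy.exe", "/var/www/app/index.aspx"),
    ("2024-03-01T10:15:00", "w3wp.exe", "/var/www/app/uploads/help.aspx"),
]
ACCESS_LOG = """\
10.0.0.5 - - [01/Mar/2024:10:16:02 +0000] "POST /uploads/help.aspx HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [01/Mar/2024:10:18:40 +0000] "POST /uploads/help.aspx HTTP/1.1" 200 9400000 "-" "python-requests/2.31"
192.0.2.9 - - [01/Mar/2024:10:20:00 +0000] "GET /index.aspx HTTP/1.1" 200 2048 "https://example.test/" "Mozilla/5.0"
"""
# Combined-format access log: client, timestamp, request line, status, bytes, referer, user agent.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) "([^"]*)" "([^"]*)"$')
WEBROOT = "/var/www/app"  # assumed webroot
WEB_SERVER_PROCS = {"w3wp.exe", "httpd", "nginx", "php-fpm"}  # assumed process names
EXFIL_BYTES = 1_000_000  # assumed threshold for an unusually large response

def parse_access_log(text):
    """Yield one dict per well-formed combined-format log line; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            client, ts, method, path, status, size, referer, ua = m.groups()
            yield {"client": client, "ts": ts, "method": method, "path": path,
                   "status": int(status), "bytes": int(size), "referer": referer, "ua": ua}

def server_written_files(events):
    """Endpoint signal: files the web server process itself wrote into the webroot.
    A deployment tool writing there is expected; the server writing content is not."""
    return {path[len(WEBROOT):] for _, proc, path in events
            if proc in WEB_SERVER_PROCS and path.startswith(WEBROOT)}

def find_webshell_activity(events, log_text):
    """Network signal joined to the endpoint signal: any request to a server-written
    file is flagged; a direct POST with no referer and a large response add severity."""
    candidates = server_written_files(events)
    findings = []
    for rec in parse_access_log(log_text):
        if rec["path"] not in candidates:
            continue
        reasons = ["request to file written by the web server process"]
        if rec["method"] == "POST" and rec["referer"] == "-":
            reasons.append("direct POST with no referer")
        if rec["bytes"] >= EXFIL_BYTES:
            reasons.append("large response, possible exfiltration")
        findings.append({**rec, "reasons": reasons, "severity": len(reasons)})
    return findings
```

Each finding carries the client, path, byte count and the list of reasons, which is what an analyst needs to scope the affected host and the source address.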

After this technical, real training for free content, Rapid7 will briefly show you how their technology and MDR service work.

Please join us for this real training for free event.
