Rapid Response in Action: Containing a Potential Threat in 10 mins

Written By Dan Harrison

In the high-stakes world of cybersecurity, where threats evolve hourly and every endpoint is a potential vulnerability, rapid response can make or break an organisation's defences. A recent customer case study showcases how our Quick Actions feature is enhancing the way organisations handle cybersecurity incidents.

The Challenge

Cybersecurity teams often face a race against time when dealing with potential threats. Every second counts, and the ability to take immediate action can mean the difference between a contained incident and a full-scale breach. However, not all alerts indicate malicious activity, and thorough investigation is key to understanding the true nature of a threat.

Quick Actions in Action

Our Quick Actions feature addresses this challenge head-on. Our one click quick actions include device isolation, starting a remote session, terminating a process and deleting a file. More actions will come in the near future, further reducing investigation and response times.  

As demonstrated in a recent real-world scenario, this tool empowers users to take decisive action with just a few clicks while investigations are ongoing.

The Incident Timeline

1. A high-priority malware alert was flagged, indicating potential ransomware activity.

2. Within just 6 minutes, our SOC team acknowledged the alert and began investigating.

3. Leaving no chances, the customer used Quick Actions to isolate the potentially affected device only 10 minutes and 29 seconds after the initial alert.

The Investigation

Following the device isolation, our team conducted a thorough analysis of the incident, including a detailed review of the device and user’s telemetry. Here's what we found:

  1. No indicators of malware or connections to known C2 servers were detected.

  2. No indicators of other forms of malicious activity performed by the user or other accounts. 

  3. The flagged activity was linked to the WeMod application, used for downloading game mods and cheats.

  4. The user's device had several gaming platforms installed (Steam, Riot Client) along with games like Valorant, Dota 2, and Total War Warhammer.

  5. µTorrent was also present on the device, potentially used for downloading content from P2P sites.

The Outcome

While the initial alert raised concerns, our investigation revealed that the detected activity was not malicious in the traditional sense. Instead, it highlighted potential Acceptable Use Policy (AUP) violations.

The Benefits of Quick Actions

  1. Speed: Rapid response times significantly reduce potential risks while investigations are conducted.

  2. Simplicity: With just a click, users can execute critical actions like device isolation.

  3. Empowerment: Customers can take precautionary measures swiftly while thorough investigations are ongoing.

  4. Flexibility: Options like device isolation and remote session initiation provide a range of tools to address various scenarios.

Lessons Learned

This case study demonstrates several important points:

  1. Swift Precautionary Action: Customer's quick use of the isolation feature showcased good security practices.

  2. Thorough Investigation: The importance of comprehensive analysis before making final determinations about threats.

  3. Security and Compliance: Recognising the difference between malicious threats and potential policy violations.

  4. Limited Business Disruption: The ability to de-isolate the device once the true nature of the alert was understood is key to minimising any user downtime.

Looking Ahead

As this case demonstrates, not all security alerts indicate malicious activity, but they often reveal areas for improvement in organisational policies and user education. Tools like Quick Actions are becoming indispensable not just for threat response, but for enabling rapid, reversible actions that support thorough investigations whilst minimising business disruption. 

By providing features like Quick Actions and comprehensive investigative capabilities, we're committed to ensuring our customers have the tools they need to maintain robust cybersecurity while also understanding the nuances of each alert.

The key takeaway? In cybersecurity, the ability to act quickly is crucial, but so is the capacity to investigate thoroughly and respond appropriately to the true nature of each alert.

Dan Harrison
Previous

7 Reasons Why You Need a Cybersecurity Platform
Next

What Is a Consolidated Cyber Security Platform and Why You Need One In 2024