Five Stages of a Ransomware Attack. During one ransomware incident, X-Force uncovered an entrenched, advanced adversary that was leveraging a Shadow IT bridged network to maintain access to two organizations for over a year.
During the investigation, X-Force identified that the ransomware attack was contained within a single domain of the multi-domain forest. However, X-Force uncovered evidence indicating that the adversary had pivoted throughout the entire forest to execute the attack.
X-Force traced the evidence across the forest root domain to another child domain, where the adversary had maintained persistent access for 381 days. While monitoring the environment, X-Force detected the adversary returning to the environment from an IP range unknown to the client’s IT department. Working with the client’s IT team, X-Force and the client traced the activity back to the security office, where a rogue networking device was discovered; it had been installed to share badge-printing capabilities between the client and another organization.
Interviews with the client and the other organization established that the bridged network was unknown to all IT departments and had allowed the adversary to pivot back and forth and operate outside the visibility of both security teams. This is a worst-case scenario for Shadow IT. Had X-Force not been persistent during the investigation and followed the evidence to determine the root cause of the attack, the adversary would have maintained access to the environment and could have executed another ransomware attack against the client.
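The detection that broke this case open was a logon from an IP range nobody in IT had inventoried, followed by the same source reaching more than one domain of the forest. The script below is an added illustration, not X-Force's tooling or anything from the engagement: it checks each logon source against an inventory of known address ranges and reports any unknown source together with the domains it touched. The known ranges, the log format and the log lines are all constructed for the example.

```python
import ipaddress
import re

# Constructed, hypothetical inventory of the address ranges both IT departments
# know about; no real client ranges appear on the page.
KNOWN_RANGES = [ipaddress.ip_network(n) for n in
                ("10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24")]

# Constructed sample logon events in a simple "key=value" format.
SAMPLE_LOG = """\
2023-01-05T08:01:12 logon src=10.10.4.21 domain=CORP user=jdoe
2023-01-05T08:03:40 logon src=192.168.50.7 domain=CORP user=svc-print
2023-01-05T22:14:09 logon src=172.31.9.5 domain=CHILD2 user=admin
2023-01-06T03:27:51 logon src=172.31.9.5 domain=ROOT user=admin
2023-01-06T09:15:00 logon src=10.20.1.8 domain=ROOT user=backup
"""

LINE_RE = re.compile(r"^(\S+) logon src=(\S+) domain=(\S+) user=(\S+)$")

def parse_log(text):
    """Parse log lines into (timestamp, src_ip, domain, user) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events

def is_known_source(ip):
    """True when the source address falls inside an inventoried range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)

def find_unknown_sources(events):
    """Return events whose source IP is outside every known range."""
    return [e for e in events if not is_known_source(e[1])]

def domains_per_unknown_source(events):
    """Map each unknown source IP to the sorted list of domains it reached.
    One unknown source touching several domains is the forest-wide pivot
    pattern the investigation describes."""
    reach = {}
    for _ts, ip, domain, _user in find_unknown_sources(events):
        reach.setdefault(ip, set()).add(domain)
    return {ip: sorted(doms) for ip, doms in reach.items()}

if __name__ == "__main__":
    for ip, doms in domains_per_unknown_source(parse_log(SAMPLE_LOG)).items():
        print(f"unknown source {ip} reached domains: {', '.join(doms)}")
```

In practice the inventory would be fed from the organization's IPAM and the events from domain controller or VPN logs; an address that matches no inventoried range is exactly the kind of blind spot a bridged Shadow IT network creates.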
Shadow IT Preparedness
Shadow IT can introduce unnecessary risk to an organization because blind spots are the enemy of security. X-Force recommends organizations implement a prevention, detection, and response strategy with regard to Shadow IT to achieve a holistic approach to risk management.
If you are interested in learning more about how to prevent, detect, and respond to Shadow IT within your organization, X-Force provides world-class proactive and reactive services to ensure your organization achieves complete preparedness for the threat of Shadow IT.
If you have questions and want a deeper discussion about Shadow IT prevention, detection, and response techniques, or to learn how IBM X-Force can help you with incident response, threat intelligence, or offensive security services, schedule a no-cost follow-up meeting here: IBM X-Force Scheduler.
If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
Lastly, download the 2022 Definitive Guide to Ransomware to fortify your knowledge and defenses against ransomware threats here.