The 2:00 AM Call

At 02:17, an automated alert from Aegis Sovereign fired: anomalous SMB lateral movement across 14 hosts in a manufacturing firm’s operational technology network. By 02:19, an on-call analyst had the alert open. By 04:11 — 114 minutes later — the ransomware operator had been evicted, affected systems were isolated, and recovery was underway. Zero ransom paid.

This is a sanitized account of that incident response, and the playbook that made it possible.

Phase 1: Detection and Initial Triage (0–15 minutes)

Speed in the first 15 minutes is everything. The attacker is moving. Every minute of delay is another host encrypted.

02:17 — Aegis alert: lateral movement, 14 hosts, SMBv1 protocol
02:19 — Analyst confirms: not a false positive, LockBit IOCs present
02:22 — Client emergency contact notified
02:24 — Network isolation initiated on affected VLAN
02:28 — Forensic agent deployed on patient zero
02:31 — Initial entry point identified: RDP brute force on DMZ host

Phase 2: Containment (15–45 minutes)

Containment is the most time-pressured phase. The goal is to stop the spread, not to fully understand the attack. Understanding comes later.

Our containment checklist:

  • Network segment isolation (VLAN ACLs, not full outage)
  • Disable compromised accounts (not delete — preserve forensic trail)
  • Block C2 IPs at the perimeter firewall
  • Preserve volatile memory on affected hosts (before rebooting anything)
  • Identify and protect backup systems (attackers target backups first)

In this incident, the backup server had already been targeted but not yet encrypted. We isolated it 7 minutes before the ransomware payload would have reached it.

Phase 3: Eradication (45–90 minutes)

After containment, we identify and remove all attacker footholds:

✓ Scheduled tasks created by the attacker
✓ New local admin accounts
✓ Malicious DLLs (DLL hijacking for persistence)
✓ Registry autoruns
✓ WMI event subscriptions
✓ Modified LSASS for credential harvesting

Eradication must be complete. Missing a single persistence mechanism means the attacker returns.

Phase 4: Recovery (90–120 minutes)

With footholds removed, recovery begins from clean backups:

  • Restore from last known-good backup (tested — not assumed)
  • Patch the initial access vector (RDP exposed to internet, weak password)
  • Reset all credentials that were active during the compromise window
  • Enable MFA on all remote access
  • Verify integrity of restored systems before bringing back online

Phase 5: Post-Incident Review

24 hours after containment, we conduct a root cause analysis. In this incident:

  • Initial access: RDP brute force (14,000 attempts over 3 days before success)
  • Initial access was preventable: RDP should not have been exposed to the internet
  • Dwell time: 11 days from initial access to ransomware deployment
  • What Aegis caught: Lateral movement at deployment time — the dwell period was quiet
  • Recommendation: Deploy Aegis agents earlier in the kill chain

What Makes the Difference

Incidents are won or lost in the detection and containment phases. Having a tested playbook, pre-established communication protocols, and a platform that compresses detection time from hours to minutes is what separates a 2-hour containment from a 2-week recovery.

Our Managed Detection and Response service means our analysts are watching your environment 24/7, with this playbook ready to execute the moment something fires. Learn more about our Incident Response service or contact us to establish a retainer before you need it.