Earlier this year, analysts in the LevelBlue Managed Threat Detection and Response (MTDR) security operations center (SOC) were alerted to a potential ransomware attack on a large municipal customer. The attack, which was subsequently found to have been carried out by members of the Royal ransomware group, affected several departments and temporarily disrupted critical communications and IT systems.
During the incident, LevelBlue analysts served as critical first responders, promptly investigating alarms in the USM Anywhere platform and quickly communicating the issue to the customer. They also provided extensive after-hours support at the height of the attack—as the customer shared updates on impacted servers and services, the analysts gave guidance on containment and remediation. They shared all observed indicators of compromise (IOCs) with the customer, some of which included IP addresses and domains that could be blocked quickly by the LevelBlue Managed Firewall team because the customer was also using LevelBlue’s managed firewall services.
Just 24 hours after initial communications, analysts had compiled and delivered to the customer a detailed report on the incident findings. The report included recommendations on how to help protect against future ransomware attacks as well as suggested remediation actions the customer should take in the event that legal, compliance, or deeper post-incident forensic review is needed.
Read our case study to learn more about how our analysts helped the customer accelerate their time to respond and contain the damage from the attack, and learn how the LevelBlue Labs threat intelligence team has used the findings from this incident to help secure all LevelBlue Cybersecurity managed detection and response customers!
