One of our members called "Wildfire!" today, meaning they were submitting information to the portal as they worked an incident. The member submitted log snippets showing exfiltration and C2 destinations as well as inbound sourcing, the malware, and a full copy of an email with the header intact.
Within minutes of the report, Red Sky began victim notification while the company worked the intrusion from the inside. When we needed a contact at an external company, one of the other members chimed into the portal with a contact and then made an introduction. Victims responded to the offending servers. The C2 and exfil paths were blocked by the member, and all external entities (except one, where we had to leave a VM) knew about the incident and were responding.
When the dust settled, one of the companies had asked for membership information and felt they, too, should be a member of the alliance. I'll have that meeting next week!
That's the way collaboration is SUPPOSED to work!
Jeff is happy today.