How Proactive Threat Hunting Stopped INC Ransom Before the Alert

2026-02-06 20:15:19| The Webmail Blog

Cloud Insights

February 9, 2026, by Craig Fretwell, Global Head of Cybersecurity Operations, Rackspace Technology

A real-world threat hunting engagement shows how INC Ransom activity was uncovered early, before alerts fired and before ransomware could take hold.

Modern security operations rely heavily on automated detection. Alerts, analytics and automated responses play a critical role in identifying known threats and responding at speed. But even the most mature security operations center cannot account for every possible adversary behavior. That gap is where proactive threat hunting becomes essential.

Threat hunting is designed to surface malicious activity that does not yet meet the threshold of an incident. This is the kind of activity that blends into normal operations, avoids known detection logic or unfolds slowly over time. If you rely only on alerts, this behavior is easy to miss.
A recent threat hunting engagement conducted by the Rackspace Cyber Defense Center demonstrates exactly why this capability matters.

Safeguarding critical emergency communications

The environment in question belonged to a government services organization that supports critical emergency communications. Availability, reliability and trust were non-negotiable. Any service disruption, particularly one caused by ransomware, would have had immediate operational and public safety implications.

Like many organizations operating critical services, this environment relied on standard preventative controls and alerting to identify known threats. At the time of the engagement, there were no active incidents, no high-severity alerts and no visible signs of compromise. That was precisely the point. The absence of alerts did not indicate the absence of risk. It created an opportunity to look deeper for adversary behavior that had not yet reached an alerting threshold.

A proactive, analyst-led threat hunt

As part of a scheduled, analyst-led threat hunting exercise, the Rackspace Cyber Defense Center conducted a focused review of identity, endpoint and network telemetry collected over the prior month. The hunt assumed potential compromise and intentionally looked beyond alert-based detections.

If you're responsible for a mature security environment, this type of threat hunt may feel counterintuitive. There was no incident to respond to and no alert demanding investigation. Instead, analysts worked from the premise that not all adversary activity announces itself. The goal was to identify behaviors that should not exist, even when controls appear to be working as expected.

Rather than responding to known indicators, analysts searched for adversary behaviors aligned to the MITRE ATT&CK framework. This included techniques commonly associated with ransomware activity, such as credential abuse, unauthorized remote access, lateral movement and early-stage prepositioning.
This hunt was not driven by an incident. Instead, it was driven by intent and the understanding that early-stage adversary behavior is often easiest to find before it becomes an alert.

Focusing on the INC Ransom threat group

The threat hunt focused on tradecraft associated with INC Ransom, a globally active ransomware and data extortion group that has been operating since at least mid-2023. The group has been linked to attacks against public sector organizations and critical services, often relying on credential compromise, Living off the Land techniques and the abuse of legitimate remote access tools before moving to encryption or extortion.

If you are responsible for defending a complex environment, this kind of activity may sound familiar. These techniques are designed to blend in. They rely on tools and access patterns that can appear legitimate, especially in environments with diverse users and administrative workflows.

At the time of the hunt, there were no dedicated detections in place tuned specifically to INC Ransom's early-stage behaviors. That gap proved critical. It meant adversary activity could progress quietly, without triggering alerts, unless someone was actively looking for it.

What the hunt uncovered before impact

The threat hunt did not surface a single obvious indicator. Instead, it revealed a pattern of early-stage adversary behavior unfolding across identity, endpoint and network telemetry. Individually, each signal was subtle. Taken together, they pointed to an active intrusion progressing toward ransomware execution.

Because analysts weren't constrained by alert thresholds, they were able to identify these behaviors early, before encryption, data exfiltration or service disruption occurred. The findings fell into several key areas.

Identity and authentication abuse

Analysis of authentication telemetry revealed cleartext authentication events associated with a legitimate user account.
This activity deviated from established baselines and suggested potential credential exposure. Correlation with logon timing and source infrastructure elevated the risk assessment.

Unauthorized account activity and RDP access

Threat hunting analysis identified unauthorized RDP logon activity tied to an unapproved user account. The account did not align with documented access requirements or operational usage patterns. Session attributes and originating infrastructure were inconsistent with normal administrative behavior.

Unauthorized remote access tooling

Endpoint execution telemetry revealed the presence of an unapproved remote access tool, AnyDesk.exe. Installation and execution context indicated unauthorized use rather than sanctioned administrative activity. The organization confirmed that only approved remote access tools were permitted within the environment.

Network-based pre-impact indicators

Proactive network analysis identified multiple malicious external IP addresses generating high-volume inbound traffic that was initially permitted at the application layer. In addition, ransomware-related artifacts, including README.txt and README.html files, were observed originating from suspicious external infrastructure. While encryption had not yet occurred, these indicators aligned with known INC Ransom pre-impact behavior.

Viewed in isolation, none of these findings would necessarily indicate an active ransomware event. Together, they revealed a clear trajectory toward impact. This is where proactive threat hunting proved decisive. By identifying low-signal behaviors early and connecting them across telemetry sources, analysts were able to surface attacker intent before the environment reached an incident threshold.

Containment before disruption

Once the activity was identified, containment actions were taken quickly and in close coordination with the customer. The focus was on stopping adversary progression without disrupting normal operations.
Key actions included:

- Disabling unauthorized user accounts associated with suspicious authentication and RDP activity
- Blocking malicious external IP addresses at perimeter and cloud security layers
- Removing unauthorized remote access tooling after customer validation
- Sharing confirmed Indicators of Compromise to strengthen environment-wide prevention and monitoring

Following containment, analysts conducted a review of subsequent telemetry to validate remediation. No continued malicious activity was observed. Most importantly, the threat was stopped before it reached impact. No ransomware encryption occurred. No data was exfiltrated. No service disruption was experienced.

Closing the gaps between alerts

This engagement highlights a practical reality of modern security operations. Not all malicious activity generates alerts, and not all compromises begin with a clear incident. Ransomware groups increasingly rely on low-noise techniques that unfold gradually. They abuse legitimate credentials, use approved tools and blend into normal operational workflows. In environments that depend primarily on automated detection, this activity can persist unnoticed until attackers reach later stages such as encryption or extortion.

Proactive threat hunting is designed to close these gaps. By looking for behavior that falls outside expected patterns, analysts can identify adversary activity earlier, validate whether controls are working as intended and uncover blind spots that automated detections do not address. In this case, threat hunting surfaced adversary behavior that would likely have remained invisible until the environment reached an incident threshold.

How Rackspace helps

Threat hunting is a core part of Rackspace Managed XDR and is delivered through the Rackspace Cyber Defense Center powered by Microsoft Sentinel. It is not treated as a one-off exercise or an escalation step. It is an ongoing, analyst-led capability designed to work alongside detection and response.
If you rely primarily on alerts to understand risk in your environment, threat hunting provides a necessary counterbalance. Analysts actively search for emerging adversary behavior that automated logic may miss, using evidence drawn from identity, endpoint and network telemetry. By combining deep security expertise with continuous analysis across these data sources, Rackspace helps you identify risk earlier, validate whether controls are operating as intended and strengthen cyber resilience without waiting for an alert to fire.

Take the next step with a Microsoft Sentinel Visibility & Resilience Check to identify detection gaps and improve visibility between alerts.
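The cross-telemetry correlation described in the findings above, as an added example that is not part of the original post or of Rackspace's tooling: a minimal Python hunt that applies the four hypotheses (cleartext logons, RDP by unapproved accounts, unapproved remote access tooling, permitted inbound traffic from known-bad IPs) to constructed sample events and escalates only where independent signals converge on one host. The account allow-list, tool lists, IPs and host names are all assumed.

```python
from collections import defaultdict

# Assumed allow-lists for the environment (constructed, not from the engagement).
APPROVED_RDP_ACCOUNTS = {"corp\\ops-admin"}
APPROVED_REMOTE_TOOLS = {"msra.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe"}
KNOWN_BAD_IPS = {"203.0.113.10"}  # constructed threat-intel entry

# Constructed sample telemetry. Windows logon types: 8 = NetworkCleartext
# (credentials sent in the clear), 10 = RemoteInteractive (RDP).
EVENTS = [
    {"src": "identity", "host": "srv-comms-01", "account": "corp\\jdoe", "logon_type": 8, "ip": "203.0.113.10"},
    {"src": "identity", "host": "srv-comms-01", "account": "corp\\svc-tmp", "logon_type": 10, "ip": "203.0.113.10"},
    {"src": "endpoint", "host": "srv-comms-01", "account": "corp\\svc-tmp", "process": "C:\\Users\\svc-tmp\\AnyDesk.exe"},
    {"src": "network", "host": "srv-comms-01", "ip": "203.0.113.10", "direction": "inbound", "action": "allow"},
    {"src": "identity", "host": "srv-files-02", "account": "corp\\ops-admin", "logon_type": 10, "ip": "10.0.5.20"},
    {"src": "endpoint", "host": "srv-files-02", "account": "corp\\ops-admin", "process": "C:\\Windows\\System32\\msra.exe"},
]

def hunt(events):
    """Apply the four hunt hypotheses; return {host: sorted findings} for hosts with any hit."""
    findings = defaultdict(set)
    for e in events:
        host = e["host"]
        if e["src"] == "identity":
            if e["logon_type"] == 8:
                findings[host].add("cleartext_auth")
            if e["logon_type"] == 10 and e["account"] not in APPROVED_RDP_ACCOUNTS:
                findings[host].add("unapproved_rdp")
        elif e["src"] == "endpoint":
            image = e["process"].rsplit("\\", 1)[-1].lower()
            if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_REMOTE_TOOLS:
                findings[host].add("unapproved_remote_tool")
        elif e["src"] == "network":
            if e["direction"] == "inbound" and e["action"] == "allow" and e["ip"] in KNOWN_BAD_IPS:
                findings[host].add("malicious_inbound_allowed")
    return {h: sorted(f) for h, f in findings.items()}

def escalate(findings, min_categories=2):
    """A single weak signal is noise; escalate hosts where independent signals converge."""
    return sorted(h for h, f in findings.items() if len(f) >= min_categories)

if __name__ == "__main__":
    result = hunt(EVENTS)
    for host in escalate(result):
        print(host, "->", ", ".join(result[host]))
```

The approved admin's RDP session and sanctioned msra.exe on srv-files-02 produce no findings, which is the point: the rules key on deviation from the documented allow-lists, not on the tools themselves.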