How We Stopped an Advanced Cyber Attack Within Hours – A Real Field Report

Real Incident | Professional Response | Complete Recovery

John Doe

In the first quarter of 2025, one of Israel’s most significant organizations faced a silent but dangerous threat. For approximately three weeks, attackers exploited a vulnerability in one of the critical components – the firewall management interface – without raising any suspicion. Within the network, they operated discreetly: creating users with elevated privileges, modifying network traffic, penetrating internal servers, and implementing advanced persistence mechanisms.

On February 12th, an unusual traffic pattern from an internal server was detected through routine monitoring, and the client contacted ICTBIT’s Incident Response (IR) service.

From that moment – every minute counted.

Our Response Team in Action

Our response team was activated immediately – both on-site and remotely – and executed a multi-phase response protocol following NIST SP 800-61 and established forensic methodology.

What Did Our Response Process Include?

Initial Network Mapping of the Organization

We ran active and passive scans to identify C2 traffic, anomalous protocols, and infected workstations, and established the attack timeline, the attackers' dwell time, and the scope of the compromise.

Evidence Preservation and Protection of Critical Findings

We took forensic images of key workstations and preserved swap files, pagefiles, Prefetch files, and relevant logs, while isolating the affected workstations from the operational environment.

Deep Technical Investigation (Deep Dive)

We performed timeline analysis of the operating systems, reviewed PowerShell history, Task Scheduler entries, and Shadow Copy logs, applied Sigma and YARA rules, and cross-referenced IOCs against global threat intelligence.

Attacker Containment and System Hardening

We blocked attacker IP addresses and file IOCs, re-established monitoring of outbound DNS, activated SSL inspection, disconnected suspicious components, and verified configuration consistency across firewalls and domain controllers.

Safe Cleanup, Recovery, and Restoration

We identified changes to GPOs and the SAM, analyzed modifications to the AD schema, compared against secured backups and verified their integrity. Services were restored only after complete verification.

Documentation, Lessons Learned, and Improvement Plan Development

We produced a comprehensive report covering the attack timeline, root cause analysis, IOC signatures, recovery actions and recommended controls, alongside a work plan for defense upgrades and lessons learned.
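To make the timeline and privilege-abuse part of this process concrete, here is an added example (our own illustration, not code from the actual engagement). It correlates a handful of constructed Windows Security events into a timeline, flags accounts that were created and then added to a privileged group within a short window, lists the scheduled tasks those accounts registered, and estimates dwell time from the first flagged event to the detection time. The event IDs are the standard Windows ones (4720 account created, 4728/4732 member added to a global/local group, 4698 scheduled task created); the simplified JSON field names, hostnames, account names and timestamps are all constructed for the example.

```python
"""Triage helpers: build a timeline from Windows Security events and flag
'new account -> privileged group' chains plus the persistence they set up.

Event IDs: 4720 (user account created), 4728 / 4732 (member added to a
global / local security group), 4698 (scheduled task created).
The flat field names below are a simplified assumption, not the raw
Windows event XML schema.  All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# An account that is created and elevated within this window is suspicious.
ELEVATION_WINDOW = timedelta(hours=24)

# Constructed sample log: one malicious chain (svc_backup2, created by the
# compromised 'fwadmin' account) and one benign helpdesk onboarding (j.cohen).
SAMPLE_EVENTS = """
{"ts": "2025-01-22T02:14:09", "event_id": 4720, "host": "DC01", "subject_user": "fwadmin", "target_user": "svc_backup2"}
{"ts": "2025-01-22T02:15:30", "event_id": 4728, "host": "DC01", "subject_user": "fwadmin", "member_name": "svc_backup2", "group": "Domain Admins"}
{"ts": "2025-01-22T02:40:11", "event_id": 4698, "host": "FS01", "subject_user": "svc_backup2", "task_name": "Microsoft-Windows-Update-Sync"}
{"ts": "2025-01-25T09:00:00", "event_id": 4720, "host": "DC01", "subject_user": "helpdesk1", "target_user": "j.cohen"}
{"ts": "2025-02-03T11:05:41", "event_id": 4732, "host": "DC01", "subject_user": "helpdesk1", "member_name": "j.cohen", "group": "Remote Desktop Users"}
{"ts": "2025-02-12T08:30:00", "event_id": 4698, "host": "APP03", "subject_user": "svc_backup2", "task_name": "Backup-Nightly"}
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    host: str
    fields: dict


def parse_events(text: str) -> list:
    """Parse JSON lines into Event objects, oldest first (the timeline)."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(Event(datetime.fromisoformat(rec.pop("ts")),
                            int(rec.pop("event_id")), rec.pop("host"), rec))
    return sorted(events, key=lambda e: e.ts)


def privileged_account_chains(events: list) -> list:
    """Pair each account creation (4720) with a later 4728/4732 that adds the
    same account to a privileged group inside ELEVATION_WINDOW."""
    findings = []
    for created in (e for e in events if e.event_id == 4720):
        acct = created.fields["target_user"]
        for add in events:
            if add.event_id not in (4728, 4732):
                continue
            if add.fields.get("member_name") != acct:
                continue
            if add.fields.get("group") not in PRIVILEGED_GROUPS:
                continue
            if created.ts <= add.ts <= created.ts + ELEVATION_WINDOW:
                findings.append({
                    "account": acct,
                    "created": created.ts,
                    "elevated": add.ts,
                    "group": add.fields["group"],
                    "creator": created.fields.get("subject_user"),
                    "host": add.host,
                })
    return findings


def persistence_by_accounts(events: list, accounts: set) -> list:
    """Scheduled tasks (4698) registered by any of the flagged accounts."""
    return [e for e in events
            if e.event_id == 4698 and e.fields.get("subject_user") in accounts]


def estimate_dwell_days(findings: list, detected_at: datetime) -> int:
    """Whole days from the earliest flagged account creation to detection."""
    if not findings:
        return 0
    return (detected_at - min(f["created"] for f in findings)).days


if __name__ == "__main__":
    timeline = parse_events(SAMPLE_EVENTS)
    chains = privileged_account_chains(timeline)
    tasks = persistence_by_accounts(timeline, {c["account"] for c in chains})
    for c in chains:
        print(f"[!] {c['account']} created {c['created']} by {c['creator']}, "
              f"added to {c['group']} at {c['elevated']} on {c['host']}")
    for t in tasks:
        print(f"[!] task {t.fields['task_name']} on {t.host} at {t.ts} "
              f"by {t.fields['subject_user']}")
    print("dwell (days):", estimate_dwell_days(chains, datetime(2025, 2, 12, 10, 0)))
```

The creation-to-elevation window is the heart of the check: legitimate onboarding also creates accounts and adds them to groups, so the rule only fires when the target group is privileged and the two events are close together, which is why the helpdesk example stays quiet while the service account created by the compromised firewall admin is flagged together with both tasks it registered.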

The Results

  • Attacker operations were completely neutralized
  • Critical work environment was fully restored
  • Systemic vulnerabilities were addressed
  • Organization-wide cybersecurity upgrade plan was developed

Key Insights from the Incident

A Skilled IR Team is the Critical Defense Line – Response time, operational order, and precise tools make the difference between measured damage and complete shutdown.

Early Preparedness Saves Time and Money – An organization with procedures, a DR plan, and basic understanding of incident management responds faster.

Without Early Detection – Damage Accumulates Below the Surface – Silent attackers aren’t necessarily less dangerous attackers.

Why Choose ICTBIT for Incident Response

At ICTBIT, we offer 24/7 IR services with certified teams, the most advanced forensic tools on the market, and a proven ability to restore systems rapidly – without compromising investigation quality.

If you’re seeing unusual traffic or unexplained activity, or simply want to check whether you’re prepared, contact us before the next incident begins.
