je.st
news
How Proactive Threat Hunting Stopped INC Ransom Before the Alert
2026-02-06 20:15:19| The Webmail Blog
February 9, 2026, by Craig Fretwell, Global Head of Cybersecurity Operations, Rackspace Technology

A real-world threat hunting engagement shows how INC Ransom activity was uncovered early, before alerts fired and before ransomware could take hold.

Modern security operations rely heavily on automated detection. Alerts, analytics and automated responses play a critical role in identifying known threats and responding at speed. But even the most mature security operations center cannot account for every possible adversary behavior. That gap is where proactive threat hunting becomes essential.

Threat hunting is designed to surface malicious activity that does not yet meet the threshold of an incident. This is the kind of activity that blends into normal operations, avoids known detection logic or unfolds slowly over time. If you rely only on alerts, this behavior is easy to miss.

A recent threat hunting engagement conducted by the Rackspace Cyber Defense Center demonstrates exactly why this capability matters.

Safeguarding critical emergency communications

The environment in question belonged to a government services organization that supports critical emergency communications. Availability, reliability and trust were non-negotiable. Any service disruption, particularly one caused by ransomware, would have had immediate operational and public safety implications.

Like many organizations operating critical services, this environment relied on standard preventative controls and alerting to identify known threats. At the time of the engagement, there were no active incidents, no high-severity alerts and no visible signs of compromise.

That was precisely the point. The absence of alerts did not indicate the absence of risk. It created an opportunity to look deeper for adversary behavior that had not yet reached an alerting threshold.

A proactive, analyst-led threat hunt

As part of a scheduled, analyst-led threat hunting exercise, the Rackspace Cyber Defense Center conducted a focused review of identity, endpoint and network telemetry collected over the prior month. The hunt assumed potential compromise and intentionally looked beyond alert-based detections.

If you're responsible for a mature security environment, this type of threat hunt may feel counterintuitive. There was no incident to respond to and no alert demanding investigation. Instead, analysts worked from the premise that not all adversary activity announces itself. The goal was to identify behaviors that should not exist, even when controls appear to be working as expected.

Rather than responding to known indicators, analysts searched for adversary behaviors aligned to the MITRE ATT&CK framework. This included techniques commonly associated with ransomware activity, such as credential abuse, unauthorized remote access, lateral movement and early-stage prepositioning.

This hunt was not driven by an incident. Instead, it was driven by intent and the understanding that early-stage adversary behavior is often easiest to find before it becomes an alert.

Focusing on the INC Ransom threat group

The threat hunt focused on tradecraft associated with INC Ransom, a globally active ransomware and data extortion group that has been operating since at least mid-2023. The group has been linked to attacks against public sector organizations and critical services, often relying on credential compromise, Living off the Land techniques and the abuse of legitimate remote access tools before moving to encryption or extortion.

If you are responsible for defending a complex environment, this kind of activity may sound familiar. These techniques are designed to blend in. They rely on tools and access patterns that can appear legitimate, especially in environments with diverse users and administrative workflows.

At the time of the hunt, there were no dedicated detections in place tuned specifically to INC Ransom's early-stage behaviors. That gap proved critical. It meant adversary activity could progress quietly, without triggering alerts, unless someone was actively looking for it.

What the hunt uncovered before impact

The threat hunt did not surface a single obvious indicator. Instead, it revealed a pattern of early-stage adversary behavior unfolding across identity, endpoint and network telemetry. Individually, each signal was subtle. Taken together, they pointed to an active intrusion progressing toward ransomware execution.

Because analysts weren't constrained by alert thresholds, they were able to identify these behaviors early, before encryption, data exfiltration or service disruption occurred. The findings fell into several key areas.

Identity and authentication abuse

Analysis of authentication telemetry revealed cleartext authentication events associated with a legitimate user account. This activity deviated from established baselines and suggested potential credential exposure. Correlation with logon timing and source infrastructure elevated the risk assessment.

Unauthorized account activity and RDP access

Threat hunting analysis identified unauthorized RDP logon activity tied to an unapproved user account. The account did not align with documented access requirements or operational usage patterns. Session attributes and originating infrastructure were inconsistent with normal administrative behavior.

Unauthorized remote access tooling

Endpoint execution telemetry revealed the presence of an unapproved remote access tool, AnyDesk.exe. Installation and execution context indicated unauthorized use rather than sanctioned administrative activity. The organization confirmed that only approved remote access tools were permitted within the environment.

Network-based pre-impact indicators

Proactive network analysis identified multiple malicious external IP addresses generating high-volume inbound traffic that was initially permitted at the application layer. In addition, ransomware-related artifacts, including README.txt and README.html files, were observed originating from suspicious external infrastructure. While encryption had not yet occurred, these indicators aligned with known INC Ransom pre-impact behavior.

Viewed in isolation, none of these findings would necessarily indicate an active ransomware event. Together, they revealed a clear trajectory toward impact. This is where proactive threat hunting proved decisive. By identifying low-signal behaviors early and connecting them across telemetry sources, analysts were able to surface attacker intent before the environment reached an incident threshold.

Containment before disruption

Once the activity was identified, containment actions were taken quickly and in close coordination with the customer. The focus was on stopping adversary progression without disrupting normal operations.
Key actions included:
- Disabling unauthorized user accounts associated with suspicious authentication and RDP activity
- Blocking malicious external IP addresses at perimeter and cloud security layers
- Removing unauthorized remote access tooling after customer validation
- Sharing confirmed Indicators of Compromise to strengthen environment-wide prevention and monitoring

Following containment, analysts conducted a review of subsequent telemetry to validate remediation. No continued malicious activity was observed. Most importantly, the threat was stopped before it reached impact. No ransomware encryption occurred. No data was exfiltrated. No service disruption was experienced.

Closing the gaps between alerts

This engagement highlights a practical reality of modern security operations. Not all malicious activity generates alerts, and not all compromises begin with a clear incident.

Ransomware groups increasingly rely on low-noise techniques that unfold gradually. They abuse legitimate credentials, use approved tools and blend into normal operational workflows. In environments that depend primarily on automated detection, this activity can persist unnoticed until attackers reach later stages such as encryption or extortion.

Proactive threat hunting is designed to close these gaps. By looking for behavior that falls outside expected patterns, analysts can identify adversary activity earlier, validate whether controls are working as intended and uncover blind spots that automated detections do not address. In this case, threat hunting surfaced adversary behavior that would likely have remained invisible until the environment reached an incident threshold.

How Rackspace helps

Threat hunting is a core part of Rackspace Managed XDR and is delivered through the Rackspace Cyber Defense Center powered by Microsoft Sentinel. It is not treated as a one-off exercise or an escalation step. It is an ongoing, analyst-led capability designed to work alongside detection and response.

If you rely primarily on alerts to understand risk in your environment, threat hunting provides a necessary counterbalance. Analysts actively search for emerging adversary behavior that automated logic may miss, using evidence drawn from identity, endpoint and network telemetry. By combining deep security expertise with continuous analysis across these data sources, Rackspace helps you identify risk earlier, validate whether controls are operating as intended and strengthen cyber resilience without waiting for an alert to fire.

Take the next step with a Microsoft Sentinel Visibility & Resilience Check to identify detection gaps and improve visibility between alerts.

Tags: Cloud Insights
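The post describes four low-signal findings (cleartext authentication by a legitimate account, an RDP logon by an unapproved account, execution of an unapproved remote access tool, and permitted high-volume inbound traffic plus ransom-note artifacts from external infrastructure) that only became meaningful once correlated across identity, endpoint and network telemetry, and then lists four containment actions. The script below is an added illustration of that hunt-and-contain logic written by the editor; it is not Rackspace's code and not RAIDER, Managed XDR or Microsoft Sentinel content (a real hunt would run KQL over Sentinel tables rather than Python over dicts). Every event, account, hostname and IP address is constructed for the example, and the baseline sets (approved RDP accounts, approved tooling, admin subnet, volume threshold, correlation window) are assumptions standing in for the customer's access documentation. The ATT&CK IDs on the identity and endpoint findings are the standard mappings for Valid Accounts, Remote Desktop Protocol and Remote Access Software; the network findings are left untagged.

```python
"""Cross-telemetry hunt: per-source checks, a per-host time-window correlation,
and a containment plan derived from the correlated findings.
Added example; all telemetry and baselines below are constructed or assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed environment baseline (in practice taken from the customer's documented access requirements)
APPROVED_RDP_ACCOUNTS = {"corp\\ops-admin"}
ADMIN_SOURCE_NETS = ("10.50.",)                         # assumed jump-host subnet for admin RDP
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe", "mstsc.exe"}
APPROVED_REMOTE_TOOLS = {"mstsc.exe"}                   # only sanctioned tooling is permitted
RANSOM_NOTE_NAMES = {"readme.txt", "readme.html"}
HIGH_VOLUME_BYTES = 10_000_000                          # assumed threshold for "high-volume inbound"
WINDOW = timedelta(hours=2)                             # findings on one host closer than this are clustered

# Constructed telemetry, normalised to dicts (a month of real data would be far larger)
IDENTITY = [
    {"ts": "2026-01-14T02:11:05", "account": "corp\\jsmith", "host": "FS01", "src": "10.50.1.20", "logon_type": 3, "protocol": "kerberos"},
    {"ts": "2026-01-15T03:40:12", "account": "corp\\jsmith", "host": "FS01", "src": "203.0.113.45", "logon_type": 3, "protocol": "cleartext"},
    {"ts": "2026-01-15T03:42:50", "account": "corp\\svc-backup2", "host": "FS01", "src": "203.0.113.45", "logon_type": 10, "protocol": "ntlm"},
    {"ts": "2026-01-15T09:00:00", "account": "corp\\ops-admin", "host": "FS01", "src": "10.50.1.20", "logon_type": 10, "protocol": "kerberos"},
]
ENDPOINT = [
    {"ts": "2026-01-15T03:55:31", "host": "FS01", "user": "corp\\svc-backup2", "image": "C:\\Users\\Public\\AnyDesk.exe"},
    {"ts": "2026-01-15T09:05:00", "host": "FS01", "user": "corp\\ops-admin", "image": "C:\\Windows\\System32\\mstsc.exe"},
]
NETWORK = [
    {"ts": "2026-01-15T03:38:00", "src": "203.0.113.45", "dst": "FS01", "inbound_bytes": 52_000_000, "action": "allow"},
    {"ts": "2026-01-15T04:10:00", "src": "203.0.113.45", "dst": "FS01", "inbound_bytes": 1_200, "action": "allow", "file": "README.html"},
]


def is_internal(ip):
    """RFC 1918 check done by hand: the documentation range 203.0.113.0/24 used in the sample must count as external."""
    octets = ip.split(".")
    return ip.startswith(("10.", "192.168.")) or (octets[0] == "172" and 16 <= int(octets[1]) <= 31)


def finding(e, source, what, technique=None, artifact=None):
    """Normalise one hit from any telemetry source into a common record."""
    return {"ts": datetime.fromisoformat(e["ts"]), "host": e.get("host", e.get("dst")),
            "account": e.get("account", e.get("user")), "src": e.get("src"),
            "source": source, "what": what, "technique": technique, "artifact": artifact}


def hunt_identity(events):
    """Cleartext authentication, and RDP (logon type 10) outside the approved account/subnet baseline."""
    out = []
    for e in events:
        if e["protocol"] == "cleartext":
            out.append(finding(e, "identity", "cleartext authentication", "T1078"))
        if e["logon_type"] == 10 and (e["account"] not in APPROVED_RDP_ACCOUNTS
                                      or not e["src"].startswith(ADMIN_SOURCE_NETS)):
            out.append(finding(e, "identity", "unapproved RDP logon", "T1021.001"))
    return out


def hunt_endpoint(events):
    """Execution of a known remote access tool that is not on the approved list."""
    out = []
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image in REMOTE_ACCESS_TOOLS and image not in APPROVED_REMOTE_TOOLS:
            out.append(finding(e, "endpoint", "unapproved remote access tool", "T1219", artifact=image))
    return out


def hunt_network(events):
    """Permitted high-volume inbound traffic from external IPs, and ransom-note artifacts from external infrastructure."""
    out = []
    for e in events:
        if is_internal(e["src"]):
            continue
        if e["action"] == "allow" and e["inbound_bytes"] >= HIGH_VOLUME_BYTES:
            out.append(finding(e, "network", "high-volume inbound traffic permitted from external IP"))
        if e.get("file", "").lower() in RANSOM_NOTE_NAMES:
            out.append(finding(e, "network", "ransom-note artifact from external infrastructure", artifact=e["file"]))
    return out


def correlate(findings):
    """Cluster findings per host by time proximity; a cluster spanning 2+ telemetry sources is a trajectory."""
    by_host = defaultdict(list)
    for f in sorted(findings, key=lambda f: f["ts"]):
        by_host[f["host"]].append(f)
    clusters = []
    for fs in by_host.values():
        current = [fs[0]]
        for f in fs[1:]:
            if f["ts"] - current[-1]["ts"] <= WINDOW:
                current.append(f)
            else:
                clusters.append(current)
                current = [f]
        clusters.append(current)
    return [c for c in clusters if len({f["source"] for f in c}) >= 2]


def containment_plan(cluster):
    """Map one trajectory onto the four containment actions the post lists."""
    accounts = {f["account"] for f in cluster if f["source"] == "identity"}
    ips = {f["src"] for f in cluster if f["src"] and not is_internal(f["src"])}
    tools = {f["artifact"] for f in cluster if f["source"] == "endpoint"}
    notes = {f["artifact"] for f in cluster if f["source"] == "network" and f["artifact"]}
    return {"disable_accounts": sorted(accounts), "block_ips": sorted(ips),
            "remove_tools": sorted(tools), "share_iocs": sorted(ips | tools | notes)}


def run_hunt(identity=IDENTITY, endpoint=ENDPOINT, network=NETWORK):
    findings = hunt_identity(identity) + hunt_endpoint(endpoint) + hunt_network(network)
    trajectories = correlate(findings)
    return findings, trajectories, [containment_plan(t) for t in trajectories]


if __name__ == "__main__":
    findings, trajectories, plans = run_hunt()
    for f in sorted(findings, key=lambda f: f["ts"]):
        print(f"[{f['source']:8}] {f['ts']} {f['host']} {f['account'] or '-':18} {f['what']} {f['technique'] or ''}")
    for t, plan in zip(trajectories, plans):
        print(f"\nTrajectory on {t[0]['host']}: {len(t)} findings across {sorted({f['source'] for f in t})}")
        for action, items in plan.items():
            print(f"  {action}: {items}")
```

Run stand-alone, the script prints the five individual findings and then one trajectory on FS01 spanning all three sources, followed by the accounts to disable, the single external IP to block, the tool to remove and the IoCs to share. The point the post makes is visible in the code: no single check (`hunt_identity`, `hunt_endpoint`, `hunt_network`) is alarming by itself, and the admin's own RDP session and `mstsc.exe` use are correctly ignored; only `correlate` turns the scattered hits into something worth containing.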
Category: Telecommunications
Rackspace Technology at ViVE 2026
2026-02-06 19:19:08| The Webmail Blog
February 17, 2026, by Rich Fletcher, Global Healthcare Marketing Director, Rackspace Technology

At ViVE 2026, Rackspace Technology explores cyber resilience in healthcare and how minimum viable hospital strategies help organizations sustain care during disruption.

Moving beyond cybersecurity to enable the minimum viable hospital

Healthcare leaders know cybersecurity is no longer just an IT concern. When systems go down, care delivery is at risk. That reality is driving a broader shift from traditional prevention-only security models toward cyber resilience.

At ViVE 2026, Rackspace Technology will be on site to engage with healthcare executives and IT leaders navigating this shift. Our team will join industry peers to explore how resilient cloud foundations help organizations protect patient trust, meet regulatory demands and keep clinical operations running when it matters most.

Cyber resilience as a healthcare imperative

Hospitals are complex digital ecosystems. Clinical systems are only one part of the picture. Core operations such as facilities, staffing, supply chains and administrative services are just as essential to patient outcomes. As cyber threats increase, resilience becomes the true indicator of readiness.

Cyber resilience is about maintaining a minimum viable hospital. By connecting security, cloud architecture and operations, healthcare organizations can sustain essential care and hospital-wide operations during disruption. This reduces impact to patients, protects operational continuity and reputation and ultimately helps prevent loss of life, transforming cybersecurity from a reactive function into an operational imperative.

ViVE 2026 speaking session

Melissa Pettigrew, Product Director, Healthcare, Rackspace Technology, will take the ViVE stage to explore this topic alongside Rubrik, sharing practical insights on how healthcare organizations can operationalize resilience without slowing innovation.

Session details
Title: Beyond Cybersecurity: Enabling the Minimum Viable Hospital Through Cyber Resilience
Event: ViVE 2026
Location: Live from the CHiME Theater, Los Angeles Convention Center
Date & time: Tuesday, February 24, 2026, 12:50 PM to 1:20 PM
Speakers:
- Melissa Pettigrew, Product Director, Healthcare, Rackspace Technology
- Nathan Bahls, Sales Engineering Manager, Rubrik
- Calli Dretke, EVP, Chief Digital and Marketing Officer, CHIME

The session will examine how cyber resilience strategies support continuity of care, align security with operations and help healthcare leaders rethink preparedness through the lens of patient impact.

Meet the Rackspace team at ViVE

Rackspace Technology will be sending a team of healthcare sales and product leaders to ViVE 2026. We will be hosting onsite meetings throughout the event in Meeting Room MC-655, located in the Meeting Cube Complex on the show floor. If you are attending ViVE and want to discuss cyber resilience, cloud modernization or healthcare-specific security challenges, we would welcome the conversation.

Tags: Private Cloud, Cloud Insights, Healthcare
Category: Telecommunications
Getting Started With AI: A Practical Path Forward
2026-02-04 21:44:25| The Webmail Blog
February 5, 2026, by Madhavi Rajan, Head of Product Strategy, Research and Operations, Rackspace Technology

AI success starts with focus, not hype. This article outlines a phased approach to AI adoption, from improving operations to enhancing customer experiences and unlocking new revenue.

Starting with AI can feel overwhelming. Headlines often focus on massive investments by global enterprises building or consuming frontier models at scale. For most organizations, however, that level of GPU-heavy infrastructure is neither required nor practical. If you're not running large-scale production models, the broader AI ecosystem doesn't need to dictate where you begin.

Across the cloud landscape, organizations are at very different stages of AI adoption. While Fortune 100 companies invest billions in in-house development, many organizations in the Russell 2000 and beyond are focused on building practical capabilities that help them stay competitive. The question most leaders ask is straightforward: Where do I begin my AI journey?

A useful way to answer that question is to think in phases. Most organizations move through three broad stages of AI adoption: operational efficiency, customer-facing experiences and new revenue streams.

The level of investment required depends on several factors. These include compute, network and storage needs, the type of models in use, workload volume, organizational readiness and the phase of adoption. Understanding these variables early helps teams focus on use cases that deliver value without unnecessary complexity.

Phase 1: Operational efficiency

Organizations of all sizes struggle with inefficiencies caused by fragmented data and disconnected systems. These silos slow decision-making and can create costly errors. In some cases, businesses continue paying vendors months after a contract has ended simply because systems do not talk to each other.

Using AI to improve operational efficiency across functions such as IT, finance, HR, supply chain, procurement and sales is often the lowest-risk, highest-impact starting point. These use cases are internal, measurable and closely tied to day-to-day productivity.

The challenge is not a lack of data, but where that data lives. Critical information is often trapped in separate systems and supported by institutional knowledge that does not scale. When introducing AI, you need to be clear about intent. The goal is not to replace roles, but to remove friction so people can focus on higher-value work.

Many established enterprises carry years of technical debt across product, operations, customer success and go-to-market systems. Simply buying an AI copilot rarely solves that problem. Off-the-shelf tools alone cannot bridge disconnected data or deliver meaningful ROI. Real value comes from applying AI on top of an organization's own data and processes.

Consider a typical services business. Supply chain data lives in one system, customer records in a CRM and contracts in a homegrown application. The result is a collection of dashboards that offer limited insight into utilization, customer health or revenue trends. AI can act as an intelligence layer across these systems. It can surface which customers are growing, highlight utilization patterns and support scenario modeling. ROI becomes tangible through faster insights, fewer spreadsheets and better decisions.

Speed to value also matters. How quickly do teams see results once a model is deployed? In one finance organization, analysts reduced time spent wrangling spreadsheets by roughly 40% with the help of an AI assistant. That time shifted to scenario modeling and analysis, where human judgment delivers the most value.

Completing this phase gives organizations a clearer view of what their AI workloads require and how those capabilities can eventually extend to customer-facing value.

Phase 2: Customer-facing experiences

As AI matures, personalization becomes a key driver of customer retention. Buying AI tools does not equal adoption. AI must deliver specific business outcomes to matter. While automation can support customization, true personalization requires context, judgment and empathy. This applies across both B2C and B2B environments.

In financial services, for example, some organizations use AI to assemble client intelligence that includes recent activity, potential opportunities and emerging risks. That insight allows teams to personalize interactions, anticipate needs and identify growth opportunities earlier.

Continuous monitoring of customer consumption patterns helps organizations anticipate change. When paired with alerting and recommendations, customer-facing teams can deliver more relevant outreach, predict demand shifts and align offerings more closely to customer goals. This is especially valuable in subscription and recurring revenue models.

With the right foundation, teams can enter every customer interaction better informed and more precise. Data, process insight and market context come together, enabling employees to move beyond routine tasks and focus on deeper, strategic engagement.

Phase 3: Embedding AI into what you sell

The first two phases help organizations improve how they operate and serve customers. The third phase is where AI becomes transformational, embedded into what you sell and directly driving new revenue.

Success at this stage looks different by industry. In financial services, AI may streamline onboarding or fraud response while improving the customer experience. In other sectors, AI may become a differentiated product or service in its own right.

This shift often requires new business models. Many AI-native companies tie pricing to outcomes rather than consumption alone. In these cases, AI is not just an internal capability, but a core part of the value proposition.

Sustaining that value depends on culture and decision-making. AI influences the full lifecycle, from product development to billing and supply chain operations. Real impact only emerges when teams align across functions. While AI excitement dominated recent conversations, the next phase will be defined by how effectively you translate AI into practical execution and measurable outcomes.

How Rackspace Technology can help

Turning AI ambition into results requires the right foundation, governance and operational support. Rackspace Technology helps organizations design, deploy and manage AI solutions that align to real business goals, whether the focus is efficiency, customer experience or new growth opportunities. With deep expertise across hybrid cloud, data platforms and AI operations, Rackspace provides a structured path from experimentation to production.

Learn more about how Rackspace supports AI initiatives here.

Tags: AI Insights
Category: Telecommunications