What does it really look like to detect, contain, and respond to modern cyber threats in real time? At the Take Command 2025 Virtual Cybersecurity Summit, the Inside the SOC session offered a behind-the-scenes look at how security teams are tackling everything from ransomware staging to advanced social engineering.
Hosted by Mikayla Wyman, Senior Product Marketing Manager at Rapid7, the session featured:
- Lonnie Best, Senior Manager, Detection and Response Services, Rapid7
- Hernán Díaz, Incident Responder, Rapid7
Through firsthand stories and deep technical insights, the session highlighted the real challenges of SOC life — and how teams are staying ahead.
Case study: responding to a Black Basta attack
The team shared a detailed account of an investigation involving a Black Basta ransomware campaign targeting a U.S. critical infrastructure organization. The attack used social engineering through Microsoft Teams, impersonating IT personnel to convince users to install remote access tools.
Hernán Díaz explained:
“They were using Quick Assist to get that initial access, and then from there they’d stage credential harvesting, malware delivery, and eventually lateral movement.”
The attacker leveraged Impacket and Cobalt Strike, culminating in ransomware staging behavior across multiple domains. The SOC team had to quickly coordinate with the customer, extract and enrich IOCs, and identify multiple pivot points across endpoint and cloud logs.
Visibility and logging are everything
The conversation repeatedly emphasized that incomplete logging is still one of the biggest barriers to effective detection and response. Hernán noted:
“We only found lateral movement because one system had logging turned on. If that hadn’t been there, we might not have seen it in time.”
This visibility challenge echoes what attendees reported in the post-event survey. 31% said they were unsure of the last time their organization had a detection-and-response-initiated incident response engagement, signaling a potential lack of awareness or communication across teams.
MFA isn't enough: Axios, AitM, and identity abuse
The team also investigated a case involving adversary-in-the-middle (AitM) tactics. Using Axios (a legitimate HTTP client) to relay MFA requests and gain access to user accounts, the attacker bypassed standard protections.
Hernán Díaz shared:
“The user agent string showed axios/1.7.7. That was our clue. That’s what tipped us off.”
This kind of technique highlights how attackers are leveraging legitimate tools in unexpected ways — and why user behavior analytics (UBA) and endpoint monitoring must evolve in parallel.
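The clue in this case was a user-agent string that belongs to an HTTP library rather than a browser. The following is an added detection example, not code from the session or from Rapid7: it scans constructed sign-in records (a simplified JSON-lines shape, not any vendor's schema) for successful, MFA-satisfied sign-ins from scripted clients, and then pivots on the source IP to surface other accounts touched from the same infrastructure. The `axios/1.7.7` value comes from the session; the other client prefixes in the regex are general knowledge and assumed reasonable for this purpose.

```python
"""Flag sign-in events whose User-Agent belongs to a programmatic HTTP client.

Added example (not from the Rapid7 session). Interactive users sign in from
browsers; an HTTP library completing an MFA-satisfied sign-in is the shape of
the AitM relay described in the talk. Log format below is constructed.
"""
import json
import re

# Common scripted HTTP clients. axios/1.7.7 is the value quoted in the session;
# the rest are well-known library user agents, included as assumptions.
SCRIPTED_CLIENT_RE = re.compile(
    r"^(axios|python-requests|python-urllib|curl|go-http-client|node-fetch|okhttp)/",
    re.IGNORECASE,
)

# Constructed sample sign-in events (JSON lines), not real telemetry.
SAMPLE_LOG = """
{"ts": "2025-05-01T13:02:11Z", "user": "alice", "result": "success", "mfa": "satisfied", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0 Safari/537.36", "ip": "203.0.113.10"}
{"ts": "2025-05-01T13:04:38Z", "user": "alice", "result": "success", "mfa": "satisfied", "ua": "axios/1.7.7", "ip": "198.51.100.23"}
{"ts": "2025-05-01T13:05:02Z", "user": "bob", "result": "failure", "mfa": "not_required", "ua": "python-requests/2.31.0", "ip": "198.51.100.23"}
{"ts": "2025-05-01T13:06:45Z", "user": "carol", "result": "success", "mfa": "satisfied", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15", "ip": "203.0.113.44"}
"""


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_scripted_client(ua):
    """True when the user agent starts with a known HTTP-library prefix."""
    return bool(SCRIPTED_CLIENT_RE.match(ua or ""))


def find_suspicious_signins(events):
    """Return events where a scripted client completed an MFA-satisfied sign-in.

    A failed attempt from a script is routine noise; a success that also
    satisfied MFA is the relay pattern worth an analyst's attention.
    """
    return [
        ev for ev in events
        if ev.get("result") == "success"
        and ev.get("mfa") == "satisfied"
        and is_scripted_client(ev.get("ua"))
    ]


def pivot_ips(events, hits):
    """Second pass: every event sharing a source IP with a hit, so other
    accounts touched from the same infrastructure become visible."""
    ips = {h["ip"] for h in hits}
    return [ev for ev in events if ev.get("ip") in ips]


def analyse(text):
    """Run both passes over a JSON-lines log and return the findings."""
    events = list(parse_events(text))
    hits = find_suspicious_signins(events)
    return {"hits": hits, "related": pivot_ips(events, hits)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for h in report["hits"]:
        print(f"ALERT   {h['ts']} user={h['user']} ua={h['ua']} ip={h['ip']}")
    for r in report["related"]:
        print(f"  related {r['ts']} user={r['user']} result={r['result']} ua={r['ua']}")
```

The two-pass structure mirrors the pivoting the panel described: one anomalous field gives the first hit, and the source IP from that hit widens the search to accounts that would otherwise look clean. In production the regex would be one signal among several (new device, impossible travel, token reuse), since a scripted client alone is not proof of compromise.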
Proactive collaboration is key
The panel made it clear that incident response is a team sport. From SOC analysts to customer stakeholders, speed and coordination determine whether containment is successful.
Lonnie Best said:
“When customers understand how we operate — what we need and how fast we move — that changes everything.”
The more aligned internal teams and external partners are, the faster decisions can be made and action taken during high-pressure scenarios.
Watch the full session on demand
If you’re looking to sharpen your detection workflows or strengthen your incident response muscle, Inside the SOC offers a real-world view of what works — and where gaps still exist.