US-CERT released an alert on an ongoing attack campaign with roots as far back as May 2016. Using command-and-control infrastructure shared with Stone Panda and a backdoor called RedLeaves, the campaign compromised a number of organizations, including IT service providers. So let's imagine it hit one of our outsourced IT providers, and the attackers used that foothold to pivot onto our networks. What would the attack look like? Could we detect and respond?