SANS FOR528: Ransomware for Incident Responders

Ransomware attackers have become more sophisticated, and their techniques are constantly evolving. Organizations are more than ever at risk of losing their data and information to these attacks, which can lead to lost revenue, reputational damage, theft of employee time and productivity, and an inability to function normally. The FOR528: Ransomware for Incident Responders course teaches how to deal with the specifics of ransomware, from initial detection to incident response and postmortem analysis. The class takes a hands-on approach to learning, using real-world data exercises to train students on how to prepare for, detect, respond to, and deal with the aftermath of ransomware. The term “Ransomware” no longer refers to a simple encryptor that locks resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) has created an entire ecosystem that thrives on hands-on-keyboard, well-planned attack campaigns. It is a rapidly growing threat that has evolved from a single-machine infection following an ill-advised mouse click into a booming enterprise capable of completely crippling large and small networks alike.

Download link for the SANS FOR528: Ransomware for Incident Responders course

Download – eBooks – Size: 201 MB

File password: technet24.ir

Date: 2022
Price: $6,595 USD
Format: eBooks PDF
Publisher: SANS

Ransomware attackers have become more sophisticated, and their techniques constantly evolve. More than ever, organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and inability to function normally. The FOR528: Ransomware for Incident Responders course teaches how to deal with the specifics of ransomware, from initial detection to incident response and postmortem analysis. The class features a hands-on approach to learning by applying real-world data exercises to train students on how to prepare for, detect, hunt, respond to, and deal with the aftermath of ransomware.

The term “Ransomware” no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on the keyboard, well-planned attack campaigns. It is a rapidly growing threat that has evolved from being a single machine infection following an ill-advised mouse click to becoming a booming enterprise capable of crippling large and small networks alike.

Organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and inability to function normally. It is now common to see these large-scale sophisticated attacks where the ransomware actors first establish persistence and execute tools on their target, then move laterally throughout the organization, ultimately exfiltrating data before deploying their ransomware payloads.

Even though payments to ransomware actors slowed down in 2022 as compared to previous years, that same year there were over 2,600 posts made to extortion sites related to ransomware. This number does not include an unknown quantity of incidents that were resolved through communication and/or negotiation behind the scenes prior to public notification. Of the reported incidents from 2022, the following are the top 10 sectors in terms of compromise*:

  • Construction
  • Hospital and Health Care
  • Government Administration
  • IT Services and IT Consulting
  • Law Practice
  • Automotive
  • Financial Services
  • Higher Education
  • Insurance
  • Real Estate

The FOR528: Ransomware for Incident Responders course teaches students how to deal with the specifics of ransomware: how to prepare for, detect, hunt, respond to, and handle the aftermath of an attack. The class features a hands-on approach to learning using real-world data and includes a full-day Capture the Flag challenge to help students solidify their learning. The four-day class teaches students what artifacts to collect, how to collect them, how to scale out their collection efforts, how to parse the data, and how to review the parsed results in aggregate.

The course also provides in-depth details along with detection methods for each phase of the ransomware attack lifecycle. These phases include Initial Access, Execution, Defense Evasion, Persistence, Attacks on Active Directory, Privilege Escalation, Credential Access, Lateral Movement, Data Access, Data Exfiltration, and Payload Deployment.

Unfortunately, many businesses will find themselves falling victim to ransomware attacks because they feel they are not in danger. No matter whether you are a small, medium, or large organization, every internet-connected network is at risk, and the threat is not going away any time soon.

Syllabus

FOR528.1: Ransomware Incident Response Fundamentals
FOR528.2: Ransomware Modus Operandi
FOR528.3: Advanced Ransomware Concepts
FOR528.4: Course Capture the Flag Challenge

The FOR528 Ransomware for Incident Responders In-Depth Course will help you understand:

  • How ransomware has evolved to become a major business
  • How human-operated ransomware (HumOR) operators have evolved into well-tuned attack teams
  • Who and what organizations are most at risk of becoming a ransomware victim
  • How ransomware operators get into their “victim’s” environments
  • How best to prepare your organization against the threat of HumOR
  • How to identify the tools that HumOR operators often use to get into and perform post-exploitation activities during a ransomware attack
  • How to hunt for ransomware operators within your network
  • How to respond when ransomware is running actively within your environment
  • What steps to take following a ransomware attack
  • How to identify data access and exfiltration

Ransomware for Incident Responders Course Topics

  • Ransomware evolution and history
    • First-recognized ransomware attack
    • Human-Operated Ransomware (HumOR)
    • Ransomware-as-a-Service (RaaS)
  • Windows forensics artifacts critical to ransomware incident response, such as:
    • Windows Event Logs
    • Shellbags
    • Shimcache
    • System Resource Usage Monitor (SRUM)
    • Windows New Technology File System (NTFS) metadata analysis
    • Artifacts as denoted in the SANS Windows Forensic Analysis poster
  • Evidence Acquisition Tools and Techniques
  • Parsing forensic artifacts
  • Ingesting parsed data into a SIEM
  • Analyzing SIEM/aggregator data via TimeSketch and Kibana
  • Initial Access
    • Remote Desktop Protocol (RDP)
    • Phishing
    • Software vulnerabilities
  • Execution and Defense Evasion
    • Threat actor tooling
    • Security tool bypass methods and scripts
    • Native execution methods
    • Scripting engine abuse and script deobfuscation
  • Persistence
    • C2 frameworks and Remote Monitoring and Management (RMM) tools
    • Post-exploitation frameworks
    • Native Windows persistence mechanisms
  • Active Directory Attacks
    • Overview of Active Directory and Kerberos
    • AD Enumeration
    • Kerberoasting
    • AS-REP Roasting
    • DCSync attacks
  • Privilege Escalation and Credential Access
    • Commonly targeted accounts and methods of access
    • User Account Control (UAC) bypass
    • LSASS and NTDS.dit attacks
  • Lateral Movement
    • RDP
    • SMB
    • WinRM
  • Data Access
    • Network share enumeration and access
    • File/folder access including deleted files
    • Registry analysis
  • Data exfiltration
    • Archive creation and data staging
    • Data exfiltration routes
  • Backup and Recovery tampering
  • Payload deployment
  • Encryption specifics including source code review
  • Decryptors
  • Cobalt Strike architecture, components, and payloads
  • Dealing with an active threat
    • Pre-encryption, during encryption, and post-encryption
  • Hunting methods and techniques
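The Lateral Movement and hunting topics above name the protocols (RDP, SMB, WinRM) but not what a hunt over the collected logon events actually looks like. The Python below is an added example written for this page, not code from the SANS course: it sweeps a handful of constructed Windows Security 4624 (successful logon) records and reports any account that reached many distinct hosts from one source inside a short window, the fan-out that hands-on-keyboard lateral movement leaves behind. The flattened field names (`user`, `src`, `dst`, `logon_type`), the sample hosts and IPs, and the default window and threshold are all assumptions for illustration; the same sliding-window logic is what a SIEM aggregation over parsed EVTX data would compute.

```python
# Added example for this page (not SANS course material): a small hunt over
# Windows Security 4624 (successful logon) events that flags one account
# reaching many distinct hosts in a short window, the fan-out pattern left by
# hands-on-keyboard lateral movement over RDP or SMB/WinRM.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Logon types from the 4624 "LogonType" field that matter for lateral movement.
NETWORK = 3              # SMB, WinRM, remote service/scheduled-task execution
REMOTE_INTERACTIVE = 10  # RDP

# Constructed sample records (not real logs). The field names are an assumption
# about how a parsed EVTX export might be flattened; they correspond to the
# 4624 data items TargetUserName, IpAddress, Computer (the host that wrote the
# event) and LogonType.
SAMPLE_EVENTS = [
    # Console logon on the backup server: LogonType 2 is ignored by the hunt.
    {"time": "2022-03-14T01:55:00", "user": "CORP\\svc_backup", "src": "-", "dst": "BKP01", "logon_type": 2},
    # Six distinct hosts in about six minutes from one source: the fan-out.
    {"time": "2022-03-14T02:01:05", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "FS01", "logon_type": 3},
    {"time": "2022-03-14T02:01:09", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "FS02", "logon_type": 3},
    {"time": "2022-03-14T02:02:40", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "DC01", "logon_type": 3},
    {"time": "2022-03-14T02:04:12", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "APP03", "logon_type": 10},
    {"time": "2022-03-14T02:06:30", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "WKS117", "logon_type": 3},
    {"time": "2022-03-14T02:07:02", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "WKS118", "logon_type": 10},
    {"time": "2022-03-14T02:09:00", "user": "CORP\\svc_backup", "src": "10.10.5.23", "dst": "FS01", "logon_type": 3},
    # Normal admin: two RDP sessions half an hour apart, never inside one window.
    {"time": "2022-03-14T09:00:00", "user": "CORP\\jdoe", "src": "10.10.8.40", "dst": "JUMP01", "logon_type": 10},
    {"time": "2022-03-14T09:30:00", "user": "CORP\\jdoe", "src": "10.10.8.40", "dst": "FS01", "logon_type": 10},
    # Machine account talking to its DC repeatedly: many logons, one host.
    {"time": "2022-03-14T02:03:00", "user": "CORP\\WKS117$", "src": "10.10.9.117", "dst": "DC01", "logon_type": 3},
    {"time": "2022-03-14T02:04:00", "user": "CORP\\WKS117$", "src": "10.10.9.117", "dst": "DC01", "logon_type": 3},
    {"time": "2022-03-14T02:05:00", "user": "CORP\\WKS117$", "src": "10.10.9.117", "dst": "DC01", "logon_type": 3},
]


def find_fanout(events, window=timedelta(minutes=10), threshold=5,
                logon_types=(NETWORK, REMOTE_INTERACTIVE)):
    """Return one alert per (account, source IP) that logged on to at least
    `threshold` distinct hosts within any `window`. The defaults are tuning
    knobs chosen for this example, not course-mandated values.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["logon_type"] not in logon_types:
            continue
        by_actor[(ev["user"], ev["src"])].append(
            (datetime.fromisoformat(ev["time"]), ev["dst"]))

    alerts = []
    for (user, src), logons in by_actor.items():
        logons.sort()                 # exported events are rarely in time order
        hosts_in_window = Counter()   # dst -> number of logons inside the window
        left = 0
        best = None
        for ts, dst in logons:
            hosts_in_window[dst] += 1
            # Slide the left edge forward until the window is at most `window` wide.
            while ts - logons[left][0] > window:
                old = logons[left][1]
                hosts_in_window[old] -= 1
                if hosts_in_window[old] == 0:
                    del hosts_in_window[old]
                left += 1
            distinct = len(hosts_in_window)
            # Keep the widest fan-out seen for this actor so one actor yields one alert.
            if distinct >= threshold and (best is None or distinct > len(best["hosts"])):
                best = {
                    "user": user,
                    "src": src,
                    "first_seen": logons[left][0].isoformat(),
                    "last_seen": ts.isoformat(),
                    "hosts": sorted(hosts_in_window),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_fanout(SAMPLE_EVENTS):
        print(f"{alert['user']} from {alert['src']} reached {len(alert['hosts'])} hosts "
              f"between {alert['first_seen']} and {alert['last_seen']}: "
              f"{', '.join(alert['hosts'])}")
```

On the sample data only the backup service account trips the rule; the admin's two RDP sessions are too far apart and the machine account only ever reaches one host. In practice, feed the function the 4624 rows from your parser and baseline `window` and `threshold` against known administrative behaviour first, since backup, patching and monitoring accounts legitimately touch many hosts and are the usual false-positive source.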