FOR528: Cyber Security Training at SANS Managing Security Risk 2023


What You Will Learn

Learning to thwart the threat of human-operated ransomware once and for all!

The term "ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR), along with the evolution of Ransomware-as-a-Service (RaaS), has created an entire ecosystem that thrives on hands-on-keyboard, well-planned attack campaigns. It is a rapidly growing threat that has evolved from a single-machine infection following an ill-advised mouse click into a booming enterprise capable of crippling large and small networks alike.

Organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and inability to function normally. It is now common to see these large-scale sophisticated attacks where the ransomware actors first establish persistence and execute tools on their target, then move laterally throughout the organization, ultimately exfiltrating data before deploying their ransomware payloads.

Even though payments to ransomware actors slowed down in 2022 as compared to previous years, that same year there were over 2,600 posts made to extortion sites related to ransomware. This number does not include an unknown quantity of incidents that were resolved through communication and/or negotiation behind the scenes prior to public notification. Of the reported incidents from 2022, the following are the top 10 sectors in terms of compromise*:
  • Construction
  • Hospital and Health Care
  • Government Administration
  • IT Services and IT Consulting
  • Law Practice
  • Automotive
  • Financial Services
  • Higher Education
  • Insurance
  • Real Estate
The FOR528: Ransomware for Incident Responders course teaches students how to deal with the specifics of ransomware: how to prepare for, detect, hunt, respond to, and deal with the aftermath of a ransomware attack. The class features a hands-on approach to learning using real-world data and includes a full-day Capture the Flag challenge to help students solidify their learning. The four-day class teaches students which artifacts to collect, how to collect them, how to scale out collection efforts, how to parse the data, and how to review the parsed results in aggregate.

The course also provides in-depth details along with detection methods for each phase of the ransomware attack lifecycle. These phases include Initial Access, Execution, Defense Evasion, Persistence, Attacks on Active Directory, Privilege Escalation, Credential Access, Lateral Movement, Data Access, Data Exfiltration, and Payload Deployment.

Unfortunately, many businesses will find themselves falling victim to ransomware attacks because they believe they are not in danger. Whether you are a small, medium, or large organization, every internet-connected network is at risk, and the threat is not going away any time soon.

The time to be proactive about ransomware is now!

*: Statistics from

The FOR528 Ransomware for Incident Responders In-Depth Course will help you understand:
  • How ransomware has evolved to become a major business
  • How human-operated ransomware (HumOR) operators have evolved into well-tuned attack teams
  • Who and what organizations are most at risk of becoming a ransomware victim
  • How ransomware operators get into their "victim's" environments
  • How best to prepare your organization against the threat of HumOR
  • How to identify the tools that HumOR operators often use to get into and perform post-exploitation activities during a ransomware attack
  • How to hunt for ransomware operators within your network
  • How to respond when ransomware is running actively within your environment
  • What steps to take following a ransomware attack
  • How to identify data access and exfiltration
Ransomware for Incident Responders Course Topics:
  • Ransomware evolution and history
    • First-recognized ransomware attack
    • Human-Operated Ransomware (HumOR)
    • Ransomware-as-a-Service (RaaS)
  • Windows forensics artifacts critical to ransomware incident response, such as:
    • Windows Event Logs
    • Shellbags
    • Shimcache
    • System Resource Usage Monitor (SRUM)
    • Windows New Technology File System (NTFS) metadata analysis
    • Artifacts as denoted in the SANS Windows Forensic Analysis poster
  • Evidence acquisition tools and techniques
  • Parsing forensic artifacts
  • Ingesting parsed data into a SIEM
  • Analyzing SIEM/aggregator data via TimeSketch and Kibana
  • Initial Access
    • Remote Desktop Protocol (RDP)
    • Phishing
    • Software vulnerabilities
  • Execution and Defense Evasion
    • Threat actor tooling
    • Security tool bypass methods and scripts
    • Native execution methods
    • Scripting engine abuse and script deobfuscation
  • Persistence
    • C2 frameworks and Remote Monitoring and Management (RMM) tools
    • Post-exploitation frameworks
    • Native Windows persistence mechanisms
  • Active Directory Attacks
    • Overview of Active Directory and Kerberos
    • AD Enumeration
    • Kerberoasting
    • AS-REP Roasting
    • DCSync attacks
  • Privilege Escalation and Credential Access
    • Commonly targeted accounts and methods of access
    • User Account Control (UAC) bypass
    • LSASS and NTDS.dit attacks
  • Lateral Movement
    • RDP
    • SMB
    • WinRM
  • Data Access
    • Network share enumeration and access
    • File/folder access including deleted files
    • Registry analysis
  • Data exfiltration
    • Archive creation and data staging
    • Data exfiltration routes
  • Backup and Recovery tampering
  • Payload deployment
  • Encryption specifics including source code review
  • Decryptors
  • Cobalt Strike architecture, components, and payloads
  • Dealing with an active threat
    • Pre-encryption, during encryption, and post-encryption
  • Hunting methods and techniques

SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that's directly tied to the material to develop skills in a hands-on environment.

Lab 0: Virtual Machine Setup

Lab 1.1: Analysis of a RaaS Ecosystem (RAASNet)

Lab 1.2: Acquiring and Analyzing Artifacts

Lab 1.3: Analysis at Scale: TimeSketch

Lab 1.4: Analysis at Scale: Kibana

Lab 2.1: Hunting RDP Activity

Lab 2.2: Finding the Infection Vector

Lab 2.3: PowerShell Scripting: Foe, not Friend

Lab 2.4: Identifying Lateral Movement

Lab 3.1: Identifying Data Access & Exfil

Lab 3.2: Decoding Cobalt Strike Payloads

Lab 3.3: Detecting the TA's Toolbox

Day 4: FOR528 Capture The Flag Challenge

You Will Receive with This Course
  • Course-specific/custom Windows 10 Enterprise version of the SIFT Workstation Virtual Machine with free and open-source (FOSS) and freeware Digital Forensics and Incident Response (DFIR) tools prebuilt into the environment
    • This VM includes KAPE-acquired Windows forensic artifacts from all 15 hosts that make up the target network range/environment
  • Course-specific/custom version of the Linux SIFT Workstation Virtual Machine
    • This VM includes both Scenario 1 and Scenario 2 data contained within an Elasticsearch instance accessible via both TimeSketch and Kibana
  • ISO image containing both VMs along with archival tools to aid in installation and setup
  • FOR528 exercise workbook including detailed step-by-step instructions for all labs


Start date: 25 Sep 2023
Location / delivery: Virtual
