FOR528: DFIR Summit & Training 2024

Provided by

Enquire about this course

What You Will Learn
Learning to thwart the threat of human-operated ransomware once and for all!

The term "Ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on the keyboard, well-planned attack campaigns. It is a rapidly growing threat that has evolved from being a single machine infection following an ill-advised mouse click to becoming a booming enterprise capable of crippling large and small networks alike. Even when extortion actors do not deploy an encryptor, the fallout can be devastating.

Organizations are at risk of losing their data and information to these attacks, which can lead to revenue losses, reputational damage, theft of employee time and productivity, and inability to function normally. It is now common to see these large-scale, sophisticated attacks where the ransomware actors first establish persistence and execute tools on their target, then move laterally throughout the organization, and ultimately exfiltrate data before deploying their ransomware payloads. That is, if they even deploy an encryptor.

Even though payments to ransomware actors slowed in early 2022 as compared to previous years, that same year there were over 2,600 posts made to extortion sites related to ransomware. This number does not include an unknown quantity of incidents that were resolved through communication and/or negotiation behind the scenes prior to public notification. Of the reported incidents from 2022, the following are the top 10 compromised sectors:
  • Construction
  • Hospital and Health Care
  • Government Administration
  • IT Services and IT Consulting
  • Law Practice
  • Automotive
  • Financial Services
  • Higher Education
  • Insurance
  • Real Estate
The FOR528: Ransomware and Cyber Extortion course teaches students how to deal with the specifics of ransomware to prepare for, detect, hunt, respond to, and address the aftermath of these attacks. The course features a hands-on approach to learning using real-world data and includes a full day capture the flag (CTF) challenge to help students solidify their learning. The four-day class teaches students what artifacts to collect, how to collect them, how to scale collection efforts, how to parse the data, and how to review the parsed results in aggregate.

The course also provides in-depth details and detection methods for each phase of the ransomware and cyber extortion attack lifecycle. These phases include Initial Access, Execution, Defense Evasion, Persistence, Attacks on Active Directory (AD), Privilege Escalation, Credential Access, Lateral Movement, Data Access, Data Exfiltration, and Payload Deployment.

Unfortunately, many businesses will find themselves falling victims to ransomware attacks because they feel they are not in danger. Regardless of whether your organization is small, medium, or large, every internet-connected network is at risk... and the threat is not going away any time soon.
Ransomware and Cyber Extortion Course Topics:
  • Ransomware Evolution and History
    • First-recognized ransomware attack
    • Human-operated ransomware (HumOR)
    • Ransomware-as-a-Service (RaaS)
  • Windows Forensics Artifacts Critical to Ransomware Incident Response:
    • Windows event logs
    • Shellbags
    • Shimcache
    • System Resource Usage Monitor (SRUM)
    • Windows New Technology File System (NTFS) metadata analysis
    • Artifacts as denoted in the SANS "Windows Forensic Analysis" poster
  • Evidence Acquisition Tools and Techniques
  • Parsing Forensic Artifacts
  • Ingesting Parsed Data Into a Security Information and Event Management (SIEM) solution
  • Analyzing SIEM/Aggregator Data via TimeSketch and Kibana
  • Initial Access
    • Remote Desktop Protocol (RDP)
    • Phishing
    • Software vulnerabilities
  • Execution and Defense Evasion
    • Threat actor tooling
    • Security tool bypass methods and scripts
    • Native execution methods
    • Scripting engine abuse and script deobfuscation
  • Persistence
    • Command and Control (C2) frameworks and Remote Monitoring and Management (RMM)
    • Post-exploitation frameworks
    • Native Windows persistence mechanisms
  • Cobalt Strike
    • Architecture, components, and payloads
    • Access and uses by extortion threat actors
  • Privilege Escalation and Credential Access
    • Commonly targeted accounts and methods of access
    • User Account Control (UAC) bypass
    • Local Security Authority Server Service (LSASS) and NTDS.dit attacks
  • Lateral Movement
    • RDP
    • Server Message Block (SMB)
    • Windows Remote Management (WinRM)
  • Active Directory (AD) Attacks
    • Overview of AD and Kerberos
    • AD enumeration
    • Kerberoasting
    • AS-REP roasting
    • DCSync attacks
  • Data Access
    • Network share enumeration and access
    • File/folder access including deleted files
    • Registry analysis
  • Data Exfiltration
    • Archive creation and data staging
    • Data exfiltration routes
  • Backup and Recovery Tampering
  • Payload Deployment
  • Encryption Specifics Including Source Code Review
  • Decryptors
    • Dealing With an Active Threat
  • Pre-encryption, during encryption, and post-encryption
  • Hunting Methods and Techniques
Notice: For multi-course live training events, there is an 8:30-9:00am setup time on the first day to ensure sure that computers are configured correctly in order to make the most of class time. All students are strongly encouraged to attend.
What Is Ransomware and Cyber Extortion?

While ransomware incidents involve entry into an environment usually with the goals of exfiltrating data and then encrypting resources, cyber extortion groups perform the same types of attacks, yet do not encrypt the environment. In essence, an incident following common ransomware TTPs/IOCs that does not involve encryption is often referred to simply as cyber extortion.
Business Takeaways
  • Bolster defenses by implementing preventative measures to stop ransomware actors from gaining access to your organization
  • Quickly detect when a ransomware actor has gained access to your environment and is leveraging tools common to the trade
  • Identify what ransomware attacks look like to help work out a plan for responding if it's detected on the network
  • Respond quickly through understanding where to focus your efforts given your unique environment
  • Identify which backups to use for restoration to ensure successful restoration while avoiding restoring threat access persistence within your environment.
  • Determine if an identified actor within your environment is affiliated with ransomware.
  • Identify what data may have been accessed, how, and when
  • Identify what data may have been exfiltrated by a ransomware actor (This course prepares you for the [GWEB] certification that meets the requirements of the DoD8140 IAT Level 2)
Skills Learned

The FOR528: Ransomware and Cyber Extortion course will help you understand:
  • How ransomware has evolved to become a major business
  • How HumOR operators have evolved into well-tuned attack teams
  • Who and what organizations are most at risk of becoming a ransomware victim
  • How ransomware operators get into their victim's environments
  • How to respond when ransomware is actively running within your environment
  • What steps to take following a ransomware attack
  • How best to prepare your organization against HumOR threats
  • How to identify the tools that HumOR operators often use to get into a system and perform post-exploitation activities during a ransomware attack
  • How ransomware and cyber extortion campaigns differ
  • How to hunt for ransomware operators within your network
  • How to identify data access and exfiltration
Hands-On Ransomware and Cyber Extortion Training

SANS labs provide hands-on experience that reinforces course concepts and learning objectives. This course includes lab instructions with a step-by-step electronic workbook that's directly tied to the material to develop skills in a hands-on environment.

Lab 0: Virtual Machine Setup

Lab 1.1: Analysis of a RaaS Ecosystem (RAASNet)

Lab 1.2: Acquiring and Analyzing Artifacts

Lab 1.3: Analysis at Scale: TimeSketch

Lab 2.1: Analysis at Scale: Kibana

Lab 2.2: Finding the Infection Vector

Lab 2.3: PowerShell Scripting: Foe, not Friend

Lab 2.4: Decoding Cobalt Strike Payloads

BONUS Lab 2.5: Hunting RDP Activity

Lab 3.1: Identifying Lateral Movement

Lab 3.2: Identifying Data Access and Exfiltration

Lab 3.3: Detecting the Threat Actor's Toolbox

BONUS Lab 3.4: Additional Lateral Movement

Day 4: FOR528 CTF Challenge
What You Will Receive
  • Course-specific/custom Windows 10 Enterprise version of the SIFT Workstation VM with Free and Open-Source Software (FOSS) and freeware Digital Forensics and Incident Response (DFIR) tools prebuilt into the environment.
  • This VM includes KAPE-acquired Windows forensic artifacts from all 15 hosts that make up the target network range/environment.
  • Course-specific/custom version of the Linux SIFT Workstation VM.
  • This VM includes both Scenarios 1 and 2 data contained within an Elasticsearch instance accessible via both TimeSketch and Kibana.
  • ISO image containing both VMs along with archival tools to aid in installation and setup.
  • FOR528 exercise workbook including detailed step-by-step instructions for all labs.

Enquire

Start date Location / delivery
24 Aug 2024 Salt Lake City Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...