FOR528: Ransomware for Incident Responders

Learning to thwart the threat of human-operated ransomware once and for all!

The threat of ransomware has evolved over time from being a single machine infection following an ill-advised click to becoming a booming enterprise capable of crippling even the largest of networks.

"Nearly all computer networks are susceptible to ransomware attacks, and ransomware operators are targeting new verticals often" says SANS Instructor and FOR528 course author Ryan Chapman. Thwarting the threat of HumOR attacks requires a coordinated effort among multiple IT teams."

Understanding the importance these teams play in the event of a ransomware attack the new four-day course aims to teach enterprise network administrators how to enable strong protection controls and ensure that backups will be secure in the face of a ransomware event. Likewise, the course provides IT security and/or incident response analysts with the skills to hunt for operators who slip past security mechanisms and how to respond while ransomware is running actively within the environment. It also teaches Management teams how to deal with operators should ransomware be executed successfully within the environment.

Why This Course?

Ransomware has become a common occurrence about which we hear in our daily computing lives. The threat of ransomware has evolved over time from being a single machine infection following an ill-advised click to becoming a booming enterprise capable of crippling even the largest of networks. FOR528 teaches students how to deal with the specifics of ransomware in order to prepare for, detect, hunt, response to, and deal with the aftermath of ransomware. The class includes multiple hunting methods, a hands-on approach to learning using real-world data, and a full-day CTF-style capstone to help students solidify their learning.

Attend the Livestream with course author Ryan Chapman to learn more!
6/21 | 11:00 am ET

Course Day At-A-Glance:

Day one of the course provides a foundational knowledge for how ransomware began, how it has evolved, and where it's going in the near future. The day unfolds by covering the common infection vectors ransomware actors are using and how to deal with them. This section includes an overview of the Tactics, Techniques, and Procedures (TTPs) these actors use, with a heavy emphasis on the common tools found in the actors' toolbox. The day ends by providing a multitude of processes and implementations that can help organizations prevent or at least armor themselves against a ransomware outbreak from occurring, viewed from the lens of an incident responder.

Day two of the course focuses on hunting methods, including a thorough review of hunting for TTPs vs. indicators of compromise (IOCs). Students will spend time with hands-on labs that walk them through hunting for both the TAs and their tools. The course then moves to teaching students how to respond to an active, ongoing ransomware attack. The day ends with a thorough review of the tasks that need to be carried out when ransomware has run within the environment. Just because the ransomware is no longer encrypting files actively, this does not mean the overall incident is over; in fact, the truth is quite the opposite.

Day three of the course begins by covering the inner-workings of ransomware samples. This section focuses on how ransomware operates at a low level in hopes of arming incident responders with methods to recover as much data as possible. The day continues by providing directions for identifying potential data exfiltration within an environment. Forensic detection methods for data staging, data archival, and network-based data exfiltration are covered. The day ends with a thorough, hands-on case study of a large ransomware group.

Day four of the course is a full-day, scoreboard-based capture the flag (CTF) capstone that reinforces what the students have learned throughout the class via hands-on analysis. This CTF combined with plenty of hands-on labs throughout the course will enable students to help deter, detect, and respond to ransomware within their organizations.

The FOR528 – Ransomware for Incident Responders In-Depth Course will help you understand:

How ransomware has evolved to become a major business
How human-operated ransomware (HumOR) operators have evolved into well-tuned attack teams
Who and what verticals are most at risk of becoming a ransomware victim
How ransomware operators get into their victims’ environments
How best to prepare your organization against the threat of HumOR
How to identify the tools that HumOR operators often use to get into and perform post-exploitation activities during a ransomware attack
How to hunt for ransomware operators within your network
How to respond when ransomware is running actively within your environment
What steps to take following a ransomware attack
How to identify data exfiltration

For more new and in-development course information visit here