When first released in December of 2022, the SANS FOR528 course focused most intently on ransomware. The course was updated in December of 2023 with a streamlined course flow, a sharper focus on the distinction between ransomware and cyber extortion, and new lab opportunities. The course update is already live, so anything you read in this article is what you can expect when you sign up and take SANS FOR528: Ransomware and Cyber Extortion.
To begin, the course curriculum has been streamlined to allow each section to be completed in the expected timeframe. The original version of the course was over-engineered with a plethora of resources and tech. While we still share over 300 shortened links within the first three sections of curriculum, we have streamlined the books to allow for a more complete experience within the expected timeframes.
Next, we have a greater focus on the difference between ransomware and cyber extortion. Though the original course covered both, we now call out the distinction much more clearly. While most ransomware incidents involve a coordinated attack that ends with the deployment of an encryptor to lock down the network, not all do. The term “cyber extortion” refers to an attack that unfolds very similarly to a ransomware case, yet whose primary focus is the identification and exfiltration of data for extortion purposes. The differentiator is simple: cyber extortion cases do not involve encryption.
Finally, we have modified the course labs: existing labs have been streamlined, most now include a bonus activity, and two new bonus labs have been added. First, labs have been streamlined so they can be completed within the 45 minutes per lab that we allot during class time. Second, we have added bonus activities to labs to provide additional hands-on training for those wanting to learn even more outside of course hours. Third, we have added two new bonus labs. These labs are meant to be completed outside of class hours and bolster the training you will receive during the normal lab flow.
New FOR528 Lab Structure
SANS labs provide hands-on experience that reinforces course concepts and learning objectives. The FOR528 course includes lab instructions in a step-by-step electronic workbook that is directly tied to the material, so you develop skills in a hands-on environment. The updated lab curriculum is structured as follows:
| Activity Name | Lab Name | Includes Bonus Activity? |
|---|---|---|
| Lab 0 | Virtual Machine Setup | n/a |
| Lab 1.1 | Analysis of a RaaS Ecosystem (RAASNet) | Yes |
| Lab 1.2 | Acquiring and Analyzing Artifacts | No |
| Lab 1.3 | Analysis at Scale: TimeSketch | Yes |
| Lab 2.1 | Analysis at Scale: Kibana | Yes |
| Lab 2.2 | Finding the Infection Vector | Yes |
| Lab 2.3 | PowerShell Scripting: Foe, not Friend | Yes |
| Lab 2.4 | Decoding Cobalt Strike Payloads | Yes |
| BONUS Lab 2.5 | Hunting RDP Activity | Full bonus lab |
| Lab 3.1 | Identifying Lateral Movement | No |
| Lab 3.2 | Identifying Data Access & Exfil | Yes |
| Lab 3.3 | Detecting the TA’s Toolbox | Yes |
| BONUS Lab 3.4 | Additional Lateral Movement | Full bonus lab |
| Section 4 | FOR528 Capture the Flag Challenge | n/a |
To learn more about the course and to take our free course demo, see the course page at https://sans.org/for528.