Identifying Ransomware and Lateral Proliferation in the Network (On-site Training)
Ransomware is one of the top threats that organizations face today and, if encountered, will test all of an organization's cyber defenses. From uncertainty about how it is treated in legislation and legal proceedings across different countries and enterprises, to effective means of stopping it or minimizing its impact, the consequences of ransomware stretch far beyond the ransom demanded. Understanding how ransomware operates, what attack vectors exist and the lateral proliferation it can undergo is essential for developing effective means of prevention and detection. In the majority of attacks, different malware actors and tools work together to deploy some form of ransomware as the final step of a successful breach and lateral proliferation.
At a very high level, there are two general types of ransomware proliferation vectors. "Opportunistic": ransomware that locks immediately upon exploiting whatever it finds vulnerable, for example a user laptop. "Targeted": this vector involves a greater effort and needs more time to understand the internal environment, find high-value targets, determine whether they are vulnerable, and exploit them further for higher impact. An example would be identifying and targeting the domain controller in an enterprise network.
Network visibility is an essential, non-intrusive way of creating observables and early-warning indicators for detecting threat actors. In this hands-on training we will dissect real-world ransomware network capture examples and the steps that malware actors go through, from a network detection and response perspective. That includes the sequence from initial breach through lateral SMB/KRB5 movement to ransomware deployment. This training aims to transfer knowledge and share ready-to-use examples, network visualizations, hunting techniques and processes for ransomware and lateral-movement detection in the organization.