Identifying Ransomware and Lateral Proliferation in the Network (On-site Training)

Ransomware is one of the top threats that organizations face today and, if encountered, will test all of an organization’s cyber defenses. From uncertainties on how to be handled in legislations and legal actions across different countries and enterprises to effective means to stop it and/or minimize its impact, the impact of ransomware stretches far beyond the ransom demanded. Understanding how ransomware operates, what attack vectors exist and the lateral proliferation it can go through is essential for developing effective means of prevention and detection. In the majority of attacks, different malware actors and tools work together to drop some form of Ransomware as the last step of a successful breach and lateral proliferation.

On a very high level there are two general types of ransomware proliferation vectors. ”Opportunistic” - the one that immediately locks upon exploiting anything it finds vulnerable. An example would be a user laptop. “Targeted” - this vector goes through a bigger effort and needs more time understanding the internal environment, finding high value targets, understanding if those are vulnerable and further exploiting them for higher impact. An example would be to identify and target the domain controller in an enterprise network.

Network visibility is an essential, non-intrusive way of creating observables and early warning indicators for detection of threat actors. In this hands-on training we will dissect real-world ransomware network capture examples and the steps that the malware actors go through from a network detection and response perspective. That includes the sequence from first breach to lateral SMB/KRB5 movement and ransomware deployment. This training aims at transferring knowledge and sharing ready to use examples, network visualizations, hunting techniques and processes for Ransomware and Lateral detection in the organization.

About the Speakers

Peter Manev

Peter has been involved with Suricata IDS/IPS/NSM from its very early days in 2009 as QA and training lead. He is currently a Suricata executive council member. Peter has 15 years of experience in the IT industry, including as an enterprise-level IT security practitioner.

SELKS maintainer - turn key Suricata based IDS/IPS/NSM. A frequent contributor to and user of innovative open source security software, Peter maintains several online repositories for Suricata-related information: https://github.com/pevma and https://twitter.com/pevma.

Additionally, Peter is one of the founders of Stamus Networks, a company providing commercial and open source network detection and response solutions based on Suricata. Peter often engages in private or public training events in the area of advanced deployment and Threat hunting at conferences or live fire cyber exercises such as Crossed Swords, DeepSec,Troopers,DefCon,Suricon,SharkFest and others.