Book Image

Incident Response Techniques for Ransomware Attacks

Book Image

Incident Response Techniques for Ransomware Attacks

Overview of this book

Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You’ll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you’ll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you’ll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

Preface

Who this book is for

What this book covers

Download the color images

Conventions used

Share Your Thoughts

Section 1: Getting Started with a Modern Ransomware Attack

Section 1: Getting Started with a Modern Ransomware Attack

Free Chapter

Chapter 1: The History of Human-Operated Ransomware Attacks

Chapter 1: The History of Human-Operated Ransomware Attacks

2016 – SamSam ransomware

2017 – BitPaymer ransomware

2018 – Ryuk ransomware

2019-present – ransomware-as-a-service

Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack

Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack

Initial attack vectors

Post-exploitation

Data exfiltration

Ransomware deployment

Chapter 3: The Incident Response Process

Chapter 3: The Incident Response Process

Preparation for an incident

Threat detection and analysis

Containment, eradication, and recovery

Post-incident activity

Section 2: Know Your Adversary: How Ransomware Gangs Operate

Section 2: Know Your Adversary: How Ransomware Gangs Operate

Chapter 4: Cyber Threat Intelligence and Ransomware

Chapter 4: Cyber Threat Intelligence and Ransomware

Strategic cyber threat intelligence

Operational cyber threat intelligence

Tactical cyber threat intelligence

Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures

Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures

Gaining initial access

Executing malicious code

Obtaining persistent access

Escalating privileges

Bypassing defenses

Accessing credentials

Moving laterally

Collecting and exfiltrating data

Ransomware deployment

Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence

Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence

Threat research reports

Section 3: Practical Incident Response

Section 3: Practical Incident Response

Chapter 7: Digital Forensic Artifacts and Their Main Sources

Chapter 7: Digital Forensic Artifacts and Their Main Sources

Volatile memory collection and analysis

Non-volatile data collection

Master file table

Windows Registry

Windows event logs

Other log sources

Chapter 8: Investigating Initial Access Techniques

Chapter 8: Investigating Initial Access Techniques

Collecting data sources for an external remote service abuse investigation

Investigating an RDP brute-force attack

Collecting data sources for a phishing attack investigation

Investigating a phishing attack

Chapter 9: Investigating Post-Exploitation Techniques

Chapter 9: Investigating Post-Exploitation Techniques

Investigating credential access techniques

Investigating reconnaissance techniques

Investigating lateral movement techniques

Chapter 10: Investigating Data Exfiltration Techniques

Chapter 10: Investigating Data Exfiltration Techniques

Investigating web browser abuse for data exfiltration

Investigating cloud service client application abuse for data exfiltration

Investigating third-party cloud synchronization tool abuse for data exfiltration

Investigating the use of custom data exfiltration tools

Chapter 11: Investigating Ransomware Deployment Techniques

Chapter 11: Investigating Ransomware Deployment Techniques

Investigation of abusing RDP for ransomware deployment

Crylock ransomware overview

Investigation of Administrative shares for ransomware deployment

REvil ransomware overview

Investigation of Group Policy for ransomware deployment

LockBit ransomware overview

Chapter 12: The Unified Ransomware Kill Chain

Chapter 12: The Unified Ransomware Kill Chain

Cyber Kill Chain®

The Unified Kill Chain

The Unified Ransomware Kill Chain

Other Books You May Enjoy

Other Books You May Enjoy

Packt is searching for authors like you

Share Your Thoughts

Customer Reviews

5 star

0

4 star

0

3 star

0

2 star

0

1 star

0

Other log sources

Let's finish this chapter by listing a few additional log sources that may play a critical role in your investigation:

Anti-virus software logs – As you already know, ransomware affiliates may use quite a few tools, so at least some of them will be detected by anti-virus software. These logs may provide you with a few good pivot points.
Firewall logs – These logs may provide you with great insights into network connections, including malicious connections. These are an extremely valuable source of forensic data, especially if they store data for a long time period, and you have at least some network indicators of compromise.
VPN logs – These are some of the common vectors of obtaining initial access to the network. So, they can also reveal some information about the threat actors' network infrastructure. GeoIP analysis may be quite useful. Is it common for your client's employees to connect to the network from Russia...