Book Image

Incident Response Techniques for Ransomware Attacks

Book Image

Incident Response Techniques for Ransomware Attacks

Overview of this book

Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You’ll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you’ll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you’ll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

Related Content you might be interested in

Current Title:

Small book image
Incident Response Techniques for Ransomware Attacks
Apr, 2022 | 228 pages
Small book image
Aligning Security Operations with the MITRE ATT&CK Framework
Rebecca Blair
May, 2023 | 192 pages
Small book image
Practical Memory Forensics.
Svetlana Ostrovskaya | Oleg Skulkin
Mar, 2022 | 304 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
Download the color images
Conventions used
Get in touch
Disclaimer
Share Your Thoughts
1
Section 1: Getting Started with a Modern Ransomware Attack
Section 1: Getting Started with a Modern Ransomware Attack
Free Chapter
2
Chapter 1: The History of Human-Operated Ransomware Attacks
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 – SamSam ransomware
2017 – BitPaymer ransomware
2018 – Ryuk ransomware
2019-present – ransomware-as-a-service
Summary
3
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
Post-exploitation
Data exfiltration
Ransomware deployment
Summary
4
Chapter 3: The Incident Response Process
Chapter 3: The Incident Response Process
Preparation for an incident
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Summary
5
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Section 2: Know Your Adversary: How Ransomware Gangs Operate
6
Chapter 4: Cyber Threat Intelligence and Ransomware
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Summary
7
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
Executing malicious code
Obtaining persistent access
Escalating privileges
Bypassing defenses
Accessing credentials
Moving laterally
Collecting and exfiltrating data
Ransomware deployment
Summary
8
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Summary
9
Section 3: Practical Incident Response
Section 3: Practical Incident Response
10
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Summary
11
Chapter 8: Investigating Initial Access Techniques
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Summary
12
Chapter 9: Investigating Post-Exploitation Techniques
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Investigating reconnaissance techniques
Investigating lateral movement techniques
Summary
13
Chapter 10: Investigating Data Exfiltration Techniques
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Summary
14
Chapter 11: Investigating Ransomware Deployment Techniques
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of Administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Summary
15
Chapter 12: The Unified Ransomware Kill Chain
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
MITRE ATT&CK®
The Unified Kill Chain
The Unified Ransomware Kill Chain
Summary
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Investigating an RDP brute-force attack

So, we've collected a few Windows event log files with KAPE for further analysis from a server, potentially compromised as the result of a brute-force attack.

We may have several files, but let's focus on Security.evtx, as it contains a lot of useful IDs for such investigations. Two main event IDs useful for investigating an RDP brute-force attack are the following:

  • 4624 – An account was successfully logged on.
  • 4625 – An account failed to log on.

There are just two events. The second one will help us to identify brute-force attempts, and the first one, a successful logon.

You may find it helpful to have a reference guide for event IDs so that you can easily understand what to look for when investigating this or that type of incident.

Let's look into collected event logs. First, let's check whether there are any events with the ID 4625. Here, I want to introduce you to another tool...

Previous Section
End of Section 3
Next Section