Book Image

Incident Response Techniques for Ransomware Attacks

Book Image

Incident Response Techniques for Ransomware Attacks

Overview of this book

Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You’ll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you’ll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you’ll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

Related Content you might be interested in

Current Title:

Small book image
Incident Response Techniques for Ransomware Attacks
Apr, 2022 | 228 pages
Small book image
Aligning Security Operations with the MITRE ATT&CK Framework
Rebecca Blair
May, 2023 | 192 pages
Small book image
Practical Memory Forensics.
Svetlana Ostrovskaya | Oleg Skulkin
Mar, 2022 | 304 pages
Small book image
Digital Forensics and Incident Response.
Gerard Johansen
Dec, 2022 | 532 pages
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
Download the color images
Conventions used
Get in touch
Disclaimer
Share Your Thoughts
1
Section 1: Getting Started with a Modern Ransomware Attack
Section 1: Getting Started with a Modern Ransomware Attack
Free Chapter
2
Chapter 1: The History of Human-Operated Ransomware Attacks
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 – SamSam ransomware
2017 – BitPaymer ransomware
2018 – Ryuk ransomware
2019-present – ransomware-as-a-service
Summary
3
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
Post-exploitation
Data exfiltration
Ransomware deployment
Summary
4
Chapter 3: The Incident Response Process
Chapter 3: The Incident Response Process
Preparation for an incident
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Summary
5
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Section 2: Know Your Adversary: How Ransomware Gangs Operate
6
Chapter 4: Cyber Threat Intelligence and Ransomware
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Summary
7
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
Executing malicious code
Obtaining persistent access
Escalating privileges
Bypassing defenses
Accessing credentials
Moving laterally
Collecting and exfiltrating data
Ransomware deployment
Summary
8
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Summary
9
Section 3: Practical Incident Response
Section 3: Practical Incident Response
10
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Summary
11
Chapter 8: Investigating Initial Access Techniques
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Summary
12
Chapter 9: Investigating Post-Exploitation Techniques
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Investigating reconnaissance techniques
Investigating lateral movement techniques
Summary
13
Chapter 10: Investigating Data Exfiltration Techniques
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Summary
14
Chapter 11: Investigating Ransomware Deployment Techniques
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of Administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Summary
15
Chapter 12: The Unified Ransomware Kill Chain
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
MITRE ATT&CK®
The Unified Kill Chain
The Unified Ransomware Kill Chain
Summary
Why subscribe?
16
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

What this book covers

Chapter 1, The History of Human-Operated Ransomware Attacks, provides you with an introduction to the world of human-operated ransomware attacks, focusing on the historical aspects.

Chapter 2, The Life Cycle of a Human-Operated Ransomware Attack, briefly describes how modern threat actors operate during a ransomware attack life cycle.

Chapter 3, The Incident Response Process, provides an overview of the incident response process from the perspective of a human-operated ransomware attack.

Chapter 4, Cyber Threat Intelligence and Ransomware, provides an introduction to cyber threat intelligence, focusing on human-operated ransomware attacks.

Chapter 5, Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures , details the techniques, procedures, methods, and tools commonly used by various ransomware affiliates in their operations.

Chapter 6, Collecting Ransomware-Related Cyber Threat Intelligence, provides an overview of the various collection methods and sources of cyber threat intelligence related to modern ransomware attacks.

Chapter 7, Digital Forensic Artifacts and Their Main Sources, provides an overview of the various sources of forensic artifacts that can be used during an incident response engagement to reconstruct the attack life cycle.

Chapter 8, Investigating Initial Access Techniques, offers a practical investigation into the various initial access techniques used by the threat actors.

Chapter 9, Investigating Post-Exploitation Techniques, looks at the various post-exploitation techniques employed by the threat actors.

Chapter 10, Investigating Data Exfiltration Techniques, covers the various data exfiltration techniques used by the threat actors.

Chapter 11, Investigating Ransomware Deployment Techniques, investigates the various ransomware deployment techniques used by the threat actors.

Chapter 12, The Unified Ransomware Kill Chain, describes the concept of the kill chain with a view to introducing the Unified Ransomware Kill Chain.

Previous Section
Next Section