
Incident response techniques for ransomware attacks : understand modern ransomware attacks and build an incident response strategy to work through them / Oleg Skulkin.

Ebook Central College Complete Available online


O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Skulkin, Oleg, author.
Language:
English
Subjects (All):
Malware (Computer software).
Computer security.
Computer crimes--Prevention.
Computer crimes.
Physical Description:
1 online resource (228 pages)
Place of Publication:
Birmingham : Packt Publishing, Limited, [2022]
Summary:
Explore the world of modern human-operated ransomware attacks, along with the steps to properly investigate them and to collect and analyze cyber threat intelligence using cutting-edge methods and tools.

Key Features
Understand modern human-operated cyber attacks, focusing on threat actor tactics, techniques, and procedures
Collect and analyze ransomware-related cyber threat intelligence from various sources
Use forensic methods and tools to reconstruct ransomware attacks and prevent them in the early stages

Book Description
Ransomware attacks have become the strongest and most persistent threat for many companies around the globe. Building an effective incident response plan to prevent a ransomware attack is crucial and may help you avoid heavy losses. Incident Response Techniques for Ransomware Attacks is designed to help you do just that. This book starts by discussing the history of ransomware, showing you how the threat landscape has changed over the years, while also covering the process of incident response in detail. You'll then learn how to collect and produce ransomware-related cyber threat intelligence and look at threat actor tactics, techniques, and procedures. Next, the book focuses on various forensic artifacts in order to reconstruct each stage of a human-operated ransomware attack life cycle. In the concluding chapters, you'll get to grips with various kill chains and discover a new one: the Unified Ransomware Kill Chain. By the end of this ransomware book, you'll be equipped with the skills you need to build an incident response strategy for all ransomware attacks.

What you will learn
Understand the modern ransomware threat landscape
Explore the incident response process in the context of ransomware
Discover how to collect and produce ransomware-related cyber threat intelligence
Use forensic methods to collect relevant artifacts during incident response
Interpret collected data to understand threat actor tactics, techniques, and procedures
Understand how to reconstruct the ransomware attack kill chain

Who this book is for
This book is for security researchers, security analysts, or anyone in the incident response landscape who is responsible for building an incident response model for ransomware attacks. A basic understanding of cyber threats will be helpful to get the most out of this book.
Contents:
Cover
Title page
Untitled
Copyright and Credits
Contributors
Table of Contents
Preface
Section 1: Getting Started with a Modern Ransomware Attack
Chapter 1: The History of Human-Operated Ransomware Attacks
2016 - SamSam ransomware
Who was behind the SamSam ransomware
2017 - BitPaymer ransomware
The mastermind behind the BitPaymer ransomware
2018 - Ryuk ransomware
Who was behind the Ryuk ransomware?
2019-present - ransomware-as-a-service
Who was behind ransomware-as-a-service programs?
Summary
Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
Initial attack vectors
RDP compromise
Spear phishing
Software vulnerabilities
Post-exploitation
Data exfiltration
Ransomware deployment
Chapter 3: The Incident Response Process
Preparation for an incident
The team
The infrastructure
Threat detection and analysis
Containment, eradication, and recovery
Post-incident activity
Section 2: Know Your Adversary: How Ransomware Gangs Operate
Chapter 4: Cyber Threat Intelligence and Ransomware
Strategic cyber threat intelligence
Operational cyber threat intelligence
Tactical cyber threat intelligence
Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
Gaining initial access
External remote services (T1133)
Exploiting public-facing applications (T1190)
Phishing (T1566)
Supply chain compromise (T1195)
Executing malicious code
User execution (T1204)
Command and scripting interpreters (T1059)
Exploitation for client execution (T1203)
Windows Management Instrumentation (T1047)
Obtaining persistent access
Valid accounts (T1078)
Create account (T1136)
Boot or logon autostart execution (T1547)
Scheduled task/job (T1053)
Server software component (T1505)
Escalating privileges
Exploiting for privilege escalation (T1068)
Creating or modifying system process (T1543)
Process injection (T1055)
Abuse elevation control mechanism (T1548)
Bypassing defenses
Exploiting for defense evasion (T1211)
Deobfuscating/decoding files or information (T1140)
File and directory permissions modification (T1222)
Impairing defenses (T1562)
Indicator removal on host (T1070)
Signed binary proxy execution (T1218)
Accessing credentials
Brute force (T1110)
OS credential dumping (T1003)
Steal or forge Kerberos tickets (T1558)
Moving laterally
Exploiting remote services (T1210)
Remote services (T1021)
Using alternate authentication material (T1550)
Collecting and exfiltrating data
Data from local system (T1005)
Data from network shared drives (T1039)
Email collection (T1114)
Archive collected data (T1560)
Exfiltration over web service (T1567)
Automated exfiltration (T1020)
Inhibit system recovery (T1490)
Data encrypted for impact (T1490)
Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
Threat research reports
Community
Threat actors
Section 3: Practical Incident Response
Chapter 7: Digital Forensic Artifacts and Their Main Sources
Volatile memory collection and analysis
Non-volatile data collection
Master file table
Prefetch files
LNK files
Jump lists
SRUM
Web browsers
Windows Registry
Windows event logs
Other log sources
Chapter 8: Investigating Initial Access Techniques
Collecting data sources for an external remote service abuse investigation
Investigating an RDP brute-force attack
Collecting data sources for a phishing attack investigation
Investigating a phishing attack
Chapter 9: Investigating Post-Exploitation Techniques
Investigating credential access techniques
Credential dumping with hacking tools
Credential dumping with built-in tools
Kerberoasting
Investigating reconnaissance techniques
Network scanning
Active Directory reconnaissance
Investigating lateral movement techniques
Administrative shares
PsExec
RDP
Chapter 10: Investigating Data Exfiltration Techniques
Investigating web browser abuse for data exfiltration
Investigating cloud service client application abuse for data exfiltration
Investigating third-party cloud synchronization tool abuse for data exfiltration
Investigating the use of custom data exfiltration tools
Chapter 11: Investigating Ransomware Deployment Techniques
Investigation of abusing RDP for ransomware deployment
Crylock ransomware overview
Investigation of Administrative shares for ransomware deployment
REvil ransomware overview
Investigation of Group Policy for ransomware deployment
LockBit ransomware overview
Chapter 12: The Unified Ransomware Kill Chain
Cyber Kill Chain®
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control (C2)
Actions on Objectives
MITRE ATT&CK®
Resource development
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Collection
Command and control
Exfiltration
Impact
The Unified Kill Chain
Initial Foothold
Network Propagation
The Unified Ransomware Kill Chain
Gain Access to the Network
Establish Foothold
Network Discovery
Key Assets Discovery
Network Propagation
Data Exfiltration
Deployment Preparation
Ransomware Deployment
Extortion
Index
About Packt
Other Books You May Enjoy
Notes:
Description based upon print version of record.
ISBN:
9781803233994
1803233990
OCLC:
1306060223
