Forensic

Ransomware investigation (Intermediate, 4 days)

Description

Ransomware attacks are the most feared threats to businesses. The urgency caused by the destruction, even partial, of the information system can quickly overwhelm security teams that are not prepared. This training helps you anticipate this type of incident and thus shorten the time to resolution: reduce stress, plan the sequence of activities to carry out, and quickly agree on the methods to apply. Its objective is to provide the keys to investigating a ransomware incident, whether it is confined to a small perimeter or has spread across the whole estate.

During the training, best practices for countering ransomware attacks are presented, in particular how to contain the incident and stop it from spreading. Because such an incident is a real race against time, participants are familiarized with the methods and tools to put in place. Note that only the technical investigation component and the first stages of the investigation are covered here.

  • 4 days (28 hours)

  • Identify the modus operandi of the main ransomware groups

  • First steps towards remediation

Public and prerequisites

This training is intended for people who have already dealt with security incidents and who are concerned about large-scale ransomware-type events. Technical skills are required to complete the hands-on exercises (TDs) and thus investigate this type of incident. The DFIR ORC and Velociraptor tools are used to illustrate the training; prior knowledge of these tools is a plus.

  • Internal cybersecurity team member in companies or agencies

  • System administrator with cybersecurity skills

  • Security manager wishing to understand the technical aspects

Good Windows knowledge is recommended in order to understand how the attacks work (Active Directory, RDP, PowerShell, etc.). The hands-on work is carried out on Linux environments.

Content

Day 1

Warning signs of an attack. First response measures: preserving systems and backups, cutting off access and reducing the attacker's room for manoeuvre. Which traces to preserve first. The case of an attack coming through a service provider. Working in a compromised environment: myth, reality and pragmatism. Tools for sharing information and best practices for conducting investigations.

Presentation of DFIR ORC and Velociraptor.

Day 2

Reverse-chronological approach. Quickly finding the first structuring information in a race against time. Identifying malicious code and backdoors. How to trace the attack. The case of administration workstations and crisis workstations. How to establish and share a situational picture (IOCs, timeline, scope of compromise). Analyst bias. Finding the balance between exhaustiveness and efficiency.

Day 3

Approach by modus operandi. Benefits and limits of CTI. Knowing the exposure surface and the opportunities for exploitation. Persistence mechanisms. OSINT to the rescue. The triad: VPN, phishing, vulnerable service. Effects sought by the attacker. Identifying exfiltrated files and exfiltration mechanisms. The special case of false-flag attacks and of multiple attackers on the same network.

Day 4

CyberRemediation: good operational practices for crisis management and risk management. Regaining confidence in the information system and cleaning up the machine estate. The case of an Active Directory switchover. The case of restoring encrypted data.