The very last way you want to detect ransomware is during or after encryption; at that point, the damage is done. And the reality across almost all cyberattacks – ransomware included – is that the threat actions performed converge into an expected kill chain or incident lifecycle. This commonality within attacks allows security teams to establish a defense-in-depth strategy against ransomware that both protects against successful attacks and facilitates detection of threat actions well before encryption.
Rook ransomware is a great modern example of how ransomware attacks leverage exploits, discovery, credential dumping, lateral movement, and more to reach the endgame of encrypting every accessible part of your environment. But because Rook – like its fellow ransomware variants – follows an all-too-familiar path, there are numerous detection opportunities that occur PRIOR to encryption or execution of the ransomware binary, making it realistic to stop an attack.
So, what common detection points are there and how can you use them to stop ransomware attacks – whether Rook or otherwise?
In this Real Training for Free session, Microsoft MVP Nick Cavalancia takes my seat as he first discusses:
- The current state of modern ransomware – what’s changing from previous years
- The rise of the Initial Access Broker and why it matters
- What MITRE ATT&CK TTPs are commonly used in today’s attacks
Up next, you’ll hear from Ted Samuels, Lead Incident Response Consultant, and MK Ramasamy, Senior Security Solutions Engineer, from Rapid7. Ted will use Rook ransomware as his focus, first outlining the ransomware incident lifecycle and then taking a deep-dive look at an actual Rook incident that occurred over a period of 7 days, discussing the following actions and their real-world detection opportunities:
- Initial ingress via compromised public facing service
- Use of Initial Access Brokers
- Unauthorized discovery actions
- Credential dumping, including LSASS and NTDS.dit dumping
- Cobalt Strike execution
- DLL sideloading
- Use of suspicious TLDs
- Lateral movement
MK will follow up with a demonstration, using the same Rook incident, of what those detections look like, providing better context for how you can apply your understanding of the incident lifecycle to your detection strategy.
This Real Training for Free event will be jam-packed with technical detail and real-world application. Register today!