Incident Response Techniques for Ransomware Attacks: Understand modern ransomware attacks and build an incident response strategy to work through them

Explore the world of modern human-operated ransomware attacks, along with covering steps to properly investigate them and collecting and analyzing cyber threat intelligence using cutting-edge methods and tools. Key Features: Understand modern human-operated cyber attacks, focusing on threat actor tact...


Bibliographic Details
Other Authors: Skulkin, Oleg (author)
Format: Electronic book
Language: English
Published: Birmingham : Packt Publishing, Limited [2022]
Subjects:
View at Biblioteca Universitat Ramon Llull: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009657507206719
Table of Contents:
  • Cover
  • Title page
  • Untitled
  • Copyright and Credits
  • Contributors
  • Table of Contents
  • Preface
  • Section 1: Getting Started with a Modern Ransomware Attack
  • Chapter 1: The History of Human-Operated Ransomware Attacks
  • 2016 - SamSam ransomware
  • Who was behind the SamSam ransomware
  • 2017 - BitPaymer ransomware
  • The mastermind behind the BitPaymer ransomware
  • 2018 - Ryuk ransomware
  • Who was behind the Ryuk ransomware?
  • 2019-present - ransomware-as-a-service
  • Who was behind ransomware-as-a-service programs?
  • Summary
  • Chapter 2: The Life Cycle of a Human-Operated Ransomware Attack
  • Initial attack vectors
  • RDP compromise
  • Spear phishing
  • Software vulnerabilities
  • Post-exploitation
  • Data exfiltration
  • Ransomware deployment
  • Summary
  • Chapter 3: The Incident Response Process
  • Preparation for an incident
  • The team
  • The infrastructure
  • Threat detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity
  • Summary
  • Section 2: Know Your Adversary: How Ransomware Gangs Operate
  • Chapter 4: Cyber Threat Intelligence and Ransomware
  • Strategic cyber threat intelligence
  • Operational cyber threat intelligence
  • Tactical cyber threat intelligence
  • Summary
  • Chapter 5: Understanding Ransomware Affiliates' Tactics, Techniques, and Procedures
  • Gaining initial access
  • External remote services (T1133)
  • Exploiting public-facing applications (T1190)
  • Phishing (T1566)
  • Supply chain compromise (T1195)
  • Executing malicious code
  • User execution (T1204)
  • Command and scripting interpreters (T1059)
  • Exploitation for client execution (T1203)
  • Windows Management Instrumentation (T1047)
  • Obtaining persistent access
  • Valid accounts (T1078)
  • Create account (T1136)
  • Boot or logon autostart execution (T1547)
  • Scheduled task/job (T1053)
  • Server software component (T1505)
  • Escalating privileges
  • Exploiting for privilege escalation (T1068)
  • Creating or modifying system process (T1543)
  • Process injection (T1055)
  • Abuse elevation control mechanism (T1548)
  • Bypassing defenses
  • Exploiting for defense evasion (T1211)
  • Deobfuscating/decoding files or information (T1140)
  • File and directory permissions modification (T1222)
  • Impairing defenses (T1562)
  • Indicator removal on host (T1070)
  • Signed binary proxy execution (T1218)
  • Accessing credentials
  • Brute force (T1110)
  • OS credential dumping (T1003)
  • Steal or forge Kerberos tickets (T1558)
  • Moving laterally
  • Exploiting remote services (T1210)
  • Remote services (T1021)
  • Using alternate authentication material (T1550)
  • Collecting and exfiltrating data
  • Data from local system (T1005)
  • Data from network shared drives (T1039)
  • Email collection (T1114)
  • Archive collected data (T1560)
  • Exfiltration over web service (T1567)
  • Automated exfiltration (T1020)
  • Ransomware deployment
  • Inhibit system recovery (T1490)
  • Data encrypted for impact (T1490)
  • Summary
  • Chapter 6: Collecting Ransomware-Related Cyber Threat Intelligence
  • Threat research reports
  • Community
  • Threat actors
  • Summary
  • Section 3: Practical Incident Response
  • Chapter 7: Digital Forensic Artifacts and Their Main Sources
  • Volatile memory collection and analysis
  • Non-volatile data collection
  • Master file table
  • Prefetch files
  • LNK files
  • Jump lists
  • SRUM
  • Web browsers
  • Windows Registry
  • Windows event logs
  • Other log sources
  • Summary
  • Chapter 8: Investigating Initial Access Techniques
  • Collecting data sources for an external remote service abuse investigation
  • Investigating an RDP brute-force attack
  • Collecting data sources for a phishing attack investigation
  • Investigating a phishing attack
  • Summary
  • Chapter 9: Investigating Post-Exploitation Techniques
  • Investigating credential access techniques
  • Credential dumping with hacking tools
  • Credential dumping with built-in tools
  • Kerberoasting
  • Investigating reconnaissance techniques
  • Network scanning
  • Active Directory reconnaissance
  • Investigating lateral movement techniques
  • Administrative shares
  • PsExec
  • RDP
  • Summary
  • Chapter 10: Investigating Data Exfiltration Techniques
  • Investigating web browser abuse for data exfiltration
  • Investigating cloud service client application abuse for data exfiltration
  • Investigating third-party cloud synchronization tool abuse for data exfiltration
  • Investigating the use of custom data exfiltration tools
  • Summary
  • Chapter 11: Investigating Ransomware Deployment Techniques
  • Investigation of abusing RDP for ransomware deployment
  • Crylock ransomware overview
  • Investigation of Administrative shares for ransomware deployment
  • REvil ransomware overview
  • Investigation of Group Policy for ransomware deployment
  • LockBit ransomware overview
  • Summary
  • Chapter 12: The Unified Ransomware Kill Chain
  • Cyber Kill Chain®
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control (C2)
  • Actions on Objectives
  • MITRE ATT&CK®
  • Reconnaissance
  • Resource development
  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Command and control
  • Exfiltration
  • Impact
  • The Unified Kill Chain
  • Initial Foothold
  • Network Propagation
  • Actions on Objectives
  • The Unified Ransomware Kill Chain
  • Gain Access to the Network
  • Establish Foothold
  • Network Discovery
  • Key Assets Discovery
  • Network Propagation
  • Data Exfiltration
  • Deployment Preparation
  • Ransomware Deployment
  • Extortion
  • Summary
  • Index
  • About Packt
  • Other Books You May Enjoy