Unmasking Cyber Shadows: A Tactical Approach to Hunting Ransomware TTPs

SANS Digital Forensics and Incident Response
2023 was another record-breaking year for ransomware, with many notable attacks. The ransomware attack on the City of Dallas in May, orchestrated by the Royal ransomware group, led to the shutdown and disruption of many services in the city and to data exfiltration that impacted approximately 26,000 people. The MOVEit exploitation by Cl0p in May turned out to be the biggest cyberattack story of the year, affecting more than 600 organizations worldwide. We then saw ransomware attacks on the two biggest names on the Las Vegas Strip in September, followed by the fallout of a ransomware attack on ICBC, China's largest bank.

Research suggests that there is a significant dwell time before ransomware is deployed. Although the dwell time has reduced over the last couple of years from months to weeks to days, defenders still have a window of opportunity to prevent the deployment of ransomware. This is where threat hunting can play a significant role in unmasking ransomware operations.

In this presentation, we will cover a tactical approach to hunting and unmasking ransomware operations, and explore an intelligence-driven framework for threat hunting. We will examine how Cyber Threat Intelligence (CTI) feeds into the threat hunt process, enabling the development of hunt packages based on ransomware actors' behaviors and techniques. We will discuss and dive into the creation of specific hunt use cases against tactics heavily used by ransomware operators post-compromise. Finally, we will discuss how threat hunting can be used to improve automated detection capabilities over time. Through this discussion, attendees will learn threat hunting techniques to detect ransomware operations, apply intelligence in an iterative manner to drive threat hunts, and explore methods for automating threat hunting for scalability.

SANS Ransomware Summit 2024
Unmasking Cyber Shadows: A Tactical Approach to Hunting Ransomware TTPs
Arun Warikoo, Vice President, Cyber Threat Intelligence, BNP Paribas
