November 15, 2023

Ransomware response training and drills

By venkat

Preparedness is key to handling a massive cyber attack. Below are steps that we believe will help you respond confidently and effectively. Our approach of using simple, visual Playbooks helps develop the strong muscle memory required while mitigating an attack.

First, know whom to call. Ensure you can quickly mobilize all the help required and that the right contacts have been reached. You will need to start several parallel investigation trails.

Preparation for CRISIS management

Understanding when a cyber incident has the potential to become a cyber crisis, and consequently activating the crisis response process in a timely manner, is an extremely sensitive and fundamental step.

The transition from incident to crisis, in fact, embodies the shift from a tactical to a strategic level of response, allowing the organization to handle the situation more holistically and proactively.

Preparation of your CUSTOM Playbook

You need to look at different variants of Ransomware playbooks. Each will have been built from a different perspective. Come up with your own Playbook, which could be a customized version of any of the available Playbooks listed at – https://playbooks.flexibleir.com/playbook-for-a-ransomware-attack/

Understanding your adversary is half the battle won. Here is an example of Maze Ransomware at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ (look at IoCs)

Training

Understanding your adversary is half the battle won. Take one or two Ransomware families as case studies and study them in detail. Practise a cyber drill using one as the use case. Here is an example of Maze Ransomware at: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ (look at IoCs)

Practise the use case with your custom Playbook. This will help to validate and train the team on your custom Playbook.

Practise, Practise, and Practise before the crisis happens.

Here is an example – Surviving a Ransomware Attack – Lessons from the Field

Drills


War Room

Practising setting up war rooms and running them for days is key.

Lessons Learnt

The key is to understand the lessons learnt by companies that have undergone a cyber attack and have hardened their systems – Link

Communication Channels


Templates


Industry sector and region specific threat awareness


Twitter handles
