Cyber resiliency – Ransomware Response Bootcamp
FlexibleIR, in association with DSCI and CERT India, has created a unique 2-day Ransomware Rapid Response Bootcamp. Tens of organisations are now better prepared for a crisis. In the bootcamp we run drills and build playbooks so that the organisation is prepared both technically and from the management perspective.
Key points on the Bootcamp
1. BYOP – Build your own visual playbooks for rapid response and compare them with others. Build on best practices. Holistic response at both the technical and the management level.
2. Ransomware case studies and scenarios on which live responses are performed. The hurdles introduced during scenario execution are close to real.
3. Most importantly, creating an air of realism during a crisis, and learning to build on worst-case situations.
4. Building abstraction models of your business and exploring how to respond to them holistically.
5. Teams are drawn from across sectors. The open dialogue and shared learnings help build the culture required to respond.
6. Plenty of videos and shared experiences.
7. Rapid – every exercise is aimed at a speedier response and effective programme management.
8. Worst-case scenario thinking and recording.
9. Anticipation and the ability to withstand.
Topics that we cover
- Effective communication skills – crisp, clear, short communication
- Conti Playbook
- Malwarebytes – source code
- CEO playbook – a clear step-by-step guide on each topic of crisis response, with relevant videos
- Generated video and audio depicting adversarial behaviour and responses across the community
- Adversary landscape, with RU-UA as an example
- National cyber incidents – Mauritius, Australia and Canada
- Attack graph/flow – LINK and CODE LINK
- MITRE ATT&CK – early-warning bottom-up playbooks – SIEM rules/use cases – LINK
- Negotiation with ransomware actors – LINK
Ransomware Technical-level playbooks
Different flavours of ransomware response playbooks – LINK
Disaster recovery
- IT Disaster Recovery Plan – LINK
Great guides for best practices
- CISA Ransomware Response Guide – LINK
Communication templates
- Internal and external stakeholders – LINK
Ransomware reverse engineering
Typical expectations from the participants
- Structured response
- Management level response – Crisis Management – Communication
For country-wide CERTs
- Similarity between incidents – LINK
IoCs / Artifacts
Lockbit
https://github.com/splunk/attack_data/blob/master/datasets/malware/lockbit_ransomware/
https://github.com/sophoslabs/IoCs
https://github.com/aki2419/LockBit-IOCs
https://github.com/Advisory-Newsletter/Lockbit-3.0
https://github.com/cdong1012/Lockbitv3-Analysis
Conti
https://github.com/splunk/attack_data/tree/master/datasets/malware/conti
https://github.com/scythe-io/community-threats (Conti directory)
https://github.com/sophoslabs/IoCs
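The IoC repositories listed above publish indicators in feed files that are usually defanged (hxxp, [.]) and mixed-case, so a sweep of your own telemetry against them needs a normalisation step before any comparison. The script below is an added example, not tooling from the bootcamp or from the repositories linked here: it loads a constructed type,value CSV feed (the column layout is an assumption; the real feeds differ), refangs and canonicalises each indicator, and then sweeps a constructed set of observations (file hashes, DNS lookups, a proxy URL, connection IPs) against it, counting a subdomain of a listed domain and a URL whose host is listed as hits. Every hash, domain and address in it is a placeholder, not a real LockBit or Conti indicator.

```python
"""Normalise a ransomware IoC feed and sweep observed artifacts against it.

Added example, not code from the bootcamp or the IoC repositories above.
Feed rows and observations are constructed; the hash, domains and addresses
are placeholders (TEST-NET and .example), not real LockBit or Conti IoCs.
"""
import csv
import io
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed feed. Values are deliberately defanged and mixed-case, as
# published indicators often are, so that the normalisation below matters.
IOC_FEED_CSV = """type,value,note
sha256,AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12CD34EF56AB12,locker sample (placeholder)
domain,Payload-Host[.]example,staging host (placeholder)
url,hxxps://Payload-Host[.]example/drop/loader.exe,loader download (placeholder)
ip,203[.]0[.]113[.]45,C2 (TEST-NET-3 placeholder)
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm

def refang(value: str) -> str:
    """Undo common defanging so feed values compare equal to live telemetry."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = v.replace("[:]", ":")
    return re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)

def canon_domain(host: str) -> str:
    return host.strip().lower().rstrip(".")

def canon_url(url: str) -> str:
    """Lower-case scheme and host only; the path stays case-sensitive."""
    u = urlsplit(url.strip())
    return urlunsplit((u.scheme.lower(), u.netloc.lower(), u.path, u.query, u.fragment))

def normalise(ioc_type: str, value: str) -> str:
    v = refang(value)
    if ioc_type in HASH_TYPES.values():
        return v.lower()
    if ioc_type == "domain":
        return canon_domain(v)
    if ioc_type == "url":
        return canon_url(v)
    return v  # ip and anything else: refanged only

def load_iocs(csv_text: str) -> dict:
    """Return {ioc_type: set(normalised values)} from a type,value CSV."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = row["type"].strip().lower()
        iocs.setdefault(t, set()).add(normalise(t, row["value"]))
    return iocs

def parent_domains(host: str):
    """a.b.example -> a.b.example, b.example, example (so subdomains hit)."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def match(iocs: dict, kind: str, value: str):
    """Return (ioc_type, ioc_value) when an observation hits the feed, else None."""
    if kind == "hash":
        h = value.strip().lower()
        t = HASH_TYPES.get(len(h))
        return (t, h) if t and h in iocs.get(t, ()) else None
    if kind == "ip":
        v = value.strip()
        return ("ip", v) if v in iocs.get("ip", ()) else None
    if kind == "domain":
        for cand in parent_domains(canon_domain(value)):
            if cand in iocs.get("domain", ()):
                return ("domain", cand)
        return None
    if kind == "url":
        key = canon_url(value)
        if key in iocs.get("url", ()):
            return ("url", key)
        host = urlsplit(key).hostname or ""
        # A URL that is not itself listed still counts if its host is.
        return match(iocs, "ip", host) or match(iocs, "domain", host)
    return None

def sweep(iocs: dict, observations):
    """Return one (kind, value, ioc_type, ioc_value) tuple per hit."""
    hits = []
    for kind, value in observations:
        m = match(iocs, kind, value)
        if m:
            hits.append((kind, value, m[0], m[1]))
    return hits

# Constructed observations, shaped like an EDR hash export and DNS/proxy logs.
OBSERVED = [
    ("hash", "ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12"),
    ("hash", "d41d8cd98f00b204e9800998ecf8427e"),   # MD5 of an empty file: benign
    ("domain", "cdn.payload-host.example."),          # subdomain, trailing dot from DNS log
    ("domain", "www.example.com"),
    ("url", "HTTPS://Payload-Host.example/drop/loader.exe"),
    ("ip", "203.0.113.45"),
    ("ip", "198.51.100.7"),
]

if __name__ == "__main__":
    for hit in sweep(load_iocs(IOC_FEED_CSV), OBSERVED):
        print("HIT %-6s %-60s via %s %s" % hit)
```

Two design points matter when you swap in a real feed: hashes are keyed by hex length so a feed that mixes MD5, SHA-1 and SHA-256 columns still matches, and URLs are canonicalised on scheme and host only, since a path is case-sensitive and lower-casing it would both create and hide matches. Keep a trailing-dot DNS name and a subdomain of a listed domain as hits; both are common reasons an analyst's grep against a raw feed returns nothing.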
Videos
Norsk Hydro – https://www.youtube.com/watch?v=C6MDz-AgQuE
OPTUS – https://www.youtube.com/watch?v=RakCjYIpwJ8 and https://www.youtube.com/watch?v=l_0_SS4wh0U
Colonial – https://www.youtube.com/watch?v=5H6AvsmUG5Q
Equifax – https://www.youtube.com/watch?v=bh1gzJFVFLc
Build your own Cyber Crisis Management Plan (CCMP)
FIRST.org LINK
Malware Source code
https://github.com/vxunderground/MalwareSourceCode/tree/main
Negotiation with adversary LINK
Decryptors
https://www.nomoreransom.org/en/decryption-tools.html
Breach and attack simulation
Cymulate and Prelude
EDR basics
https://synzack.github.io/Blinding-EDR-On-Windows/
Ransomware – advancements
https://www.first.org/resources/papers/amsterdam23/Harder-Better-Faster-Locker.pdf
AWS Cloud response
Call tree examples
- Hierarchy in a team – how the call flows happen
- One-to-many notification is preferable
Out-of-band communication
- In-house captive voice systems
IR plan examples