October 29, 2023

Cyber resiliency – Ransomware Response Bootcamp

By venkat

FlexibleIR, in association with DSCI and CERT India, has created a unique two-day Ransomware Rapid Response Bootcamp program. Tens of organisations are now better prepared for a crisis. In the bootcamp we conduct drills and build playbooks to ensure the organization is prepared both technically and from the management perspective.

Key points on the Bootcamp

1. BYOP – Build your own visual playbooks for Rapid Response and compare them with others. Build on best practices. A holistic response at both the technical and the management level.
2. Ransomware case studies and scenarios on which live responses are performed – the hurdles introduced during scenario execution are close to real!
3. Most importantly, creating an air of realism during a crisis, and learning to plan for worst-case situations.
4. Building abstraction models of your business and exploring how to respond to them holistically.
5. Teams are spread across sectors. There is a lot of open dialogue and shared learning, which helps build the culture required to respond.
6. Lots of videos and shared experiences.
7. Rapid – all exercises are aimed at a speedier response and effective program management.
8. Worst-case scenario thinking and recording.
9. Anticipation and the capacity to withstand.

TOPICS that we cover

  1. Effective communication skills – CRISP, CLEAR, SHORT communication
  2. Conti Playbook
  3. Malwarebytes – source code
  4. CEO playbook – a clear step-by-step guide on each topic of crisis response – relevant videos
  5. Generated video and audio depicting adversarial behavior and other community-wise responses
  6. Adversary landscape with RU-UA as example
  7. National cyber incident – Mauritius and Australia – CANADA
  8. Attack graph/flow – LINK and CODE LINK
  9. Mitre ATT&CK – Early warning bottom-up Playbooks – SIEM rules/use-cases – LINK
  10. Negotiation with Ransomware actors – LINK

Ransomware Technical-level playbooks

Different flavors of Ransomware Response Playbooks – LINK

Disaster recovery

  1. IT Disaster Recovery Plan – LINK

Great guides for best practices

  1. CISA Ransomware Response Guide – LINK

Communication templates

  1. Internal and external stakeholders – LINK

Ransomware reverse engineering

  1. CONTI – LINK
  2. CONTI – LINK
  3. BLACKMATTER – LINK

Typical expectations from the participants

  1. Structured response
  2. Management level response – Crisis Management – Communication

For country-wide CERTs

  1. Similarity between incidents – LINK

IoCs / Artifacts

Lockbit
https://github.com/splunk/attack_data/blob/master/datasets/malware/lockbit_ransomware/
https://github.com/sophoslabs/IoCs
https://github.com/aki2419/LockBit-IOCs
https://github.com/Advisory-Newsletter/Lockbit-3.0
https://github.com/cdong1012/Lockbitv3-Analysis

Conti
https://github.com/splunk/attack_data/tree/master/datasets/malware/conti
https://github.com/scythe-io/community-threats/tree/master/Conti
https://github.com/sophoslabs/IoCs

Videos

Norsk Hydro – https://www.youtube.com/watch?v=C6MDz-AgQuE
OPTUS – https://www.youtube.com/watch?v=RakCjYIpwJ8 and https://www.youtube.com/watch?v=l_0_SS4wh0U

Colonial – https://www.youtube.com/watch?v=5H6AvsmUG5Q

Equifax – https://www.youtube.com/watch?v=bh1gzJFVFLc

Build your own Cyber Crisis Management Plan (CCMP)

FIRST.org LINK

Malware Source code

https://github.com/vxunderground/MalwareSourceCode/tree/main

Negotiation with adversary LINK

Decryptors

https://www.nomoreransom.org/en/decryption-tools.html

Breach attack simulation

cyberwarfare

Cymulate and Prelude

EDR basics

https://synzack.github.io/Blinding-EDR-On-Windows/

Ransomware – advancements

https://www.first.org/resources/papers/amsterdam23/Harder-Better-Faster-Locker.pdf

AWS Cloud response

https://d1.awsstatic.com/events/Summits/awsreinforce2023/TDR201_How-Citi-advanced-their-containment-capabilities-through-automation.pdf

Call tree examples

  1. Hierarchy in a team – how call flows happen
  2. One-to-many notification would be ideal

Out-of-band communication

  1. WhatsApp
  2. In-house captive voice systems

IR plan examples

FOR528