Detecting Ransomware Before It’s Too Late Using MITRE ATT&CK

Presented by

Randy Franklin Smith, Ultimate Windows Security; Michael McGinnis, LogRhythm

About this talk

Good backups are not the solution to ransomware. Backups take time – time when your business is in complete limbo because it chose to completely shut down business operations out of “an abundance of caution.” Paying the ransom isn’t a solution either because all that data usually needs to be decrypted. This takes time and may not fully recover all of the data or doesn’t work at all. In the case of the Colonial Pipeline, decryption took so long, they decided to restore data from their backups even after paying the ransom. Really the only true defense against ransomware is prevention combined with early detection and response capabilities. Beyond that, you need a well-honed and fast-as-possible, complete-as-possible recovery procedure which means automatic and secure. Fast recovery is a topic for another day. And for many organizations prevention requires redesign of network and re-thinking of security priorities – lots of rip and repair costs and support from management that has yet to materialize at most organizations I talk to. So, for now, how do you know where to spend your limited resources to detect ransomware early enough to prevent Impact (MITRE ATT&CK Tactic TA0040). In this real training for free session, Randy Franklin Smith of Ultimate Windows Security and LogRhythm will use MITRE ATT&CK as a guide for answering that question. We’ll look at the tactics an attacker must complete prior to triggering the ransom note (post Impact). Then we’ll explore key techniques associated with each of those tactics. The prerequisite tactics include: Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Mike McGinnis, Senior Sales Engineer at LogRhythm will show you how they make Network Threat Hunting Made Easy with the MistNet NDR MITRE ATT&CK™ Engine.

Related topics:

More from this channel

Upcoming talks (5)
On-demand talks (217)
Subscribers (69651)
LogRhythm helps busy and lean security operations teams save the day—day after day. There’s a lot riding on the shoulders of security professionals—the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources—the weight of protecting the world. LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps.