Detecting Ransomware Before It’s Too Late Using MITRE ATT&CK

Presented by

Randy Franklin Smith, Ultimate Windows Security; Michael McGinnis, LogRhythm

About this talk

Good backups are not the solution to ransomware. Backups take time – time when your business is in complete limbo because it chose to completely shut down business operations out of “an abundance of caution.” Paying the ransom isn’t a solution either, because all that data usually needs to be decrypted. This takes time, and it may not fully recover all of the data or may not work at all. In the case of the Colonial Pipeline, decryption took so long, they decided to restore data from their backups even after paying the ransom.

Really the only true defense against ransomware is prevention combined with early detection and response capabilities. Beyond that, you need a well-honed and fast-as-possible, complete-as-possible recovery procedure, which means automatic and secure. Fast recovery is a topic for another day. And for many organizations prevention requires redesign of network and re-thinking of security priorities – lots of rip and repair costs and support from management that has yet to materialize at most organizations I talk to.

So, for now, how do you know where to spend your limited resources to detect ransomware early enough to prevent Impact (MITRE ATT&CK Tactic TA0040)?

In this real training for free session, Randy Franklin Smith of Ultimate Windows Security and LogRhythm will use MITRE ATT&CK as a guide for answering that question. We’ll look at the tactics an attacker must complete prior to triggering the ransom note (post Impact). Then we’ll explore key techniques associated with each of those tactics.

The prerequisite tactics include: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration.

Mike McGinnis, Senior Sales Engineer at LogRhythm, will show you how they make Network Threat Hunting Made Easy with the MistNet NDR MITRE ATT&CK™ Engine.
Exabeam

Better Security. Faster Results.
Exabeam is a leader in intelligence and automation that powers security operations for the world’s smartest companies. As a global cybersecurity leader, Exabeam provides industry-proven, security-focused, and flexible solutions for faster, more accurate threat detection, investigation, and response (TDIR). Cutting-edge technology enhances security operations center performance, optimizing workflows and accelerating time to resolution. With consistent leadership in AI innovation and a proven track record in security information and event management (SIEM) and user behavior analytics, Exabeam empowers global security teams to combat cyberthreats, mitigate risk, and streamline operations. Learn more at www.exabeam.com.