homepage
Open menu
Go one level top
  • Train and Certify
    • Overview
    • Get Started in Cyber
    • Courses
    • GIAC Certifications
    • Training Roadmap
    • OnDemand
    • Live Training
    • Summits
    • Cyber Ranges
    • College Degrees & Certificates
    • Scholarship Academies
    • NICE Framework
    • Specials
  • Manage Your Team
    • Overview
    • Group Purchasing
    • Why Work with SANS
    • Build Your Team
    • Hire Cyber Talent
    • Team Development
    • Private Training
    • Security Awareness Training
    • Leadership Training
    • Industries
  • Resources
    • Overview
    • Internet Storm Center
    • White Papers
    • Webcasts
    • Tools
    • Newsletters
    • Blog
    • Podcasts
    • Posters & Cheat Sheets
    • Summit Presentations
    • Security Policy Project
  • Focus Areas
    • Cyber Defense
    • Cloud Security
    • Digital Forensics & Incident Response
    • Industrial Control Systems
    • Cyber Security Leadership
    • Offensive Operations
  • Get Involved
    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    • About SANS
    • Our Founder
    • Instructors
    • Mission
    • Diversity
    • Awards
    • Contact
    • Frequently Asked Questions
    • Customer Reviews
    • Press
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. FOR528: Ransomware for Incident Responders - New DFIR Course Coming soon
Viv_Ross_370x370.png
Viviana Ross

FOR528: Ransomware for Incident Responders - New DFIR Course Coming soon

Learning to thwart the threat of human-operated ransomware once and for all!

May 12, 2021

Copy_of_SANS_Banners.png


Register to receive information about Beta 1 here


Learning to thwart the threat of human-operated ransomware once and for all!

The threat of ransomware has evolved over time from being a single machine infection following an ill-advised click to becoming a booming enterprise capable of crippling even the largest of networks. 

"Nearly all computer networks are susceptible to ransomware attacks, and ransomware operators are targeting new verticals often" says SANS Instructor and FOR528 course author Ryan Chapman. Thwarting the threat of HumOR attacks requires a coordinated effort among multiple IT teams." 

Understanding the importance these teams play in the event of a ransomware attack the new four-day course aims to teach enterprise network administrators how to enable strong protection controls and ensure that backups will be secure in the face of a ransomware event. Likewise,  the course provides IT security and/or incident response analysts with the skills to hunt for operators who slip past security mechanisms and  how to respond while ransomware is running actively within the environment.  It also teaches Management teams how to deal with operators should ransomware be executed successfully within the environment. 

Why This Course?

Ransomware has become a common occurrence about which we hear in our daily computing lives. The threat of ransomware has evolved over time from being a single machine infection following an ill-advised click to becoming a booming enterprise capable of crippling even the largest of networks. FOR528 teaches students how to deal with the specifics of ransomware in order to prepare for, detect, hunt, response to, and deal with the aftermath of ransomware. The class includes multiple hunting methods, a hands-on approach to learning using real-world data, and a full-day CTF-style capstone to help students solidify their learning.

Course Day At-A-Glance:

Day one of the course provides a foundational knowledge for how ransomware began, how it has evolved, and where it's going in the near future. The day unfolds by covering the common infection vectors ransomware actors are using and how to deal with them. This section includes an overview of the Tactics, Techniques, and Procedures (TTPs) these actors use, with a heavy emphasis on the common tools found in the actors' toolbox. The day ends by providing a multitude of processes and implementations that can help organizations prevent or at least armor themselves against a ransomware outbreak from occurring, viewed from the lens of an incident responder. 

Day two of the course focuses on hunting methods, including a thorough review of hunting for TTPs vs. indicators of compromise (IOCs). Students will spend time with hands-on labs that walk them through hunting for both the TAs and their tools. The course then moves to teaching students how to respond to an active, ongoing ransomware attack. The day ends with a thorough review of the tasks that need to be carried out when ransomware has run within the environment. Just because the ransomware is no longer encrypting files actively, this does not mean the overall incident is over; in fact, the truth is quite the opposite. 

Day three of the course begins by covering the inner-workings of ransomware samples. This section focuses on how ransomware operates at a low level in hopes of arming incident responders with methods to recover as much data as possible. The day continues by providing directions for identifying potential data exfiltration within an environment. Forensic detection methods for data staging, data archival, and network-based data exfiltration are covered. The day ends with a thorough, hands-on case study of a large ransomware group. 

Day four of the course is a full-day, scoreboard-based capture the flag (CTF) capstone that reinforces what the students have learned throughout the class via hands-on analysis. This CTF combined with plenty of hands-on labs throughout the course will enable students to help deter, detect, and respond to ransomware within their organizations.

The FOR528 – Ransomware for Incident Responders In-Depth Course will help you understand:

  • How ransomware has evolved to become a major business
  • How human-operated ransomware (HumOR) operators have evolved into well-tuned attack teams
  • Who and what verticals are most at risk of becoming a ransomware victim
  • How ransomware operators get into their victims’ environments
  • How best to prepare your organization against the threat of HumOR
  • How to identify the tools that HumOR operators often use to get into and perform post-exploitation activities during a ransomware attack
  • How to hunt for ransomware operators within your network
  • How to respond when ransomware is running actively within your environment
  • What steps to take following a ransomware attack
  • How to identify data exfiltration

 For more new and in-development course information visit here

Watch Ryan's Ransomware talks: 



Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

Recommended Training

  • FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
  • FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • FOR608: Enterprise-Class Incident Response & Threat Hunting

Tags:
  • Digital Forensics and Incident Response

Related Content

Blog
Vote_now.png
Digital Forensics and Incident Response
April 24, 2022
Which DFIR Summit Mascots do you want to see as Lego giveaways this year? Vote now!
To celebrate the 15th year of the DFIR Summit, we are letting you choose your favorite Summit mascot over the years. Which will make our Lego set?
Viv_Ross_370x370.png
Viviana Ross
read more
Blog
FOR500_update.png
Digital Forensics and Incident Response
April 19, 2022
SANS FOR500: Windows Forensic Analysis - Updated for Windows 11 and Beyond
The new release of the FOR500 Windows Forensic Analysis course includes a significant focus to support the new Windows 11 operating system and more.
370x370_Chad-Tilbury.jpg
Chad Tilbury
read more
Blog
Blog_teaser_images_(8).png
Digital Forensics and Incident Response
March 23, 2022
Cursos DFIR de SANS - Justifica tu Entrenamiento
Utiliza estas plantillas de cartas de justificación para compartir detalles del entrenamiento y certificación de SANS DFIR con tu jefe.
Viv_Ross_370x370.png
Viviana Ross
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cyber Security Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kingdom of Saudi Arabia
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia (Slovak Republic)
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe
  • © 2022 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn