9:00 am - 9:15 am ET / 1:00 pm - 1:15 pm UTC | Opening Remarks
9:15 am - 10:00 am ET / 1:15 pm - 2:00 pm UTC | Keynote: The RaaS C0nference K3ynote: Opportunities and Risk to Ransomware in 2024 and Beyond
Speaker: Eli Woodward, Cyber Threat Intelligence Analyst, Early Warning Services

What if the ransomware summit wasn't for blue teams and defenders but was actually for the ransomware threat actors themselves? This talk gives a hypothetical keynote at the "Ransomware As A Service conference: for affiliates, by affiliates." Drawing on key trends and data from the cybersecurity industry, we highlight the growth and vitality of the ransomware industry in 2023. This is a cheeky view of the ransomware problem from the adversary's point of view. However, it will also highlight the risks to ransomware threat actors and give defenders ideas on how to defend against, and investigate, this growing problem by looking at it from an unorthodox perspective. Key highlights include data points on the health of the overall ransomware industry and its growth, mistakes made by other ransomware gangs, and the key trends and opportunities ahead as seen through the "RaaS magic quadrant." The problem will also be viewed from the defender's point of view, along with some key risks to ransomware that have been growing as defenders get better. We'll also take an honest look at the PR risks of targeting hospitals and the potential backlash from governments. Finally, no keynote is complete without a discussion of AI and how it can be leveraged to better understand both the risks and the opportunities ahead for ransomware.
10:00 am - 10:15 am ET / 2:00 pm - 2:15 pm UTC | Break
10:15 am - 10:50 am ET / 2:15 pm - 2:50 pm UTC | Unmasking Cyber Shadows: A Tactical Approach to Hunting Ransomware TTPs
Speaker: Arun Warikoo, Vice President, Cyber Threat Intelligence, BNP Paribas

2023 was another record-breaking year for ransomware, and we saw many notable attacks. The ransomware attack on the City of Dallas in May, orchestrated by the Royal ransomware group, led to the shutdown and disruption of many city services and data exfiltration that impacted approximately 26,000 people. The MOVEit exploitation by Cl0p in May turned out to be the biggest cyberattack story of the year, affecting more than 600 organizations worldwide. We then saw ransomware attacks on the two biggest names on the Las Vegas Strip in September, followed by the fallout of a ransomware attack on ICBC, China's largest bank. Research suggests that there is a significant dwell time before ransomware is deployed. Although the dwell time has shrunk over the last couple of years from months to weeks to days, defenders still have a window of opportunity to prevent the deployment of ransomware. This is where threat hunting can play a significant role in unmasking ransomware operations. In this presentation, we will cover a tactical approach to hunting and unmasking ransomware operations, and explore an intelligence-driven framework for threat hunting. We will examine how Cyber Threat Intelligence (CTI) feeds into the threat hunt process, enabling the development of hunt packages based on ransomware actors' behaviors and techniques. We will dive into the creation of specific hunt use cases against tactics heavily used by ransomware operators post-compromise. Finally, we will discuss how threat hunting can be used to improve automated detection capabilities over time.

Through this discussion, attendees will learn threat hunting techniques to detect ransomware operations, how to apply intelligence iteratively to drive threat hunts, and methods for automating threat hunting for scalability.
10:55 am - 11:30 am ET / 2:55 pm - 3:30 pm UTC | From Drone Strike to File Recovery, Outsmarting a Nation State

This is our stage: set in early 2023, a nation state is prepping a campaign against several organizations using similar TTPs. Join us on an exhilarating journey through a massive incident response (IR) in an incredibly intricate setting. Picture this: a drone strike motivates a nation state to attack an organization and launch an InfoOps campaign. The target has over 30 distinct business units, each with its own unique IT structure, every endpoint directly exposed to the vast expanse of the internet on a class B IP range, and, to top it off, varying levels of security hygiene. But wait, there's more! The attackers unleashed a devastating ransomware attack, which, surprise, turned out to be successful. Countless terabytes of data held hostage, with no possibility of a key. Fear not, for we discovered a remarkable method to exploit this ransomware and reclaim the majority of the encrypted data. Prepare to witness the magic of resourcefulness, innovation, and the art of cracking cryptography. Brace yourself for a talk that will leave you in awe!
11:35 am - 12:10 pm ET / 3:35 pm - 4:10 pm UTC | Ransomware Running Wild in the Cloud

Threat actors evolved their methods for conducting ransomware attacks in the cloud and on-premises during 2023 and show no signs of stopping. This discussion addresses initial access factors and threat actor trends associated with cloud ransomware attacks, including a shift to server-side exploits and the prioritization of data exfiltration over data encryption. Content also includes notable incidents, attack models, and examples of how threat actors are adapting their methods to conduct ransomware attacks in the cloud. This presentation is based on technical research and analysis derived from multiple sources, including Google Cloud teams and the cybersecurity industry. Attendees will gain increased awareness of the threat actor activity used to conduct ransomware attacks in the cloud, along with multiple approaches to help prevent ransomware in cloud environments, including actionable cloud-specific security risk mitigations, resources, and industry best practices.
12:15 pm - 1:00 pm ET / 4:15 pm - 5:00 pm UTC | Lunch
1:00 pm - 1:35 pm ET / 5:00 pm - 5:35 pm UTC | Ransomware Data Leak Sites - The Uncomfortable Truths
Speaker: Jim Walter, Sr. Threat Researcher, SentinelLabs, SentinelOne

Openly available "data leak sites" are standard operating procedure for modern ransomware/extortion threat actors. Hosting huge swaths of accessible and searchable data brings about many uncomfortable challenges. These include organizations (or employees within them) being exposed as possessing illicit (unlawful) data and imagery. Downstream customer data is frequently compromised when IAM providers are targeted. Victims of these attacks have a seriously compounded problem once their data is presented for all to see, and the threat actors use these opportunities as extra points of leverage. What are the legal issues that arise when companies find themselves hosting unlawful material that is subsequently exposed on a DLS? Just how complex do things get when IAM providers are compromised and downstream customers/clients have their data transitively leaked? How are threat actors using these opportunities for leverage against victims? In this talk, we aim to cover a few specific threat actors and examples (e.g. Rhysida and Mount St. Mary's Seminary). We will explore the high-level, problematic legal issues that may arise in these matters. This also includes discussion of threat actors using laws and regulations "against" the victims (i.e. GDPR-focused leverage and "SEC filings").
1:40 pm - 2:25 pm ET / 5:40 pm - 6:25 pm UTC | PANEL – How to Best Defend Your Organization Against Ransomware
Moderator: Ryan Chapman
Panelists: Stephanie Regan, Principal Cybersecurity Incident Response Consultant, Unit 42 by Palo Alto Networks; Jim Walter, Sr. Threat Researcher, SentinelLabs, SentinelOne
2:30 pm - 2:45 pm ET / 6:30 pm - 6:45 pm UTC | Break
2:45 pm - 3:20 pm ET / 6:45 pm - 7:20 pm UTC | Defending Against the Cyber Siege: Strategies for Active Defense against Pre-Ransomware and Ransomware Attacks

As the threat landscape continues to evolve, organizations face an ever-growing risk of falling victim to ransomware attacks. These malicious attacks not only jeopardize sensitive data but also threaten business continuity and financial stability. In this talk, we delve into the proactive strategies essential for defending against both pre-ransomware and active ransomware attacks. The presentation has two sections.

In the face of an imminent ransomware attack, organizations are thrust into a race against time to enact swift and decisive measures within the critical first 24 hours. The first section delves into the urgent actions and strategic decisions necessary upon discovery of an impending ransomware threat. From rapid threat assessment and isolation to mobilizing incident response teams and implementing emergency protocols, we explore the pivotal steps required to mitigate potential damage and safeguard essential systems and data.

In the wake of a ransomware attack, organizations face a critical window of opportunity to respond effectively and mitigate damage. The second section explores the essential steps and strategic decisions that must be made during the first 24 and 48 hours after being hit by the ransomware attack. From initial detection, incident scoping and containment to communication strategies and recovery planning, we examine the key actions required to minimize disruption and protect critical assets. Drawing upon real-world scenarios and expert insights, attendees will gain invaluable guidance on prioritizing response efforts, communicating with stakeholders, and orchestrating a coordinated defense against pre-ransomware and active ransomware attacks.

By effectively leveraging the initial hours after detection, organizations can bolster their resilience and minimize the impact of ransomware attacks.
3:25 pm - 4:00 pm ET / 7:25 pm - 8:00 pm UTC | Atomic Ransomware Emulation

Being able to replicate ransomware TTPs is a critical component of a security operations continual training program. Often, access to tools to emulate these TTPs is not readily available, and the time necessary to deploy them can eat up what little training time the team has. In this presentation, [presenter] will walk attendees through leveraging the open-source threat emulation tool Atomic Red Team to simulate ransomware threat actors' TTPs and provide a construct for continual training and drilling. The major topics will include:

- An overview of Atomic Red Team: This will include how to quickly set up a test harness and begin testing on a Windows endpoint.
- Using threat intelligence: Open source intelligence such as CISA or theDFIRreport.com provides comprehensive analysis of ransomware attack TTPs. The specific techniques can be extracted and then used to build a threat emulation plan that emulates those TTPs using Atomic Red Team tests.
- Crafting the Threat Emulation Plan: Atomic Red Team can be run as a single TTP or chained together in a plan to emulate a specific threat actor. Attendees will be guided through a workflow that can assist in building a ransomware emulation. They will then be shown the actual execution of such a plan.
- The Atomic Response Drill: Rounding out the discussion will be an exploration of the Atomic Response Drill. This construct is a short exercise (10-15 minutes) that tests a security operations team's ability to pivot from detection to response. In conjunction with Atomic Red Team, these drills can be incorporated as a continual training and drilling exercise to ensure detection and response teams can properly respond to ransomware threats.

The key take-aways from this session include:

- How Atomic Red Team can be leveraged as a low-cost threat emulation tool that better prepares security operations and incident response teams to identify and respond to ransomware TTPs.
- A construct in which to run scenarios and drills with a clear learning objective that can better prepare teams to address ransomware activity.

As part of the presentation, attendees will also be provided links to various resources, including scripts to get Atomic Red Team up and running and sample threat emulation plans.
4:00 pm - 4:35 pm ET / 8:00 pm - 8:35 pm UTC | Evolution of Ransomware Tactics in 2023 - Insights from The DFIR Report
Speaker: Peter O, Cyber Threat Analyst, The DFIR Report

Ransomware goals and objectives have largely remained unchanged, but the underpinning tradecraft has been evolving to counter defensive measures. Throughout 2023, The DFIR Report investigated and analyzed numerous ransomware attacks, uncovering a wealth of valuable insights. In this presentation, we delve into the intriguing tools and techniques that emerged over the past year, from initial access and lateral movement to methods of concealment. Our discussion will not only highlight these advancements but also shed light on proactive detection methodologies aimed at identifying malicious activity in the early stages of the attack lifecycle. Join us as we explore the evolving landscape of ransomware tactics and strategies, providing actionable insights for bolstering cybersecurity defenses.

- Lateral movement by operators
- Evasion: blending in, and other unusual methods
- Tooling: custom tooling, living off the land, and bring your own
- Hands-on hacking: command blunders, and other interesting activities
4:40 pm - 5:00 pm ET / 8:40 pm - 9:00 pm UTC | Wrap-Up