As ransomware-as-a-service (RaaS) offerings arose on the scene, the volume and variety of ransomware attacks greatly expanded. Now, dozens of affiliates are deploying the same variant, leading to differing attack chains depending on who's behind the intrusion. This session walks through organizational clustering efforts when it comes to the messy world of ransomware affiliates and highlights how to separate the common tactics from the narrow details that may be indicative of a specific affiliate. Featuring case studies of two Threat Activity Clusters (TACs) tracking ransomware affiliates, this session will demonstrate how identifying unique indicators in attacks can assist in connecting the dots across incidents, thus allowing us to determine a pattern of attacker behavior independent of the ransomware variant deployed. In this talk, analysts will learn how to compare attack chains across incidents and identify overlaps in TTPs and indicators, in turn enabling them to generate actionable intelligence to form effective detections and more quickly identify malicious activity before ransomware is deployed.
View upcoming Summits: www.sans.org/u/DuS
SANS Cyber Threat Intelligence Summit 2024
Clustering Attacker Behavior: Connecting the Dots in the RaaS Ecosystem
Morgan Demboski, Threat Intelligence Analyst, Sophos