Atomic Ransomware Emulation

569 views

SANS Digital Forensics and Incident Response

1 day ago

Being able to replicate ransomware TTPs is a critical component of a security operations continual training program. Often, access to tools that emulate these TTPs is not readily available, and the time needed to deploy them can eat up what little training time the team has. In this presentation, Gerard will walk attendees through leveraging the open-source threat emulation tool Atomic Red Team to simulate ransomware threat actor TTPs and provide a construct for continual training and drilling. The major topics will include:
- An overview of Atomic Red Team: This will include how to quickly set up a test harness and begin testing on a Windows endpoint.
- Using threat intelligence: Open-source intelligence such as CISA advisories or theDFIRreport.com provides comprehensive analysis of ransomware attack TTPs. The specific techniques can be extracted and used to build a threat emulation plan that reproduces those TTPs with Atomic Red Team tests.
- Crafting the Threat Emulation Plan: Atomic Red Team tests can be run as a single TTP or chained together in a plan to emulate a specific threat actor. Attendees will be guided through a workflow for building a ransomware emulation and will then be shown the actual execution of such a plan.
- The Atomic Response Drill: Rounding out the discussion will be an exploration of the Atomic Response Drill. This construct is a short exercise (10-15 minutes) that tests a security operations team's ability to pivot from detection to response. In conjunction with Atomic Red Team, these drills can be incorporated into a continual training and drilling exercise to ensure detection and response teams can properly respond to ransomware threats.
The key take-aways from this session include:
- How Atomic Red Team can be leveraged as a low-cost threat emulation tool that better prepares security operations and incident response teams to identify and respond to ransomware TTPs.
- A construct in which to run scenarios and drills that have a clear learning objective that can better prepare teams to address ransomware activity. As part of the presentation, attendees will also be provided links to various resources including scripts to get Atomic Red Team up and running and sample threat emulation plans.
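The emulation-plan and drill workflow described above, as an added example that is not part of the talk, the summit page, or Red Canary's own project code. It uses the Invoke-AtomicRedTeam PowerShell module on a Windows lab endpoint; the install and Import-Module lines follow the project's documented setup. The ATT&CK technique IDs are ones commonly reported for ransomware intrusions, but the test numbers, the 60-second pause between phases, the log path and the phase labels are assumptions for illustration and must be checked against the current atomics (Invoke-AtomicTest <ID> -ShowDetailsBrief) before a drill:

```powershell
# Added example (not from the SANS talk or Red Canary's project): a minimal ransomware
# emulation plan run with the Invoke-AtomicRedTeam module on a Windows lab host.
# Run only on an isolated, snapshotted test VM: some of these atomics delete shadow
# copies, stop services and encrypt files. Requires an elevated PowerShell session.

# 1. One-time setup of the execution framework and the atomics library
#    (install commands as documented by the project; needs internet access).
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics -Force
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

# 2. The emulation plan, in the order a ransomware operator typically moves.
#    Technique IDs are ATT&CK IDs; TestNumbers values are ASSUMPTIONS for
#    illustration. Verify each with: Invoke-AtomicTest <ID> -ShowDetailsBrief
#    (Invoke-AtomicTest skips tests whose supported platforms exclude Windows).
$Plan = @(
    @{ Technique = 'T1059.001'; TestNumbers = 1; Phase = 'Execution via PowerShell' },
    @{ Technique = 'T1562.001'; TestNumbers = 1; Phase = 'Impair Defenses' },
    @{ Technique = 'T1490';     TestNumbers = 1; Phase = 'Inhibit System Recovery' },
    @{ Technique = 'T1489';     TestNumbers = 1; Phase = 'Service Stop' },
    @{ Technique = 'T1486';     TestNumbers = 1; Phase = 'Data Encrypted for Impact' }
)
# Assumed log location for the drill timeline.
$DrillLog = Join-Path $env:TEMP ("ransomware-drill-{0}.csv" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# 3. Resolve prerequisites before the drill clock starts, so the 10-15 minute
#    window is spent on detection and response rather than downloading tooling.
foreach ($Step in $Plan) {
    Invoke-AtomicTest $Step.Technique -TestNumbers $Step.TestNumbers -GetPrereqs
}

# 4. Execute the chain. Each phase's start and end time is recorded so the SOC's
#    alert and response timestamps can be compared with the emulation timeline
#    during the debrief (time-to-detect, time-to-contain per phase).
$Timeline = foreach ($Step in $Plan) {
    $Start = Get-Date
    Invoke-AtomicTest $Step.Technique -TestNumbers $Step.TestNumbers -TimeoutSeconds 120
    [pscustomobject]@{
        Phase     = $Step.Phase
        Technique = $Step.Technique
        Test      = $Step.TestNumbers
        Start     = $Start.ToString('o')
        End       = (Get-Date).ToString('o')
    }
    # Assumed pause between phases so defenders have a chance to observe the pivot.
    Start-Sleep -Seconds 60
}
$Timeline | Export-Csv -Path $DrillLog -NoTypeInformation

# 5. After the debrief, run each test's cleanup in reverse order.
[array]::Reverse($Plan)
foreach ($Step in $Plan) {
    Invoke-AtomicTest $Step.Technique -TestNumbers $Step.TestNumbers -Cleanup
}
Write-Host "Drill timeline written to $DrillLog"
```

The CSV is the artifact that turns an emulation run into a drill: the blue team's alert timestamps and containment actions are lined up against the Start/End columns per phase, which shows where detection lagged and where the team failed to pivot from detection to response. Restore the VM snapshot after the cleanup step rather than trusting cleanup alone, since the T1486 and T1490 atomics touch files and shadow copies.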
View upcoming Summits: www.sans.org/u/DuS
SANS Ransomware Summit 2024
Atomic Ransomware Emulation
Gerard Johansen, Principal Security Solutions Specialist, Red Canary
