Keynote: Adapting Tradecraft: Examining Ransomware Attacks in 2024: Insights from The DFIR Report (PDF, 24 pages)
SANS Ransomware Summit 2025
Peter O (@_pete_0), Angelo Violetti (@angelo_violetti)

Adapting Tradecraft: Examining Ransomware Attacks in 2024
Insights from The DFIR Report

Agenda
- Review of ransomware attacks in 2024
- Domain takeover: methods of lateral movement
- Attacker tooling: LOLBIN and custom
- Hands-on keyboard: observing operators on the CLI

Real Intrusions by Real Attackers, The Truth Behind the Intrusion
https://www.first.org/tlp/

2024/2025 - The DFIR Report
Observed:
- Ransomware activity
- Exploited vulnerabilities, fake software, phishing
- Diverse use of C2 frameworks
- Mix of LOLBINs and custom tooling
Reports:
- 11 public reports
- 23 private reports
Disclosures:
- BlackSuit (Royal) ransomware
Detections:
- https:/ (URL truncated in the source)
- Malware families
- 14k C2 endpoints
Other:
- Podcasts, CTF
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
https:/ (URL truncated in the source)

Overview in 2024
Top C2 frameworks: Cobalt Strike, Metasploit, Brute Ratel
Traffic tunneling (e.g., SystemBC)
Top tools used: Mimikatz, PsExec
Top initial access techniques:
- T1189: Drive-by Compromise
- T1190: Exploit Public-Facing Application
- T1078: Valid Accounts
Top ransomware families (chart, labels as recovered from the slide): 45%; 22% BlackSuit; 33% Others (e.g., RansomHub)

Average time to discover, hands-on, lateral and ransom (timeline):
- Initial access: T0
- Time to discovery: T0+16H:53M:27S
- Time to hands-on: T0+17H:23M:34S
- Time to lateral: T0+1D:03H:13M:42S
- Time to ransom: T0+5D:05H:05M:59S
2/3 of the time, they happen in the first hour of the intrusion.
TLP:CLEAR

Trends: Takedown Operations
Major takedown operations:
- August 2023, Operation Duck Hunt: the FBI, along with international partners, performed a coordinated takedown of the QakBot infrastructure.
- May 2024, Operation Endgame: Europol conducted the takedown of several pieces of malware infrastructure used by ransomware groups: IcedID, SystemBC, Pikabot, Smokeloader and BumbleBee.
- February 2024, Operation Cronos: an international coalition led by the UK's