Ransomware ATT&CK and Defense with the Elastic Stack
2021-08-07, 16:30–18:00, Workshops Track 2

This hands-on training will walk attendees through leveraging the open source Elastic (ELK) Stack to proactively identify common ransomware tactics, techniques, and procedures (TTPs) within diverse log data sets. The blue team tools and techniques taught during this workshop can be used to investigate isolated ransomware incidents or implemented at scale for continuous monitoring and threat hunting. Attendees will be provided with access to a preconfigured Elastic cluster and extensive sample logs containing malicious endpoint and network events waiting to be discovered on a simulated enterprise network. Ransomware attack artifacts will be mapped to the MITRE ATT&CK Framework and tagged accordingly in the provided logs to help demonstrate the value of log enrichment, showcase real-world attacker TTPs, and apply a methodical approach to incident response and anomaly detection. Emphasis will be placed on live demos and practical training exercises throughout.

Workshop Outline:
* Introduction to Ransomware Digital Forensics and Incident Response (DFIR), Threat Hunting, and Threat Intelligence Principles
* Introduction to the ATT&CK Framework and Mapping Ransomware TTPs to Relevant Log Data (live demos and labs)
* Introduction to the Elastic Stack and Log Data-Driven Analysis (live demos and labs)
* Hallmarks of the Ransomware Attack Lifecycle (live demos and labs)
* Identifying Ransomware Adversaries and TTPs from Reconnaissance to Exfiltration (live demos and labs)
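The abstract's core technique, tagging endpoint events with ATT&CK technique IDs so that the ransomware lifecycle can be read straight out of the logs, is easy to prototype before touching a cluster. The following is an added example written for this page; it is not the workshop's own material or dataset. It enriches a handful of constructed Windows process-creation and file-create events (field names loosely modelled on Sysmon, and my own choice) with ECS threat.* fields, then runs two hunts over the result: a per-host technique timeline and a burst detector for mass file encryption. The rule patterns, the ransom file extensions, the thresholds and the index name are all assumptions for illustration. In a real deployment the same tagging would live in an Elasticsearch ingest pipeline or a Logstash filter rather than in a script.

```python
"""Added example (not from the workshop): tag constructed endpoint events with
MITRE ATT&CK technique IDs for common ransomware TTPs, emit ECS-style docs for
Elasticsearch, and hunt across the tagged events."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules: (technique id, technique name, tactic, regex over cmdline).
# Patterns are deliberately narrow and are an assumption for this example.
CMDLINE_RULES = [
    ("T1490", "Inhibit System Recovery", "Impact",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490", "Inhibit System Recovery", "Impact",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1490", "Inhibit System Recovery", "Impact",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I)),
    ("T1490", "Inhibit System Recovery", "Impact",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("T1135", "Network Share Discovery", "Discovery",
     re.compile(r"\bnet(\.exe)?\s+view\b", re.I)),
    ("T1489", "Service Stop", "Impact",
     re.compile(r"\bnet(\.exe)?\s+stop\s+\S+", re.I)),
]
# Extensions the constructed sample "ransomware" appends to encrypted files.
RANSOM_EXTENSIONS = (".locked", ".encrypted")

def _file_create(ts, path):
    # Constructed Sysmon-like event 11 (file create) from a hypothetical encryptor.
    return {"@timestamp": ts, "host": "WS-042", "user": "CORP\\jdoe", "event_id": 11,
            "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\enc.exe", "target": path}

# Constructed sample log, in the order the simulated host recorded it.
SAMPLE_EVENTS = [
    {"@timestamp": "2021-08-07T16:30:55Z", "host": "WS-042", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net view /domain", "parent": "powershell.exe"},
    {"@timestamp": "2021-08-07T16:31:02Z", "host": "WS-042", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "cmd.exe"},
    {"@timestamp": "2021-08-07T16:31:05Z", "host": "WS-042", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No", "parent": "cmd.exe"},
    {"@timestamp": "2021-08-07T16:31:30Z", "host": "WS-042", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe",
     "parent": "userinit.exe"},  # benign noise
    *[_file_create(f"2021-08-07T16:33:{40 + i:02d}Z",
                   f"C:\\Users\\jdoe\\Documents\\report{i}.docx.locked") for i in range(6)],
]

def enrich(event):
    """Return a copy of the event with ECS threat.* fields and tags for every
    rule that fires; events matching nothing come back untagged."""
    out, hits = dict(event), []
    if event.get("event_id") == 1:
        cmd = event.get("cmdline", "")
        for tid, tname, tactic, rx in CMDLINE_RULES:
            if rx.search(cmd) and all(h["id"] != tid for h in hits):
                hits.append({"id": tid, "name": tname, "tactic": tactic})
    elif event.get("event_id") == 11:
        if event.get("target", "").lower().endswith(RANSOM_EXTENSIONS):
            hits.append({"id": "T1486", "name": "Data Encrypted for Impact", "tactic": "Impact"})
    if hits:
        out["threat"] = {"framework": "MITRE ATT&CK",
                         "technique": {"id": [h["id"] for h in hits], "name": [h["name"] for h in hits]},
                         "tactic": {"name": sorted({h["tactic"] for h in hits})}}
        out["tags"] = ["attack." + h["id"].lower() for h in hits]
    return out

def technique_timeline(docs):
    """Per host, distinct technique IDs in first-seen order: the attack
    lifecycle as the logs recorded it (discovery -> recovery inhibition -> encryption)."""
    seen = defaultdict(list)
    for d in sorted(docs, key=lambda e: e["@timestamp"]):
        for tid in d.get("threat", {}).get("technique", {}).get("id", []):
            if tid not in seen[d["host"]]:
                seen[d["host"]].append(tid)
    return dict(seen)

def encryption_bursts(docs, threshold=5, window_seconds=60):
    """Flag (host, process) pairs with >= threshold T1486-tagged file creates
    inside any window_seconds span; one .locked file is noise, fifty is not."""
    by_proc, window = defaultdict(list), timedelta(seconds=window_seconds)
    for d in docs:
        if "T1486" in d.get("threat", {}).get("technique", {}).get("id", []):
            by_proc[(d["host"], d["image"])].append(
                datetime.strptime(d["@timestamp"], "%Y-%m-%dT%H:%M:%SZ"))
    alerts = []
    for (host, image), stamps in by_proc.items():
        stamps.sort()
        lo, best = 0, 0
        for hi, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append({"host": host, "image": image, "count": best})
    return alerts

def to_bulk(docs, index):
    """Serialise docs as an Elasticsearch _bulk body: action line + source line
    per document, newline terminated. Index name is the caller's choice."""
    lines = []
    for d in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(d))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    docs = [enrich(e) for e in SAMPLE_EVENTS]
    print(to_bulk(docs, "logs-ransomware-demo"))
    print(technique_timeline(docs))
    print(encryption_bursts(docs))
```

Once the bulk body is indexed, the same hunts become one-line queries: `tags:attack.t1490` surfaces recovery inhibition, and a date histogram of `threat.technique.id:T1486` split by `host` and `image` is the burst detector. The dedupe on technique ID inside `enrich` matters for the timeline: without it a host running both `vssadmin` and `bcdedit` would show T1490 twice and skew any count-based scoring.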

Ben Hughes (@CyberPraesidium) brings over 15 years of diverse experience in cyber security, IT, and law. He leads Polito's commercial services including Digital Forensics & Incident Response (DFIR), threat hunting, pen testing, and risk assessment. Prior to joining Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GCFA, and GWAPT certifications.

Pentester and incident response engineer with a passion for technology. Founded @politoinc and focuses on helping customers operate securely.