SEC504: Hacker Tools, Techniques, and Incident Handling
SEC504Offensive Operations
FOR528: Ransomware and Cyber Extortion
FOR528Digital Forensics and Incident Response
- 4 Days (Instructor-Led)
- 24 Hours (Self-Paced)
Course created by:
Ryan Chapman
Course created by:Ryan Chapman
- 24 CPEs
Apply your credits to renew your certifications
- Virtual Live Instruction or Self-Paced
Train from anywhere. Attend a live instructor-led course remotely or train on your time over 4 months.
- Intermediate Skill Level
Course material is geared for cyber security professionals with hands-on experience
- 13 Hands-On Lab(s)
Apply what you learn with hands-on exercises and labs
Analyze real-world attacks and gain the hands-on training you need to respond to ransomware or cyber extortion incidents.
Featured Quote
Ryan makes sure the course content is up-to-date and gives us extra tools that are really helpful. Also, he keeps the class energetic and easy to follow, he's a great instructor.
Course Overview
FOR528: Ransomware and Cyber Extortion™ provides the hands-on ransomware training required for those who may need to respond to such events and/or cyber extortion incidents. The term "Ransomware" no longer refers to a simple encryptor that locks down resources. The advent of Human-Operated Ransomware (HumOR) along with the evolution of Ransomware-as-a-Service (RaaS) have created an entire ecosystem that thrives on hands-on the keyboard, well-planned attack campaigns. Furthermore, some cyber extortion actors carry out the full attack lifecycle yet skip the encryption phase. How do you deal with these threats? Our course uses deftly devised, real-world attacks and their subsequent forensic artifacts to provide you, the analyst, with everything you need to respond when either threat becomes a reality.
What You’ll Learn
- Understand the rise of ransomware as a business and the role of Human-Operated Ransomware (HumOR) groups
- Recognize high-risk industries and targets
- Learn infiltration and post-exploitation tactics used by ransomware actors
- Distinguish between ransomware and cyber extortion
- Respond to active attacks and implement post-incident measures
- Strengthen defenses against HumOR through proactive threat hunting
- Identify tools and techniques used for data access, exfiltration, and exploitation
Business Takeaways
- Implement preventative measures to stop ransomware actors from accessing your organization
- Detect ransomware activity quickly by recognizing common tools and tactics used by attackers
- Identify ransomware attack patterns to develop an effective response plan
- Focus response efforts strategically based on your unique environment
- Ensure successful restoration by selecting the right backups while avoiding threat persistence
- Determine if an identified actor is affiliated with ransomware and assess their activities
- Identify accessed and exfiltrated data to understand the impact of the attack
Meet Your Author
Ryan Chapman
Certified InstructorRyan Chapman has redefined ransomware defense through hands-on leadership in major incidents like Kaseya and by arming thousands with proactive threat hunting tactics now standard across the industry.
Read more about Ryan ChapmanCourse Syllabus
Explore the course syllabus below to view the full range of topics covered in FOR528: Ransomware and Cyber Extortion.
Section 1Ransomware Incident Response Fundamentals
Section 1 begins with a review of ransomware’s history, as we deep-dive into the roles, processes, communication methods, and activities related to these threats. After learning how we can apply incident response practices, we begin our deep-dive into the Windows-based forensic artifacts best suited to ransomware campaign analysis.
Topics covered
- Ransomware Evolution and History
- Forensic Artifact Collection
- Incident Response Processes and Application to Ransomware
- Windows Forensic Artifacts
- Analysis At-Scale via TimeSketch
Labs
- Generate a Ransomware Encryptor Payload
- Review Forensic Artifacts and Parse Data
- Hunt Data Within TimeSketch Interface
Section 2Ransomware Modus Operandi
Ransomware incidents often follow familiar patterns. In Section 2, you'll learn to detect these recurring tactics, techniques, and procedures (TTPs) through hands-on labs and analysis.
Topics covered
- Analysis At-Scale via Kibana
- Malware Infection vs. Credential Harvesting
- Malicious Attachments and Links
- Identifying Malicious RDP Activity
- Scripting
Labs
- Identify Successful Phishing Attacks
- Analyze Encoded PowerShell Payloads
- Decode and Analyze CS Payloads
- Hunt Malicious RDP Activity
Section 3Advanced Ransomware Concepts
Section 3 covers Privilege Escalation, Credential Access, and Lateral Movement, detailing tools ransomware actors use to escalate privileges, access credentials, and dump processes. You’ll explore lateral movement methods like RDP, SMB (PsExec), and WinRM.
Topics covered
- Privilege Escalation and Credential Access
- Lateral Movement Techniques
- Exploiting Active Directory (AD)
- Data Access and Exfiltration Methods
- Hunting Ransomware Operators
Labs
- Identify Lateral Movement via RDP and PsExec
- Hunt and Identify Data Access and Potential Exfiltration
- Use PSTools and Renamed Executables
- Identify Additional Lateral Movement
Section 4Ransomware Incident Response Challenge
Our CTF challenge consists of 50 questions pertaining to a specially crafted attack scenario against our victim organization.
Topics covered
- Digital Forensics Capture the Flag Event
- Review Parsed Artifact and Log Data
- Identify Tools and Processes in Scenario
Labs
- Full Day of Analyzing Forensic Artifacts
- Use SANS ranges.io Platform
Things You Need To Know
Relevant Job Roles
Cyber Incident Responder
European Cybersecurity Skills FrameworkMonitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.
Explore learning pathInsider Threat Analysis
NICE: Protection and DefenseResponsible for identifying and assessing the capabilities and activities of cybersecurity insider threats; produces findings to help initialize and support law enforcement and counterintelligence activities and investigations.
Explore learning pathDigital Forensics (OPM 212)
NICE: Protection and DefenseResponsible for analyzing digital evidence from computer security incidents to derive useful information in support of system and network vulnerability mitigation.
Explore learning pathCybercrime Investigation (OPM 221)
NICE: InvestigationResponsible for investigating cyberspace intrusion incidents and crimes. Applies tactics, techniques, and procedures for a full range of investigative tools and processes and appropriately balances the benefits of prosecution versus intelligence gathering.
Explore learning pathMilitary Operations / Law Enforcement Agents
Digital Forensics and Incident ResponseExecute digital forensic operations under demanding conditions, rapidly extracting critical intelligence from diverse devices. Leverage advanced threat hunting and malware analysis skills to neutralize sophisticated cyber adversaries.
Explore learning pathCybersecurity Analyst / Engineer
Cyber DefenseAs this is one of the highest-paid jobs in the field, the skills required to master the responsibilities involved are advanced. You must be highly competent in threat detection, threat analysis, and threat protection. This is a vital role in preserving the security and integrity of an organization’s data.
Explore learning pathCourse Schedule & Pricing
Looking for Group Purchasing Options?Contact Us
OnDemand Bundle
When purchasing a live, instructor-led course, add 4 months of online access. View price in the info icons below.
SANS Skills Quest by NetWars Core Edition
Add 6 months of hands-on skills practice. Add to your cart when purchasing your course.
Filter by:
Location & instructorDate & TimeCourse priceEnrollment options
- Location & instructor
Virtual (OnDemand)
Instructed by Ryan ChapmanDate & TimeOnDemand (Anytime)Self-Paced, 4 months accessCourse price$6,995 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Salt Lake City, UT, US & Virtual (live)
Instructed by Ryan ChapmanDate & TimeFetching schedule..View event detailsCourse price$6,995 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Tokyo, JP & Virtual (live)
Instructed by Ryan ChapmanDate & TimeFetching schedule..View event detailsCourse price$7,085 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Las Vegas, NV, US & Virtual (live)
Instructed by Mari DeGraziaDate & TimeFetching schedule..View event detailsCourse price$6,995 USD*Prices exclude applicable local taxesEnrollment options - Location & instructor
Virtual (live)
Date & TimeFetching schedule..View event detailsCourse price€6,450 EUR*Prices exclude applicable local taxesEnrollment options
Showing 5 of 5
Learn Alongside Leading Cybersecurity Professionals From Around The World
- Slide 1 of 3Great course! I'm happy I chose to take this one. Even those it technically is a "short course", it's so packed full of information that I feel like I took away as much as from any of the longer ones that I have taken.
- Slide 2 of 3This section was highly practical and I will be able to directly implement what I have learned on my next hunt/IR.
- Slide 3 of 3Ryan is infectious which makes following the course OnDemand easy.
Slide 1 of 0
(1/0)
Benefits of Learning with SANS
Get feedback from the world’s best cybersecurity experts and instructors
Choose how you want to learn - online, on demand, or at our live in-person training events
Get access to our range of industry-leading courses and resources