
Content provided by Team Cymru. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Team Cymru or its podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://uk.player.fm/legal.

Threat Hunter Ryan Chapman on Critical Security Mistakes Against Ransomware

25:45
 

In our latest episode of the Future of Threat Intelligence podcast, David chats with Ryan Chapman, Threat Hunter, Author & Instructor at SANS Institute. They explore the alarming evolution of ransomware tactics, including the rise of multi-extortion strategies where attackers not only encrypt data but also threaten to leak sensitive information.

Ryan emphasizes the critical mistakes organizations make, such as failing to implement basic security practices and allowing administrative privileges for general users. He also discusses the importance of leveraging internal data for effective threat hunting. Tune in to gain insights on strengthening your organization's defenses against ransomware attacks!

Topics discussed:

  • The evolution of ransomware tactics, highlighting the shift from simple encryption to sophisticated human-operated attacks.
  • The rise of multi-extortion strategies, where attackers threaten to leak sensitive data in addition to encrypting it.
  • Why organizations often fail to implement basic security practices, leading to increased vulnerability to ransomware attacks.
  • The importance of restricting administrative privileges for general users to enhance overall security posture.
  • The value of better visibility through proper logging and monitoring to detect and respond to threats effectively.
  • Leveraging internal data as intelligence is crucial for effective threat hunting and identifying potential vulnerabilities within the organization.
  • The significance of ongoing education and training in cybersecurity to keep defenses robust against evolving threats.

Key Takeaways:

  • Implement basic security practices, such as restricting administrative privileges for general users, to reduce the risk of ransomware attacks.
  • Conduct regular audits of Active Directory permissions to ensure proper access controls and minimize potential vulnerabilities.
  • Utilize full tunnel VPNs for remote users to secure all traffic and enhance protection against external threats.
  • Enable comprehensive logging on hosts, including PowerShell and Active Directory events, to improve visibility and incident response capabilities.
  • Leverage internal data as intelligence by analyzing alerts and indicators of compromise (IOCs) to identify potential threats.
  • Educate employees on recognizing phishing attempts and other social engineering tactics to prevent initial access for attackers.
  • Collaborate with threat hunting teams to share insights and findings, fostering a proactive approach to cybersecurity.
  • Monitor for unusual service names or processes that appear on fewer devices to identify potential threats in your environment.
  • Document all findings during threat hunting sessions, regardless of whether a threat is identified, to build organizational knowledge.
  • Stay updated on the latest ransomware tactics and trends to adapt your security strategies and defenses accordingly.