DEF CON Training
Ben Hughes - Ransomware ATT&CK and Defense with Adversary Emulation $2,400
This hands-on training will walk students through performing common Tactics, Techniques, and Procedures (TTPs) frequently used by ransomware threat actors during an attack. From Reconnaissance and Initial Access to Exfiltration and Impact, students will be exposed to a typical ransomware attack lifecycle while being able to leverage attack TTPs including commands, scripts, tools, communication channels, and techniques that we frequently see and use in the wild. TTPs will be mapped to the MITRE ATT&CK Framework and will be inspired by ATT&CK's Adversary Emulation Plans. The workshop will accordingly incorporate offensive operation elements such as adversary emulation and red teaming, but with some purple team and blue team flair. In other words, we will explore the logs and other artifacts potentially left behind by our attack TTPs and how the blue team might utilize endpoint and network logs and defensive tooling to detect and disrupt our attack kill chain components. Examples of tools that will be incorporated include Atomic Red Team, the CALDERA adversary emulation platform, open-source offensive security tools such as Mimikatz, Living off the Land Binaries and Scripts (LOLBAS) including PowerShell, real-world or Proof-of-Concept malware samples and exploits, leaked ransomware playbooks supplemented by other open-source intelligence (OSINT) sources, and, more on the blue team side, popular security log pipeline tools such as Sysmon and Elastic Stack. This is an intermediate training that will impart TTP-based adversary emulation, red/purple team, and detection knowledge and skills.
Day 1 (excluding presumed 1 hr. lunch break):
* Introduction to Ransomware Threat Landscape and Threat Intelligence - key threat actors and incidents, cybercrime ecosystem, ransomware-as-a-service, double/triple extortion scheme and related trends, etc. (0.5 hr.)
* Introduction to the ATT&CK Framework and Adversary Emulation: Adversary Emulation Plans, Mapping Ransomware TTPs to Both Attack Activities and Detection Opportunities (0.5 hr.)
* Ransomware Attack TTPs Walkthrough, from Reconnaissance to Exfiltration and Extortion (Impact) [NOTE: this is essentially adversary emulation training and is the heart of the training; it will involve leading hands-on demos and labs with the attendees executing multiple example tools and techniques as a part of each tactic/phase of the attack lifecycle, and briefly examining any logs or other artifacts generated that could benefit the blue team] (approx. 7 hrs. total on Day 1):
** Reconnaissance (0.5 hr.)
** Resource Development (0.5 hr.)
** Initial Access (1 hr.)
** Execution (1 hr.)
** Persistence (1 hr.)
** Privilege Escalation (1 hr.)
** Defense Evasion (1 hr.)
** Credential Access (1 hr.)
Day 2 (excluding presumed 1 hr. lunch break):
* Review and continuation of Day 1 TTPs (1 hr.)
* Day 2 Ransomware Attack TTPs Walkthrough (approx. 3 hrs.):
** Discovery (0.5 hr.)
** Lateral Movement (0.5 hr.)
** Collection (0.5 hr.)
** Command and Control (0.5 hr.)
** Exfiltration (0.5 hr.)
** Impact (0.5 hr.)
* Ransomware ATT&CK and Defense: CTF Competition (approx. 3.5 hrs.) [NOTE: A friendly CTF will be used as the training capstone to assess students' knowledge and skills in a competitive environment, and will involve both adversary emulation and purple/blue team components.]
* Lessons Learned & Next Steps - adversary emulation, red/purple/blue team recap and recommendations (0.5 hr.)
Student skill level:
Intermediate. A background in red/purple/blue teaming, adversary emulation, penetration testing, Digital Forensics and Incident Response (DFIR), Security Operations Center (SOC), threat hunting, etc. is helpful, but not required. This is a hands-on, deeply technical workshop. Basic familiarity with ransomware, PowerShell, scripting in general, and Windows commands and tools is recommended.
What should students bring to the Training?:
A laptop with Internet (Wi-Fi) access that is capable of comfortably running Virtual Machines and accessing cloud resources. At least 16 GB RAM and 4 modern CPU cores recommended. We will likely direct students to preinstall VirtualBox or VMware and import training VM(s) before the first day of the class to save time.
Ben Hughes (@CyberPraesidium) brings over 15 years of diverse experience in cybersecurity, IT, and law. He leads Polito's commercial services including red teaming, pen testing, DFIR, and threat hunting. Prior to Polito, Ben worked on APT hunt teams at federal and commercial clients. He holds CISSP, GWAPT, GCFA, and endpoint security vendor certs.
With over 15 years of cybersecurity experience, Fred Mastrippolito (@politoinc) was a founding member of an elite group of forensic and intrusion analysts for a major defense contractor. Specializing in web app pen testing, he has performed numerous pen tests for financial services, federal government, and retail clients. He has managed SOCs, responded to incidents, and analyzed malware.
Nick Baker has over 10 years in cybersecurity. Prior to Polito, Nick spent 20 years as a Signal Warrant Officer in the U.S. Army. Over 10 of those years were spent in the cybersecurity field, with a heavy focus on computer network defense, providing expertise for the proper employment, support, and defense of strategic and tactical information networks, systems, and services in operations supporting the Army's cyberspace domain. Nick's other 10 years were spent providing IT support, operations, and functions. Nick earned the GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), GIAC Penetration Tester (GPEN), and GIAC Certified Forensic Analyst (GCFA) credentials, among others.
Ronny Thammasathiti (@rthammasathiti) started out as an aspiring concert pianist, but later made a big switch to cybersecurity with Polito Inc over the past 4 years. His main role at the company is as a Detection Engineer using Elastic Stack and developing custom tools and applications using his knowledge of Python.
Daniel Chen is a DFIR consultant and penetration tester at Polito Inc. He has investigated numerous ransomware incidents, hunted for adversaries, and assisted with red teaming and social engineering engagements.
Trainer(s) social media links:
DEF CON 29 Blue Team Village (Virtual) (Aug. 7, 2021), Ransomware ATT&CK and Defense with the Elastic Stack, https://cfc.blueteamvillage.org/call-for-content-2021/talk/HUSLSX/
DEF CON 28 Blue Team Village (Aug. 7, 2020), Threat Hunting with the Elastic Stack, https://drive.google.com/drive/folders/1hfINAIESqgznXwwN3nuVRm91FuVTxzgJ?usp=sharing
DEF CON 27 Blue Team Village (Aug. 9, 2019), Threat Hunting With The Elastic Stack, https://www.blueteamvillage.org/events/dc27/workshops/
DEF CON 27 Workshop, Hacking the Android APK (Aug. 8, 2019), https://www.defcon.org/html/defcon-27/dc-27-workshops.html#hughes
DATE: August 14th-15th 2023
TIME: 8am to 5pm PDT
VENUE: Caesars Forum, Las Vegas, NV
TRAINER: Ben Hughes
- 16 hours of training with a certificate of completion
- 2 coffee breaks are provided per day
- Note: Food is not included
Registration terms and conditions:
Trainings are refundable before July 1st; a $250 processing fee applies.
Trainings are non-refundable after July 10th, 2023.
Training tickets may be transferred. Please email us for specifics.
Failure to attend the Training without prior written notification will be considered a No-Show. No refund will be given.
By purchasing this ticket you agree to abide by the DCT Code of Conduct and the registration terms and conditions listed above.