Learning Ransomware Response & Recovery. Stopping Ransomware One Restore at a Time - Helion

ISBN: 9781098169541
Pages: 522, Format: ebook
Publication date: 2026-01-21
Bookstore: Helion
Book price: 169,14 zł (previously: 198,99 zł)
You save: 15% (-29,85 zł)
Ransomware attacks are no longer a question of if—they're a matter of when. With hackers increasingly targeting backup and disaster recovery (DR) systems, organizations need more than prevention strategies; they need a battle-tested plan for minimizing damage, forensically determining what's happened, and restoring their environment without paying the ransom. Renowned experts W. Curtis Preston and Dr. Mike Saylor offer a comprehensive guide to protecting critical systems and responding effectively when the worst happens.
Whether you're a security professional who's unaware of how exposed your backup systems are or a backup admin in need of stronger security expertise, this book is your essential road map. With actionable advice, clear frameworks, and step-by-step guidance, it bridges the gap between data protection and cybersecurity—empowering teams to deliver decisive, effective responses when faced with ransomware.
- Prevent 90% of ransomware attacks with practical, simple steps
- Shield your backup systems from also being a victim of the attack
- Minimize the blast radius of attacks on your infrastructure
- Identify, isolate, and restore compromised systems with confidence
- Develop and test a detailed incident response plan
Table of contents
Learning Ransomware Response & Recovery. Stopping Ransomware One Restore at a Time eBook -- table of contents
- Preface
- Why This Book
- A Different Tack
- Bringing in the Cavalry
- Mike's Story
- How This Book Is Organized
- Conventions Used in This Book
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments (Curtis)
- Acknowledgments (Mike)
- I. Identify
- 1. What Is Ransomware?
- What Is Ransomware?
- How Do You Get Ransomware?
- After the Initial Infection
- How Ransomware Avoids Detection
- Encryption and Obfuscation
- Polymorphism
- Fileless Malware Techniques
- Exploiting Legitimate Tools
- Stealthy Command-and-Control Channels
- Delaying Execution
- Behavioral Evasion
- Bypassing Endpoint Security
- Anti-Analysis Techniques
- Self-Destruction and Anti-Forensic Techniques
- A Brief History of Ransomware
- The Evolution of Ransomware
- Double Extortion
- Understanding the Attackers: Initial Access Brokers
- Understanding the Typical Attack Sequence
- Reconnaissance
- Initial Access
- Execution and Installation
- Expanding Scope and Data Gathering
- Lateral movement
- Data exfiltration
- Ransom Demand
- Ransom note delivery
- Ransom note contents
- Ransom amounts
- Cryptocurrency payments
- Why double extortion is so scary
- Negotiation and Payment
- Decryption and Recovery
- Summary
- 2. Your Backup System Is Under Attack
- Why Is the Backup System Under Attack?
- Quick Chat About RTO and RPO
- Threat Actors Love/Hate Backups
- How Threat Actors Disable the Backup/DR System
- The Backup System as an Attack Surface
- Exfiltration
- Privilege escalation
- File access
- Listen to the hacker
- How Did We Get Here?
- Disk Backups Made It Worse
- Sounds Pretty Bleak
- Summary
- II. Protect
- 3. Backup and Recovery Basics
- Backup or Disaster Recovery?
- The Same System
- A Different Process
- Defining Backup System Requirements
- What Does Your Organization Do?
- IT Does Not Determine Requirements
- Requirements and Service Levels
- Gather requirements
- Review requirements
- Determine service level agreements
- Design, Implement, and Document Your System
- Backup and Recovery Basics
- Recovery Testing
- Deduplication
- Backup Levels
- Metrics
- Recovery metrics
- Recovery time objective
- Recovery point objective
- Negotiating RTO and RPO
- Recovery time actual (RTA) and recovery point actual (RPA)
- Capacity metrics
- License/workload usage
- Backup storage capacity and usage
- Throughput capacity and usage
- Compute capacity and usage
- Backup window
- Backup and recovery success and failure
- Retention
- Using metrics
- Item Versus Image-Level Backups
- Backup Selection Methods
- Backup Methods
- Is Everything Backup?
- Three versions of your data
- On two different media
- Somewhere else
- The 3-2-1-1-0 rule
- Two Ways to Restore
- Backup methods supporting a traditional restore
- Traditional full and incremental backups
- File-level incremental forever
- Multiplexing
- Block-level incremental forever
- Source deduplication
- Methods supporting instant recovery
- Replication
- Continuous data protection (CDP)
- Snapshots
- Near-continuous data protection (Near-CDP)
- The Bottom Line
- Deciding on a Backup Method
- Do You Need to Change?
- Tips for Considering a New Backup System
- Cloud Considerations
- Backup and Archive Myths
- Summary
- 4. Stop Most Ransomware
- Table Stakes
- Continuously Update Your Patches
- Enforce MFA or Passkeys
- Passkeys: The future of authentication
- Enforce Solid Password Management
- Use a password manager
- People, Process, and Technology
- Know Your Environment
- What to Document
- Basic asset information
- Business context and criticality
- System dependencies and relationships
- Data mapping and classification
- Recovery requirements
- Ownership and contacts
- Security context
- Third-party connections
- Making Your Inventory Actionable
- Process: Policies and Procedures
- Configuration Policies and Implementation
- Authentication and Encryption Policies
- Patch and Vulnerability Management
- Technology: Technical Controls and Monitoring
- System Hardening
- Disable common services
- Advanced endpoint protection
- Email Filtering
- Detect and Monitor
- Continuous monitoring
- Comprehensive protection with defense in depth
- People: Building Your Human Defense
- Employee Training
- Testing and Reinforcement
- Summary
- 5. Minimize the Blast Radius
- Know Thyself
- Preparing for a Ransomware Incident
- Endpoint Security: The First Line of Defense
- Deploying Endpoint Detection and Response Tools
- Using Next-Gen Anti-Malware Solutions
- Role of real-time scanning
- Advanced features
- Configuration best practices
- Ensuring anti-malware tools are up-to-date
- Integrating anti-malware with a broader security ecosystem
- Common mistakes to avoid
- Importance of Endpoint Hardening
- Role-based configurations
- Disabling unused ports and services
- Controlling USB device access
- Harden operating system and software configurations
- Enforce strong user permissions
- Perform regular security patching
- Endpoint isolation
- Monitor endpoint activity
- Network Security: Limiting Lateral Movement
- Network Segmentation: Containing the Blast Radius
- Firewalls and Traffic Control
- Network Monitoring and Behavioral Analytics
- DNS Filtering
- Network Vulnerability Assessments
- Network vulnerability assessment
- Network penetration testing
- Access Control and Privilege Management
- Implementing the Principle of Least Privilege
- Enforcing Multifactor Authentication
- Data Protection Strategies
- Data Classification and Segmentation
- Implement data classification policies
- Separate critical data
- Control data proliferation
- Data Encryption
- Understanding encryption's role in ransomware defense
- Encryption that actually helps against ransomware
- Backup and Recovery Strategies
- Data Loss Prevention
- Implement network-based DLP
- Deploy endpoint DLP
- Monitor for data staging
- Database-Level Protections
- Enable database auditing
- Restrict database access
- Shadow Copies and Volume Snapshots
- Enable Windows Volume Shadow Copy Service (VSS)
- Protect shadow copies from deletion
- Implement SAN/storage array snapshots
- File Access Controls and Monitoring
- Implement granular file permissions
- Enable file access auditing
- Deploy file integrity monitoring (FIM)
- Virtualization
- Isolation and containment
- Snapshots and rollbacks
- Segmentation and micro-isolation
- Rapid cloning for recovery
- Summary
- 6. Get Ready for Battle
- Table Stakes: Do These Five Things First
- Engage with Cyber Professionals
- Find a Blue Team Now
- Get a Red Team Too
- Find a Cyber Insurance Carrier
- Identify Forensic Tools
- Forensic Imaging Tools
- Commercial tools
- Open source/free tools
- Specialized tools
- Log Analysis Platforms
- Enterprise SIEM/log analysis platforms
- Open source/free tools
- Specialized analysis tools
- Cloud-native solutions
- Learn Your Tools
- Secure the Backup System
- Taking Backups Out of the Equation
- Role-Based Administration
- Secure Your Logins
- Passwords and password managers for backup systems
- Multifactor authentication for backup infrastructure
- Passkeys and FIDO for backup systems
- Update Your Backup Software
- Segregate All Backup Infrastructure
- Shut Off Remote Desktop Protocol
- Lock Down SMB
- Secure Backup Storage
- Use Direct Storage Connections (Like Veeam's Direct SAN Access)
- Store Backups in Dedicated Backup Appliances
- Use Object Storage Instead of File Shares
- Use Immutable Storage
- Different meanings of immutability
- Good: Filesystems that support immutability
- Better: Purpose-built appliances with immutability features
- Best: Immutable storage in the cloud
- Encrypt All Backups
- At-Rest Encryption
- In-Flight Encryption
- Key Management
- Watch Everything: Monitoring Your Backup Environment
- Create a Disaster Recovery Plan
- Full Hot Site
- Cold Site Recovery
- Cloud Recovery
- Failback
- The dirty secret about failback
- Data synchronization challenges
- Network reconfiguration
- Testing your failback procedures
- The politics of failback
- When NOT to failback
- Summary
- 7. Make Your Incident Response Plan
- Table Stakes: Before Writing Your IRP
- 1. Get Executive Sponsorship
- 2. Name Names, Not Job Titles
- 3. Write the Templates Now, Not During the Crisis
- 4. Contract the Help Before You Need It
- 5. Know What Tools You've Got (and Where to Find Them)
- Cybersecurity Resources Around the World
- Who's Got Your Back?
- Free Frameworks and Tools
- Early Warning Systems
- What They Do When You're Actually Under Attack
- How to Actually Use This Stuff
- The Bottom Line
- Setting Objectives and Scope
- Defining the Goals of the Incident Response Plan
- What Does the Incident Response Plan Cover?
- What types of ransomware are you dealing with?
- Which systems are you covering?
- How's this going to affect the business?
- Who's in and who's out?
- Communications
- Metrics of Effectiveness
- Matching the Plan to Business Priorities?
- Assembling Your Incident Response Team
- Sorting Out Who Does What
- Who's Calling the Shots?
- Create a RACI matrix
- How a RACI works
- Making Sure You're Covered 24/7
- Cross-Training and Alternate Plans
- Teaming Up with Outside Help
- Law enforcement
- Insurance company
- Response firms
- Recovery pros
- Detection and Initial Response Procedures
- Initial Detection and Assessment
- First Moves
- Containment and Evidence Preservation Procedures
- Forensic Evidence Preservation
- Forensic imaging methods
- Get your resources ready now
- Document everything
- Forensic imaging
- Communication and Coordination Procedures
- Notification, Communication, and Escalation Protocols
- Inside scoop
- Outside calls
- Steer the story
- Engaging External Response and Support
- Response firms
- Law enforcement
- Insurance carrier/broker
- Recovery and Investigation Procedures
- Data Recovery and Remediation: Assessing the Damage and Recovery Scope
- Restoring Data from Backups
- Rebuilding and Restoring Systems
- Deciding on Ransom Payment
- Evaluating Decryption Options (and Possibly Life Choices)
- Free tools first
- Talking to the bad guys
- Forensic Investigation and Root Cause Analysis
- Post-Incident Review and Continuous Improvement
- Conducting a Post-Incident Review
- Updating the Incident Response Plan
- Conducting a Root Cause Analysis
- Training and Awareness Updates
- Testing and Refining the Plan
- Planning an Annual Ransomware Tabletop Exercise
- Defining Exercise Goals and Objectives
- Selecting Participants
- Scenario Development
- Facilitating the Exercise
- Conducting a Ransomware War Game
- Setting Up the War Game Environment
- Live attack simulation versus discussion-based
- Real-world consequences and time-based decision-making
- Involving red team/blue team dynamics
- Playing in a Sandbox
- Building your mini disaster zone
- Making it dangerous (but not really)
- Baiting the hook with fake data
- Free resources that aren't bad
- Keeping it contained
- Evaluating Team Performance
- The debrief that actually matters
- Now do something about it
- Updating the Incident Response Plan
- Tracking Progress and Maturity
- Summary
- III. Detect
- 8. Detection Tools
- Introduction to Detection Systems
- An Undetected Attack
- The Numbers Are Scary
- Extended Detection and Response
- Security Information and Event Management
- Core Functions
- Typical SIEM Deployment
- XDR Versus SIEM
- Detection Tool Integration
- Human Integration
- Elements of Integration
- Detecting Ransomware with Backups
- Backup System Events and Anomalies
- Steps to Leverage Your Backup System
- Log Everything and Secure Your Logs
- Logs for Your Primary Environment
- Logs for Your Backup Environment
- Where to Store Your Logs
- Managed Service Providers
- Expertise Without the Hiring Headache
- Faster Deployment
- 24/7 Monitoring
- Tuning and Maintenance
- Multi-Client Intelligence
- Flexible Scaling
- Compliance Support
- Making the MSP Relationship Work
- The Future of Detection
- Summary
- IV. Respond
- 9. The First 12 Hours
- The Initial Shock: First Hours of the Attack
- Discovery and Panic
- Survival tip
- Exercise: Feel the chaos
- Scrambling to Assess
- Survival tip
- Exercise: Apply the decision tree
- Decision-Making Under Pressure
- Containment Dilemmas
- Survival tip
- Exercise: Make the containment call
- The Ransom Dilemma: Legal Landmines and Empty Promises
- The boardroom debate
- Survival tip
- Exercise: Payment dilemma
- Stakeholder Conflicts
- Survival tip
- Exercise: Manage the chaos
- You Survived
- Practical Exercises Summary
- Case Study Review
- Summary
- 10. The Marathon
- Keeping the Business Running During Crisis
- The Business Continuity Blind Spot
- ZapMart's Holiday Sales Crisis
- Change Healthcare's Patient Care Emergency
- Maria's Bakery's Customer Service Challenge
- Northforge's Engineering Productivity Crisis
- Business Continuity Strategies
- Business-Driven Prioritization
- Degraded Operations and Manual Workarounds
- Communication: The Bridge Between Crisis and Customers
- The Revenue Versus Security Trade-Off
- Survival Tip
- Exercise: Plan Your Degraded Operations
- The Bottom Line on Business Continuity
- The Human Toll: Stress, Communication, and Morale
- Emotional Rollercoaster
- Deep dive: Emotional toll
- Survival tip
- Exercise: Build resilience
- Communication Breakdowns
- Survival tip
- Exercise: Craft a message
- Maintaining Morale
- Survival tip
- Exercise: Boost morale
- Unexpected Curveballs: What Plans Don't Prepare You For
- Technical Surprises
- Survival tip
- Exercise: Plan for technical surprises
- External Pressures
- Exercise: Handle the press
- Resource Constraints
- Survival tip
- Exercise: Allocate resources
- Lessons from the Trenches: Making It Through
- What Works
- What Breaks
- Building Resilience
- Exercise: Reflect and Improve
- Practical Exercises Summary
- Summary
- Lessons Learned Template
- 11. Analyzing the Breach
- Beginning the Investigation
- Why Analysis Matters
- Guidance for Small and Medium-Sized Businesses
- Resource Constraints
- Limited Tooling and Visibility
- Knowledge Gaps
- Tool Complexity
- Budget Limitations
- Lack of Preparation
- Sandboxing for Behavior Analysis
- Real-World Applications of Sandboxing
- Practical Sandboxing Tools and Techniques
- Advanced Sandboxing Considerations
- Best Practices for Effective Sandboxing
- Survival tip
- Exercise: Why analysis saves you
- Identifying the Ransomware Variant
- Step 1: Examine the Ransom Note
- Online tools
- Survival tip
- Step 2: Check File Extensions and System Artifacts
- Survival tip
- Exercise: Spot the Variant
- Step 3: Analyze Logs and Network Traffic
- What is AWS CloudTrail?
- How CloudTrail works
- Why CloudTrail is critical for security
- Survival tip
- Exercise: Dig through logs
- Step 4: Leverage Threat Intelligence Feeds
- Survival tip
- Exercise: Hunt with Intel
- Assessing the Attack's Scope
- Step 1: Inventory Infected Systems
- Survival tip
- Exercise: Map infected systems
- Step 2: Detect Lateral Movement
- Understanding lateral movement in ransomware
- Tools and techniques for detecting lateral movement
- Survival tip
- Exercise: Track lateral movement
- Step 3: Confirm Data Exfiltration
- The threat of double extortion
- Techniques for confirming data exfiltration
- Regulatory and public relations considerations
- Exercise: Find the leak
- Exploring Decryption and Remediation Options
- Step 1: Check for Public Decryptors
- Survival tip
- Exercise: Hunt for a decryptor
- Step 2: Use Forensic Tools for Remediation
- Step 3: Evaluate Payment Risks (Last Resort)
- Payment considerations
- Survival tip
- Summary
- 12. Advanced Analysis and Forensics
- Advanced Analysis Techniques
- Step 5: Craft YARA Rules (Advanced)
- Survival tip
- Exercise: Write a YARA rule
- Step 6: Monitor Dark Web Leak Sites
- Survival tip
- Exercise: Check the dark web
- Expanding Identification: Reverse-Engineering Ransomware Samples
- Why Reverse Engineering Matters
- How to Reverse-Engineer Safely
- The importance of safe reverse engineering
- Tools and workflow for reverse engineering
- Survival tip
- Exercise: Reverse a sample
- Expanding Scope Assessment: Cloud-Specific Analysis
- Why Cloud Scoping Matters
- How to Scope Cloud Infections
- Survival Tip
- Expanding Decryption: Negotiating with Attackers
- Why Negotiation Is Risky
- How to Negotiate (If You Must)
- Risks of Negotiation
- Best Practices for Negotiation
- Exercise: Plan a Negotiation
- Expanding Advanced Analysis: Volatility Tutorial
- Volatility Tutorial
- Best Practices for Volatility Analysis
- Volatility Workflow
- Survival Tip
- Exercise: Use Volatility
- Post-Analysis Reporting
- Building a Report
- Sample Report
- Executive Summary
- Incident Overview
- Ransomware variant
- Scope of infection
- Response Actions
- Timeline of Key Events
- Actions Taken
- Decryption Efforts
- Lessons Learned
- Next Steps and Recommendations
- Regulatory and Stakeholder Considerations
- Summary
- 13. Contain the Attack
- What Is Containment and Eradication?
- The Importance of Containment
- The Containment Versus Forensics Dilemma
- Three Approaches
- Containment-first approach
- Forensics-first approach
- The hybrid approach
- The cloud/virtualization approach
- Containment decision tree
- Make the Decision
- Where to Start Containment
- Snapshot, Suspend, or Pause All Infected VMs
- Step 1: Suspend VMs Immediately
- Step 2: Copy VM Files to Isolated Forensic Storage
- Step 3: Document Everything
- Create a Panic Button Script
- The Suspend Versus Shutdown Distinction
- Testing Your Suspension Process
- Identify Critical Systems
- Rapid Forensic Imaging
- Immediate Containment Actions
- Step 1: Isolate Infected Devices
- Disable compromised user accounts
- Disconnect from network
- Step 2: Disable Attack Vectors
- Disable network shares
- Terminate malicious processes
- Step 3: Block External Communication
- Deploy DNS filtering
- Network monitoring and IDS/SIEM
- Step 4: Automate Containment
- SOAR platform capabilities
- SOAR playbook design
- Real-time alerts and reporting
- For organizations without SOAR
- Verification and Monitoring
- Forensic Disk Preservation
- The Final Shutdown Decision
- Pull the Plug
- Summary
- 14. Eradicate the Threat
- Clean, Wipe, or Replace
- Cleaning
- Ransomware companion tools
- Primary loaders
- Data exfiltration
- Command-and-control (C2) frameworks
- Hidden tools
- Wiping
- Boot sectors and boot managers
- Firmware-level infections
- Hidden partitions and unallocated space
- Bad sector remapping areas
- Hypervisor and virtualization layers
- Network interface card and peripheral firmware
- SSD overprovisioning areas
- Replacing
- Making the Decision
- Reinstall the Operating System
- Clean Data Disks
- Summary
- V. Recover
- 15. Restore and Recover
- The Goals of Recovery
- Prioritize Your Restores
- Choose a Restore Method for OS and Apps
- Full System Restore
- Separating OS/application and data disks
- Booting from alternate media
- Reinstall and Reconfigure
- Reimage
- Choose a Restore Method for Databases
- Choose a Restore Method for SaaS Applications
- The SaaS Recovery Challenge
- The Delete-and-Restore Approach
- SaaS Recovery Timeline Expectations
- Application-Specific Considerations
- Choose a Restore Method for Filesystems
- Restore Before Infection, Followed by Many Individual Restores
- Curated Restore
- Use a Sandbox Area for All Restores
- Scan for Malware
- Scanning During the Restore
- Scanning After Restore
- Restore Your OS and Data
- Pick Your Restore Point
- Test Functionality
- Monitor for Any Network Activity
- Recover to the Cloud
- Why Recover to the Cloud?
- Planning Your Cloud Recovery
- Setting Up Temporary Cloud Infrastructure
- Networking Considerations
- Data Transfer Challenges
- Failover and Failback Concepts
- Understanding Failover
- Managing the Transition Period
- Planning Your Return
- Testing Failback Procedures
- Long-Term Considerations
- Summary
- 16. Post-Mortem Analysis
- The Importance of Post-Mortem Analysis
- Psychological and Organizational Impact
- Human Factors
- Communicating Post-Mortem Results to Employees
- Documenting What Happened
- Key Elements to Document
- Tools for Documentation
- Best Practices for Documentation
- Conducting the Post-Mortem Meeting
- Step 1: Planning the Post-Mortem Meeting
- Step 2: Structuring the Post-Mortem Meeting
- Step 3: Facilitating Open Discussion
- Step 4: Documenting the Meeting
- Regulatory and Legal Considerations
- Learning from Your Mistakes
- Common Mistakes
- Prioritizing Improvements with Limited Resources
- Turning Mistakes into Opportunities
- Adapting Your Incident Response Plan
- Key Components to Update
- Testing the updated plan
- Implementing strict monitoring
- Key Monitoring Areas
- Implementing Monitoring Tools
- Regular Audits and Testing
- Sharing Threat Intelligence
- Recommendations for Long-Term Resilience
- Post-Mortem Analysis Case Studies
- The Lorenz Attack
- Healthcare Breach (2023)
- Summary
- Index