SANS 2021 Ransomware Detection and Incident Response Report

Ransomware is a different type of attack and thus requires that we approach incident detection and response differently. Security teams cannot afford to wait for the ransom note to be placed on their cloud server or for users to complain that they cannot access resources. We must catch the adversary earlier, as early as possible, to prevent any additional damage to the environment.

This paper is designed to help remind you how security teams should detect and respond to ransomware attacks, which differ from other threats.

Some “tough questions” to ask your security teams or providers about ransomware response may include:

  • Has your organization considered how it will respond to a ransomware attack, and are you prepared for such an event?
  • If you have your own IR team, do you have a separate response plan for ransomware?
  • If you do not have your own team, but outsource security capabilities, ask your managed security service provider (MSSP) if it has specific ransomware response actions.

SANS has also summarized its tips into a checklist at the end of this paper and encourages you to use that checklist with your security team to assess your current ransomware preparedness.

We hope you find this report useful. If you would like to discuss how to deploy robust deep learning-powered ransomware defense for your public cloud or take advantage of a free ransomware assessment, email us at or contact us.
