Anatomy of an Attack – Using System Roles In Your Ransomware Investigation


A challenge with intrusion investigations is knowing when to stop. When have you identified all of the systems and techniques that the attacker used? Without that, it’s hard to know if the attacker is truly out.

In this talk, we will introduce the concept of system roles, which map a phase of an attack to systems that were used in that phase. We’ll give special attention to ransomware attack phases. For example, ransomware attacks have a “Deployer” node that is responsible for distributing the malicious executables to victims. It could be the initial victim system, the domain controller, or another system. For each role type, we’ll cover what kinds of artifacts you’ll find.
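As an added illustration of the system-roles idea (this is example code, not material from the talk or its speakers), the snippet below assigns the "Deployer" and "victim" roles from a constructed set of lateral-movement records. The record shape (timestamp, source host, destination host, event kind), the hostnames, and the fan-out threshold are all assumptions made for the example; in a real case the records would come from EDR telemetry, Windows event logs or SMB captures, and the threshold would be tuned to the environment.

```python
"""Infer ransomware system roles from constructed lateral-movement records.

Added example, not from the talk. Assumes a simplified, hypothetical event
shape: (ts, src, dst, kind) where kind is one of
  "exe_write"        - an executable was written to a remote admin share
  "service_install"  - a service was created on a remote host (PsExec-style)
  "logon"            - an interactive or network logon to a remote host
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: int
    src: str
    dst: str
    kind: str  # "exe_write", "service_install" or "logon"


PUSH_KINDS = ("exe_write", "service_install")

# Constructed sample telemetry (hypothetical hostnames): WS01 is the initial
# foothold, DC01 is used to push the payload to five workstations, and WS02
# makes a single copy of its own that should not qualify it as a Deployer.
EVENTS = [
    Event(100, "WS01", "DC01", "logon"),
    Event(200, "DC01", "WS01", "exe_write"),
    Event(201, "DC01", "WS01", "service_install"),
    Event(205, "DC01", "WS02", "exe_write"),
    Event(206, "DC01", "WS02", "service_install"),
    Event(210, "DC01", "WS03", "exe_write"),
    Event(215, "DC01", "WS04", "exe_write"),
    Event(220, "DC01", "WS05", "exe_write"),
    Event(300, "WS02", "WS03", "exe_write"),
]


def fan_out(events: Iterable[Event]) -> dict:
    """Map each source host to the distinct hosts it pushed a payload to."""
    targets = defaultdict(set)
    for e in events:
        if e.kind in PUSH_KINDS and e.src != e.dst:
            targets[e.src].add(e.dst)
    return targets


def assign_roles(events: Iterable[Event], deployer_min_targets: int = 3) -> dict:
    """Return {host: sorted list of roles}.

    Deployer: a host that pushed a payload to at least deployer_min_targets
              distinct hosts (a heuristic; the threshold is an assumption).
    Victim:   any host that received an executable write.
    A host can hold both roles, e.g. an initial victim later used to deploy.
    """
    events = list(events)
    roles = defaultdict(set)
    for src, dsts in fan_out(events).items():
        if len(dsts) >= deployer_min_targets:
            roles[src].add("deployer")
    for e in events:
        if e.kind == "exe_write":
            roles[e.dst].add("victim")
    return {host: sorted(r) for host, r in roles.items()}


def deployment_window(events: Iterable[Event], deployer: str):
    """(first, last) timestamp of the deployer's push events, or None.

    This bounds the distribution phase and tells the analyst which time
    range to pull artifacts for on every host the deployer touched.
    """
    stamps = [e.ts for e in events if e.src == deployer and e.kind in PUSH_KINDS]
    return (min(stamps), max(stamps)) if stamps else None


if __name__ == "__main__":
    for host, held in sorted(assign_roles(EVENTS).items()):
        print(host, held)
    print("DC01 deployment window:", deployment_window(EVENTS, "DC01"))
```

The point of scoping roles this way is the stopping criterion from the first paragraph: once every Deployer has been identified and its deployment window bounded, the set of hosts that received a push from it within that window is the minimum set that must be examined before declaring the attacker out. A single fan-out threshold is only a starting heuristic; a Deployer that staged through several intermediate hosts, or one that is also the initial victim, still has to be confirmed from the per-host artifacts.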