SANS Courses

FOR528: Ransomware and Cyber Extortion

NOTE: The video below was recorded when the course had its original name of “Ransomware for Incident Responders.” Though the course has changed a bit, including a course name change, the video still paints a solid picture of what you can expect from the course.

I am the author for the SANS FOR528: Ransomware and Cyber Extortion course.

The FOR528 – Ransomware and Cyber Extortion In-Depth Course will help you understand:

  • How ransomware has evolved to become a major business
  • How human-operated ransomware operators have evolved into well-tuned attack groups
  • Who and what verticals are most at risk of becoming ransomware victims
  • How ransomware operators get into their victims’ environments
  • How best to prepare your organization against the threat of ransomware
  • How to identify the tools that ransomware operators often use to get into and perform post-exploitation activities during a ransomware attack
  • How to hunt for ransomware operators within your network
  • How to respond when ransomware is running actively within your environment
  • What steps to take following a ransomware attack
  • How to identify data exfiltration

Ransomware has become a routine part of the news in our daily computing lives. The threat has evolved from a single-machine infection following an ill-advised click into a booming criminal enterprise capable of crippling even the largest networks. Nearly all computer networks are susceptible to ransomware attacks, and ransomware operators frequently target new verticals.

Thwarting the threat of ransomware attacks requires a coordinated effort among multiple IT teams. Enterprise network administrators must enable strong protection controls and ensure that backups will be secure in the face of a ransomware event. The IT security and/or incident response analysts involved must be familiar with hunting for operators who slip past security mechanisms and must know how to respond while ransomware is running actively within the environment. Management must know how to deal with operators should ransomware be executed successfully within the environment.

You can check my SANS Instructor page for my upcoming courses:

FOR610: Reverse Engineering Malware

Prior to authoring FOR528, I taught the SANS FOR610: Reverse Engineering Malware course.

When teaching FOR610, I maintain a notes page along with a parking lot for questions that need to be answered. Should you want to take a peek at what kinds of additional things we share throughout this class, feel free to take a look:

Twitch / YouTube Training Sessions

One of my best friends in the world has entered into the #InfoSec realm! I was so dang happy that my good buddy Adam transitioned to my world that I sat with him for various Twitch training sessions. We sat and discussed concepts such as SOC interview fundamentals, email header analysis, and more.

You can view our sessions on my “Twitch Sessions” YouTube Playlist:

WARNING! Some audio may be NSFW! I have a dirty mouth it seems… 🙂

Pluralsight Courses

I have a few courses published on Pluralsight. I absolutely love the Pluralsight platform, and while I may not have published any public-facing courses recently, I often work with the team on behind-the-scenes content such as curriculum endeavors.

Hands-On Incident Response Fundamentals

Operationalizing Cyber Threat Intel: Pivoting & Hunting

SOC Baseline Training

During my seven (7) years working for a large engineering, procurement, and construction (EPC) company, I developed and delivered a 5-week baseline training curriculum for new hire SOC analysts. Heck, I ended up delivering the 5-week course over 10 times! Hah!

I eventually gave a presentation at BSides San Francisco 2019 on how to implement such a training program. My talk, entitled “Implementing a Kick-Butt Training Program: BLUE TEAM GO!” can be viewed on YouTube:

GitHub repo with PDFs: