RE: ransomware, I see a lot of folks overly focusing on atomic indicators for ransomware. Ransomware is very easy to write and deploy, and when a sophisticated cybercriminal is ready to deploy it, they will test it out on a single system before deploying it to all. [01/xx] #Ransomware
What you should be focusing on is: 1) The precursors to ransomware, e.g. (not an exhaustive list) Emotet, TrickBot, Cobalt Strike, Empire. 2) Preparing and testing backups so you can recover fast in the event of a ransomware incident across your org. [02/xx]
3) Proactively preparing people (execs, lawyers, PR, etc.) internally in your org as to how you will handle a ransomware incident. What will you do if someone attempts to extort your org to pay or else they release your data publicly? How will you respond? [03/xx]
How will you communicate with media/LE/customers? Will you pay? Who will you bring in to help you respond? [04/xx]
4) Ransomware protection and containment. Read @FireEye's great report on that - https://www.fireeye.com/blog/threat-research/2019/09/ransomware-protection-and-containment-strategies.html [05/xx]
Also, I recommend checking out a blog post @gregotto wrote for us at @Intel471Inc: https://intel471.com/blog/how-to-recover-from-a-ransomware-attack/ [06/xx]