mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-18 21:49:40 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,139 @@
|
||||
# Workflows - Ransomware Tabletop Exercise
|
||||
|
||||
## Workflow 1: Exercise Planning (4-6 weeks before)
|
||||
|
||||
```
|
||||
Start
|
||||
|
|
||||
v
|
||||
[Define exercise objectives] --> What gaps are we testing?
|
||||
|
|
||||
v
|
||||
[Select scenario type]
|
||||
|-- Double extortion (data theft + encryption)
|
||||
|-- Supply chain ransomware (vendor compromise)
|
||||
|-- Cloud ransomware (SaaS/IaaS targeted)
|
||||
|-- Critical infrastructure disruption
|
||||
|
|
||||
v
|
||||
[Choose threat actor model] --> LockBit / ALPHV / Cl0p / Rhysida
|
||||
|
|
||||
v
|
||||
[Identify participants]
|
||||
|-- Executive leadership (CEO, CFO, COO)
|
||||
|-- IT/Security (CISO, SOC, IR team)
|
||||
|-- Legal (General Counsel, external counsel)
|
||||
|-- Communications (PR, media relations)
|
||||
|-- Operations (business unit leaders)
|
||||
|-- HR (employee communications)
|
||||
|-- External partners (IR firm, insurance)
|
||||
|
|
||||
v
|
||||
[Develop scenario with 4 phases and injects]
|
||||
|
|
||||
v
|
||||
[Prepare materials: SITREPs, inject cards, evaluation scorecard]
|
||||
|
|
||||
v
|
||||
[Schedule 3-4 hour block, distribute pre-reading]
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
|
||||
## Workflow 2: Exercise Execution
|
||||
|
||||
```
|
||||
Exercise Start
|
||||
|
|
||||
v
|
||||
[Facilitator opening brief] (10 min)
|
||||
|-- Ground rules, objectives, scope
|
||||
|-- "This is discussion-based, no wrong answers"
|
||||
|
|
||||
v
|
||||
[Phase 1: Initial Detection] (30 min)
|
||||
|-- Distribute SITREP 1
|
||||
|-- Discussion: Who, what, when, initial actions
|
||||
|-- Inject: Additional information changes situation
|
||||
|-- Document decisions on worksheet
|
||||
|
|
||||
v
|
||||
[Phase 2: Escalation] (30 min)
|
||||
|-- Distribute SITREP 2
|
||||
|-- Discussion: Scope of impact, containment actions
|
||||
|-- Inject: Double extortion element introduced
|
||||
|-- Document decisions
|
||||
|
|
||||
v
|
||||
[Break] (10 min)
|
||||
|
|
||||
v
|
||||
[Phase 3: Critical Decision Points] (45 min)
|
||||
|-- Distribute SITREP 3
|
||||
|-- Discussion: Ransom payment, law enforcement, notification
|
||||
|-- Inject: Public pressure from media/customers
|
||||
|-- Document decisions with rationale
|
||||
|
|
||||
v
|
||||
[Phase 4: Recovery and Communication] (45 min)
|
||||
|-- Distribute SITREP 4
|
||||
|-- Discussion: Recovery priority, timeline, customer comms
|
||||
|-- Inject: Recovery complication (infected backup, key system fails)
|
||||
|-- Document decisions
|
||||
|
|
||||
v
|
||||
[Hot wash / Debrief] (20 min)
|
||||
|-- Each functional area shares top insight
|
||||
|-- Facilitator highlights key observations
|
||||
|-- Immediate gap identification
|
||||
|
|
||||
v
|
||||
Exercise End
|
||||
```
|
||||
|
||||
## Workflow 3: After-Action Report Development
|
||||
|
||||
```
|
||||
Exercise Complete
|
||||
|
|
||||
v
|
||||
[Collect all documentation within 24 hours]
|
||||
|-- Decision worksheets
|
||||
|-- Facilitator notes
|
||||
|-- Evaluation scorecards
|
||||
|-- Observer notes (if separate observers present)
|
||||
|
|
||||
v
|
||||
[Score each evaluation area (1-5)]
|
||||
|
|
||||
v
|
||||
[Identify strengths (what worked well)]
|
||||
|
|
||||
v
|
||||
[Identify gaps with severity rating]
|
||||
|-- Critical: Would prevent effective response
|
||||
|-- High: Would significantly delay/complicate response
|
||||
|-- Medium: Would reduce response quality
|
||||
|-- Low: Minor improvement opportunity
|
||||
|
|
||||
v
|
||||
[Develop remediation actions]
|
||||
|-- Each gap gets: action, owner, deadline, priority
|
||||
|-- Must be specific and measurable
|
||||
|
|
||||
v
|
||||
[Draft AAR within 5 business days]
|
||||
|
|
||||
v
|
||||
[Review AAR with exercise sponsor]
|
||||
|
|
||||
v
|
||||
[Distribute AAR to participants]
|
||||
|
|
||||
v
|
||||
[Track remediation actions quarterly]
|
||||
|
|
||||
v
|
||||
End
|
||||
```
|
||||
Reference in New Issue
Block a user