creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-12 22:24:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/implementing-ransomware-backup-strategy/references/workflows.md
T

176 lines
3.7 KiB
Markdown
Raw Blame History

# Workflows - Ransomware Backup Strategy
## Workflow 1: Initial Backup Architecture Design
```
Start
|
v
[Inventory all systems and data] --> Classify into Tier 1/2/3 by business impact
|
v
[Define RPO/RTO per tier] --> Document in recovery plan
|
v
[Select backup platform] --> Veeam / Rubrik / Commvault / Cohesity
|
v
[Design 3-2-1-1-0 architecture]
|-- Copy 1: Local repository (fast restore)
|-- Copy 2: Secondary site/cloud (different media)
|-- Copy 3: Offsite (geographic separation)
|-- +1: Immutable or air-gapped copy
|-- +0: Automated restore verification
|
v
[Isolate backup credentials]
|-- Remove from production AD
|-- Deploy MFA for backup admin access
|-- Segment backup network
|
v
[Configure immutable storage]
|-- Linux Hardened Repository (XFS immutability)
|-- S3 Object Lock / Azure Immutable Blob
|-- Tape air-gap rotation
|
v
[Set backup schedules per tier]
|
v
[Configure automated restore testing]
|-- SureBackup / SureReplica
|-- Verify boot, network, application health
|
v
[Document recovery runbook]
|
v
End
```
## Workflow 2: Restore Verification Process
```
Start (Scheduled - Weekly for Tier 1, Monthly for Tier 2)
|
v
[SureBackup job triggers VM restore to isolated sandbox]
|
v
[VM boots in isolated network segment]
|
v
[Heartbeat check] -- Fail --> Alert backup team
|
Pass
|
v
[Network ping check] -- Fail --> Alert backup team
|
Pass
|
v
[Application-specific check]
|-- AD: LDAP query test
|-- SQL: Database consistency check
|-- Web: HTTP 200 response
|-- Email: SMTP handshake
|
Fail --> Alert backup team with diagnostic details
|
Pass
|
v
[Log successful restore] --> Update compliance dashboard
|
v
[Clean up sandbox VMs]
|
v
End
```
## Workflow 3: Emergency Ransomware Recovery
```
Ransomware Incident Declared
|
v
[Isolate affected systems from network]
|
v
[Verify backup integrity]
|-- Check immutable copies are unaffected
|-- Validate backup timestamps predate infection
|-- Scan backup files for ransomware artifacts
|
v
[Determine recovery scope]
|-- Full environment rebuild vs. selective restore
|-- Prioritize by tier: AD/DNS first, then Tier 1, then Tier 2/3
|
v
[Rebuild infrastructure in clean environment]
|-- Deploy clean OS images
|-- Restore AD from immutable backup
|-- Validate AD integrity with ADRestore/DSInternals
|
v
[Restore applications in dependency order]
|-- Database servers before application servers
|-- Internal services before external-facing
|
v
[Validate restored systems]
|-- Application functionality testing
|-- Data integrity verification
|-- Security control validation
|
v
[Reconnect to network in phases]
|-- Monitor for re-infection indicators
|-- Validate no persistence mechanisms in restored systems
|
v
[Post-recovery documentation and lessons learned]
|
v
End
```
## Workflow 4: Backup Health Monitoring
```
Daily Automated Check
|
v
[Query backup job status via API/PowerShell]
|
v
[Check for failed or warning jobs]
|-- Failed --> Create P1 ticket, alert backup team
|-- Warning --> Create P3 ticket, investigate within 24hr
|-- Success --> Log and continue
|
v
[Verify backup repository capacity]
|-- >85% utilization --> Alert for capacity planning
|-- >95% utilization --> Critical alert, backup jobs at risk
|
v
[Check immutable copy synchronization]
|-- Verify last immutable copy is within RPO window
|-- Alert if immutable copy is stale
|
v
[Generate weekly backup health report]
|-- Success rate percentage
|-- Data protected volume
|-- Restore test results
|-- Capacity forecast
|
v
End
```
Reference in New Issue View Git Blame Copy Permalink