Files
Anthropic-Cybersecurity-Skills/skills/performing-ransomware-incident-response/references/standards.md
T

85 lines
3.9 KiB
Markdown

# Standards and Framework References - Ransomware Incident Response
## NIST SP 800-61 Rev. 3 - Ransomware Response Alignment
- **Detect (DE)**: Monitoring for ransomware indicators
- DE.CM-01: Networks monitored for ransomware C2 traffic
- DE.AE-02: Anomalous file encryption patterns analyzed
- **Respond (RS)**: Containment and eradication
- RS.AN-03: Analysis performed to determine ransomware variant
- RS.MI-01: Contain ransomware spread via network isolation
- RS.MI-02: Eradicate ransomware persistence mechanisms
- **Recover (RC)**: Restoration from backups
- RC.RP-01: Recovery plan executed during or after incident
- RC.CO-03: Recovery activities communicated to stakeholders
## CISA Ransomware Guide (StopRansomware.gov)
- Joint advisory from CISA, FBI, NSA, MS-ISAC
- Key recommendations:
1. Maintain offline, encrypted backups
2. Create, maintain, and exercise a basic cyber incident response plan
3. Implement Zero Trust Architecture
4. Segment networks to prevent spread
- Reference: https://www.cisa.gov/stopransomware
## NIST Cybersecurity Framework Profile for Ransomware Risk Management
- NISTIR 8374: Provides a Ransomware Profile mapped to CSF
- Key subcategories:
- PR.DS-01: Data-at-rest is protected (backup encryption)
- PR.IP-04: Backups of information are conducted, maintained, and tested
- DE.AE-05: Incident alert thresholds are established
- Reference: https://csrc.nist.gov/publications/detail/nistir/8374/final
## MITRE ATT&CK - Ransomware Techniques
### Pre-Encryption Techniques
| Technique ID | Name | Description |
|-------------|------|-------------|
| T1486 | Data Encrypted for Impact | Core ransomware encryption activity |
| T1490 | Inhibit System Recovery | Deleting shadow copies, disabling recovery |
| T1489 | Service Stop | Stopping AV, backup, database services |
| T1562.001 | Disable or Modify Tools | Disabling security tools before encryption |
| T1047 | Windows Management Instrumentation | WMI used for lateral deployment |
### Ransomware Deployment Techniques
| Technique ID | Name | Description |
|-------------|------|-------------|
| T1570 | Lateral Tool Transfer | Copying ransomware binary across network |
| T1053.005 | Scheduled Task | Scheduled tasks for timed detonation |
| T1484.001 | Group Policy Modification | GPO abuse for mass deployment |
| T1569.002 | Service Execution | Running ransomware as a service |
### Exfiltration (Double Extortion)
| Technique ID | Name | Description |
|-------------|------|-------------|
| T1567 | Exfiltration Over Web Service | Uploading data to cloud storage |
| T1048 | Exfiltration Over Alternative Protocol | DNS/ICMP tunneling for data theft |
| T1041 | Exfiltration Over C2 Channel | Data sent through C2 infrastructure |
## SANS Ransomware Response Checklist
1. Isolate the infected device(s) from the network immediately
2. Identify the ransomware variant
3. Check for decryptors (No More Ransom, Emsisoft, Kaspersky)
4. Report to law enforcement (FBI IC3, local CISA office)
5. Assess backup availability and integrity
6. Determine if data was exfiltrated (double extortion)
7. Restore from clean backups
8. Document lessons learned
## FBI/CISA Joint Advisory Recommendations
- Do NOT pay the ransom (paying does not guarantee recovery)
- Report the attack to FBI IC3 (ic3.gov) and CISA
- Preserve forensic evidence for law enforcement
- Contact CISA for technical assistance
- Share IOCs with sector ISACs
## Known Ransomware Family References
| Family | First Seen | Notable Traits | Decryptor Available |
|--------|-----------|----------------|-------------------|
| LockBit 3.0 | 2022 | RaaS, Bug Bounty program | No |
| BlackCat/ALPHV | 2021 | Rust-based, cross-platform | Partial (FBI tool) |
| Cl0p | 2019 | Mass exploitation campaigns | No |
| Royal/BlackSuit | 2022 | Targets critical infrastructure | No |
| Play | 2022 | Intermittent encryption | No |
| Akira | 2023 | Targets Linux/VMware | Partial |
| Rhysida | 2023 | Targets healthcare, education | No |