Anthropic-Cybersecurity-Skills/skills/performing-ransomware-incident-response/references/workflows.md

Ransomware Incident Response - Detailed Workflow

Phase 1: Detection and Initial Assessment (0-30 minutes)

Detection Sources

  1. EDR/AV alert for ransomware behavior (mass file encryption)
  2. User reports of inaccessible files or ransom notes
  3. SIEM correlation of suspicious patterns (VSS deletion + mass file writes)
  4. Backup system alerts for failed or corrupted backups
  5. Canary file monitoring triggers
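
As an added example (not code from the original playbook), the correlation in detection source 3 written out in Python over constructed log lines: a shadow-copy or recovery-deletion command on a host, followed within a short window by a burst of file writes or renames on that same host, raises an alert, while an isolated deletion command (routine backup maintenance) does not. The log line format, the field names and the command-line pattern set are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that tamper with shadow copies / recovery, a common precursor to
# mass encryption. This pattern set is an assumption for the example, not a
# complete signature list.
RECOVERY_TAMPER = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog|bcdedit(\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE,
)

def parse(line):
    """Parse one constructed log line: '<iso-timestamp> <host> <kind> <detail>'."""
    ts, host, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, kind, detail

def correlate(lines, window=timedelta(minutes=5), min_writes=50):
    """Return one alert per (host, tamper command) when at least `min_writes`
    file writes/renames follow that command on the same host within `window`.
    A lone tamper command with no write burst does not alert."""
    tamper, writes = defaultdict(list), defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse(line)
        if kind == "process" and RECOVERY_TAMPER.search(detail):
            tamper[host].append((ts, detail))
        elif kind in ("file_write", "file_rename"):
            writes[host].append(ts)
    alerts = []
    for host, cmds in tamper.items():
        for ts, cmd in cmds:
            n = sum(1 for w in writes[host] if ts <= w <= ts + window)
            if n >= min_writes:
                alerts.append({"host": host, "tamper_cmd": cmd,
                               "writes_in_window": n, "start": ts.isoformat()})
    return alerts

# Constructed sample: WS-042 deletes shadows then renames 60 files in two minutes;
# SRV-BK1 runs a catalog deletion followed by a single write (no burst).
SAMPLE = (
    ["2024-05-01T02:00:00 WS-042 process vssadmin.exe delete shadows /all /quiet"]
    + [f"2024-05-01T02:0{i // 30}:{(i % 30) * 2:02d} WS-042 file_rename "
       f"C:\\Users\\a\\doc{i}.docx -> doc{i}.docx.locked" for i in range(60)]
    + ["2024-05-01T09:15:00 SRV-BK1 process wbadmin delete catalog -quiet",
       "2024-05-01T09:16:00 SRV-BK1 file_write D:\\backup\\catalog.wbcat"]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The `min_writes` and `window` thresholds are tuning knobs; lowering `min_writes` to 1 turns the SRV-BK1 event into an alert, which is the false-positive trade-off the SIEM rule has to balance.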

Initial Assessment Steps

  1. Confirm ransomware activity (not a false positive or legitimate encryption)
  2. Identify patient zero (first infected system)
  3. Determine ransomware variant from ransom note or encrypted file extension
  4. Check if encryption is still in progress or completed
  5. Assess scope: single host, department, or enterprise-wide
  6. Activate incident response team and establish war room

Variant Identification

  1. Upload ransom note to ID Ransomware (id-ransomware.malwarehunterteam.com)
  2. Submit encrypted file sample to identify encryption algorithm
  3. Check file extension against known ransomware database
  4. Cross-reference IOCs with threat intelligence feeds
  5. Search for Bitcoin wallet addresses in threat intel databases

Phase 2: Containment (30-120 minutes)

Immediate Actions

  1. Network-isolate all confirmed infected hosts via EDR
  2. Block known C2 IPs/domains at perimeter firewall
  3. Disable file sharing (SMB, NFS) between network segments
  4. Block lateral movement protocols (RDP, WinRM, PsExec)
  5. Disable compromised user/service accounts
  6. Take backup systems offline (protect from encryption)

Network Segmentation

  1. Implement emergency firewall rules between VLANs
  2. Disable inter-VLAN routing for affected segments
  3. Block east-west traffic for non-essential ports
  4. Enable full packet capture on affected segments
  5. Deploy network honey tokens

Backup Protection Priority

  1. Disconnect backup networks from production
  2. Verify immutable backup copies exist and are intact
  3. Test a sample restoration to confirm backup viability
  4. Document last known good backup date for each system
  5. If using cloud backups, verify object lock/WORM settings

Phase 3: Investigation (2-48 hours)

Determine Initial Access Vector

  1. Review VPN/remote access logs for compromised credentials
  2. Check email logs for phishing delivery
  3. Analyze exploitation of public-facing applications
  4. Review RDP brute force attempts in event logs
  5. Check supply chain/third-party access logs

Map Attack Timeline

  1. Correlate SIEM/EDR data to build attack chronology
  2. Identify dwell time (initial access to encryption)
  3. Map lateral movement path through the network
  4. Identify all systems accessed by the attacker
  5. Determine if data was exfiltrated before encryption
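
As an added example (not part of the original playbook), a Python routine that merges constructed VPN, Windows logon and EDR events into one chronology and derives the figures this step asks for: dwell time from initial access to first encryption, the lateral movement path, the systems and accounts touched, and whether exfiltration preceded encryption. The event schema and field names are assumptions for this example.

```python
from datetime import datetime

def _t(e):
    return datetime.fromisoformat(e["ts"])

def build_timeline(events):
    """Sort events from several sources into one chronology and derive
    dwell time, lateral path, systems/accounts touched and exfil ordering."""
    ordered = sorted(events, key=_t)
    first_access = next((e for e in ordered if e["kind"] == "initial_access"), None)
    first_enc = next((e for e in ordered if e["kind"] == "encryption"), None)
    dwell_hours = None
    if first_access and first_enc:
        dwell_hours = (_t(first_enc) - _t(first_access)).total_seconds() / 3600
    path, hosts, accounts = [], set(), set()
    for e in ordered:
        if "user" in e:
            accounts.add(e["user"])
        if e["kind"] == "lateral":
            if not path:
                path.append(e["from"])
            path.append(e["to"])
            hosts.update((e["from"], e["to"]))
        else:
            hosts.add(e["host"])
    exfil_before_enc = bool(first_enc) and any(
        e["kind"] == "exfil" and _t(e) < _t(first_enc) for e in ordered)
    chronology = [f'{e["ts"]} [{e["src"]}] {e["kind"]}' for e in ordered]
    return {"dwell_hours": dwell_hours, "lateral_path": path,
            "systems_accessed": sorted(hosts), "accounts": sorted(accounts),
            "exfil_before_encryption": exfil_before_enc, "chronology": chronology}

# Constructed events, deliberately out of order to show the merge/sort step.
EVENTS = [
    {"ts": "2024-05-01T02:00:05", "src": "edr", "kind": "encryption", "host": "WS-042"},
    {"ts": "2024-05-01T02:00:00", "src": "edr", "kind": "encryption", "host": "FS-01"},
    {"ts": "2024-04-28T21:12:00", "src": "vpn", "kind": "initial_access",
     "host": "VPN-GW", "user": "jsmith"},
    {"ts": "2024-04-29T03:40:00", "src": "winlog", "kind": "lateral",
     "from": "VPN-GW", "to": "WS-042", "user": "jsmith"},
    {"ts": "2024-04-30T01:05:00", "src": "winlog", "kind": "lateral",
     "from": "WS-042", "to": "FS-01", "user": "svc_backup"},
    {"ts": "2024-04-30T22:30:00", "src": "edr", "kind": "exfil", "host": "FS-01"},
]

if __name__ == "__main__":
    for key, value in build_timeline(EVENTS).items():
        print(f"{key}: {value}")
```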

Evidence Collection

  1. Capture memory images from key systems
  2. Create forensic disk images before remediation
  3. Export relevant SIEM logs (authentication, file access, network)
  4. Preserve EDR detection data and timeline
  5. Document all ransom communications

Phase 4: Eradication (24-72 hours)

Remove Attacker Persistence

  1. Identify and remove all backdoors (web shells, RATs, implants)
  2. Remove scheduled tasks created by the attacker
  3. Clean malicious registry entries
  4. Remove unauthorized user accounts
  5. Revoke all compromised credentials (including KRBTGT if needed)
  6. Patch the vulnerability used for initial access

Validate Clean State

  1. Run full AV/EDR scans on all systems
  2. Scan with YARA rules specific to the ransomware family
  3. Verify no unauthorized processes or services
  4. Check for fileless persistence mechanisms
  5. Validate Group Policy objects are clean

Phase 5: Recovery (24 hours - 2 weeks)

Recovery Prioritization

| Priority | System Category | Recovery Target |
|---|---|---|
| P1 | Domain controllers, DNS, DHCP | 4-8 hours |
| P2 | Email, communication systems | 8-24 hours |
| P3 | Core business applications | 24-72 hours |
| P4 | File shares, secondary systems | 3-7 days |
| P5 | Non-critical workstations | 1-2 weeks |

Recovery Steps

  1. Rebuild systems from known-good images (not infected backups)
  2. Restore data from verified clean backups
  3. Apply all security patches before reconnecting to network
  4. Reset all passwords enterprise-wide
  5. Implement MFA on all remote access
  6. Reconnect systems in phases with enhanced monitoring
  7. Verify data integrity after restoration

Decryption Assessment

  1. Check nomoreransom.org for available decryptors
  2. Contact law enforcement for potential seized decryption keys
  3. Assess if partial decryption is possible
  4. Evaluate third-party decryption services (with caution)
  5. Document any data that cannot be recovered

Phase 6: Post-Incident (1-4 weeks)

Lessons Learned

  1. Conduct formal after-action review
  2. Document complete attack timeline
  3. Identify what worked and what failed in the response
  4. Update incident response playbook based on findings
  5. Brief executive leadership and board

Preventive Improvements

  1. Implement or enhance immutable backups
  2. Deploy additional network segmentation
  3. Improve endpoint detection rules
  4. Conduct security awareness training
  5. Test backup restoration procedures regularly
  6. Implement privileged access management (PAM)