mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-26 03:34:37 +03:00
mukul975
66 lines
1.4 KiB
Markdown
66 lines
1.4 KiB
Markdown
# Workflows - Recovering from Ransomware Attack
|
|
|
|
## Workflow 1: Recovery Decision and Planning
|
|
|
|
```
|
|
Containment Complete + Forensics Initiated
|
|
|
|
|
v
|
|
[Assess backup availability]
|
|
|-- Immutable copies intact? --> Primary recovery path
|
|
|-- Air-gapped copies available? --> Secondary recovery path
|
|
|-- No clean backups? --> Consider decryption key (paid or NoMoreRansom)
|
|
|
|
|
v
|
|
[Determine recovery scope]
|
|
|-- Full rebuild vs. selective restore
|
|
|-- Identify minimum viable recovery set
|
|
|
|
|
v
|
|
[Map system dependencies]
|
|
|-- AD/DNS -> Database -> Application -> Web
|
|
|
|
|
v
|
|
[Estimate recovery timeline per tier]
|
|
|
|
|
v
|
|
[Brief executive team on recovery plan and timeline]
|
|
|
|
|
v
|
|
[Begin recovery]
|
|
```
|
|
|
|
## Workflow 2: System Recovery Execution
|
|
|
|
```
|
|
[Establish clean recovery VLAN]
|
|
|
|
|
v
|
|
[Phase 1: Identity Recovery]
|
|
|-- Restore DCs from verified backup
|
|
|-- Reset krbtgt (2x)
|
|
|-- Reset all admin passwords
|
|
|-- Validate AD health (dcdiag)
|
|
|
|
|
v
|
|
[Phase 2: Critical Systems]
|
|
|-- Restore databases
|
|
|-- Verify data consistency
|
|
|-- Restore core applications
|
|
|-- Test application functionality
|
|
|
|
|
v
|
|
[Phase 3: Important Systems]
|
|
|-- Restore in groups of 5-10
|
|
|-- Validate each before proceeding
|
|
|
|
|
v
|
|
[Phase 4: Remaining Systems]
|
|
|
|
|
v
|
|
[Each system: Scan for persistence -> Patch -> Deploy EDR -> Connect]
|
|
|
|
|
v
|
|
[Post-recovery monitoring (7-14 days elevated alert)]
|
|
```
|