Anthropic-Cybersecurity-Skills/skills/implementing-ransomware-backup-strategy/references/workflows.md

# Workflows - Ransomware Backup Strategy

## Workflow 1: Initial Backup Architecture Design

```text
Start
  |
  v
[Inventory all systems and data] --> Classify into Tier 1/2/3 by business impact
  |
  v
[Define RPO/RTO per tier] --> Document in recovery plan
  |
  v
[Select backup platform] --> Veeam / Rubrik / Commvault / Cohesity
  |
  v
[Design 3-2-1-1-0 architecture]
  |-- Copy 1: Local repository (fast restore)
  |-- Copy 2: Secondary site/cloud (different media)
  |-- Copy 3: Offsite (geographic separation)
  |-- +1: Immutable or air-gapped copy
  |-- +0: Zero errors on automated restore verification
  |
  v
[Isolate backup credentials]
  |-- Remove from production AD
  |-- Deploy MFA for backup admin access
  |-- Segment backup network
  |
  v
[Configure immutable storage]
  |-- Linux Hardened Repository (XFS immutability)
  |-- S3 Object Lock / Azure Immutable Blob
  |-- Tape air-gap rotation
  |
  v
[Set backup schedules per tier]
  |
  v
[Configure automated restore testing]
  |-- SureBackup / SureReplica
  |-- Verify boot, network, application health
  |
  v
[Document recovery runbook]
  |
  v
End
```
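The 3-2-1-1-0 and RPO checks in this workflow are easy to state and easy to drift away from, so it helps to encode them as a policy audit that runs against the documented plan. The following is an added example written for this page, not code from the skill or from any backup vendor; the `BackupCopy`/`TierPolicy` models, the sample tiers and their sites and media types are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # "disk", "object-storage", "tape", ... (constructed labels)
    site: str         # site identifier (constructed values below)
    offsite: bool     # geographically separated from production
    immutable: bool   # object lock, hardened repository or air-gapped tape


@dataclass
class TierPolicy:
    tier: int
    rpo_hours: float                # maximum tolerable data loss
    rto_hours: float                # maximum tolerable restore time
    backup_interval_hours: float    # how often the job actually runs
    copies: list
    last_restore_test_passed: bool  # result of the automated restore test
    restore_test_errors: int = 0


def check_3_2_1_1_0(policy: TierPolicy) -> list:
    """Return a list of findings; an empty list means the tier is compliant."""
    findings = []
    copies = policy.copies
    # 3: at least three backup copies (production data itself does not count)
    if len(copies) < 3:
        findings.append(f"only {len(copies)} backup copies, need 3")
    # 2: spread over at least two media types
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(f"all copies on a single media type ({', '.join(media)}), need 2")
    # 1: at least one copy offsite
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    # 1: at least one immutable or air-gapped copy
    if not any(c.immutable for c in copies):
        findings.append("no immutable or air-gapped copy")
    # 0: zero errors on automated restore verification
    if policy.restore_test_errors or not policy.last_restore_test_passed:
        findings.append("automated restore verification is not passing with zero errors")
    # A schedule slower than the RPO makes the documented RPO unachievable
    if policy.backup_interval_hours > policy.rpo_hours:
        findings.append(
            f"backup interval {policy.backup_interval_hours}h exceeds RPO {policy.rpo_hours}h")
    return findings


def audit(policies: dict) -> dict:
    """Map each tier name to its findings so gaps can be tracked in the recovery plan."""
    return {name: check_3_2_1_1_0(p) for name, p in policies.items()}


# Constructed sample policies (not from any real environment)
TIER1 = TierPolicy(
    tier=1, rpo_hours=4, rto_hours=8, backup_interval_hours=1,
    copies=[
        BackupCopy("local-repo", "disk", "site-a", offsite=False, immutable=False),
        BackupCopy("s3-object-lock", "object-storage", "cloud-region-1", offsite=True, immutable=True),
        BackupCopy("tape-vault", "tape", "vault-b", offsite=True, immutable=True),
    ],
    last_restore_test_passed=True,
)

TIER2_BAD = TierPolicy(
    tier=2, rpo_hours=24, rto_hours=48, backup_interval_hours=48,
    copies=[
        BackupCopy("local-repo", "disk", "site-a", offsite=False, immutable=False),
        BackupCopy("dr-repo", "disk", "site-b", offsite=True, immutable=False),
    ],
    last_restore_test_passed=False,
)


if __name__ == "__main__":
    for name, findings in audit({"tier1": TIER1, "tier2": TIER2_BAD}).items():
        print(name, "compliant" if not findings else findings)
```

Running the audit on the two constructed tiers reports Tier 1 as compliant and lists five gaps for Tier 2 (too few copies, a single media type, no immutable copy, failing restore verification, and a schedule slower than its RPO); the findings are meant to be copied straight into the recovery plan's open-issues list.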

## Workflow 2: Restore Verification Process

```text
Start (Scheduled - Weekly for Tier 1, Monthly for Tier 2)
  |
  v
[SureBackup job triggers VM restore to isolated sandbox]
  |
  v
[VM boots in isolated network segment]
  |
  v
[Heartbeat check] -- Fail --> Alert backup team
  |
  Pass
  |
  v
[Network ping check] -- Fail --> Alert backup team
  |
  Pass
  |
  v
[Application-specific check]
  |-- AD: LDAP query test
  |-- SQL: Database consistency check
  |-- Web: HTTP 200 response
  |-- Email: SMTP handshake
  |
  Fail --> Alert backup team with diagnostic details
  |
  Pass
  |
  v
[Log successful restore] --> Update compliance dashboard
  |
  v
[Clean up sandbox VMs]
  |
  v
End
```
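The verification ladder above is a fixed sequence in which the first failing rung stops the run and raises an alert carrying diagnostic details. The block below is an added example, not part of the skill and not Veeam SureBackup code: it implements that ladder with a heartbeat stand-in (a TCP connect to the restored guest's management port, an assumption made here because the real heartbeat comes from the hypervisor tools) and the web tier's HTTP 200 check, and it boots a constructed loopback web server to play the restored VM. The ICMP ping rung is omitted because raw sockets need privileges; the LDAP, SQL and SMTP checks slot into the same `checks` list.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class CheckResult:
    name: str
    passed: bool
    detail: str


def heartbeat_check(host: str, port: int, timeout: float = 3.0) -> CheckResult:
    """Stand-in for the hypervisor heartbeat: is the guest answering on its management port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return CheckResult("heartbeat", True, f"{host}:{port} reachable")
    except OSError as exc:
        return CheckResult("heartbeat", False, f"{host}:{port} unreachable: {exc}")


def http_check(url: str, timeout: float = 3.0) -> CheckResult:
    """Application check for a web tier: the restored service must answer HTTP 200."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return CheckResult("http", resp.status == 200, f"HTTP {resp.status} from {url}")
    except urllib.error.HTTPError as exc:
        return CheckResult("http", False, f"HTTP {exc.code} from {url}")
    except (urllib.error.URLError, OSError) as exc:
        return CheckResult("http", False, f"no HTTP response from {url}: {exc}")


def verify_restore(vm_name: str, checks) -> dict:
    """Run checks in order; the first failure stops the ladder and produces an alert."""
    results = []
    for check in checks:
        result = check()
        results.append(result)
        if not result.passed:
            return {"vm": vm_name, "verified": False, "results": results,
                    "alert": f"{vm_name}: {result.name} check failed ({result.detail})"}
    return {"vm": vm_name, "verified": True, "results": results, "alert": None}


class _SandboxApp(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a restored web server: healthy on /health, broken elsewhere."""

    def do_GET(self):
        healthy = self.path == "/health"
        body = b"ok" if healthy else b"degraded"
        self.send_response(200 if healthy else 503)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo() -> dict:
    """Boot the constructed sandbox app on a loopback port, verify a healthy and a broken VM."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _SandboxApp)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        healthy = verify_restore("web-01", [
            lambda: heartbeat_check("127.0.0.1", port),
            lambda: http_check(f"http://127.0.0.1:{port}/health"),
        ])
        broken = verify_restore("web-02", [
            lambda: heartbeat_check("127.0.0.1", port),
            lambda: http_check(f"http://127.0.0.1:{port}/"),
        ])
    finally:
        server.shutdown()
        server.server_close()
    return {"healthy": healthy, "broken": broken}


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, "verified" if outcome["verified"] else outcome["alert"])
```

The second VM passes the heartbeat rung but fails the application rung with "HTTP 503", which is the diagnostic detail the alert carries to the backup team; a VM that fails earlier never reaches the application check, which keeps the alert pointing at the first broken layer.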

## Workflow 3: Emergency Ransomware Recovery

```text
Ransomware Incident Declared
  |
  v
[Isolate affected systems from network]
  |
  v
[Verify backup integrity]
  |-- Check immutable copies are unaffected
  |-- Validate backup timestamps predate infection
  |-- Scan backup files for ransomware artifacts
  |
  v
[Determine recovery scope]
  |-- Full environment rebuild vs. selective restore
  |-- Prioritize by tier: AD/DNS first, then Tier 1, then Tier 2/3
  |
  v
[Rebuild infrastructure in clean environment]
  |-- Deploy clean OS images
  |-- Restore AD from immutable backup
  |-- Validate AD integrity with ADRestore/DSInternals
  |
  v
[Restore applications in dependency order]
  |-- Database servers before application servers
  |-- Internal services before external-facing
  |
  v
[Validate restored systems]
  |-- Application functionality testing
  |-- Data integrity verification
  |-- Security control validation
  |
  v
[Reconnect to network in phases]
  |-- Monitor for re-infection indicators
  |-- Validate no persistence mechanisms in restored systems
  |
  v
[Post-recovery documentation and lessons learned]
  |
  v
End
```
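Two decisions in this workflow benefit from being computed rather than eyeballed under pressure: which restore point predates the infection, and in what order systems come back so that AD/DNS lead, databases precede application servers, and internal services precede external-facing ones. The following is an added example for this page, not the skill's own tooling: `select_clean_restore_point` applies a dwell-time margin before the first observed indicator (the 24 h margin is an assumption chosen for the demo, not a rule from the page) and only considers immutable, verified points; `restore_order` is a priority-aware topological sort over a constructed dependency map. All system names, timestamps and tiers are constructed.

```python
import heapq
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RestorePoint:
    name: str
    created: datetime
    immutable: bool   # held in object lock / hardened repo / offline tape
    verified: bool    # passed automated restore verification


def select_clean_restore_point(points, first_indicator: datetime, dwell_margin: timedelta):
    """Newest immutable, verified restore point created before the infection window.

    The window opens a dwell margin before the first observed indicator, since the
    intrusion normally predates the moment encryption was noticed.
    """
    cutoff = first_indicator - dwell_margin
    candidates = [p for p in points if p.immutable and p.verified and p.created <= cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.created)


def restore_order(systems: dict) -> list:
    """Dependency-respecting restore order preferring lower tiers and internal services.

    systems maps a name to (tier, external_facing, [dependencies]); tier 0 is
    reserved for identity/DNS, which everything else depends on.
    """
    indegree = {name: 0 for name in systems}
    dependents = {name: [] for name in systems}
    for name, (_tier, _external, deps) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            indegree[name] += 1
            dependents[dep].append(name)

    def key(name):
        tier, external, _deps = systems[name]
        return (tier, external, name)   # lower tier first, internal before external

    ready = [key(n) for n in systems if indegree[n] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        _tier, _external, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, key(child))
    if len(order) != len(systems):
        raise ValueError("dependency cycle; restore plan cannot be ordered")
    return order


# Constructed sample data (not from a real incident)
FIRST_INDICATOR = datetime(2024, 6, 10, 3, 0)
DWELL_MARGIN = timedelta(hours=24)   # assumed margin for the demo
DC_POINTS = [
    RestorePoint("dc-01@2024-06-10T01:00", datetime(2024, 6, 10, 1, 0), True, True),
    RestorePoint("dc-01@2024-06-09T02:00", datetime(2024, 6, 9, 2, 0), False, True),
    RestorePoint("dc-01@2024-06-09T01:00", datetime(2024, 6, 9, 1, 0), True, True),
    RestorePoint("dc-01@2024-06-08T01:00", datetime(2024, 6, 8, 1, 0), True, True),
]
SYSTEMS = {
    "dc-01":      (0, False, []),
    "dns-01":     (0, False, ["dc-01"]),
    "sql-01":     (1, False, ["dc-01"]),
    "erp-app":    (1, False, ["sql-01"]),
    "public-web": (1, True,  ["erp-app"]),
    "file-srv":   (2, False, ["dc-01"]),
    "wiki":       (2, False, ["dc-01"]),
}


if __name__ == "__main__":
    print(select_clean_restore_point(DC_POINTS, FIRST_INDICATOR, DWELL_MARGIN))
    print(restore_order(SYSTEMS))
```

On the constructed data the 10 June point is rejected for falling inside the window and the 02:00 point on 9 June for not being immutable, leaving the 01:00 immutable copy of 9 June; the order comes out as the domain controller, then DNS, then the database, the application it serves, the public web front end, and finally the Tier 2 systems.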

## Workflow 4: Backup Health Monitoring

```text
Daily Automated Check
  |
  v
[Query backup job status via API/PowerShell]
  |
  v
[Check for failed or warning jobs]
  |-- Failed --> Create P1 ticket, alert backup team
  |-- Warning --> Create P3 ticket, investigate within 24 h
  |-- Success --> Log and continue
  |
  v
[Verify backup repository capacity]
  |-- >85% utilization --> Alert for capacity planning
  |-- >95% utilization --> Critical alert, backup jobs at risk
  |
  v
[Check immutable copy synchronization]
  |-- Verify last immutable copy is within RPO window
  |-- Alert if immutable copy is stale
  |
  v
[Generate weekly backup health report]
  |-- Success rate percentage
  |-- Data protected volume
  |-- Restore test results
  |-- Capacity forecast
  |
  v
End
```
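The daily check and the weekly report are pure triage logic over whatever the backup platform's API returns, so they can be written and tested without the platform. The block below is an added example, not the skill's or any vendor's code: it uses a constructed day of job records in a generic shape (the `status`/`protected_bytes` field names are assumptions, not a real API's schema), applies the P1/P3, 85%/95% and RPO-staleness rules from the workflow, and produces the weekly figures including a least-squares capacity forecast.

```python
from datetime import datetime, timedelta


# Constructed sample of one day's job status (field names are assumed, not a vendor schema)
JOBS = [
    {"job": "tier1-sql-01",   "status": "Success", "protected_bytes": 800_000_000_000},
    {"job": "tier1-dc-01",    "status": "Success", "protected_bytes": 120_000_000_000},
    {"job": "tier1-erp-app",  "status": "Failed",  "protected_bytes": 0},
    {"job": "tier2-file-srv", "status": "Warning", "protected_bytes": 2_500_000_000_000},
    {"job": "tier3-wiki",     "status": "Success", "protected_bytes": 40_000_000_000},
]
RESTORE_TESTS = [          # constructed results of the week's automated restore tests
    {"vm": "sql-01", "passed": True},
    {"vm": "dc-01", "passed": True},
    {"vm": "erp-app", "passed": False},
]
CAPACITY_SAMPLES = [(0, 70.0), (7, 73.0), (14, 76.0), (21, 79.0)]  # (day, utilization %)
NOW = datetime(2024, 6, 10, 6, 0)
RPO_TIER1 = timedelta(hours=24)
LAST_IMMUTABLE_COPY = NOW - timedelta(hours=30)   # constructed: already outside the RPO

TICKET_RULES = {
    "Failed":  ("P1", "alert backup team"),
    "Warning": ("P3", "investigate within 24h"),
}


def triage_jobs(jobs):
    """Turn failed/warning jobs into tickets; successes are only logged."""
    tickets = []
    for job in jobs:
        rule = TICKET_RULES.get(job["status"])
        if rule:
            tickets.append({"job": job["job"], "priority": rule[0], "action": rule[1]})
    return tickets


def capacity_alert(utilization_pct):
    """Repository capacity thresholds from the workflow."""
    if utilization_pct > 95:
        return "critical: backup jobs at risk"
    if utilization_pct > 85:
        return "warning: capacity planning required"
    return None


def immutable_copy_stale(last_immutable_copy, rpo, now):
    """True when the newest immutable copy is older than the RPO window."""
    return now - last_immutable_copy > rpo


def days_until_threshold(samples, threshold_pct):
    """Least-squares linear forecast of days (from the last sample) until utilization
    reaches threshold_pct. Returns None when usage is flat or falling."""
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    if sxx == 0 or sxy <= 0:
        return None
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    last_x = samples[-1][0]
    return max(0.0, (threshold_pct - intercept) / slope - last_x)


def weekly_report(jobs, restore_tests, capacity_samples):
    """The four figures the workflow puts in the weekly health report."""
    total = len(jobs)
    ok = sum(1 for j in jobs if j["status"] == "Success")
    return {
        "success_rate_pct": round(100 * ok / total, 1) if total else 0.0,
        "protected_tb": round(sum(j["protected_bytes"] for j in jobs) / 1e12, 2),
        "restore_tests_passed": sum(1 for t in restore_tests if t["passed"]),
        "restore_tests_total": len(restore_tests),
        "days_until_95pct": days_until_threshold(capacity_samples, 95),
    }


if __name__ == "__main__":
    print(triage_jobs(JOBS))
    print(capacity_alert(88), capacity_alert(97))
    print("immutable copy stale:", immutable_copy_stale(LAST_IMMUTABLE_COPY, RPO_TIER1, NOW))
    print(weekly_report(JOBS, RESTORE_TESTS, CAPACITY_SAMPLES))
```

On the constructed day this opens one P1 and one P3 ticket, flags the immutable copy as stale (30 h old against a 24 h RPO), and the weekly report shows a 60% success rate, 3.46 TB protected, two of three restore tests passing and roughly 37 days until the repository crosses 95% at the current growth rate. The forecast uses a fitted line rather than the last two samples so that a single noisy day does not swing the capacity plan.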