creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-11 05:34:55 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/implementing-ransomware-backup-strategy/scripts/process.py
T

583 lines
22 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""
Ransomware Backup Strategy Assessment and Monitoring Tool
Audits backup infrastructure for ransomware resilience by checking:
- 3-2-1-1-0 compliance (copies, media types, offsite, immutable, restore testing)
- Backup credential isolation from production AD
- Immutable storage configuration
- Restore test history and success rates
- RPO/RTO compliance per tier
Supports Veeam, AWS Backup, and Azure Backup via API integration.
"""
import json
import subprocess
import sys
import os
import socket
import ssl
import datetime
from dataclasses import dataclass, field, asdict
from typing import Optional
from pathlib import Path
@dataclass
class BackupCopy:
location: str
media_type: str
is_offsite: bool
is_immutable: bool
is_airgapped: bool
retention_days: int
last_successful: Optional[str] = None
encryption_algorithm: Optional[str] = None
@dataclass
class RecoveryTier:
name: str
tier_level: int
systems: list
rpo_hours: float
rto_hours: float
backup_frequency: str
restore_test_frequency: str
last_restore_test: Optional[str] = None
last_restore_result: Optional[str] = None
@dataclass
class BackupAssessment:
organization: str
assessment_date: str
backup_solution: str
copies: list = field(default_factory=list)
tiers: list = field(default_factory=list)
credential_isolation: dict = field(default_factory=dict)
findings: list = field(default_factory=list)
score: float = 0.0
class BackupStrategyAuditor:
"""Audits backup infrastructure for ransomware resilience."""
def __init__(self, org_name: str, backup_solution: str):
self.assessment = BackupAssessment(
organization=org_name,
assessment_date=datetime.datetime.now().strftime("%Y-%m-%d"),
backup_solution=backup_solution,
)
self.max_score = 0
self.earned_score = 0
def add_backup_copy(self, copy: BackupCopy):
self.assessment.copies.append(copy)
def add_recovery_tier(self, tier: RecoveryTier):
self.assessment.tiers.append(tier)
def set_credential_isolation(
self,
domain_joined: bool,
mfa_enabled: bool,
separate_network: bool,
rdp_disabled: bool,
dedicated_admin_accounts: bool,
):
self.assessment.credential_isolation = {
"domain_joined": domain_joined,
"mfa_enabled": mfa_enabled,
"separate_network": separate_network,
"rdp_disabled": rdp_disabled,
"dedicated_admin_accounts": dedicated_admin_accounts,
}
def _add_finding(self, severity: str, category: str, title: str, detail: str, recommendation: str):
self.assessment.findings.append({
"severity": severity,
"category": category,
"title": title,
"detail": detail,
"recommendation": recommendation,
})
def audit_321_10_compliance(self):
"""Check compliance with the 3-2-1-1-0 backup rule."""
copies = self.assessment.copies
# 3 - At least 3 copies
self.max_score += 20
if len(copies) >= 3:
self.earned_score += 20
else:
self._add_finding(
"CRITICAL", "3-2-1-1-0",
f"Insufficient backup copies: {len(copies)} of 3 required",
f"Only {len(copies)} backup copies configured. Minimum 3 required.",
"Add additional backup copies to meet 3-2-1-1-0 minimum.",
)
# 2 - At least 2 different media types
self.max_score += 15
media_types = set(c.media_type for c in copies)
if len(media_types) >= 2:
self.earned_score += 15
else:
self._add_finding(
"HIGH", "3-2-1-1-0",
f"Insufficient media diversity: {len(media_types)} type(s)",
f"All backups use {media_types}. Need at least 2 different media types.",
"Add backup copy on different media (e.g., tape, cloud object storage, SAN).",
)
# 1 - At least 1 offsite copy
self.max_score += 15
offsite_copies = [c for c in copies if c.is_offsite]
if offsite_copies:
self.earned_score += 15
else:
self._add_finding(
"CRITICAL", "3-2-1-1-0",
"No offsite backup copy",
"All backup copies are stored on-premises. A site-level disaster would destroy all copies.",
"Configure at least one offsite backup copy (cloud, remote site, or tape vaulting).",
)
# 1 - At least 1 immutable or air-gapped copy
self.max_score += 25
immutable_copies = [c for c in copies if c.is_immutable or c.is_airgapped]
if immutable_copies:
self.earned_score += 25
else:
self._add_finding(
"CRITICAL", "3-2-1-1-0",
"No immutable or air-gapped backup copy",
"No backup copies are protected against modification or deletion. "
"Ransomware operators routinely delete accessible backups.",
"Deploy immutable storage (S3 Object Lock, Hardened Linux Repository) "
"or air-gapped backup (tape with physical separation).",
)
# 0 - Restore testing with zero errors
self.max_score += 25
if self.assessment.tiers:
tested_tiers = [t for t in self.assessment.tiers if t.last_restore_result == "Success"]
all_tiers = len(self.assessment.tiers)
if len(tested_tiers) == all_tiers:
self.earned_score += 25
elif tested_tiers:
partial_score = int(25 * len(tested_tiers) / all_tiers)
self.earned_score += partial_score
self._add_finding(
"HIGH", "3-2-1-1-0",
f"Incomplete restore testing: {len(tested_tiers)}/{all_tiers} tiers verified",
f"Only {len(tested_tiers)} of {all_tiers} recovery tiers have successful restore tests.",
"Implement automated restore testing (SureBackup) for all tiers.",
)
else:
self._add_finding(
"CRITICAL", "3-2-1-1-0",
"No successful restore tests recorded",
"No recovery tiers have documented successful restore verification.",
"Implement automated restore testing immediately. Untested backups "
"should be considered unreliable.",
)
def audit_credential_isolation(self):
"""Check backup credential isolation from production AD."""
creds = self.assessment.credential_isolation
if not creds:
self._add_finding(
"CRITICAL", "Credential Isolation",
"Credential isolation not assessed",
"No information provided about backup credential isolation.",
"Assess backup admin account configuration and network isolation.",
)
return
self.max_score += 10
if not creds.get("domain_joined", True):
self.earned_score += 10
else:
self._add_finding(
"CRITICAL", "Credential Isolation",
"Backup servers joined to production AD domain",
"Backup infrastructure is domain-joined. Ransomware operators compromise "
"backup credentials via Kerberoasting, DCSync, or GPO manipulation.",
"Remove backup servers from production AD. Use local accounts or a "
"dedicated management domain.",
)
self.max_score += 5
if creds.get("mfa_enabled", False):
self.earned_score += 5
else:
self._add_finding(
"HIGH", "Credential Isolation",
"MFA not enabled for backup administration",
"Backup admin accounts do not require multi-factor authentication.",
"Enable MFA for all backup console access using hardware tokens.",
)
self.max_score += 5
if creds.get("separate_network", False):
self.earned_score += 5
else:
self._add_finding(
"HIGH", "Credential Isolation",
"Backup infrastructure not on separate network segment",
"Backup servers share the production network segment.",
"Segment backup infrastructure into a dedicated VLAN with strict firewall rules.",
)
self.max_score += 3
if creds.get("rdp_disabled", False):
self.earned_score += 3
else:
self._add_finding(
"MEDIUM", "Credential Isolation",
"RDP enabled on backup servers",
"Remote Desktop Protocol is accessible on backup servers.",
"Disable RDP and use out-of-band management (iLO/iDRAC) for emergency access.",
)
self.max_score += 2
if creds.get("dedicated_admin_accounts", False):
self.earned_score += 2
else:
self._add_finding(
"HIGH", "Credential Isolation",
"No dedicated backup admin accounts",
"Backup administration uses shared or production admin accounts.",
"Create dedicated backup admin accounts with least-privilege access.",
)
def audit_rpo_rto_compliance(self):
"""Check if backup frequency meets RPO targets and document RTO validation."""
for tier in self.assessment.tiers:
self.max_score += 5
# Check if restore test is recent enough
if tier.last_restore_test:
try:
last_test = datetime.datetime.strptime(tier.last_restore_test, "%Y-%m-%d")
days_since_test = (datetime.datetime.now() - last_test).days
frequency_map = {
"weekly": 7,
"monthly": 30,
"quarterly": 90,
}
expected_days = frequency_map.get(tier.restore_test_frequency.lower(), 30)
if days_since_test <= expected_days * 1.5:
self.earned_score += 5
else:
self._add_finding(
"HIGH", "RPO/RTO",
f"Tier {tier.tier_level} ({tier.name}): Restore test overdue",
f"Last test was {days_since_test} days ago. "
f"Expected frequency: {tier.restore_test_frequency}.",
f"Run restore test for {tier.name} tier immediately.",
)
except ValueError:
self._add_finding(
"MEDIUM", "RPO/RTO",
f"Tier {tier.tier_level}: Invalid restore test date format",
f"Date '{tier.last_restore_test}' could not be parsed.",
"Use YYYY-MM-DD format for restore test dates.",
)
else:
self._add_finding(
"CRITICAL", "RPO/RTO",
f"Tier {tier.tier_level} ({tier.name}): No restore test recorded",
"No restore test has been documented for this recovery tier.",
f"Implement {tier.restore_test_frequency} automated restore testing.",
)
def audit_encryption(self):
"""Check backup encryption configuration."""
for copy in self.assessment.copies:
self.max_score += 3
if copy.encryption_algorithm:
if copy.encryption_algorithm.upper() in ("AES-256", "AES256", "AES-256-GCM"):
self.earned_score += 3
else:
self._add_finding(
"MEDIUM", "Encryption",
f"Weak backup encryption: {copy.encryption_algorithm}",
f"Backup copy at {copy.location} uses {copy.encryption_algorithm}.",
"Upgrade to AES-256 encryption for all backup copies.",
)
else:
self._add_finding(
"HIGH", "Encryption",
f"Unencrypted backup: {copy.location}",
f"Backup copy at {copy.location} is not encrypted.",
"Enable AES-256 encryption for all backup copies, both at rest and in transit.",
)
def audit_immutable_retention(self):
"""Check immutable retention period against typical ransomware dwell time."""
avg_dwell_time_days = 21 # Average ransomware dwell time
for copy in self.assessment.copies:
if copy.is_immutable:
self.max_score += 5
if copy.retention_days > avg_dwell_time_days:
self.earned_score += 5
else:
self._add_finding(
"CRITICAL", "Immutable Retention",
f"Immutable retention too short: {copy.retention_days} days",
f"Immutable retention at {copy.location} is {copy.retention_days} days. "
f"Average ransomware dwell time is {avg_dwell_time_days} days. "
"Attackers may wait for immutability to expire.",
f"Increase immutable retention to at least {avg_dwell_time_days * 2} days.",
)
def run_full_audit(self) -> dict:
"""Execute all audit checks and calculate overall score."""
self.audit_321_10_compliance()
self.audit_credential_isolation()
self.audit_rpo_rto_compliance()
self.audit_encryption()
self.audit_immutable_retention()
if self.max_score > 0:
self.assessment.score = round((self.earned_score / self.max_score) * 100, 1)
return asdict(self.assessment)
def generate_report(self) -> str:
"""Generate human-readable assessment report."""
result = self.run_full_audit()
lines = []
lines.append("=" * 70)
lines.append("RANSOMWARE BACKUP STRATEGY ASSESSMENT REPORT")
lines.append("=" * 70)
lines.append(f"Organization: {result['organization']}")
lines.append(f"Date: {result['assessment_date']}")
lines.append(f"Backup Solution: {result['backup_solution']}")
lines.append(f"Overall Score: {result['score']}%")
lines.append("")
# Score interpretation
score = result["score"]
if score >= 90:
rating = "EXCELLENT - Ransomware-resilient backup architecture"
elif score >= 75:
rating = "GOOD - Minor gaps in ransomware resilience"
elif score >= 50:
rating = "FAIR - Significant gaps require remediation"
else:
rating = "POOR - Critical ransomware backup risks present"
lines.append(f"Rating: {rating}")
lines.append("")
# 3-2-1-1-0 Summary
lines.append("-" * 40)
lines.append("3-2-1-1-0 COMPLIANCE")
lines.append("-" * 40)
copies = result["copies"]
lines.append(f"Total copies: {len(copies)} (minimum 3)")
media_types = set(c["media_type"] for c in copies)
lines.append(f"Media types: {', '.join(media_types)} ({len(media_types)} types, minimum 2)")
offsite = sum(1 for c in copies if c["is_offsite"])
lines.append(f"Offsite copies: {offsite} (minimum 1)")
immutable = sum(1 for c in copies if c["is_immutable"] or c["is_airgapped"])
lines.append(f"Immutable/Air-gapped copies: {immutable} (minimum 1)")
lines.append("")
# Recovery Tiers
lines.append("-" * 40)
lines.append("RECOVERY TIERS")
lines.append("-" * 40)
for tier in result["tiers"]:
lines.append(f" Tier {tier['tier_level']}: {tier['name']}")
lines.append(f" Systems: {len(tier['systems'])}")
lines.append(f" RPO: {tier['rpo_hours']}h | RTO: {tier['rto_hours']}h")
lines.append(f" Backup: {tier['backup_frequency']}")
lines.append(f" Restore test: {tier['restore_test_frequency']} "
f"(Last: {tier['last_restore_test'] or 'Never'}, "
f"Result: {tier['last_restore_result'] or 'N/A'})")
lines.append("")
# Credential Isolation
lines.append("-" * 40)
lines.append("CREDENTIAL ISOLATION")
lines.append("-" * 40)
creds = result["credential_isolation"]
for key, val in creds.items():
status = "PASS" if (val if key != "domain_joined" else not val) else "FAIL"
lines.append(f" {key}: {'Yes' if val else 'No'} [{status}]")
lines.append("")
# Findings
lines.append("-" * 40)
lines.append(f"FINDINGS ({len(result['findings'])} total)")
lines.append("-" * 40)
severity_order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4}
sorted_findings = sorted(result["findings"], key=lambda f: severity_order.get(f["severity"], 5))
for i, finding in enumerate(sorted_findings, 1):
lines.append(f"\n [{finding['severity']}] #{i}: {finding['title']}")
lines.append(f" Category: {finding['category']}")
lines.append(f" Detail: {finding['detail']}")
lines.append(f" Recommendation: {finding['recommendation']}")
lines.append("")
lines.append("=" * 70)
lines.append("END OF REPORT")
lines.append("=" * 70)
return "\n".join(lines)
def check_veeam_api(server: str, port: int = 9419) -> dict:
"""Check Veeam Backup & Replication API availability."""
result = {"reachable": False, "tls": False, "api_version": None}
try:
sock = socket.create_connection((server, port), timeout=5)
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
ssock = context.wrap_socket(sock, server_hostname=server)
result["reachable"] = True
result["tls"] = True
ssock.close()
except (socket.timeout, ConnectionRefusedError, OSError):
try:
sock = socket.create_connection((server, port), timeout=5)
result["reachable"] = True
sock.close()
except (socket.timeout, ConnectionRefusedError, OSError):
pass
return result
def check_s3_object_lock(bucket_name: str) -> dict:
"""Check AWS S3 bucket for Object Lock configuration."""
result = {"bucket": bucket_name, "object_lock_enabled": False, "retention_mode": None, "retention_days": None}
try:
output = subprocess.run(
["aws", "s3api", "get-object-lock-configuration", "--bucket", bucket_name],
capture_output=True, text=True, timeout=30,
)
if output.returncode == 0:
config = json.loads(output.stdout)
lock_config = config.get("ObjectLockConfiguration", {})
result["object_lock_enabled"] = lock_config.get("ObjectLockEnabled") == "Enabled"
rule = lock_config.get("Rule", {}).get("DefaultRetention", {})
result["retention_mode"] = rule.get("Mode")
result["retention_days"] = rule.get("Days")
except (subprocess.TimeoutExpired, FileNotFoundError, json.JSONDecodeError):
pass
return result
def main():
"""Run example backup strategy assessment."""
auditor = BackupStrategyAuditor(
org_name="Example Financial Services",
backup_solution="Veeam Backup & Replication 12",
)
# Define backup copies
auditor.add_backup_copy(BackupCopy(
location="On-premises NAS (Building A)",
media_type="NAS/NFS",
is_offsite=False,
is_immutable=False,
is_airgapped=False,
retention_days=14,
last_successful="2026-02-22",
encryption_algorithm="AES-256",
))
auditor.add_backup_copy(BackupCopy(
location="Veeam Hardened Linux Repository",
media_type="Linux/XFS",
is_offsite=False,
is_immutable=True,
is_airgapped=False,
retention_days=30,
last_successful="2026-02-22",
encryption_algorithm="AES-256",
))
auditor.add_backup_copy(BackupCopy(
location="AWS S3 (us-west-2) Object Lock",
media_type="Cloud Object Storage",
is_offsite=True,
is_immutable=True,
is_airgapped=False,
retention_days=60,
last_successful="2026-02-22",
encryption_algorithm="AES-256",
))
# Define recovery tiers
auditor.add_recovery_tier(RecoveryTier(
name="Critical",
tier_level=1,
systems=["DC01", "DC02", "DNS01", "ERP-DB", "CoreBanking"],
rpo_hours=1,
rto_hours=4,
backup_frequency="Hourly incremental, Daily full",
restore_test_frequency="weekly",
last_restore_test="2026-02-20",
last_restore_result="Success",
))
auditor.add_recovery_tier(RecoveryTier(
name="Important",
tier_level=2,
systems=["Exchange", "FileServer01", "WebApp01", "SharePoint"],
rpo_hours=4,
rto_hours=12,
backup_frequency="4-hour incremental, Daily full",
restore_test_frequency="monthly",
last_restore_test="2026-02-01",
last_restore_result="Success",
))
auditor.add_recovery_tier(RecoveryTier(
name="Standard",
tier_level=3,
systems=["DevServer01", "TestDB", "ArchiveNAS"],
rpo_hours=24,
rto_hours=48,
backup_frequency="Daily incremental, Weekly full",
restore_test_frequency="quarterly",
last_restore_test="2025-12-15",
last_restore_result="Success",
))
# Set credential isolation status
auditor.set_credential_isolation(
domain_joined=False,
mfa_enabled=True,
separate_network=True,
rdp_disabled=True,
dedicated_admin_accounts=True,
)
# Generate and print report
report = auditor.generate_report()
print(report)
# Export JSON for integration
result = auditor.run_full_audit()
output_path = Path(__file__).parent / "assessment_result.json"
with open(output_path, "w") as f:
json.dump(result, f, indent=2)
print(f"\nJSON report saved to: {output_path}")
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink