Anthropic-Cybersecurity-Skills/skills/performing-ransomware-tabletop-exercise/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00
Ransomware Tabletop Exercise - API Reference

Scenario Framework

Phase Structure

Each phase contains:

| Field | Type | Description |
|---|---|---|
| phase | string | Phase name: detection, containment, escalation, eradication, recovery |
| inject | string | Narrative scenario inject read to participants |
| expected_actions | list | Correct response actions for scoring |
| time_pressure_minutes | int | Simulated time window for decisions |

Exercise Variants

  • standard - Normal time pressure, full scenario
  • accelerated - Half time windows, tests rapid decision-making

Scoring Algorithm

phase_score = (correct_actions / expected_actions) * 100
overall_score = mean(all_phase_scores)

Rating thresholds:

  • >= 90%: Excellent
  • >= 70%: Good
  • >= 50%: Needs Improvement
  • < 50%: Critical Gaps

Expected Actions by Phase

Detection

  • isolate_host - Quarantine affected endpoint
  • preserve_evidence - Capture memory dump and disk image
  • notify_ir_lead - Escalate to incident response lead

Containment

  • network_segmentation - Restrict lateral movement paths
  • disable_compromised_accounts - Lock affected credentials
  • block_c2_domains - Update firewall/proxy deny lists
  • preserve_shadow_copies - Protect backup snapshots

Escalation

  • notify_executive_team - Brief C-suite leadership
  • engage_legal_counsel - Activate legal response team
  • contact_law_enforcement - Report to FBI IC3 or local CIRT
  • activate_crisis_comms - Prepare stakeholder communications

Eradication

  • remove_persistence - Clean scheduled tasks, registry keys, WMI subscriptions
  • reset_all_credentials - Reset passwords domain-wide
  • rebuild_compromised_hosts - Reimage from gold images
  • reset_krbtgt_twice - Invalidate all Kerberos tickets

Recovery

  • restore_from_backup - Use verified clean backup sets
  • validate_restored_systems - Run integrity checks
  • monitor_for_reinfection - Enhanced monitoring for 72+ hours
  • staged_network_reconnection - Reconnect systems in phases

After-Action Report Schema

{
  "report": "ransomware_tabletop_aar",
  "evaluation": {
    "overall_score_pct": 78.5,
    "rating": "good",
    "phase_scores": [{"phase": "detection", "score_pct": 66.7}]
  },
  "recommendations": [{"phase": "detection", "gap": "Missed: preserve_evidence"}]
}
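The scoring algorithm, the per-phase expected actions and the after-action report schema above fit together in one small scorer. The block below is an added example, not the project's own scripts/agent.py: it scores constructed participant responses, applies the rating thresholds, and emits a dict in the AAR schema. Assumptions beyond the page: the lower rating labels are written as "needs_improvement" and "critical_gaps" (the schema only shows "good"), unlisted or duplicate actions earn no credit, and `time_window_minutes` rounds the accelerated variant's halved window down to a whole minute.

```python
"""Ransomware tabletop scorer (added example, not the project's agent.py)."""
import json
from statistics import mean

# Expected actions per phase, exactly as listed in this reference, in run order.
EXPECTED_ACTIONS = {
    "detection": ["isolate_host", "preserve_evidence", "notify_ir_lead"],
    "containment": ["network_segmentation", "disable_compromised_accounts",
                    "block_c2_domains", "preserve_shadow_copies"],
    "escalation": ["notify_executive_team", "engage_legal_counsel",
                   "contact_law_enforcement", "activate_crisis_comms"],
    "eradication": ["remove_persistence", "reset_all_credentials",
                    "rebuild_compromised_hosts", "reset_krbtgt_twice"],
    "recovery": ["restore_from_backup", "validate_restored_systems",
                 "monitor_for_reinfection", "staged_network_reconnection"],
}

# Rating thresholds from the reference, checked from highest to lowest.
# Labels for the two lower tiers are an assumption (schema only shows "good").
RATING_THRESHOLDS = [(90.0, "excellent"), (70.0, "good"), (50.0, "needs_improvement")]


def time_window_minutes(base_minutes, variant="standard"):
    """Apply the exercise variant: accelerated halves every time window."""
    if variant == "standard":
        return base_minutes
    if variant == "accelerated":
        return base_minutes // 2  # assumption: whole minutes, rounded down
    raise ValueError(f"unknown variant: {variant}")


def phase_score(phase, responses):
    """phase_score = (correct_actions / expected_actions) * 100.

    Only listed actions earn credit, and each counts once, so padding a
    response list with extras or repeats cannot inflate the score.
    """
    expected = EXPECTED_ACTIONS[phase]
    correct = set(responses) & set(expected)
    return len(correct) / len(expected) * 100


def rating(overall_pct):
    """Map the overall percentage onto the rating thresholds."""
    for threshold, label in RATING_THRESHOLDS:
        if overall_pct >= threshold:
            return label
    return "critical_gaps"


def build_aar(responses_by_phase):
    """Score every phase and return a dict in the after-action report schema."""
    raw_scores = []
    phase_scores = []
    recommendations = []
    for phase, expected in EXPECTED_ACTIONS.items():
        responses = responses_by_phase.get(phase, [])  # a skipped phase scores 0
        score = phase_score(phase, responses)
        raw_scores.append(score)
        phase_scores.append({"phase": phase, "score_pct": round(score, 1)})
        # Every expected action that was not taken becomes a recommendation.
        for action in expected:
            if action not in responses:
                recommendations.append({"phase": phase, "gap": f"Missed: {action}"})
    overall = mean(raw_scores)  # overall_score = mean(all_phase_scores)
    return {
        "report": "ransomware_tabletop_aar",
        "evaluation": {
            "overall_score_pct": round(overall, 1),
            "rating": rating(overall),
            "phase_scores": phase_scores,
        },
        "recommendations": recommendations,
    }


# Constructed sample responses: detection misses preserve_evidence and
# includes an unlisted action; three later phases each miss one action.
SAMPLE_RESPONSES = {
    "detection": ["isolate_host", "notify_ir_lead", "call_vendor"],
    "containment": ["network_segmentation", "disable_compromised_accounts",
                    "block_c2_domains", "preserve_shadow_copies"],
    "escalation": ["notify_executive_team", "engage_legal_counsel",
                   "activate_crisis_comms"],
    "eradication": ["remove_persistence", "reset_all_credentials",
                    "rebuild_compromised_hosts"],
    "recovery": ["restore_from_backup", "validate_restored_systems",
                 "staged_network_reconnection"],
}

if __name__ == "__main__":
    print(json.dumps(build_aar(SAMPLE_RESPONSES), indent=2))
```

Run stand-alone, it prints an AAR for the sample responses: detection scores 66.7 (two of three actions), the overall lands at 78.3, the rating is "good", and the recommendations list names the four missed actions, matching the shape of the schema above.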

CLI Usage

python agent.py --mode demo --output aar.json
python agent.py --mode generate --variant accelerated --output scenario.json
python agent.py --mode score --responses-file responses.json --output aar.json