mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
# Ransomware Tabletop Exercise - API Reference

## Scenario Framework

### Phase Structure

Each phase contains:

| Field | Type | Description |
|-------|------|-------------|
| `phase` | string | Phase name: detection, containment, escalation, eradication, recovery |
| `inject` | string | Narrative scenario inject read to participants |
| `expected_actions` | list | Correct response actions for scoring |
| `time_pressure_minutes` | int | Simulated time window for decisions |

### Exercise Variants

- **standard** - Normal time pressure, full scenario
- **accelerated** - Half time windows, tests rapid decision-making

## Scoring Algorithm

```
phase_score = (correct_actions / expected_actions) * 100
overall_score = mean(all_phase_scores)
```

Rating thresholds:

- >= 90%: Excellent
- >= 70%: Good
- >= 50%: Needs Improvement
- < 50%: Critical Gaps

## Expected Actions by Phase

### Detection

- `isolate_host` - Quarantine affected endpoint
- `preserve_evidence` - Capture memory dump and disk image
- `notify_ir_lead` - Escalate to incident response lead

### Containment

- `network_segmentation` - Restrict lateral movement paths
- `disable_compromised_accounts` - Lock affected credentials
- `block_c2_domains` - Update firewall/proxy deny lists
- `preserve_shadow_copies` - Protect backup snapshots

### Escalation

- `notify_executive_team` - Brief C-suite leadership
- `engage_legal_counsel` - Activate legal response team
- `contact_law_enforcement` - Report to FBI IC3 or local CIRT
- `activate_crisis_comms` - Prepare stakeholder communications

### Eradication

- `remove_persistence` - Clean scheduled tasks, registry keys, WMI subscriptions
- `reset_all_credentials` - Reset passwords domain-wide
- `rebuild_compromised_hosts` - Reimage from gold images
- `reset_krbtgt_twice` - Invalidate all Kerberos tickets

### Recovery

- `restore_from_backup` - Use verified clean backup sets
- `validate_restored_systems` - Run integrity checks
- `monitor_for_reinfection` - Enhanced monitoring for 72+ hours
- `staged_network_reconnection` - Reconnect systems in phases

## After-Action Report Schema

```json
{
  "report": "ransomware_tabletop_aar",
  "evaluation": {
    "overall_score_pct": 78.5,
    "rating": "good",
    "phase_scores": [{"phase": "detection", "score_pct": 66.7}]
  },
  "recommendations": [{"phase": "detection", "gap": "Missed: preserve_evidence"}]
}
```
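The following is an added worked example of the scoring algorithm and the after-action report schema described above; it is not the project's `agent.py`. It uses the phase names and expected actions listed on this page, but the participant responses are constructed sample data, and the lowercase rating labels (`needs_improvement`, `critical_gaps`) and the handling of unknown actions (they are ignored rather than penalised) are assumptions of this example.

```python
"""Score a ransomware tabletop exercise and emit an after-action report.

Added example, not the project's own code. Expected actions per phase are
taken from this reference page; the sample responses are constructed.
"""
import json
from statistics import mean

# Expected actions by phase, in the phase order given on the page.
EXPECTED_ACTIONS = {
    "detection": ["isolate_host", "preserve_evidence", "notify_ir_lead"],
    "containment": ["network_segmentation", "disable_compromised_accounts",
                    "block_c2_domains", "preserve_shadow_copies"],
    "escalation": ["notify_executive_team", "engage_legal_counsel",
                   "contact_law_enforcement", "activate_crisis_comms"],
    "eradication": ["remove_persistence", "reset_all_credentials",
                    "rebuild_compromised_hosts", "reset_krbtgt_twice"],
    "recovery": ["restore_from_backup", "validate_restored_systems",
                 "monitor_for_reinfection", "staged_network_reconnection"],
}

# Rating thresholds from the page; label spelling is an assumption.
RATING_THRESHOLDS = [(90.0, "excellent"), (70.0, "good"), (50.0, "needs_improvement")]


def rate(score_pct):
    """Map an overall score to the page's rating bands (< 50 is critical_gaps)."""
    for threshold, label in RATING_THRESHOLDS:
        if score_pct >= threshold:
            return label
    return "critical_gaps"


def score_phase(phase, responses):
    """phase_score = (correct_actions / expected_actions) * 100.

    Returns (score_pct rounded to one decimal, list of missed actions).
    Actions not in the expected list are ignored; they neither count nor penalise.
    """
    expected = EXPECTED_ACTIONS[phase]
    taken = set(responses)
    correct = [a for a in expected if a in taken]
    missed = [a for a in expected if a not in taken]
    return round(len(correct) / len(expected) * 100, 1), missed


def evaluate(responses_by_phase):
    """Build the after-action report dict in the schema shown on this page."""
    phase_scores = []
    recommendations = []
    for phase in EXPECTED_ACTIONS:
        # A phase with no recorded responses scores 0 and lists every action as a gap.
        score_pct, missed = score_phase(phase, responses_by_phase.get(phase, []))
        phase_scores.append({"phase": phase, "score_pct": score_pct})
        recommendations.extend({"phase": phase, "gap": f"Missed: {a}"} for a in missed)
    # overall_score = mean(all_phase_scores)
    overall = round(mean(p["score_pct"] for p in phase_scores), 1)
    return {
        "report": "ransomware_tabletop_aar",
        "evaluation": {
            "overall_score_pct": overall,
            "rating": rate(overall),
            "phase_scores": phase_scores,
        },
        "recommendations": recommendations,
    }


# Constructed sample responses for one exercise run. "run_antivirus_scan" is a
# made-up action to show that unknown actions are ignored by the scorer.
SAMPLE_RESPONSES = {
    "detection": ["isolate_host", "notify_ir_lead", "run_antivirus_scan"],
    "containment": ["network_segmentation", "disable_compromised_accounts",
                    "block_c2_domains", "preserve_shadow_copies"],
    "escalation": ["notify_executive_team", "engage_legal_counsel",
                   "activate_crisis_comms"],
    "eradication": ["remove_persistence", "reset_all_credentials",
                    "rebuild_compromised_hosts", "reset_krbtgt_twice"],
    "recovery": ["restore_from_backup", "validate_restored_systems"],
}

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_RESPONSES), indent=2))
```

Running the block prints an AAR for the constructed responses: detection scores 66.7 (the `preserve_evidence` gap from the schema example), escalation 75.0, recovery 50.0, and the overall mean of 78.3 lands in the "good" band. Because the page's formula only counts expected actions found in the response set, a team that performs extra, unlisted actions is neither rewarded nor penalised for them.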

## CLI Usage

```bash
python agent.py --mode demo --output aar.json
python agent.py --mode generate --variant accelerated --output scenario.json
python agent.py --mode score --responses-file responses.json --output aar.json
```