mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-12 06:04:56 +03:00
# Workflows - Ransomware Tabletop Exercise

## Workflow 1: Exercise Planning (4-6 weeks before)

```
Start
  |
  v
[Define exercise objectives] --> What gaps are we testing?
  |
  v
[Select scenario type]
  |-- Double extortion (data theft + encryption)
  |-- Supply chain ransomware (vendor compromise)
  |-- Cloud ransomware (SaaS/IaaS targeted)
  |-- Critical infrastructure disruption
  |
  v
[Choose threat actor model] --> LockBit / ALPHV / Cl0p / Rhysida
  |
  v
[Identify participants]
  |-- Executive leadership (CEO, CFO, COO)
  |-- IT/Security (CISO, SOC, IR team)
  |-- Legal (General Counsel, external counsel)
  |-- Communications (PR, media relations)
  |-- Operations (business unit leaders)
  |-- HR (employee communications)
  |-- External partners (IR firm, insurance)
  |
  v
[Develop scenario with 4 phases and injects]
  |
  v
[Prepare materials: SITREPs, inject cards, evaluation scorecard]
  |
  v
[Schedule 3-4 hour block, distribute pre-reading]
  |
  v
End
```

## Workflow 2: Exercise Execution

```
Exercise Start
  |
  v
[Facilitator opening brief] (10 min)
  |-- Ground rules, objectives, scope
  |-- "This is discussion-based, no wrong answers"
  |
  v
[Phase 1: Initial Detection] (30 min)
  |-- Distribute SITREP 1
  |-- Discussion: Who, what, when, initial actions
  |-- Inject: Additional information changes situation
  |-- Document decisions on worksheet
  |
  v
[Phase 2: Escalation] (30 min)
  |-- Distribute SITREP 2
  |-- Discussion: Scope of impact, containment actions
  |-- Inject: Double extortion element introduced
  |-- Document decisions
  |
  v
[Break] (10 min)
  |
  v
[Phase 3: Critical Decision Points] (45 min)
  |-- Distribute SITREP 3
  |-- Discussion: Ransom payment, law enforcement, notification
  |-- Inject: Public pressure from media/customers
  |-- Document decisions with rationale
  |
  v
[Phase 4: Recovery and Communication] (45 min)
  |-- Distribute SITREP 4
  |-- Discussion: Recovery priority, timeline, customer comms
  |-- Inject: Recovery complication (infected backup, key system fails)
  |-- Document decisions
  |
  v
[Hot wash / Debrief] (20 min)
  |-- Each functional area shares top insight
  |-- Facilitator highlights key observations
  |-- Immediate gap identification
  |
  v
Exercise End
```

## Workflow 3: After-Action Report Development

```
Exercise Complete
  |
  v
[Collect all documentation within 24 hours]
  |-- Decision worksheets
  |-- Facilitator notes
  |-- Evaluation scorecards
  |-- Observer notes (if separate observers present)
  |
  v
[Score each evaluation area (1-5)]
  |
  v
[Identify strengths (what worked well)]
  |
  v
[Identify gaps with severity rating]
  |-- Critical: Would prevent effective response
  |-- High: Would significantly delay/complicate response
  |-- Medium: Would reduce response quality
  |-- Low: Minor improvement opportunity
  |
  v
[Develop remediation actions]
  |-- Each gap gets: action, owner, deadline, priority
  |-- Must be specific and measurable
  |
  v
[Draft AAR within 5 business days]
  |
  v
[Review AAR with exercise sponsor]
  |
  v
[Distribute AAR to participants]
  |
  v
[Track remediation actions quarterly]
  |
  v
End
```
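The scoring, gap-rating and tracking steps of Workflow 3, as an added Python example that is not part of the Anthropic-Cybersecurity-Skills repository: it averages the 1-5 scorecards per evaluation area, maps each mean to the severity scale above, and flags open remediation actions past their deadline for the quarterly tracking step. The score-to-severity thresholds, the record field names and the sample scorecards are assumptions.

```python
from datetime import date
from statistics import mean

# Severity scale from Workflow 3, most to least severe.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")

def score_areas(scorecards):
    """Average each evaluation area's 1-5 score across all scorecards."""
    areas = sorted({a for card in scorecards for a in card})
    means = {}
    for area in areas:
        scores = [card[area] for card in scorecards if area in card]
        if any(not 1 <= s <= 5 for s in scores):
            raise ValueError(f"score outside 1-5 for {area}")
        means[area] = round(mean(scores), 2)
    return means

def severity_for(score):
    """Assumed mapping of a mean score to the page's severity scale;
    4.0 or above is a strength and yields no gap."""
    if score >= 4.0:
        return None
    if score >= 3.0:
        return "Low"
    if score >= 2.0:
        return "Medium"
    return "High" if score > 1.0 else "Critical"

def gap_register(scorecards):
    """Strengths plus gaps ordered most severe (then lowest score) first."""
    means = score_areas(scorecards)
    strengths = [a for a, s in means.items() if severity_for(s) is None]
    gaps = [(a, s, severity_for(s)) for a, s in means.items() if severity_for(s)]
    gaps.sort(key=lambda g: (SEVERITY_ORDER.index(g[2]), g[1]))
    return strengths, gaps

def overdue(actions, today_iso):
    """Quarterly tracking: open actions whose deadline (ISO date) has passed."""
    today = date.fromisoformat(today_iso)
    return [a["action"] for a in actions if a.get("status") != "closed"
            and date.fromisoformat(a["deadline"]) < today]

# Constructed sample scorecards from a fictional exercise (three evaluators).
SAMPLE_SCORECARDS = [
    {"Detection": 4, "Containment": 3, "Ransom decision": 2, "Backups": 1},
    {"Detection": 5, "Containment": 3, "Ransom decision": 1, "Backups": 1},
    {"Detection": 4, "Containment": 4, "Ransom decision": 2, "Backups": 1},
]
```

Running `gap_register(SAMPLE_SCORECARDS)` on the sample yields Detection as the single strength and Backups (Critical), Ransom decision (High) and Containment (Low) as gaps.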