Anthropic-Cybersecurity-Skills/skills/testing-ransomware-recovery-procedures/references/api-reference.md

# API Reference: Testing Ransomware Recovery Procedures

## CLI Usage

```bash
# Generate hash manifest for a directory (pre-backup baseline)
python agent.py --hash-dir /data/critical-app -o manifest_baseline.json

# Compare original manifest against restored data
python agent.py --compare manifest_baseline.json manifest_restored.json

# Check if a service is running after restore
python agent.py --check-service postgresql

# Check database connectivity after restore
python agent.py --check-db postgresql:localhost:5432

# Run full recovery drill from config
python agent.py --config drill_config.json -o recovery_report.json
```

## Drill Configuration Format

```json
{
  "systems": [
    {
      "name": "core-database",
      "tier": 1,
      "rto_target_seconds": 3600,
      "rpo_target_seconds": 900,
      "backup_timestamp_epoch": 1711000000,
      "restore_directory": "/restored/core-db",
      "manifest_file": "/manifests/core-db-baseline.json",
      "services": ["postgresql"],
      "database": {
        "type": "postgresql",
        "host": "localhost",
        "port": 5432
      }
    },
    {
      "name": "web-application",
      "tier": 2,
      "rto_target_seconds": 14400,
      "rpo_target_seconds": 3600,
      "restore_directory": "/restored/webapp",
      "services": ["nginx", "gunicorn"]
    }
  ]
}
```

## Recovery Phases Tracked

| Phase | Timestamp Key | Description |
|-------|--------------|-------------|
| Incident Declaration | `incident_declared` | Simulated ransomware detection time |
| Backup Identification | `backup_identified` | Clean restore point located |
| Restore Initiated | `restore_initiated` | Backup restore process started |
| Restore Completed | `restore_completed` | Data fully written to target |
| Service Restored | `service_restored` | Application validated and operational |

## RTO/RPO Calculation

```
Actual RTO = service_restored - incident_declared
Actual RPO = incident_declared - backup_timestamp

RTO Met = Actual RTO <= RTO Target
RPO Met = Actual RPO <= RPO Target
```

## Tier Definitions

| Tier | RTO Range | RPO Range | System Classification |
|------|-----------|-----------|----------------------|
| 1 | < 1 hour | < 15 min | Mission-critical (AD, core DB) |
| 2 | < 4 hours | < 1 hour | Business-critical (ERP, email) |
| 3 | < 24 hours | < 4 hours | Business-operational (file shares) |
| 4 | < 72 hours | < 24 hours | Non-critical (dev/test, analytics) |

## Hash Manifest Format

```json
{
  "config/app.yaml": "a3f2b8c9d1e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0",
  "data/users.db": "1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "bin/server": "PERMISSION_DENIED"
}
```

## Validation Checks

| Check | Description | Pass Criteria |
|-------|-------------|---------------|
| file_count | Files present in restored directory | count > 0 |
| integrity_check | Hash comparison vs baseline manifest | No missing or modified files |
| service_* | System service running post-restore | Service status is RUNNING/active |
| database_connectivity | Database port reachable | TCP connection succeeds |

## Report Output Schema

```json
{
  "report_date": "2026-03-19T12:00:00+00:00",
  "drill_type": "ransomware_recovery_validation",
  "systems_tested": 2,
  "systems_meeting_rto": 2,
  "systems_meeting_rpo": 1,
  "overall_pass": false,
  "results": [
    {
      "system_name": "core-database",
      "tier": 1,
      "rto_target_seconds": 3600,
      "actual_rto_seconds": 2400.5,
      "rto_met": true,
      "rpo_met": true,
      "validations": {},
      "errors": []
    }
  ]
}
```

## References

- NIST SP 800-184: Guide for Cybersecurity Event Recovery
- NIST SP 800-34 Rev 1: Contingency Planning Guide
- CISA Ransomware Guide: https://www.cisa.gov/stopransomware
- Veeam Recovery Best Practices: https://www.veeam.com/blog/recovery-time-recovery-point-objectives.html