npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
When to Use
- An organization needs to create or update its ransomware incident response playbook following CISA guidelines
- A security team is conducting a ransomware readiness assessment against the CISA StopRansomware framework
- Compliance requires documenting ransomware response procedures aligned with NIST CSF and CISA recommendations
- During tabletop exercises to validate that the organization's ransomware response steps match industry best practices
- After a ransomware incident to update the playbook with lessons learned and close identified gaps
Do not use as a substitute for legal counsel regarding ransom payment decisions, breach notification timelines, or regulatory obligations specific to your jurisdiction.
Prerequisites
- Familiarity with the CISA StopRansomware Guide (cisa.gov/stopransomware/ransomware-guide)
- NIST Cybersecurity Framework (CSF) understanding (Identify, Protect, Detect, Respond, Recover)
- Inventory of critical assets, backup infrastructure, and communication channels
- Defined roles and responsibilities for incident response team members
- Python 3.8+ for playbook generation and compliance checking automation
- Access to organization's asset inventory and backup configuration documentation
Workflow
Step 1: Preparation Phase (CISA Part 1 - Prevention)
Establish ransomware-specific defenses before an incident:
CISA Preparation Checklist:
━━━━━━━━━━━━━━━━━━━━━━━━━━
[ ] Maintain offline, encrypted backups tested for restoration
[ ] Create and exercise a cyber incident response plan (IRP)
[ ] Implement network segmentation between IT and OT networks
[ ] Enable MFA on all remote access and privileged accounts
[ ] Deploy endpoint detection and response (EDR) on all endpoints
[ ] Disable or restrict RDP; require VPN for remote access
[ ] Maintain a software/hardware asset inventory
[ ] Apply patches within 48 hours for internet-facing systems
[ ] Configure email filtering and disable macro execution by default
[ ] Conduct regular phishing awareness training
[ ] Implement application allowlisting (AppLocker/WDAC)
[ ] Test backup restoration quarterly and document RTO/RPOStep 2: Detection and Analysis Phase
Identify ransomware indicators and assess scope:
Detection Indicators:
━━━━━━━━━━━━━━━━━━━━
- Mass file rename operations with new extensions (.locked, .encrypted)
- Ransom notes appearing in directories (README.txt, DECRYPT.html)
- Volume Shadow Copy deletion (vssadmin delete shadows)
- Abnormal CPU usage from encryption processes
- EDR/AV alerts for known ransomware signatures
- Network connections to known C2 infrastructure
- Unusual lateral movement via SMB or PsExec
- Sysmon Event ID 11 (file creation) spikes
Initial Analysis Steps (CISA):
1. Take system images and memory captures of affected devices
2. Identify patient zero and initial access vector
3. Determine the ransomware family (ID Ransomware, ransom note analysis)
4. Assess encryption scope: which systems, shares, and data are affected
5. Check if data exfiltration occurred (double extortion indicator)Step 3: Containment Phase
Stop the spread and preserve evidence:
Immediate Containment (First 1-4 hours):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Isolate affected systems from the network (disable NICs, VLAN quarantine)
2. If unable to disconnect, power down affected systems
3. Disable shared drives to prevent encryption spread
4. Reset credentials for compromised accounts (especially admin/service accounts)
5. Block known ransomware IOCs at firewall/proxy (C2 domains, IPs)
6. Preserve forensic evidence (memory dumps, disk images, logs)
7. Engage legal counsel and prepare breach notification if data exfiltrated
Extended Containment:
- Identify and patch the initial access vector (phishing, RDP, VPN vuln)
- Audit all Active Directory accounts for persistence (scheduled tasks, services)
- Check for backdoors or additional malware beyond the ransomware payloadStep 4: Eradication and Recovery Phase
Remove the threat and restore operations:
CISA Recovery Steps:
━━━━━━━━━━━━━━━━━━━
1. Rebuild affected systems from known-clean images (do NOT decrypt in place)
2. Restore data from offline backups (verify backup integrity first)
3. Reset ALL passwords including service accounts, krbtgt (twice, 12h apart)
4. Scan restored systems with updated AV/EDR before reconnecting to network
5. Re-enable services in priority order based on business criticality
6. Monitor restored systems intensively for 72 hours for reinfection
Recovery Priority Matrix:
P1 (0-4h): Domain controllers, DNS, authentication infrastructure
P2 (4-24h): Email, critical business applications, databases
P3 (1-3d): File servers, departmental applications
P4 (3-7d): Non-critical systems, development environmentsStep 5: Post-Incident Activity
Document lessons learned and improve defenses:
Post-Incident Report Template:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Executive summary: What happened, impact, resolution
2. Timeline: Detection to full recovery with timestamps
3. Root cause analysis: Initial access vector and propagation path
4. Scope: Number of systems, data volumes, business impact in hours/dollars
5. Response effectiveness: What worked, what failed, what was missing
6. Recommendations: Specific technical and procedural improvements
7. Compliance actions: Notification timeline, regulatory obligations met
8. Updated playbook: Revisions based on lessons learnedVerification
- Validate playbook completeness against CISA StopRansomware checklist items
- Conduct tabletop exercise using the playbook with all stakeholders
- Verify backup restoration procedures work within documented RTO targets
- Test communication plans including out-of-band channels
- Confirm legal and regulatory notification procedures are current
- Review and update the playbook at least annually or after any incident
Key Concepts
| Term | Definition |
|---|---|
| CISA StopRansomware Guide | Joint CISA/MS-ISAC/NSA/FBI guide providing ransomware prevention best practices and response checklists |
| RTO/RPO | Recovery Time Objective (max downtime) and Recovery Point Objective (max data loss); critical metrics for backup planning |
| Double Extortion | Ransomware tactic where attackers both encrypt data and threaten to publish stolen data unless paid |
| Patient Zero | The first system compromised in an incident; identifying it reveals the initial access vector |
| Tabletop Exercise | Simulated incident scenario walked through by the response team to validate the playbook without live systems |
Tools & Systems
- CISA StopRansomware Guide: Primary framework for ransomware response planning and prevention
- NIST CSF: Cybersecurity Framework providing the Identify/Protect/Detect/Respond/Recover structure
- ID Ransomware: Service for identifying ransomware families from encrypted files and ransom notes
- MITRE ATT&CK: Technique framework for mapping ransomware TTPs to detection opportunities
- Velociraptor: Endpoint visibility tool for rapid triage and forensic artifact collection during incidents
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md3.1 KB
API Reference: CISA Ransomware Playbook Framework
CISA StopRansomware Guide
Primary Resource
URL: https://www.cisa.gov/stopransomware/ransomware-guide
PDF: https://www.cisa.gov/sites/default/files/2025-03/StopRansomware-Guide%20508.pdfGuide Structure
| Part | Content | Focus |
|---|---|---|
| Part 1 | Ransomware and Data Extortion Prevention Best Practices | Preparation |
| Part 2 | Ransomware and Data Extortion Response Checklist | Response |
CISA Reporting
Report an Incident
URL: https://report.cisa.govFBI Internet Crime Complaint Center
URL: https://www.ic3.govNIST Cybersecurity Framework Mapping
| NIST Function | Ransomware Application |
|---|---|
| Identify | Asset inventory, risk assessment, data classification |
| Protect | Backups, MFA, patching, email filtering, AppLocker |
| Detect | EDR alerts, SIEM monitoring, anomaly detection |
| Respond | Containment, forensics, notification, communication |
| Recover | Backup restoration, system rebuild, validation |
ID Ransomware Service
Identify Ransomware Family
URL: https://id-ransomware.malwarehunterteam.com/
Upload: Encrypted file sample + ransom noteResponse
Returns ransomware family name, available decryptors, and known TTPs.
CISA Preparation Checklist Controls
| Control ID | Control | Priority |
|---|---|---|
| PREP-01 | Offline encrypted backups | Critical |
| PREP-02 | Incident response plan | Critical |
| PREP-03 | Network segmentation | High |
| PREP-04 | Multi-factor authentication | Critical |
| PREP-05 | Endpoint detection and response | High |
| PREP-06 | RDP restrictions | Critical |
| PREP-07 | Patch management | High |
| PREP-08 | Email security (DMARC/DKIM/SPF) | High |
| PREP-09 | Application allowlisting | Medium |
| PREP-10 | Security awareness training | Medium |
Response Phase Timelines (CISA Recommended)
| Phase | Target Timeline | Key Actions |
|---|---|---|
| Detection | 0-2 hours | Identify scope, capture evidence |
| Containment | 1-4 hours | Isolate systems, block IOCs |
| Eradication | 1-7 days | Rebuild, restore, reset credentials |
| Recovery | 1-4 weeks | Monitor, validate, document |
| Post-Incident | 30-90 days | Lessons learned, playbook updates |
Regulatory Notification Timelines
| Regulation | Timeline | Authority |
|---|---|---|
| GDPR | 72 hours | Data Protection Authority |
| HIPAA | 60 days | HHS Office for Civil Rights |
| SEC | 4 business days | Securities and Exchange Commission |
| PCI DSS | Immediately | Card brands / acquiring bank |
| State breach laws | Varies (30-90 days) | State Attorney General |
MITRE ATT&CK Ransomware Techniques
| Technique ID | Name | Phase |
|---|---|---|
| T1486 | Data Encrypted for Impact | Impact |
| T1490 | Inhibit System Recovery | Impact |
| T1489 | Service Stop | Impact |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1059.001 | PowerShell | Execution |
| T1566.001 | Spearphishing Attachment | Initial Access |
Scripts 1
agent.py11.8 KB
#!/usr/bin/env python3
"""CISA ransomware playbook builder and compliance checker agent.
Generates a structured ransomware incident response playbook aligned with the
CISA StopRansomware Guide. Assesses organizational readiness against CISA
checklist items and produces gap analysis reports.
"""
import json
import sys
from datetime import datetime
CISA_PREPARATION_CHECKLIST = {
"PREP-01": {
"control": "Offline encrypted backups",
"description": "Maintain offline, encrypted backups of critical data tested quarterly",
"cisa_ref": "StopRansomware Guide Part 1, Section 1",
"priority": "Critical",
},
"PREP-02": {
"control": "Incident response plan",
"description": "Create, maintain, and exercise a cyber incident response plan with ransomware annex",
"cisa_ref": "StopRansomware Guide Part 1, Section 2",
"priority": "Critical",
},
"PREP-03": {
"control": "Network segmentation",
"description": "Implement network segmentation between IT, OT, and critical asset zones",
"cisa_ref": "StopRansomware Guide Part 1, Section 3",
"priority": "High",
},
"PREP-04": {
"control": "Multi-factor authentication",
"description": "Enable MFA on all remote access, privileged accounts, and email",
"cisa_ref": "StopRansomware Guide Part 1, Section 4",
"priority": "Critical",
},
"PREP-05": {
"control": "Endpoint detection and response",
"description": "Deploy EDR on all endpoints with automated response capabilities",
"cisa_ref": "StopRansomware Guide Part 1, Section 5",
"priority": "High",
},
"PREP-06": {
"control": "RDP restrictions",
"description": "Disable or restrict RDP; require VPN with MFA for remote access",
"cisa_ref": "StopRansomware Guide Part 1, Section 6",
"priority": "Critical",
},
"PREP-07": {
"control": "Patch management",
"description": "Apply patches within 48 hours for internet-facing systems, 30 days for internal",
"cisa_ref": "StopRansomware Guide Part 1, Section 7",
"priority": "High",
},
"PREP-08": {
"control": "Email security",
"description": "Configure email filtering, disable macros by default, implement DMARC/DKIM/SPF",
"cisa_ref": "StopRansomware Guide Part 1, Section 8",
"priority": "High",
},
"PREP-09": {
"control": "Application allowlisting",
"description": "Implement AppLocker or WDAC to restrict unauthorized executables",
"cisa_ref": "StopRansomware Guide Part 1, Section 9",
"priority": "Medium",
},
"PREP-10": {
"control": "Security awareness training",
"description": "Conduct regular phishing simulation and security awareness training",
"cisa_ref": "StopRansomware Guide Part 1, Section 10",
"priority": "Medium",
},
}
RESPONSE_PHASES = {
"detection": {
"name": "Detection and Analysis",
"steps": [
"Identify initial indicators (mass file renames, ransom notes, EDR alerts)",
"Take system images and memory captures of affected devices",
"Identify patient zero and initial access vector",
"Determine ransomware family using ID Ransomware or sample analysis",
"Assess encryption scope: systems, shares, data classification impacted",
"Check for data exfiltration indicators (double extortion)",
"Notify incident response team and escalate per IRP",
],
"time_target": "0-2 hours",
},
"containment": {
"name": "Containment",
"steps": [
"Isolate affected systems (disable NIC, VLAN quarantine, firewall block)",
"If unable to disconnect, power down affected systems immediately",
"Disable shared drives and mapped network shares",
"Reset credentials for compromised and service accounts",
"Block known IOCs at firewall and proxy (C2 domains, IPs, hashes)",
"Preserve forensic evidence (do not wipe or rebuild yet)",
"Engage legal counsel for breach notification assessment",
"Activate out-of-band communication channel for response team",
],
"time_target": "1-4 hours",
},
"eradication": {
"name": "Eradication and Recovery",
"steps": [
"Rebuild affected systems from known-clean images",
"Restore data from verified offline backups",
"Reset ALL domain passwords including krbtgt (twice, 12h apart)",
"Scan restored systems with updated AV and EDR before reconnection",
"Re-enable services in priority order (DC/DNS first, then business apps)",
"Monitor restored systems for 72 hours for reinfection signals",
"Validate data integrity of restored files against known checksums",
],
"time_target": "1-7 days",
},
"post_incident": {
"name": "Post-Incident Activity",
"steps": [
"Conduct root cause analysis with full incident timeline",
"Document lessons learned with all response team stakeholders",
"Update incident response playbook based on findings",
"Implement new controls to address identified gaps",
"File regulatory notifications within required timeframes",
"Report to CISA at report.cisa.gov and FBI at ic3.gov",
"Schedule follow-up review in 30, 60, and 90 days",
],
"time_target": "1-4 weeks",
},
}
def assess_readiness(current_controls):
"""Assess ransomware readiness against CISA checklist."""
results = {"total_controls": len(CISA_PREPARATION_CHECKLIST), "implemented": 0,
"gaps": [], "score": 0.0, "details": []}
for ctrl_id, ctrl in CISA_PREPARATION_CHECKLIST.items():
status = current_controls.get(ctrl_id, "not_implemented")
is_implemented = status in ("implemented", "partial")
if is_implemented:
results["implemented"] += 1
else:
results["gaps"].append({
"id": ctrl_id,
"control": ctrl["control"],
"priority": ctrl["priority"],
"cisa_ref": ctrl["cisa_ref"],
})
results["details"].append({
"id": ctrl_id,
"control": ctrl["control"],
"status": status,
"priority": ctrl["priority"],
})
results["score"] = round(
(results["implemented"] / results["total_controls"]) * 100, 1
)
return results
def generate_playbook(org_name="Organization"):
"""Generate a full ransomware response playbook."""
playbook = {
"title": f"Ransomware Incident Response Playbook - {org_name}",
"framework": "CISA StopRansomware Guide + NIST CSF",
"version": "1.0",
"generated": datetime.now().isoformat(),
"preparation": CISA_PREPARATION_CHECKLIST,
"response_phases": RESPONSE_PHASES,
"escalation_matrix": {
"severity_1_critical": {
"criteria": "Encryption active, spreading across network, critical systems affected",
"notify": ["CISO", "CEO", "Legal Counsel", "External IR Firm", "CISA", "FBI"],
"response_time": "Immediate",
},
"severity_2_high": {
"criteria": "Encryption contained to single segment, no critical systems affected",
"notify": ["CISO", "IT Director", "Legal Counsel"],
"response_time": "Within 1 hour",
},
"severity_3_medium": {
"criteria": "Ransomware detected but not yet executed (pre-encryption)",
"notify": ["SOC Manager", "IT Director"],
"response_time": "Within 4 hours",
},
},
"communication_plan": {
"internal": "Use out-of-band channel (Signal, phone tree) - assume email compromised",
"external_stakeholders": "Prepared holding statement; legal review before public disclosure",
"regulatory": "GDPR 72h, HIPAA 60d, SEC 4 business days, state-specific breach laws",
"cisa_reporting": "Report to report.cisa.gov within 24 hours",
},
}
return playbook
def generate_markdown_playbook(playbook):
"""Render playbook as Markdown document."""
lines = [f"# {playbook['title']}", "", f"**Framework:** {playbook['framework']}",
f"**Version:** {playbook['version']}", f"**Generated:** {playbook['generated']}", ""]
lines.append("## Preparation Checklist (CISA Part 1)")
lines.append("")
for ctrl_id, ctrl in playbook["preparation"].items():
lines.append(f"- [ ] **{ctrl_id}**: {ctrl['control']} - {ctrl['description']} "
f"[{ctrl['priority']}]")
lines.append("")
lines.append("## Response Phases (CISA Part 2)")
lines.append("")
for phase_id, phase in playbook["response_phases"].items():
lines.append(f"### {phase['name']} (Target: {phase['time_target']})")
lines.append("")
for i, step in enumerate(phase["steps"], 1):
lines.append(f"{i}. {step}")
lines.append("")
lines.append("## Escalation Matrix")
lines.append("")
for sev, details in playbook["escalation_matrix"].items():
lines.append(f"### {sev.replace('_', ' ').title()}")
lines.append(f"- **Criteria:** {details['criteria']}")
lines.append(f"- **Notify:** {', '.join(details['notify'])}")
lines.append(f"- **Response Time:** {details['response_time']}")
lines.append("")
return "\n".join(lines)
if __name__ == "__main__":
print("=" * 60)
print("CISA Ransomware Playbook Builder Agent")
print("Playbook generation and readiness assessment")
print("=" * 60)
if len(sys.argv) < 2:
print("\nUsage:")
print(" python agent.py generate [org_name] Generate playbook")
print(" python agent.py assess <controls.json> Assess readiness")
print(" python agent.py checklist Print CISA checklist")
sys.exit(0)
command = sys.argv[1]
if command == "generate":
org = sys.argv[2] if len(sys.argv) > 2 else "Organization"
playbook = generate_playbook(org)
md = generate_markdown_playbook(playbook)
output_file = f"ransomware_playbook_{org.lower().replace(' ', '_')}.md"
with open(output_file, "w") as f:
f.write(md)
print(f"\n[+] Playbook generated: {output_file}")
print(f"[+] Contains {len(CISA_PREPARATION_CHECKLIST)} preparation controls")
print(f"[+] Contains {len(RESPONSE_PHASES)} response phases")
print(f"\n{md[:500]}...")
elif command == "assess":
if len(sys.argv) < 3:
print("[!] Provide a JSON file with current control statuses")
print(' Format: {"PREP-01": "implemented", "PREP-02": "not_implemented", ...}')
sys.exit(1)
with open(sys.argv[2]) as f:
controls = json.load(f)
results = assess_readiness(controls)
print(f"\n--- Ransomware Readiness Assessment ---")
print(f" Score: {results['score']}% ({results['implemented']}/{results['total_controls']})")
if results["gaps"]:
print(f"\n Critical Gaps:")
for gap in results["gaps"]:
print(f" [{gap['priority']}] {gap['id']}: {gap['control']}")
print(f"\n{json.dumps(results, indent=2)}")
elif command == "checklist":
print("\n--- CISA Ransomware Preparation Checklist ---")
for ctrl_id, ctrl in CISA_PREPARATION_CHECKLIST.items():
print(f" [{ctrl['priority']:8s}] {ctrl_id}: {ctrl['control']}")
print(f" {ctrl['description']}")
else:
print(f"[!] Unknown command: {command}")