Building Ransomware Playbook with CISA Framework

When to Use

  • An organization needs to create or update its ransomware incident response playbook following CISA guidelines
  • A security team is conducting a ransomware readiness assessment against the CISA StopRansomware framework
  • Compliance requires documenting ransomware response procedures aligned with NIST CSF and CISA recommendations
  • During tabletop exercises to validate that the organization's ransomware response steps match industry best practices
  • After a ransomware incident to update the playbook with lessons learned and close identified gaps

Do not use as a substitute for legal counsel regarding ransom payment decisions, breach notification timelines, or regulatory obligations specific to your jurisdiction.

Prerequisites

  • Familiarity with the CISA StopRansomware Guide (cisa.gov/stopransomware/ransomware-guide)
  • NIST Cybersecurity Framework (CSF) understanding (Identify, Protect, Detect, Respond, Recover)
  • Inventory of critical assets, backup infrastructure, and communication channels
  • Defined roles and responsibilities for incident response team members
  • Python 3.8+ for playbook generation and compliance-checking automation
  • Access to organization's asset inventory and backup configuration documentation

Workflow

Step 1: Preparation Phase (CISA Part 1 - Prevention)

Establish ransomware-specific defenses before an incident:

CISA Preparation Checklist:
━━━━━━━━━━━━━━━━━━━━━━━━━━
[ ] Maintain offline, encrypted backups tested for restoration
[ ] Create and exercise a cyber incident response plan (IRP)
[ ] Implement network segmentation between IT and OT networks
[ ] Enable MFA on all remote access and privileged accounts
[ ] Deploy endpoint detection and response (EDR) on all endpoints
[ ] Disable or restrict RDP; require VPN for remote access
[ ] Maintain a software/hardware asset inventory
[ ] Apply patches within 48 hours for internet-facing systems
[ ] Configure email filtering and disable macro execution by default
[ ] Conduct regular phishing awareness training
[ ] Implement application allowlisting (AppLocker/WDAC)
[ ] Test backup restoration quarterly and document RTO/RPO
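
The checklist above is the kind of thing the "compliance checking automation" in the prerequisites is meant to run. The following is an added example (not CISA's tooling and not code from this page) that turns the twelve items into a weighted readiness score grouped by NIST CSF function, so a team can see which function its gaps cluster in. The checklist wording is taken from the list above; the CSF mapping, the weights, the 92-day "quarterly" staleness bound and the sample control state are assumptions constructed for the example.

```python
"""Readiness check of an organisation's control state against the CISA
preparation checklist above.  Added example, not CISA's or the page's own
tooling: the checklist wording comes from the page, while the NIST CSF
mapping, the weights and the sample control state are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class ChecklistItem:
    key: str      # identifier used in the control-state dictionary
    text: str     # wording from the CISA preparation checklist
    csf: str      # NIST CSF function the control mainly supports (assumed mapping)
    weight: int   # relative importance in the readiness score (assumed)


CISA_PREPARATION_CHECKLIST: List[ChecklistItem] = [
    ChecklistItem("offline_backups", "Maintain offline, encrypted backups tested for restoration", "Recover", 3),
    ChecklistItem("irp", "Create and exercise a cyber incident response plan (IRP)", "Respond", 2),
    ChecklistItem("segmentation", "Implement network segmentation between IT and OT networks", "Protect", 2),
    ChecklistItem("mfa", "Enable MFA on all remote access and privileged accounts", "Protect", 3),
    ChecklistItem("edr", "Deploy endpoint detection and response (EDR) on all endpoints", "Detect", 2),
    ChecklistItem("rdp", "Disable or restrict RDP; require VPN for remote access", "Protect", 2),
    ChecklistItem("inventory", "Maintain a software/hardware asset inventory", "Identify", 1),
    ChecklistItem("patching", "Apply patches within 48 hours for internet-facing systems", "Protect", 2),
    ChecklistItem("email", "Configure email filtering and disable macro execution by default", "Protect", 2),
    ChecklistItem("training", "Conduct regular phishing awareness training", "Protect", 1),
    ChecklistItem("allowlisting", "Implement application allowlisting (AppLocker/WDAC)", "Protect", 2),
    ChecklistItem("restore_test", "Test backup restoration quarterly and document RTO/RPO", "Recover", 3),
]


@dataclass
class Assessment:
    score_pct: float
    gaps: List[ChecklistItem]
    gaps_by_function: Dict[str, List[str]] = field(default_factory=dict)


def restore_test_current(last_test: date, as_of: date, max_age_days: int = 92) -> bool:
    """'Quarterly' restoration testing: a test older than roughly a quarter is stale."""
    return (as_of - last_test).days <= max_age_days


def assess(control_state: Dict[str, bool]) -> Assessment:
    """Score a control state (checklist key -> implemented?) against the checklist.

    A key that is absent counts as not implemented: a control nobody can
    vouch for in writing is a gap, whatever is actually deployed.
    """
    total = sum(item.weight for item in CISA_PREPARATION_CHECKLIST)
    earned = 0
    gaps: List[ChecklistItem] = []
    for item in CISA_PREPARATION_CHECKLIST:
        if control_state.get(item.key, False):
            earned += item.weight
        else:
            gaps.append(item)
    by_function: Dict[str, List[str]] = {}
    for gap in gaps:
        by_function.setdefault(gap.csf, []).append(gap.text)
    return Assessment(round(100.0 * earned / total, 1), gaps, by_function)


def report(assessment: Assessment) -> str:
    """Plain-text gap report grouped by NIST CSF function."""
    lines = [f"Ransomware readiness score: {assessment.score_pct}%"]
    for function, texts in sorted(assessment.gaps_by_function.items()):
        lines.append(f"{function}:")
        lines.extend(f"  [ ] {text}" for text in texts)
    return "\n".join(lines)


# Constructed control state for a fictional organisation, evaluated as of a
# fixed date so the stale-backup-test check is reproducible.
AS_OF = date(2024, 6, 1)
SAMPLE_STATE: Dict[str, bool] = {
    "offline_backups": True, "irp": True, "segmentation": False, "mfa": False,
    "edr": True, "rdp": False, "inventory": True, "patching": True,
    "email": True, "training": True, "allowlisting": True,
    # last successful restore test on 2024-01-10: well over a quarter ago
    "restore_test": restore_test_current(date(2024, 1, 10), AS_OF),
}

if __name__ == "__main__":
    print(report(assess(SAMPLE_STATE)))
```

Treating an unknown control as a gap is deliberate: a readiness assessment is only as good as the evidence behind it, and "probably deployed" is not evidence. The sample state scores 60% with all three Protect gaps and the stale restore test listed under Recover.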

Step 2: Detection and Analysis Phase

Identify ransomware indicators and assess scope:

Detection Indicators:
━━━━━━━━━━━━━━━━━━━━
- Mass file rename operations with new extensions (.locked, .encrypted)
- Ransom notes appearing in directories (README.txt, DECRYPT.html)
- Volume Shadow Copy deletion (vssadmin delete shadows)
- Abnormal CPU usage from encryption processes
- EDR/AV alerts for known ransomware signatures
- Network connections to known C2 infrastructure
- Unusual lateral movement via SMB or PsExec
- Sysmon Event ID 11 (file creation) spikes

Initial Analysis Steps (CISA):
  1. Take system images and memory captures of affected devices
  2. Identify patient zero and initial access vector
  3. Determine the ransomware family (ID Ransomware, ransom note analysis)
  4. Assess encryption scope: which systems, shares, and data are affected
  5. Check if data exfiltration occurred (double extortion indicator)
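
Several of the indicators above (a spike of file-create events carrying a ransomware extension, a ransom note landing in a directory, and a `vssadmin delete shadows` command line) can be expressed as rules over endpoint telemetry. The block below is an added example, not from the page and not any vendor's detection content: it runs those three rules over Sysmon-style event records (Event ID 1 process creation and Event ID 11 file creation, reduced to the fields the rules need) and returns alerts plus the set of affected hosts as a first scoping input. The event records, the 5-files-in-60-seconds threshold and the field names are constructed for the example; a production rule would be tuned against the environment's normal file-write rate.

```python
"""Rule-based triage of Sysmon-style events for the ransomware indicators
listed above (ransom-extension write spikes, ransom notes, shadow copy
deletion).  Added example, not from the page or from any vendor: the event
records are constructed and the thresholds are illustrative, not tuned."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

RANSOM_EXTENSIONS = (".locked", ".encrypted")        # from the indicator list above
RANSOM_NOTE_NAMES = {"readme.txt", "decrypt.html"}   # from the indicator list above
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

MASS_WRITE_THRESHOLD = 5                   # ransom-extension files per process ...
MASS_WRITE_WINDOW = timedelta(seconds=60)  # ... within this sliding window (assumed)

Alert = Tuple[str, str, str]   # (rule, host, detail)


def _file_create(ts: str, host: str, pid: int, image: str, target: str) -> dict:
    """Sysmon Event ID 11 (FileCreate) reduced to the fields the rules use."""
    return {"ts": ts, "event_id": 11, "host": host, "pid": pid, "image": image, "target": target}


def _process_create(ts: str, host: str, pid: int, image: str, cmdline: str) -> dict:
    """Sysmon Event ID 1 (ProcessCreate) reduced to the fields the rules use."""
    return {"ts": ts, "event_id": 1, "host": host, "pid": pid, "image": image, "cmdline": cmdline}


def triage(events: List[dict]) -> List[Alert]:
    """Run the three rules over events in timestamp order and return alerts."""
    alerts: List[Alert] = []
    # (host, pid) -> timestamps of recent ransom-extension writes by that process
    recent_writes: Dict[Tuple[str, int], List[datetime]] = defaultdict(list)

    for event in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(event["ts"])
        if event["event_id"] == 1 and SHADOW_DELETE.search(event.get("cmdline", "")):
            alerts.append(("shadow_copy_deletion", event["host"], event["cmdline"]))
            continue
        if event["event_id"] != 11:
            continue
        name = event["target"].lower().rsplit("\\", 1)[-1]
        if name in RANSOM_NOTE_NAMES:
            alerts.append(("ransom_note", event["host"], event["target"]))
        if name.endswith(RANSOM_EXTENSIONS):
            window = recent_writes[(event["host"], event["pid"])]
            window.append(ts)
            # slide the window: forget writes older than MASS_WRITE_WINDOW
            while ts - window[0] > MASS_WRITE_WINDOW:
                window.pop(0)
            if len(window) == MASS_WRITE_THRESHOLD:   # fire when the count reaches the threshold
                detail = (f"pid {event['pid']} ({event['image']}) wrote {len(window)} "
                          f"ransom-extension files within {int(MASS_WRITE_WINDOW.total_seconds())}s")
                alerts.append(("mass_encrypted_writes", event["host"], detail))
    return alerts


def affected_hosts(alerts: List[Alert]) -> Set[str]:
    """Initial scoping input for the analysis steps: hosts with at least one alert."""
    return {host for _, host, _ in alerts}


# Constructed sample telemetry: a workstation whose documents are being
# encrypted, some benign activity, and a file server below the spike threshold.
_WS, _FS = "WS-042", "FS-01"
_ENC = r"C:\Users\alice\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS: List[dict] = [
    _process_create("2024-05-01T10:00:00", _WS, 3900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    _file_create("2024-05-01T10:00:01", _WS, 2210, r"C:\Program Files\Office\WINWORD.EXE",
                 r"C:\Users\alice\Documents\report.docx"),
] + [
    _file_create(f"2024-05-01T10:00:{2 + i:02d}", _WS, 4120, _ENC, rf"C:\Users\alice\Documents\file{i}.xlsx.locked")
    for i in range(6)
] + [
    _file_create("2024-05-01T10:00:08", _WS, 4120, _ENC, r"C:\Users\alice\Documents\README.txt"),
    _process_create("2024-05-01T10:00:09", _WS, 4188, r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows"),
    _file_create("2024-05-01T10:00:20", _FS, 900, r"C:\Windows\System32\svchost.exe", r"D:\Share\budget.xlsx.encrypted"),
    _file_create("2024-05-01T10:00:21", _FS, 900, r"C:\Windows\System32\svchost.exe", r"D:\Share\plan.docx.encrypted"),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"{host}: {rule}: {detail}")
    print("affected hosts:", sorted(affected_hosts(found)))
```

On the sample, the workstation raises all three alerts in order (write spike at the fifth `.locked` file, then the ransom note, then the shadow-copy deletion) while the file server, with only two encrypted-extension writes, stays silent; that second case is why the spike rule is keyed per process and per window rather than on any single filename.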

Step 3: Containment Phase

Stop the spread and preserve evidence:

Immediate Containment (First 1-4 hours):
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Isolate affected systems from the network (disable NICs, VLAN quarantine)
2. If unable to disconnect, power down affected systems (a last resort: volatile memory is lost, so capture it first where possible)
3. Disable shared drives to prevent encryption spread
4. Reset credentials for compromised accounts (especially admin/service accounts)
5. Block known ransomware IOCs at firewall/proxy (C2 domains, IPs)
6. Preserve forensic evidence (memory dumps, disk images, logs)
7. Engage legal counsel and prepare breach notification if data exfiltrated

Extended Containment:
  - Identify and patch the initial access vector (phishing, RDP, VPN vuln)
  - Audit all Active Directory accounts for persistence (scheduled tasks, services)
  - Check for backdoors or additional malware beyond the ransomware payload

Step 4: Eradication and Recovery Phase

Remove the threat and restore operations:

CISA Recovery Steps:
━━━━━━━━━━━━━━━━━━━
1. Rebuild affected systems from known-clean images (do NOT decrypt in place)
2. Restore data from offline backups (verify backup integrity first)
3. Reset ALL passwords, including service accounts and the krbtgt account (reset krbtgt twice, 12h apart)
4. Scan restored systems with updated AV/EDR before reconnecting to network
5. Re-enable services in priority order based on business criticality
6. Monitor restored systems intensively for 72 hours for reinfection

Recovery Priority Matrix:
  P1 (0-4h):  Domain controllers, DNS, authentication infrastructure
  P2 (4-24h): Email, critical business applications, databases
  P3 (1-3d):  File servers, departmental applications
  P4 (3-7d):  Non-critical systems, development environments
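
The priority matrix and recovery steps 1-2 (rebuild from clean images, verify the backup before restoring from it) can be turned into a recovery plan that is checked before anyone starts restoring. The block below is an added example, not code from the page: it sequences a constructed asset inventory by tier, flags each asset whose backup is not trustworthy (no offline copy, restore never tested, test older than a quarter) or whose measured restore time cannot fit inside its tier's window, and sums restore time per tier on the assumption that restores run one at a time. The tier windows are the upper bounds from the matrix above; the assets, test dates, the 92-day bound and the serial-restore assumption are constructed.

```python
"""Recovery sequencing and backup-readiness check for the CISA recovery
steps and priority matrix above.  Added example, not from the page: the
tier windows are read off the priority matrix; the asset inventory, the
restore test records and the serial-restore assumption are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Upper bound of each tier's window in the priority matrix, in hours
TIER_RTO_HOURS: Dict[str, float] = {"P1": 4, "P2": 24, "P3": 72, "P4": 168}
RESTORE_TEST_MAX_AGE = timedelta(days=92)   # "test backup restoration quarterly"


@dataclass(frozen=True)
class Asset:
    name: str
    tier: str                          # P1..P4 from the matrix
    restore_hours: float               # wall-clock time measured in the last restore test
    last_restore_test: Optional[date]  # None: never tested
    offline_backup: bool               # an offline (not network-reachable) copy exists


@dataclass
class RecoveryStep:
    order: int
    asset: Asset
    blocked: List[str]   # reasons to resolve before this restore can be trusted


def readiness_issues(asset: Asset, as_of: date) -> List[str]:
    """Checks drawn from steps 1-2 above: verify the backup before restoring from it."""
    issues: List[str] = []
    if not asset.offline_backup:
        issues.append("no offline backup: the restore source may itself be encrypted")
    if asset.last_restore_test is None:
        issues.append("restore never tested")
    elif as_of - asset.last_restore_test > RESTORE_TEST_MAX_AGE:
        age = (as_of - asset.last_restore_test).days
        issues.append(f"restore test stale ({age} days old)")
    if asset.restore_hours > TIER_RTO_HOURS[asset.tier]:
        issues.append(f"measured restore {asset.restore_hours}h exceeds "
                      f"{asset.tier} window of {TIER_RTO_HOURS[asset.tier]}h")
    return issues


def plan_recovery(assets: List[Asset], as_of: date) -> List[RecoveryStep]:
    """Order by tier, then shortest restore first within a tier (quick wins first)."""
    ordered = sorted(assets, key=lambda a: (a.tier, a.restore_hours, a.name))
    return [RecoveryStep(i + 1, a, readiness_issues(a, as_of)) for i, a in enumerate(ordered)]


def tier_load(plan: List[RecoveryStep]) -> Dict[str, Tuple[float, bool]]:
    """Per tier: total restore hours if restores run serially (assumed: one team,
    one restore at a time) and whether that total fits inside the tier's window."""
    totals: Dict[str, float] = {}
    for step in plan:
        totals[step.asset.tier] = totals.get(step.asset.tier, 0.0) + step.asset.restore_hours
    return {tier: (hours, hours <= TIER_RTO_HOURS[tier]) for tier, hours in totals.items()}


def render(plan: List[RecoveryStep]) -> str:
    """Plain-text recovery runsheet with blocking issues under each asset."""
    lines = []
    for step in plan:
        flag = "BLOCKED" if step.blocked else "ready"
        lines.append(f"{step.order:2d}. {step.asset.tier} {step.asset.name:<10} "
                     f"{step.asset.restore_hours:>5.1f}h  {flag}")
        lines.extend(f"       - {issue}" for issue in step.blocked)
    return "\n".join(lines)


# Constructed inventory, evaluated as of a fixed date for reproducibility.
AS_OF = date(2024, 6, 1)
SAMPLE_ASSETS: List[Asset] = [
    Asset("DC01", "P1", 2.0, date(2024, 4, 15), True),
    Asset("DNS01", "P1", 1.0, date(2024, 4, 15), True),
    Asset("MAIL01", "P2", 10.0, date(2024, 1, 5), True),     # test older than a quarter
    Asset("ERP-DB", "P2", 30.0, date(2024, 5, 20), True),    # restore slower than the P2 window
    Asset("FS01", "P3", 20.0, None, False),                  # never tested, no offline copy
    Asset("DEV-BUILD", "P4", 5.0, date(2024, 5, 1), True),
]

if __name__ == "__main__":
    steps = plan_recovery(SAMPLE_ASSETS, AS_OF)
    print(render(steps))
    for tier, (hours, fits) in sorted(tier_load(steps).items()):
        print(f"{tier}: {hours:.1f}h serial restore, {'within' if fits else 'exceeds'} window")
```

Two findings from the sample are the ones worth having before an incident rather than during it: the ERP database's 30-hour restore cannot meet a 24-hour P2 window no matter how the plan is ordered, and P2 as a whole needs 40 serial hours, so either restores must run in parallel or the tier assignment is wrong. Both are RTO facts that the quarterly restore test exists to surface.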

Step 5: Post-Incident Activity

Document lessons learned and improve defenses:

Post-Incident Report Template:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. Executive summary: What happened, impact, resolution
2. Timeline: Detection to full recovery with timestamps
3. Root cause analysis: Initial access vector and propagation path
4. Scope: Number of systems, data volumes, business impact in hours/dollars
5. Response effectiveness: What worked, what failed, what was missing
6. Recommendations: Specific technical and procedural improvements
7. Compliance actions: Notification timeline, regulatory obligations met
8. Updated playbook: Revisions based on lessons learned

Verification

  • Validate playbook completeness against CISA StopRansomware checklist items
  • Conduct tabletop exercise using the playbook with all stakeholders
  • Verify backup restoration procedures work within documented RTO targets
  • Test communication plans including out-of-band channels
  • Confirm legal and regulatory notification procedures are current
  • Review and update the playbook at least annually or after any incident

Key Concepts

  • CISA StopRansomware Guide: Joint CISA/MS-ISAC/NSA/FBI guide providing ransomware prevention best practices and response checklists
  • RTO/RPO: Recovery Time Objective (maximum tolerable downtime) and Recovery Point Objective (maximum tolerable data loss); critical metrics for backup planning
  • Double Extortion: Ransomware tactic in which attackers both encrypt data and threaten to publish stolen data unless paid
  • Patient Zero: The first system compromised in an incident; identifying it reveals the initial access vector
  • Tabletop Exercise: Simulated incident scenario walked through by the response team to validate the playbook without live systems

Tools & Systems

  • CISA StopRansomware Guide: Primary framework for ransomware response planning and prevention
  • NIST CSF: Cybersecurity Framework providing the Identify/Protect/Detect/Respond/Recover structure
  • ID Ransomware: Service for identifying ransomware families from encrypted files and ransom notes
  • MITRE ATT&CK: Technique framework for mapping ransomware TTPs to detection opportunities
  • Velociraptor: Endpoint visibility tool for rapid triage and forensic artifact collection during incidents