Step 6, Long-term: Conduct tabletop exercises simulating ransomware detonation and data exfiltration; review and update network segmentation to limit blast radius; align detection rules to MITRE ATT&CK techniques T1566, T1190, T1078, T1021.001, T1021.002, T1003, T1486, and T1490.
Post-Incident
NIST 800-61r3 §3.5 (Post-incident activities); NIST 800-53 IR-3(2), SI-12(1), CA-7(1)
NIST 800-53 AU-1(b), IR-4(2), SI-4(2)
CIS v8 1.3, 4.1, 8.5
Compensating Control
Tabletop: use free scenario material such as CISA's Tabletop Exercise Packages (cisa.gov) or NIST Cybersecurity Framework resources (nist.gov), or the SANS incident handling posters, as templates. Conduct an annual 4-hour exercise with representatives from IT, security, legal, finance, and communications; document assumptions, decisions, timelines, and gaps.
Network segmentation without SDN: place critical systems (healthcare databases, finance, manufacturing control systems) on their own VLANs/subnets, carry them over 802.1Q trunks to a firewall, and enforce inter-VLAN policy there; deny inter-VLAN traffic by default and allow only the specific source, destination, and port pairs each system needs, so lateral movement has to cross an audited choke point.
Detection rules: map each ATT&CK technique to a Windows Security or Sysmon event signature. Rules on 4688 require process creation auditing with command-line logging enabled; 5140 requires file-share auditing; 4659/4663 require a SACL on the audited objects; lsass rules require Sysmon ProcessAccess configuration.
T1566 (phishing) → 4688: an Office application (WINWORD, EXCEL, OUTLOOK) spawning powershell.exe or cmd.exe, or PowerShell launched with encoded or download cmdlets.
T1190 (exploit public-facing application) → 4688: a web server worker (w3wp.exe, httpd) spawning a shell, correlated with 4720 (new local account) on the same host.
T1078 (valid accounts) → 4624 successful logons from a source host, geography, or time of day outside the account's baseline; a burst of 4625 failures before the success indicates brute force (T1110) rather than valid-account abuse and should be alerted separately.
T1021.001 (RDP) → 4624 with Logon Type 10 (RemoteInteractive) from a source other than the jump hosts.
T1021.002 (SMB/Admin Shares) → 5140 access to ADMIN$ or C$ from hosts outside the administrative allowlist.
T1003 (credential dumping) → Sysmon Event 10 (ProcessAccess) targeting lsass.exe with a GrantedAccess mask such as 0x1010, 0x1438, or 0x1FFFFF from a non-system process; Sysmon Event 8 (CreateRemoteThread) is a different signal and should not be substituted for it.
T1486 (data encrypted for impact) → Sysmon Event 11 (FileCreate) or 4663 spike from a single process writing many files with one new extension, typically staged from %TEMP%.
T1490 (inhibit system recovery) → 4688 with vssadmin delete shadows, wmic shadowcopy delete, wbadmin delete catalog, or bcdedit recoveryenabled no; 4659 (handle requested with intent to delete) or 4663 on audited backup repositories.
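The technique-to-event mapping above, expressed as runnable detection logic over constructed sample records. This is an added example, not code from the playbook or from any SIEM vendor: events are Python dicts whose keys mirror Windows Security and Sysmon EventData field names, and the web-server list, lsass access-mask list, logon baseline, admin-host allowlist, file-count threshold, and every sample event are assumptions invented for the demo.

```python
"""Prototype SIEM rules for the ATT&CK techniques in this playbook step.
Added example, not the playbook's or any vendor's code. Events are dicts whose
keys mirror Windows Security / Sysmon EventData fields; the sample records,
allowlists, logon baseline and thresholds are constructed and must be tuned."""
from collections import Counter

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}                 # assumed list
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ADMIN_SHARES = {"ADMIN$", "C$"}
LSASS_DUMP_MASKS = {0x1010, 0x1038, 0x1438, 0x143A, 0x1FFFFF}         # assumed list
RECOVERY_TAMPER = (("vssadmin.exe", "delete shadows"), ("wmic.exe", "shadowcopy delete"),
                   ("wbadmin.exe", "delete catalog"), ("bcdedit.exe", "recoveryenabled no"))

def basename(path):
    """Lower-cased final component of a Windows path (works for UNC share names too)."""
    return path.rsplit("\\", 1)[-1].lower()

class Detector:
    def __init__(self, known_logons, admin_hosts, rename_threshold=50):
        self.known_logons = known_logons      # {account: {source IPs seen in baseline}}
        self.admin_hosts = admin_hosts        # IPs allowed to open ADMIN$/C$
        self.rename_threshold = rename_threshold
        self.webshell_hosts = set()           # hosts where a web server spawned a shell
        self.ext_counts = Counter()           # (process, extension) -> files created
        self.fired_bulk = set()
        self.alerts = []

    def feed(self, ev):
        """Apply every rule to one event; return its (technique, reason) hits."""
        hits, src, eid = [], ev.get("Source", "Security"), ev["EventID"]
        if src == "Security" and eid == 4688:           # needs command-line auditing
            parent, child = basename(ev.get("ParentProcessName", "")), basename(ev["NewProcessName"])
            cmd = ev.get("CommandLine", "").lower()
            if parent in OFFICE_APPS and child in SHELLS:
                hits.append(("T1566", f"{parent} spawned {child}: {cmd}"))
            if parent in WEB_SERVERS and child in SHELLS:
                self.webshell_hosts.add(ev["Computer"])
                hits.append(("T1190", f"{parent} spawned {child} on {ev['Computer']}"))
            for image, fragment in RECOVERY_TAMPER:
                if child == image and fragment in cmd:
                    hits.append(("T1490", cmd))
        elif src == "Security" and eid == 4720:         # correlate with an earlier web-shell hit
            if ev["Computer"] in self.webshell_hosts:
                hits.append(("T1190", f"account {ev['TargetUserName']} created on {ev['Computer']}"))
        elif src == "Security" and eid == 4624:
            acct, ip = ev["TargetUserName"], ev.get("IpAddress", "-")
            if int(ev["LogonType"]) == 10:              # RemoteInteractive = RDP
                hits.append(("T1021.001", f"RDP logon {acct} from {ip}"))
            if ip not in self.known_logons.get(acct, set()):
                hits.append(("T1078", f"{acct} logged on from unseen source {ip}"))
        elif src == "Security" and eid == 5140:         # needs file-share auditing
            share = basename(ev["ShareName"]).upper()
            if share in ADMIN_SHARES and ev.get("IpAddress") not in self.admin_hosts:
                hits.append(("T1021.002", f"{share} opened from {ev['IpAddress']}"))
        elif src == "Sysmon" and eid == 10:             # ProcessAccess (Event 8 is CreateRemoteThread)
            if basename(ev["TargetImage"]) == "lsass.exe" and int(ev["GrantedAccess"], 16) in LSASS_DUMP_MASKS:
                hits.append(("T1003", f"{basename(ev['SourceImage'])} opened lsass with {ev['GrantedAccess']}"))
        elif src == "Sysmon" and eid == 11:             # FileCreate: one process, many files, one new extension
            name = basename(ev["TargetFilename"])
            key = (basename(ev["Image"]), name.rsplit(".", 1)[-1] if "." in name else "")
            self.ext_counts[key] += 1
            if self.ext_counts[key] >= self.rename_threshold and key not in self.fired_bulk:
                self.fired_bulk.add(key)
                hits.append(("T1486", f"{key[0]} created {self.ext_counts[key]} .{key[1]} files"))
        self.alerts.extend(hits)
        return hits

    def run(self, events):
        for ev in events:
            self.feed(ev)
        return self.alerts

# Constructed sample telemetry for one simulated intrusion (not real log data).
KNOWN_LOGONS = {"jdoe": {"10.1.1.20"}}
ADMIN_HOSTS = {"10.1.1.5"}
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "ParentProcessName": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 4688, "Computer": "WEB01", "ParentProcessName": "c:\\windows\\system32\\inetsrv\\w3wp.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4720, "Computer": "WEB01", "TargetUserName": "svc_helper"},
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.9.9.9"},
    {"EventID": 5140, "Computer": "FS01", "ShareName": "\\\\*\\ADMIN$", "IpAddress": "10.9.9.9"},
    {"Source": "Sysmon", "EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Temp\\procdump64.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 4688, "Computer": "WS01", "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
     "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
] + [{"Source": "Sysmon", "EventID": 11, "Computer": "WS01", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\enc.exe",
      "TargetFilename": f"C:\\Users\\jdoe\\Documents\\report{i}.docx.locked"} for i in range(5)]

def run_sample(rename_threshold=5):
    """Techniques fired, in order, over SAMPLE_EVENTS (low threshold for the demo)."""
    return [t for t, _ in Detector(KNOWN_LOGONS, ADMIN_HOSTS, rename_threshold).run(SAMPLE_EVENTS)]

if __name__ == "__main__":
    for technique, reason in Detector(KNOWN_LOGONS, ADMIN_HOSTS, 5).run(SAMPLE_EVENTS):
        print(technique, reason)
```

The rules are deliberately stateful where the mapping needs correlation: the 4720 rule only fires on a host that already produced a web-server-to-shell 4688, and the T1486 rule counts FileCreate events per (process, extension) pair rather than alerting on a single file. The T1078 rule is the one most dependent on a good baseline; seed known_logons from a few weeks of 4624 history before enabling it, or every first-time logon becomes an alert.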
Preserve Evidence
Document tabletop exercise results: scenario narrative, timeline of simulated decisions, identified gaps, and assigned remediation owners with due dates. Preserve the network segmentation baseline: current firewall rule set, VLAN assignments, and the access control list audit. Capture a baseline for each detection rule: the SIEM query logic for each ATT&CK technique, its measured false positive rate, and its alert volume. Create a detection engineering backlog with rule tuning priorities. Document any manual detection procedures for low-signal techniques (file extension enumeration, backup system audit) so they survive staff turnover.