Step 5, Long-term: Test backup integrity and recovery time objectives against ransomware scenarios, including encrypted-backup and shadow-copy-deletion conditions (T1490). Implement network segmentation to limit lateral movement blast radius. Integrate RaaS TTP profiles from CISA and MITRE ATT&CK into detection rule backlog and tabletop exercise scenarios on a recurring basis.
Recovery
NIST 800-61r3 §3.4 (Recovery) and §2.1 (Preparation: tools and techniques)
NIST 800-53 CP-4 (Contingency Plan Testing)
NIST 800-53 SC-7 (Boundary Protection)
NIST 800-53 CP-9 (Information System Backup)
NIST 800-53 IR-4 (Incident Handling)
CIS 11.3 (Address Unauthorized Software)
CIS 3.6 (Ensure Adequate Audit Log Storage)
Compensating Control
Backup testing: perform monthly restore drills on a sandbox network; validate that backup files are read-only and immutable (test `attrib +r` on Windows or filesystem ACLs on Linux), and confirm shadow copies are protected (audit them with `vssadmin list shadows` and verify that ordinary users cannot delete them).
Network segmentation without enterprise appliances: use Windows Firewall with Advanced Security (WFAS) Group Policies to restrict traffic between subnets (e.g., workstations block ports 445/139 to servers outside their segment; isolate SCADA networks on separate VLANs, with a manual air gap where possible).
Detection rules from MITRE ATT&CK profiles: download MITRE Navigator JSON for ransomware campaigns (Conti, LockBit, Cl0p), extract technique IDs (T1490 = inhibit system recovery, T1027.010 = encrypted files, T1083 = file enumeration), and map each to available logs (PowerShell Script Block Logging for obfuscation, Windows Defender quarantine logs, Sysmon Event ID 11 for file-creation patterns ending in .crypted/.locked/.paid, etc.).
Tabletop exercises quarterly: simulate a double-extortion scenario, track detection time-to-first-alert, test backup recovery, and measure RTO/RPO against business tolerance.
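A worked example of the rule-building step above, added here and not part of the original playbook: it extracts technique IDs from a constructed ATT&CK Navigator layer, sorts them into a covered-vs-gap backlog against the log sources assumed to be available, and runs the Sysmon Event ID 11 extension check over constructed events. The technique-to-log mapping, the burst threshold, and the file paths are assumptions.

```python
"""Added example: build a log-coverage backlog from an ATT&CK Navigator layer and run the
Sysmon EID 11 ransomware-extension check. All data is constructed; mapping/threshold assumed."""
import json
import re
from collections import Counter

# Constructed Navigator layer fragment (real exports carry many more fields).
NAVIGATOR_LAYER = json.dumps({"name": "constructed-ransomware-layer", "techniques": [
    {"techniqueID": "T1490"}, {"techniqueID": "T1027.010"},
    {"techniqueID": "T1083"}, {"techniqueID": "T1021.002"}]})  # T1021.002 has no log source below

# Assumed mapping of technique ID -> log source available in this environment.
LOG_COVERAGE = {
    "T1490": "Sysmon EID 1 (vssadmin/wbadmin/bcdedit process creation)",
    "T1027.010": "PowerShell Script Block Logging (EID 4104)",
    "T1083": "Sysmon EID 11 file-creation telemetry",
}
RANSOM_EXT = re.compile(r"\.(crypted|locked|paid)$", re.IGNORECASE)
BURST_THRESHOLD = 3  # flagged files per process before alerting (assumed; tune locally)

def extract_techniques(layer_json):
    """Return the technique IDs in a Navigator layer, sorted for stable output."""
    return sorted(t["techniqueID"] for t in json.loads(layer_json).get("techniques", []))

def coverage_backlog(technique_ids):
    """Split techniques into those with a mapped log source and detection gaps."""
    covered = {t: LOG_COVERAGE[t] for t in technique_ids if t in LOG_COVERAGE}
    gaps = [t for t in technique_ids if t not in LOG_COVERAGE]
    return covered, gaps

def detect_ransom_extensions(events):
    """Count Sysmon EID 11 file creations with ransomware extensions per process and
    return only processes at or above BURST_THRESHOLD (one stray .locked file is not an alert)."""
    hits = Counter(e["Image"] for e in events
                   if e["EventID"] == 11 and RANSOM_EXT.search(e["TargetFilename"]))
    return {image: n for image, n in hits.items() if n >= BURST_THRESHOLD}

# Constructed Sysmon EID 11 records: one suspicious process, one benign user action.
_UPD = r"C:\Users\j\AppData\Local\Temp\upd.exe"
SAMPLE_EVENTS = [{"EventID": 11, "Image": img, "TargetFilename": f} for img, f in [
    (_UPD, r"C:\Share\q1.xlsx.locked"), (_UPD, r"C:\Share\plan.docx.crypted"),
    (_UPD, r"C:\Share\README.paid"), (r"C:\Windows\explorer.exe", r"C:\Users\j\notes.docx"),
    (r"C:\Windows\explorer.exe", r"C:\Users\j\door.locked")]]

if __name__ == "__main__":
    covered, gaps = coverage_backlog(extract_techniques(NAVIGATOR_LAYER))
    print("covered:", covered, "\ngaps:", gaps, "\nalerts:", detect_ransom_extensions(SAMPLE_EVENTS))
```

The gap list is what goes into the detection rule backlog; the alert dictionary is the per-process output a Sysmon-based rule would raise.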
Preserve Evidence
Before long-term implementation: baseline backup metadata (size, date, restore-test results, storage location and retention), document network topology and current segmentation (firewall rules, VLAN assignments, data flow diagrams), preserve MITRE ATT&CK baseline detection rules (rule version, coverage map, false-positive rates from prior quarter), and record tabletop exercise outcomes (detection gaps, recovery time actual vs. target, communication delays).