About this program
Threat context: Ransomware Incident
This program audits the controls that mitigate the above threat. Each procedure references one mapped control. Run the program to score your exposure.
Controls (6)
- MFA enforced for remote / VPN access
  Severity: High
  This control mandates that all users connecting to organizational networks via remote access methods (VPN, remote desktop gateways, or cloud-based remote access solutions) must authenticate using multi-factor authentication (MFA). MFA requires presentation of at least two distinct authentication factors—typically something…
  How to test + evidence
  Testing procedure: Review the VPN authentication configuration and the conditional-access rule that applies to off-network sign-ins.
  Evidence to collect: VPN authentication config screenshot; conditional-access (CA) policy export.
- Immutable backups
  Immutable backups are write-once-read-many (WORM) backup copies that cannot be altered, encrypted, or deleted by any user or process—including administrators and attackers—for a defined retention period. This is typically implemented using object lock features in cloud storage (e.g., AWS S3…
- EDR on every endpoint
  Endpoint Detection and Response (EDR) software must be deployed on all workstations, servers, and mobile devices within the organization's asset inventory. EDR agents continuously monitor endpoint activity, detect suspicious behaviors using signature-based and behavioral analytics, provide forensic visibility into security…
- Network segmentation between user and server tiers
  Network segmentation logically separates the user workstation tier from the server / data tier so that compromise of a single endpoint cannot grant direct lateral movement into critical infrastructure. Effective segmentation uses VLANs, host-based firewalls, identity-aware proxies and explicit east-west…
- Privileged access management (PAM)
  Privileged Access Management (PAM) controls the lifecycle of accounts with elevated system, application, or data permissions through dedicated tooling and processes. PAM solutions typically vault privileged credentials, enforce session recording, require just-in-time access requests with approval workflows, and rotate passwords…
- Incident response playbook
  An incident response playbook is a documented, structured set of procedures that define step-by-step actions for detecting, analyzing, containing, eradicating, and recovering from specific types of security incidents. Playbooks operationalize the organization's incident response plan by providing actionable guidance tailored…