Step 1:
When potential ransomware is detected in a tool or reported by a user, the analyst triggers D3’s NIST-based ransomware playbook.
Step 2:
D3 checks the reputation of the URL and IP address against threat intelligence sources and sends any files to a sandbox.
Step 3:
Simultaneously, a nested playbook runs to check network logs for IOCs related to known ransomware groups.
Step 4:
Also simultaneously, D3 gathers information from Active Directory on the affected user and determines data criticality.
Step 5:
Next, in the containment and recovery phase, D3 sends a notification to stakeholders, quarantines affected hosts, and blacklists URLs and file hashes.
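As an added illustration of the playbook flow above (not D3's own code), the following script models the parallel enrichment in steps 2 to 4 and the containment decision in step 5. All indicators, sandbox verdicts, log lines and directory entries are constructed sample data standing in for the SOAR's live connectors.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

# Constructed sample data standing in for threat-intel, sandbox, log and AD connectors.
BAD_INDICATORS = {"203.0.113.45", "http://malicious.example/payload.exe"}
RANSOMWARE_GROUP_IOCS = {"203.0.113.45", "c2.ransom.example"}
SANDBOX_VERDICTS = {"deadbeef" * 8: "ransomware"}
AD_USERS = {"jdoe": {"department": "Finance", "data_criticality": "high"}}
NETWORK_LOGS = [
    "2024-05-01T10:02:11Z host=WS-101 dst=203.0.113.45 bytes=48210",
    "2024-05-01T10:03:40Z host=WS-101 dst=198.51.100.7 bytes=1200",
]

@dataclass
class Alert:
    user: str
    host: str
    url: str
    ip: str
    file_hash: str

def check_reputation(alert):  # Step 2: URL/IP reputation lookup
    return {i for i in (alert.url, alert.ip) if i in BAD_INDICATORS}

def sandbox_file(alert):  # Step 2: detonate the submitted file
    return SANDBOX_VERDICTS.get(alert.file_hash, "unknown")

def scan_network_logs(logs):  # Step 3: nested playbook over network logs
    hits = set()
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("dst") in RANSOMWARE_GROUP_IOCS:
            hits.add(fields["dst"])
    return hits

def lookup_user(alert):  # Step 4: Active Directory context and data criticality
    return AD_USERS.get(alert.user, {"data_criticality": "unknown"})

def run_playbook(alert, logs=NETWORK_LOGS):
    with ThreadPoolExecutor() as pool:  # Steps 2 to 4 run simultaneously
        futures = [pool.submit(f, alert) for f in (check_reputation, sandbox_file, lookup_user)]
        net = pool.submit(scan_network_logs, logs)
        rep, verdict, user = (f.result() for f in futures)
        log_iocs = net.result()
    actions = []
    if rep or verdict == "ransomware" or log_iocs:  # Step 5: contain and recover
        actions.append("notify:stakeholders")
        actions.append(f"quarantine:{alert.host}")
        actions += [f"blocklist:{i}" for i in sorted({alert.url, alert.file_hash})]
    return {"reputation": rep, "verdict": verdict, "log_iocs": log_iocs, "user": user}, actions
```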