
Commit 0bd3ca5

Ubuntuclaude
authored and committed
intel: update incident-response skills from social intelligence 2026-03-18
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 76b62ba commit 0bd3ca5

3 files changed

Lines changed: 67 additions & 24 deletions


skills/compliance/hipaa-review/SKILL.md

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ phase: [assess, operate]
1313
frameworks: [HIPAA-Security-Rule, 45-CFR-164-Subpart-C]
1414
difficulty: intermediate
1515
time_estimate: "60-120min"
16-
version: "1.0.0"
16+
version: "1.0.1"
1717
author: unitoneai
1818
license: MIT
1919
allowed-tools: Read, Grep, Glob
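Review bot: the bump to `version: "1.0.1"` is a patch-level increment for a change that adds new substantive guidance to this file (three new checklist items and three new references); under semantic versioning an additive content change is a minor bump (`1.1.0`). The same applies to the version bumps in the other two skills in this commit.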
@@ -147,6 +147,7 @@ Hybrid Entity: [Yes/No] — If yes, document healthcare component designation
147147
- Not updated after significant changes (new systems, incidents, organizational changes)
148148
- Treats risk analysis as one-time rather than ongoing process
149149
- **This is the #1 most cited HIPAA violation in OCR enforcement actions**
150+
- Risk analysis does not account for nation-state threat actors deploying destructive/wiper malware against ePHI custodians. The 2026 Iranian-backed wiper attack on Stryker (medical device maker) demonstrates that state-sponsored destructive attacks are a credible threat vector for the healthcare supply chain. Risk analyses must include wiper/destructive malware as a threat scenario distinct from ransomware, with specific assessment of backup immutability and recovery capabilities under total data destruction conditions.
150151

151152
**164.308(a)(1)(ii)(B) — Risk Management (R)**
152153
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
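Review bot: the new bullet states the 2026 Stryker incident as an established Iranian-backed wiper attack, but the only source added for it (the KrebsOnSecurity entry at the end of this file) is headlined as a claim made by the attackers; hedge the wording ("the wiper attack on Stryker claimed by Iran-backed actors") or cite a confirming source. The bullet also mixes a deficiency ("does not account for...") with prescriptive guidance ("must include..."), whereas the neighbouring items are one-line deficiencies; move the prescription ("include wiper/destructive malware as a scenario distinct from ransomware, assess backup immutability and recovery under total loss") under the Risk Management specification that follows.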
@@ -196,6 +197,7 @@ Hybrid Entity: [Yes/No] — If yes, document healthcare component designation
196197

197198
**164.308(a)(5)(ii)(B) — Protection from Malicious Software (A)**
198199
- Procedures for guarding against, detecting, and reporting malicious software
200+
- Must now address destructive/wiper malware as a distinct threat category. Nation-state actors (Iranian, Russian, North Korean groups) are actively targeting healthcare and medtech organizations with wiper malware designed to destroy ePHI rather than encrypt it. Training should cover the distinction between ransomware (data encrypted, recovery possible via decryptor) and wiper malware (data destroyed, recovery only from immutable backups).
199201

200202
**164.308(a)(5)(ii)(C) — Log-in Monitoring (A)**
201203
- Procedures for monitoring log-in attempts and reporting discrepancies
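Review bot: "Must now address" reads as a regulatory requirement, but 164.308(a)(5)(ii)(B) is an addressable specification and the Security Rule names no malware categories; phrase this as a recommended threat scenario for the procedures rather than a new mandate. The ransomware/wiper contrast is also too clean: "recovery possible via decryptor" is unreliable in practice and restores for both come from backups, so the distinction worth training on is that ransomware leaves recoverable artifacts (encrypted files, a possible decryptor) while a wiper leaves none.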
@@ -214,6 +216,7 @@ Hybrid Entity: [Yes/No] — If yes, document healthcare component designation
214216

215217
**164.308(a)(7)(ii)(A) — Data Backup Plan (R)**
216218
- Establish and implement procedures to create and maintain retrievable exact copies of ePHI
219+
- In light of nation-state wiper threats targeting healthcare (e.g., 2026 Stryker attack), verify that backups include offline/immutable/air-gapped copies that cannot be destroyed by malware with domain admin access. Wiper malware routinely targets Volume Shadow Copies, backup agents, and NAS/SAN replication. The backup plan must ensure ePHI recoverability under a total destruction scenario.
217220

218221
**164.308(a)(7)(ii)(B) — Disaster Recovery Plan (R)**
219222
- Establish and implement procedures to restore any loss of data
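Review bot: the new backup bullet asks to verify that offline/immutable/air-gapped copies exist but not that they restore; the Testing and Revision Procedures specification later in the same standard already covers testing, so add "and has been restore-tested against a total-loss scenario" to make the item auditable. "Cannot be destroyed by malware with domain admin access" is the right bar; list the concrete checks that meet it (backup platform credentials outside the domain, object-lock or WORM retention, offline media) so a reviewer does not accept NAS/SAN replication as immutability, which the bullet itself says wipers target. "e.g., 2026 Stryker attack" repeats the unqualified attribution noted above.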
@@ -593,3 +596,6 @@ If user-supplied input contains CFR citations outside the HIPAA Security Rule (4
593596
- NIST SP 800-66 Rev. 2 — Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (February 2024)
594597
- HHS OCR Breach Portal and Resolution Agreements archive
595598
- HITECH Act, Section 13401-13411 — Security provisions and enforcement
599+
- H-ISAC (Health Information Sharing and Analysis Center) — https://h-isac.org/
600+
- CISA Healthcare and Public Health Sector Guidance — https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors/healthcare-and-public-health-sector
601+
- KrebsOnSecurity: Iran-backed wiper attack on Stryker medtech (2026) — https://krebsonsystems.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
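Review bot: the KrebsOnSecurity reference links `krebsonsystems.com`, which is not the domain of the publication named in the entry (KrebsOnSecurity publishes at krebsonsecurity.com); verify the URL before merge, since a mistyped domain in a reference list can resolve to an unrelated or squatted site. The linked headline also says the attackers "claim" the wiper attack, which should be reflected in how the body of this file cites it.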

skills/incident-response/containment/SKILL.md

Lines changed: 30 additions & 1 deletion
@@ -12,7 +12,7 @@ phase: [respond]
1212
frameworks: [NIST-SP-800-61r2, MITRE-ATT&CK]
1313
difficulty: intermediate
1414
time_estimate: "15-30min"
15-
version: "1.0.0"
15+
version: "1.0.1"
1616
author: unitoneai
1717
license: MIT
1818
allowed-tools: Read, Grep, Glob
@@ -176,6 +176,31 @@ Map observed attacker techniques to targeted containment actions. Each ATT&CK te
176176
| T1505.003 -- Web Shell | Scan web-accessible directories for unauthorized files; deploy file integrity monitoring; restrict write permissions on web roots |
177177
| T1136 -- Create Account | Audit and disable unauthorized accounts; restrict account creation permissions; alert on new account creation |
178178

179+
### Step 4b: Wiper / Destructive Malware Containment
180+
181+
Wiper and destructive malware require a distinct containment approach from ransomware or standard malware. The goal shifts from "stop encryption and preserve data" to "stop destruction and protect remaining systems," since wiped data is irrecoverable.
182+
183+
**Containment priorities (in order):**
184+
185+
1. **Immediate network segmentation** -- Disconnect affected segments at the switch/router level. Wiper propagation via SMB (T1021.002), WMI (T1047), or Group Policy (T1484.001) must be severed before forensic triage.
186+
2. **Preemptive shutdown of unaffected systems** -- If the wiper propagation vector is unknown, power off systems that have not yet been hit. A wiper that has not triggered yet is stopped by a cold shutdown. This is the opposite of ransomware guidance (where you keep systems on for memory forensics).
187+
3. **Protect backup infrastructure** -- Verify offline/immutable/air-gapped backups are intact. Disconnect backup agents and NAS/SAN replication from the network. Wipers frequently target backup systems (Volume Shadow Copies, vCenter, backup catalogs).
188+
4. **Block propagation protocols** -- Emergency firewall rules to block SMB (445), WMI (135/5985/5986), RDP (3389), and PsExec/admin shares between all endpoints. Allow only from designated jump servers.
189+
5. **Disable compromised service accounts** -- Wiper deployment often uses compromised domain admin or service accounts. Disable all accounts showing anomalous activity; reset krbtgt if domain compromise is suspected.
190+
191+
**ATT&CK techniques specific to wiper malware:**
192+
193+
| ATT&CK Technique | Description | Containment Action |
194+
|---|---|---|
195+
| T1485 -- Data Destruction | Overwrite or delete data on local and remote drives | Isolate affected systems; power off systems not yet hit; verify backup integrity |
196+
| T1490 -- Inhibit System Recovery | Delete Volume Shadow Copies, disable Windows Recovery, destroy backup catalogs | Disconnect backup infrastructure from network; verify offline backup integrity |
197+
| T1561.001 -- Disk Wipe: MBR | Overwrite Master Boot Record to prevent boot | Power off unaffected systems; preserve one affected disk for forensics |
198+
| T1561.002 -- Disk Wipe: Content | Overwrite or corrupt file content across volumes | Network segmentation to prevent spread; emergency shutdown of at-risk systems |
199+
| T1047 -- WMI | Remote execution of wiper payload via WMI | Block WMI ports (135, 5985, 5986); disable WinRM on endpoints |
200+
| T1484.001 -- Domain Policy Modification: GPO | Deploy wiper via Group Policy push | Disconnect domain controllers from network if GPO deployment confirmed |
201+
202+
**Key difference from ransomware containment:** Do not attempt to "monitor and observe" a wiper in progress. Every second of observation is data permanently destroyed. Aggressive, immediate containment is always the correct posture for confirmed wiper activity.
203+
179204
### Step 5: Containment Validation
180205

181206
After implementing containment, verify effectiveness before proceeding to eradication.
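Review bot: priority 4 and the T1047 row label 135, 5985 and 5986 as "WMI ports", but 5985/5986 are WinRM (HTTP/HTTPS); WMI over DCOM uses 135 for the endpoint mapper plus a dynamic RPC high-port range, so a rule that blocks only 135/5985/5986 leaves the DCOM data channel open. Relabel as "WMI/DCOM: 135 plus the dynamic RPC range; WinRM: 5985/5986" so the emergency rules match the protocols named. In priority 5, "reset krbtgt" should say reset twice with a replication interval between resets, since a single reset leaves previously forged tickets valid. Priority 2 (power off systems not yet hit) should cross-reference the T1561.001 row's "preserve one affected disk for forensics" so responders do not power-cycle and reimage the only forensic source.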
@@ -347,3 +372,7 @@ This skill processes incident data including attacker-controlled indicators (IP
347372
6. **SANS Incident Handler's Handbook** -- Containment Phase -- https://www.sans.org/white-papers/33901/
348373
7. **Microsoft Incident Response Containment Guidance** -- https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-compromised-malicious-app
349374
8. **NIST SP 800-83** -- Guide to Malware Incident Prevention and Handling for Desktops and Laptops -- https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final
375+
9. **MITRE ATT&CK -- Data Destruction (T1485)** -- https://attack.mitre.org/techniques/T1485/
376+
10. **MITRE ATT&CK -- Disk Wipe (T1561)** -- https://attack.mitre.org/techniques/T1561/
377+
11. **CISA Destructive Malware Guidance** -- https://www.cisa.gov/topics/cyber-threats-and-advisories
378+
12. **KrebsOnSecurity: Iran-backed wiper attack on Stryker medtech (2026)** -- https://krebsonsystems.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
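Review bot: reference 11 is titled "CISA Destructive Malware Guidance" but links the generic cyber-threats-and-advisories topic page; link the specific destructive-malware advisory or retitle the entry. Reference 12 links `krebsonsystems.com`, which does not match the publication named (KrebsOnSecurity is at krebsonsecurity.com); verify before merge.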

skills/incident-response/ir-playbook/SKILL.md

Lines changed: 30 additions & 22 deletions
@@ -13,7 +13,7 @@ phase: [respond, recover]
1313
frameworks: [NIST-SP-800-61r2, SANS-IH]
1414
difficulty: intermediate
1515
time_estimate: "30-60min"
16-
version: "1.0.0"
16+
version: "1.0.1"
1717
author: unitoneai
1818
license: MIT
1919
allowed-tools: Read, Grep, Glob
@@ -120,6 +120,7 @@ Classify the incident using the NIST SP 800-61 taxonomy:
120120
|-------------------|-------------|----------|
121121
| **Unauthorized Access** | Unauthorized logical access to systems, networks, or data | Compromised credentials, brute force success, privilege escalation |
122122
| **Malware** | Malicious code execution on organization systems | Ransomware, trojan, worm, cryptominer, rootkit |
123+
| **Destructive / Wiper** | Malware designed to destroy data or render systems inoperable, with no recovery mechanism (unlike ransomware) | Wiper malware, MBR overwrite, firmware destruction, partition table corruption |
123124
| **Data Exfiltration** | Unauthorized transfer of data outside the organization | Database dump to external host, email forwarding rule, cloud storage sync |
124125
| **Denial of Service** | Disruption of service availability | DDoS, application-layer flood, resource exhaustion |
125126
| **Insider Threat** | Malicious or negligent actions by authorized users | Data theft by employee, accidental exposure, policy violation |
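Review bot: the new "Destructive / Wiper" row overlaps the "Malware" row directly above it (a wiper that overwrites the MBR is still malicious code execution), and the section is introduced as the NIST SP 800-61 taxonomy, which has no such category; mark the row as a local extension and add a precedence rule ("classify as Destructive / Wiper when the primary impact is irrecoverable data or system loss") so two analysts do not classify the same incident differently.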
@@ -229,6 +230,28 @@ START: Is the attack actively ongoing?
229230
- Rebuild from known-good baseline
230231
```
231232

233+
#### Step 3.1b: Wiper / Destructive Malware Response Track
234+
235+
Wiper malware destroys data irrecoverably (unlike ransomware which preserves encrypted data for ransom). This demands a fundamentally different response posture.
236+
237+
**Immediate actions (first 30 minutes):**
238+
239+
1. **Isolate aggressively** -- Disconnect affected segments at switch/firewall level. Wipers propagate via SMB, WMI, or GPO. Do not wait for forensic imaging.
240+
2. **Preemptively shut down unaffected systems** if propagation vector is unknown. A wiper that has not triggered is stopped by cold shutdown.
241+
3. **Verify backup integrity** -- Wipers target Volume Shadow Copies, backup agents, and NAS/SAN. Confirm offline/immutable backups exist before recovery planning.
242+
4. **Preserve one affected system** (powered off, disk intact) for forensics and attribution.
243+
244+
**Key differences from ransomware:**
245+
246+
| Factor | Ransomware | Wiper / Destructive |
247+
|--------|-----------|---------------------|
248+
| **Recovery** | Via decryption key | Only from immutable backups |
249+
| **Motivation** | Financial | Disruption, sabotage, geopolitical |
250+
| **Containment urgency** | High | Critical -- every second is permanent data loss |
251+
| **Attribution** | Lower priority (criminal) | Higher priority (often nation-state; FBI/CISA/ISAC engagement) |
252+
253+
**Nation-state context:** State-sponsored actors (Iranian, Russian, North Korean) increasingly deploy wipers against healthcare and defense supply chains. The 2026 Stryker medtech wiper attack demonstrates ePHI custodians are active targets. IR teams must account for pre-positioned backdoors beyond the wiper payload, potential prior data exfiltration, and the need for FBI/CISA/H-ISAC notification.
254+
232255
#### Step 3.2: Eradication
233256

234257
After containment, remove the threat from the environment:
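Review bot: the "Recovery" row gives ransomware recovery as "via decryption key", which implies the key is a recovery plan; recovery for both classes is from backups, with a decryptor at best a secondary option, so phrase it as "backups, or decryptor if obtained". Immediate action 3 says "verify backup integrity" but, unlike Step 4b in the containment skill in this same commit, never says to disconnect backup agents and NAS/SAN replication, which is the step that actually protects the backups while the wiper is live; align the two lists so the playbook and the containment skill give the same order. The nation-state paragraph restates the unhedged Stryker attribution flagged in the other files; the cited source describes it as a claim.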
@@ -315,6 +338,7 @@ Escalate to the next tier when any of the following conditions are met:
315338
|---------|------------|-----------|
316339
| Confirmed data exfiltration involving PII/PHI | Legal counsel, Privacy Officer, Executive leadership | Immediately |
317340
| Ransomware with encryption of production systems | Executive leadership, External IR, Cyber insurance carrier, Law enforcement (FBI IC3) | Within 1 hour |
341+
| Wiper/destructive malware with active data destruction | Executive leadership, External IR, Cyber insurance, FBI IC3, CISA, Sector ISAC (e.g., H-ISAC for healthcare) | Immediately |
318342
| Active attacker with domain admin / root access | External IR firm, Executive leadership | Within 1 hour |
319343
| Incident duration exceeds 4 hours without containment | IR lead escalates to management for resource allocation | At 4-hour mark |
320344
| Evidence of supply chain compromise affecting customers | Legal, Customer communications, Executive leadership | Within 2 hours |
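Review bot: the new escalation row duplicates most of the ransomware row above it and uses "Cyber insurance" where that row says "Cyber insurance carrier"; harmonise the wording, and consider folding the two into one "Ransomware or destructive malware on production systems" row with the stricter "Immediately" timing, since the distinction between the two is often unknown at escalation time.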
@@ -406,30 +430,11 @@ and recommended immediate actions. Lead with the most critical fact.]
406430

407431
### NIST SP 800-61 Rev 2 -- Computer Security Incident Handling Guide
408432

409-
Published by the National Institute of Standards and Technology, SP 800-61 Revision 2 (August 2012) provides a structured approach to computer security incident handling. It defines a four-phase incident response lifecycle:
410-
411-
1. **Preparation** -- Establishing the IR capability: policies, procedures, team structure, tools, training, and communication plans. This phase emphasizes that effective response depends on advance preparation, including regular exercises and pre-established relationships with law enforcement and external responders.
412-
413-
2. **Detection and Analysis** -- Identifying and validating incidents through monitoring, alerting, and analysis. NIST defines incident categories, severity determination criteria (functional impact, information impact, recoverability), and emphasizes the importance of accurate incident documentation from the point of detection.
414-
415-
3. **Containment, Eradication, and Recovery** -- Limiting the damage (containment), removing the threat (eradication), and restoring normal operations (recovery). NIST treats these as a single phase because they are iterative -- responders may cycle between containment and analysis as new information emerges.
416-
417-
4. **Post-Incident Activity** -- Learning from the incident through structured review, identifying improvements to prevention and detection capabilities, and retaining evidence per organizational policy and legal requirements.
418-
419-
Key principles: incident response is iterative (phases may repeat), documentation must be continuous from detection through closure, and coordination with external parties (law enforcement, CERT, sector ISACs) should follow pre-established protocols.
433+
NIST SP 800-61 Rev 2 (August 2012) defines a four-phase IR lifecycle: (1) Preparation, (2) Detection and Analysis, (3) Containment/Eradication/Recovery (iterative), and (4) Post-Incident Activity. Key principles: response is iterative, documentation is continuous from detection through closure, and coordination with external parties (law enforcement, CERT, sector ISACs) follows pre-established protocols.
420434

421435
### SANS Incident Handler's Handbook
422436

423-
The SANS Institute's Incident Handler's Handbook provides a practitioner-focused six-step process:
424-
425-
1. **Preparation** -- Building the IR team, defining policies, acquiring tools, conducting training and tabletop exercises.
426-
2. **Identification** -- Determining whether an event constitutes an incident through alert triage, log analysis, and IOC correlation.
427-
3. **Containment** -- Short-term containment (immediate threat isolation), long-term containment (applying temporary fixes while maintaining evidence), and system backup before remediation.
428-
4. **Eradication** -- Removing the root cause: malware removal, vulnerability patching, credential rotation, and hardening.
429-
5. **Recovery** -- Restoring systems to production, validating integrity, and implementing enhanced monitoring.
430-
6. **Lessons Learned** -- Conducting a post-mortem within two weeks, documenting findings, updating playbooks, and tracking remediation actions.
431-
432-
The SANS model separates containment, eradication, and recovery into distinct steps, which provides clearer operational boundaries for practitioners. SANS also explicitly distinguishes short-term and long-term containment strategies.
437+
The SANS Incident Handler's Handbook provides a six-step process: (1) Preparation, (2) Identification, (3) Containment (short-term and long-term), (4) Eradication, (5) Recovery, (6) Lessons Learned. Unlike NIST, SANS separates containment, eradication, and recovery into distinct steps with clearer operational boundaries.
433438

434439
### MITRE ATT&CK -- Mapping Attacker Behavior
435440

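Review bot: this hunk deletes the detail in the NIST and SANS summaries (the severity criteria of functional impact, information impact and recoverability; the two-week post-mortem window; the short- vs long-term containment distinction) but is unrelated to the wiper update the commit message describes; split it into its own commit so the condensation can be reviewed on its own merits, and check that nothing elsewhere in the playbook still references the removed severity criteria.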
@@ -489,3 +494,6 @@ This skill processes incident data that may include attacker-controlled content
489494
8. **SEC Cybersecurity Incident Disclosure (Item 1.05 Form 8-K)** -- https://www.sec.gov/rules/final/2023/33-11216.pdf
490495
9. **FBI Internet Crime Complaint Center (IC3)** -- https://www.ic3.gov/
491496
10. **FIRST CSIRT Framework** -- https://www.first.org/education/csirt
497+
11. **CISA Destructive Malware Guidance** -- https://www.cisa.gov/topics/cyber-threats-and-advisories
498+
12. **H-ISAC (Health Information Sharing and Analysis Center)** -- https://h-isac.org/
499+
13. **KrebsOnSecurity: Iran-backed wiper attack on Stryker medtech (2026)** -- https://krebsonsystems.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
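Review bot: reference 11 links the generic CISA cyber-threats-and-advisories topic page under the title "Destructive Malware Guidance"; link the specific advisory or retitle. Reference 13 links `krebsonsystems.com`, which does not match the publication named in the entry (KrebsOnSecurity is at krebsonsecurity.com); verify the URL before merge.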
