Besides the small introduction, subscribers and consulting clients within this management domain have access to:
Use this step-by-step guide to assess your ransomware readiness and implement controls that will improve your ability to prevent incursions and defend against attacks.
Use this assessment tool to assess existing protection, detection, response, and recovery capabilities and identify potential improvements.
Use this threat preparedness workbook to evaluate the threats and tactics in the ransomware kill chain using the MITRE ATT&CK framework and devise appropriate countermeasures.
Adapt this tabletop planning session template to plan and practice the response of your internal IT team to a ransomware scenario.
Adapt these workflow and runbook templates to coordinate the actions of different stakeholders through each stage of the ransomware incident response process.
Adapt this tabletop planning session template to plan leadership contributions to the ransomware response workflow. This second tabletop planning session will focus on communication strategy, business continuity plan, and deciding whether the organization should pay a ransom.
Summarize your current state and present a prioritized project roadmap to improve ransomware resilience over time.
Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Set workshop goals, review ransomware trends and risk scenarios, and assess the organization’s resilience to ransomware attacks.
Develop a solid understanding of the likelihood and impact of a ransomware attack on your organization.
Complete a current state assessment of key security controls in a ransomware context.
1.1 Review incidents, challenges, and project drivers.
1.2 Diagram critical systems and dependencies and build risk scenario.
1.3 Assess ransomware resilience.
Workshop goals
Ransomware Risk Scenario
Ransomware Resilience Assessment
Improve your capacity to protect your organization from ransomware and detect attacks along common vectors.
Identify targeted countermeasures that improve protection and detection capabilities.
2.1 Assess ransomware threat preparedness.
2.2 Determine the impact of ransomware techniques on your environment.
2.3 Identify countermeasures to improve protection and detection capabilities.
Targeted ransomware countermeasures to improve protection and detection capabilities.
Improve your organization's capacity to respond to ransomware attacks and recover effectively.
Build response and recovery capabilities that reduce the potential business disruption of successful ransomware attacks.
3.1 Review the workflow and runbook templates.
3.2 Update/define your threat escalation protocol.
3.3 Define scenarios for a range of incidents.
3.4 Run a tabletop planning exercise (IT).
3.5 Update your ransomware response runbook.
Security Incident Response Plan Assessment.
Tabletop Planning Session (IT)
Ransomware Workflow and Runbook.
Identify prioritized initiatives to improve ransomware resilience.
Identify the role of leadership in ransomware response and recovery.
Communicate workshop outcomes and recommend initiatives to improve ransomware resilience.
4.1 Run a tabletop planning exercise (Leadership).
4.2 Identify initiatives to close gaps and improve resilience.
4.3 Review broader strategies to improve your overall security program.
4.4 Prioritize initiatives based on factors such as effort, cost, and risk.
4.5 Review the dashboard to fine tune your roadmap.
4.6 Summarize status and next steps in an executive presentation.
Tabletop Planning Session (Leadership)
Ransomware Resilience Roadmap and Metrics
Ransomware Workflow and Runbook
Ransomware is a high-profile threat that demands immediate attention:
Ransomware is more complex than other security threats:
To prevent a ransomware attack:
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recover quickly.
As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, and their attacks have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.
Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.
Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group
Three factors contribute to the threat:
Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.
A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.
Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.
Sophos commissioned a vendor-agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.
The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.
66% hit by ransomware in 2021 (up from 37% in 2020)
90% said the ransomware attack affected their ability to operate
$812,360 USD average ransom payment
$4.54M average remediation cost (not including ransom)
One month average recovery time
Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.
Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as the reason they did not anticipate an attack.
While these elements can help recover from an attack, they don't prevent it in the first place.
Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)
At each point of the playbook, malicious agents need to achieve something before they can move to the next step.
Resilient organizations look for opportunities to:
| Initial access / Execution | Privilege escalation / Credential access | Lateral movement / Collection | Data exfiltration | Data encryption |
|---|---|---|---|---|
| Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network and collect data. Infect as many critical systems and backups as possible to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Ransomware groups thrive through extortion tactics.
Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:
Source: IBM, Cost of a Data Breach (2022)
An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.
Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.
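Two of the detection opportunities in the attack workflow above, worked as an added example (this code is not part of the Info-Tech blueprint or its tools): a brute-force check on authentication events for the "target an admin account" step, and a mass-rename check on file events for the "encrypt data" step. The log line formats, the account and host names, and the thresholds are constructed assumptions; the sample telemetry is built inline so the script runs offline.

```python
"""Detection checks for two stages of the ransomware attack workflow.

Added example, not part of the Info-Tech blueprint. Log line formats,
account/host names and thresholds are constructed for illustration and
must be tuned to your own telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values.
LOGIN_WINDOW = timedelta(minutes=10)
LOGIN_FAIL_THRESHOLD = 8            # failed logins per (account, source) in LOGIN_WINDOW
RENAME_WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 50               # renamed files per (host, process) in RENAME_WINDOW
ADMIN_ACCOUNTS = {"da-jsmith", "svc_backup"}   # constructed privileged account names


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detect_credential_attack(auth_lines, threshold=LOGIN_FAIL_THRESHOLD, window=LOGIN_WINDOW):
    """SPREAD stage: brute force against accounts.

    Each line is 'timestamp user result source_ip' (constructed format), in time order.
    Emits a 'brute_force' alert when an (account, source) pair reaches `threshold`
    failures inside `window`, and a 'compromise_likely' alert if the same pair then
    logs in successfully: the attacker probably guessed the password.
    """
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts, raised = [], set()
    for line in auth_lines:
        stamp, user, result, src = line.split()
        now, key = _ts(stamp), (user, src)
        recent = failures[key]
        while recent and now - recent[0] > window:      # drop failures outside the window
            recent.popleft()
        kind = None
        if result == "FAIL":
            recent.append(now)
            if len(recent) >= threshold:
                kind = "brute_force"
        elif result == "OK" and len(recent) >= threshold:
            kind = "compromise_likely"
        if kind and (kind, key) not in raised:           # alert once per kind and pair
            raised.add((kind, key))
            role = "admin" if user in ADMIN_ACCOUNTS else "user"
            alerts.append((kind, user, src, role))
    return alerts


def detect_mass_encryption(file_lines, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """PROFIT stage: bulk encryption shows up as one process renaming many files fast.

    Each line is 'timestamp host process action path' (constructed format), in time order.
    Emits a 'mass_rename' alert the first time a (host, process) pair renames
    `threshold` files inside `window`.
    """
    renames = defaultdict(deque)
    alerts, raised = [], set()
    for line in file_lines:
        stamp, host, proc, action, _path = line.split(maxsplit=4)
        if action != "RENAME":
            continue
        now, key = _ts(stamp), (host, proc)
        recent = renames[key]
        recent.append(now)
        while recent and now - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and key not in raised:
            raised.add(key)
            alerts.append(("mass_rename", host, proc, len(recent)))
    return alerts


def _stamp(base, seconds):
    return (base + timedelta(seconds=seconds)).isoformat(timespec="seconds")


# Constructed sample telemetry: nine failures then a success against a domain
# admin account from one source, plus one ordinary mistyped password.
_AUTH_BASE = datetime(2022, 3, 1, 2, 0, 0)
SAMPLE_AUTH = [f"{_stamp(_AUTH_BASE, 30 * i)} da-jsmith FAIL 10.0.0.55" for i in range(9)]
SAMPLE_AUTH += [
    f"{_stamp(_AUTH_BASE, 300)} da-jsmith OK 10.0.0.55",
    "2022-03-01T08:15:02 mlee FAIL 10.0.4.12",
    "2022-03-01T08:15:20 mlee OK 10.0.4.12",
]

# Constructed file events: an unknown process renames 60 documents in a minute
# on WS-0042; a user renames three files by hand on WS-0017.
_FILE_BASE = datetime(2022, 3, 1, 2, 6, 0)
SAMPLE_FILES = [
    f"{_stamp(_FILE_BASE, i)} WS-0042 update.exe RENAME C:\\Users\\jsmith\\Documents\\report_{i}.docx.locked"
    for i in range(60)
] + [
    f"{_stamp(_FILE_BASE, 600 + 20 * i)} WS-0017 explorer.exe RENAME C:\\Users\\mlee\\Desktop\\draft_{i}.docx"
    for i in range(3)
]

if __name__ == "__main__":
    for alert in detect_credential_attack(SAMPLE_AUTH) + detect_mass_encryption(SAMPLE_FILES):
        print(alert)
```

Both checks use a sliding time window so that a slow, spread-out attack does not accumulate into a false alert, and both raise once per offender rather than on every subsequent event. The admin/user tag on the credential alert is what lets the escalation protocol in Phase 3 route a hit on a privileged account to a higher severity than the same number of failures against an ordinary user.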
Ransomware dwell times are dropping and encryption rates are rising dramatically.
Hackers spend less time in your network before they attack, and their attacks are much more effective.
Avg dwell time: 3-5 days
Avg encryption rate: 70 GB/h
Avg detection time: 11 days
Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.
Effective time is the time a strain needs to encrypt a given volume of data once deployed; it depends on the encryption rate, which varies by ransomware family. LockBit has the fastest encryption rate, clocking in at 628 GB/h.
It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.
References: BleepingComputer (2022), VentureBeat, Dark Reading, ZDNet.
This blueprint will focus on improving your ransomware resilience to:
| Response | Recovery |
|---|---|
| | For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery. |
Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.
Put controls in place to harden your environment, train savvy end users, and prevent incursions.
Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.
Protect | Detect | Respond | Recover
Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.
Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.
Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.
Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.
Review the user access management program, policies and procedures to ensure they are ransomware-ready.
Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.
| | Assess resilience | Protect and detect | Respond and recover | Improve resilience |
|---|---|---|---|---|
| Phase steps | | | | |
| Phase outcomes | | | | |
Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.
Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly.
Build risk scenarios that describe how a ransomware attack would impact organizational goals.
Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.
Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.
The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.
The anatomy of ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.
The resilience roadmap captures the key insights your work will generate, including:
Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.
Ransomware Resilience Assessment
Measure ransomware resilience, identify gaps, and draft initiatives.
Enterprise Threat Preparedness Workbook
Analyze common ransomware techniques and develop countermeasures.
Ransomware Response Workflow & Runbook
Capture key process steps for ransomware response and recovery.
Run tabletops for your IT team and your leadership team to gather lessons learned.
Capture project insights and measure resilience over time.
Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.
Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.
After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.
Source: IBM, Cost of a Data Breach (2022)
See what members have to say about the ransomware resilience blueprint:
"Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."
CIO, Global Manufacturing Organization
IT benefits | Business benefits
"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."
"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."
"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."
"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."
SOURCE: Interview with CIO of large enterprise
Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.
In February 2020, a large organization found a ransom note on an admin's workstation. The admin had downloaded a local copy of the organization's identity management database for testing and left a port open on the workstation. Hackers exfiltrated the database and encrypted the data on the workstation, then demanded a ransom payment to decrypt it.
Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.
The organization decided not to pay the ransom because it had a copy on an unaffected server.
The organization was praised for its timely and transparent response.
The breach motivated the organization to put more protections in place, including:
SOURCE: Info-Tech Workshop Results
Industry: Government
Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning
The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they did not have a documented ransomware incident response plan.
Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identifying key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve organizational awareness of ransomware risks and improve buy-in for investment in the security program.
Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identify ways to improve the backup strategy and bridge further gaps in their ability to recover.
The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.
| Scoping Call | Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|---|
| Call #1: Discuss context, identify challenges, and scope project requirements. Identify ransomware resilience metrics. | Call #2: Build ransomware risk scenario. Call #3: Assess ransomware resilience. | Call #4: Review common ransomware attack vectors. Identify and assess mitigation controls. | Call #5: Document ransomware workflow and runbook. Call #6: Run tabletop test with IT. | Call #7: Run tabletop test with leadership. Call #8: Build ransomware roadmap. Measure ransomware resilience metrics. |
A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
A typical GI is 6 to 8 calls over the course of 4 to 6 months.
Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889
| | Day 1 | Day 2 | Day 3 | Day 4 | Day 5 |
|---|---|---|---|---|---|
| Activities | Assess ransomware resilience | Protect and detect | Respond and recover | Improve ransomware resilience | Wrap-up (offsite and offline) |
| | 1.1.1 Review incidents, challenges, and project drivers. 1.1.2 Diagram critical systems and dependencies. 1.1.3 Build ransomware risk scenario. | 2.1.1 Assess ransomware threat preparedness. 2.1.2 Determine the impact of ransomware techniques on your environment. 2.2.1 Identify countermeasures to improve protection and detection capabilities. | 3.1.1 Review the workflow and runbook templates. 3.1.2 Update/define your threat escalation protocol. 3.2.1 Define scenarios for a range of incidents. 3.2.2 Run a tabletop planning exercise (IT). 3.3.1 Update your ransomware response workflow. | 4.1.1 Run a tabletop planning exercise (leadership). 4.1.2 Identify initiatives to close gaps and improve resilience. 4.1.3 Review broader strategies to improve your overall security program. 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk. 4.2.2 Review the dashboard to fine tune your roadmap. 4.3.1 Summarize status and next steps in an executive presentation. | 5.1 Complete in-progress deliverables from previous four days. 5.2 Set up review time for workshop deliverables and to discuss next steps. 5.3 Revisit ransomware resilience metrics in three months. |
| Deliverables | | | | | |
| Phase 1 | Phase 2 | Phase 3 | Phase 4 |
|---|---|---|---|
| 1.1 Build ransomware risk scenario. 1.2 Conduct resilience assessment. | 2.1 Assess attack vectors. 2.2 Identify countermeasures. | 3.1 Review Security Incident Management Plan. 3.2 Run Tabletop Test (IT). 3.3 Document Workflow and Runbook. | 4.1 Run Tabletop Test (Leadership). 4.2 Prioritize resilience initiatives. 4.3 Measure resilience metrics. |
This phase will walk you through the following activities:
This phase involves the following participants:
1.1.1 Review incidents, challenges and project drivers
1.1.2 Diagram critical systems and dependencies
1.1.3 Build ransomware risk scenario
This step will guide you through the following activities:
This step involves the following participants:
Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.
Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.
Focus on a few key critical systems.
Start with a WAN diagram, then your production data center, and then each critical system. Use the next three slides as your guide.
When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:
For now, make a note of these gaps and continue with the next step.
Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.
Risk identification → Risk scenario → Risk statement
The slides walk through how to build a ransomware risk scenario
| Threat actor | Asset | Method | Effect |
|---|---|---|---|
| An actor capable of harming an asset | Anything of value that can be affected and results in loss | Technique an actor uses to affect an asset | How loss materializes |
| Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors | Examples: Systems, regulated data, intellectual property, people | Examples: Credential compromise, privilege escalation, data exfiltration | Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety |
Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.
Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.
In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.
The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.
As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.
Consider the impact on:
Inputs for risk scenario identification
| Risk analysis | |
|---|---|
| Critical assets | ERP, CRM, FMS, LMS; operational technology; sensitive or regulated data |
| Threat agents | Cybercriminals |
| Methods | Compromise end-user devices through social engineering attacks. Compromise networks through external exposures and software vulnerabilities. Identify and crack an administrative account. Escalate privileges. Move laterally. Collect data, destroy backups, exfiltrate data for leverage, and encrypt systems. Threaten to publish exfiltrated data and demand ransom. |
| Adverse effect | Serious business disruption; financial damage; reputational damage; potential litigation. Average downtime: 30 days. Average clean-up costs: USD 1.4M. |
Likelihood: Medium
Impact: High
Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.
They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.
Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.
Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.
Threat actor: cybercriminals
Assets: the network, backups, data, and computer systems
Effect: disruption of computer systems, loss of data confidentiality and availability
Methods: penetrate the network, compromise backups, exfiltrate and encrypt data, demand a ransom
1.2.1 Complete resilience assessment
1.2.2 Establish resilience metrics
The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.
CMMI Maturity Level – Default Descriptions | CMMI Maturity Level – Modified for This Assessment
(Source: CMMI Institute, CMMI Levels of Capability and Performance)
Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.
Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.
Download the Ransomware Resilience Assessment
Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.
Measure them at the start of the project to establish a baseline, and again as the project nears completion to measure progress.
| Attack workflow | Process | Metric | Target trend | Current | Goal |
|---|---|---|---|---|---|
| GET IN | Vulnerability management | % of critical patches applied | Higher is better | | |
| GET IN | Vulnerability management | # of external exposures | Fewer is better | | |
| GET IN | Security awareness training | % of users tested for phishing | Higher is better | | |
| SPREAD | Identity and access management | Admin accounts per 1,000 users | Lower is better | | |
| SPREAD | Identity and access management | % of users enrolled in MFA | Higher is better | | |
| SPREAD | Security incident management | Average time to detect | Lower is better | | |
| PROFIT | Security incident management | Average time to resolve | Lower is better | | |
| PROFIT | Backup and disaster recovery | % of critical assets with a recovery test | Higher is better | | |
| PROFIT | Backup and disaster recovery | % of backups on immutable storage | Higher is better | | |
This phase will walk you through the following activities:
This phase involves the following participants:
2.1.1 Assess ransomware threat preparedness
2.1.2 Determine the impact of ransomware techniques on your environment
This step involves the following activities:
This step involves the following participants:
Assess risks associated with common ransomware attack vectors.
Download the Enterprise Threat Preparedness Workbook
| Initial access / Execution | Privilege escalation / Credential access | Lateral movement / Collection | Data exfiltration | Data encryption |
|---|---|---|---|---|
| Deliver phishing email designed to avoid spam filter. Launch malware undetected. | Identify user accounts. Target an admin account. Use brute force tactics to crack it. | Move through the network. Collect data. Infect critical systems and backups to limit recovery options. | Exfiltrate data to gain leverage. | Encrypt data, which triggers alert. Deliver ransom note. |
Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.
Download the Enterprise Threat Preparedness Workbook
If you would like to change the set-up, go through the following steps.
The following slides walk you through the process with screenshots from the workbook.
Download the Enterprise Threat Preparedness Workbook
As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.
Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.
The Technique level is faster but provides less specifics for each control and analyzes them as a group.
The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.
Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).
When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.
How an attacker will attempt to achieve their goals through a specific action.
The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.
If an attack of this type is successful on your network, how deep does the damage run?
What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.
We highly recommend that you write comments about your current-state security protocols. First, it documents your thought process for later threat modeling sessions. Second, you can speak to deficits clearly when asked.
You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.
If you have chosen the Sub-Technique level, the tool should resemble this image.
Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise.
2.2.1 Identify countermeasures
Identify countermeasures to common ransomware tactics and techniques to improve protection and detection capabilities.
As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.
For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.
Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.
Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.
Phase 1 | Phase 2 | Phase 3 | Phase 4 |
---|---|---|---|
1.1 Build ransomware risk scenario; 1.2 Conduct resilience assessment | 2.1 Assess attack vectors; 2.2 Identify countermeasures | 3.1 Review Security Incident Management Plan; 3.2 Run Tabletop Test (IT); 3.3 Document Workflow and Runbook | 4.1 Run Tabletop Test (Leadership); 4.2 Prioritize resilience initiatives; 4.3 Measure resilience metrics |
3.1.1 Review the workflow and runbook templates
3.1.2 Update/define your threat escalation protocol
This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as a starting point for the steps in Phase 3, including documenting your threat escalation protocol.
Download the Ransomware Response Workflow Template
Download the Ransomware Response Runbook Template
Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:
Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.
Severity assessment: Define the severity levels based on impact and scope criteria.
Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.
If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.
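As an added illustration (not taken from the blueprint or its templates), the following Python encodes the three definitions above as one decision function: impact and scope criteria feed a severity matrix, and each severity level maps to a notification list that can include external parties. The level thresholds, the matrix and the stakeholder names are constructed placeholders to be replaced with your own protocol's values.

```python
from dataclasses import dataclass

# Levels run 1 (low) to 3 (high). Thresholds and stakeholder lists are constructed
# placeholders for illustration; substitute the values your own protocol defines.
SCOPE_LIMITS = [(1, 1), (10, 2)]  # <=1 affected -> scope 1, <=10 -> 2, otherwise 3
NOTIFY = {
    1: ["on-call security analyst"],
    2: ["on-call security analyst", "IT manager", "system owner"],
    3: ["on-call security analyst", "IT manager", "system owner", "CISO",
        "legal/privacy", "communications"],
}
EXTERNAL_PII = ["privacy regulator", "cyber insurer"]  # external parties, PII cases only


@dataclass(frozen=True)
class Incident:
    system_criticality: int   # 1 = non-critical, 2 = important, 3 = mission critical
    pii_at_risk: bool
    public_notification: bool  # disclosure required by law or contract
    systems_affected: int
    users_affected: int


def impact_level(inc: Incident) -> int:
    """PII exposure or a public-notification duty forces top impact; else criticality."""
    return 3 if (inc.pii_at_risk or inc.public_notification) else inc.system_criticality


def scope_level(inc: Incident) -> int:
    """Scope follows the larger of systems or users affected."""
    affected = max(inc.systems_affected, inc.users_affected)
    return next((lvl for limit, lvl in SCOPE_LIMITS if affected <= limit), 3)


def severity(inc: Incident) -> int:
    """Severity matrix: impact dominates; wide scope raises a mid-impact incident."""
    imp, sc = impact_level(inc), scope_level(inc)
    if imp == 3 or (imp == 2 and sc == 3):
        return 3
    return 2 if (imp == 2 or sc >= 2) else 1


def stakeholders(inc: Incident) -> list[str]:
    """Notification list for the severity, plus external parties when PII is at risk."""
    people = list(NOTIFY[severity(inc)])
    if inc.pii_at_risk:
        people += EXTERNAL_PII
    return people
```

Run `stakeholders(Incident(1, True, False, 1, 200))` to see a low-criticality system with PII exposure escalate to the full internal list plus the external parties.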
3.2.1 Define scenarios for a range of incidents
3.2.2 Run a tabletop planning exercise
As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:
Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.
Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.
Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:
Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).
Download the Ransomware Tabletop Planning Results – Example
3.3.1 Update your ransomware response workflow
3.3.2 Update your ransomware response runbook
Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:
Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:
In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:
This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.
Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.
IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.
For more information, see Build a Zero-Trust Roadmap.
A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.
Download the Ransomware Resilience Assessment
Prioritize initiatives in the Ransomware Resilience Assessment.
Review and update the roadmap dashboard in your Ransomware Resilience Assessment.
4.3.1 Summarize status and next steps in an executive presentation
Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:
Overall key findings and next steps.
Download the Ransomware Readiness Summary Presentation Template
Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.
Revisit metrics as the project nears completion and compare them against your baseline to measure progress.
Attack workflow | Process | Metric | Target trend | Current | Goal |
---|---|---|---|---|---|
GET IN | Vulnerability Management | % critical patches applied | Higher is better | | |
GET IN | Vulnerability Management | # of external exposures | Fewer is better | | |
GET IN | Security Awareness Training | % of users tested for phishing | Higher is better | | |
SPREAD | Identity and Access Management | Admin accounts / 1000 users | Lower is better | | |
SPREAD | Identity and Access Management | % of users enrolled for MFA | Higher is better | | |
SPREAD | Security Incident Management | Avg. time to detect | Lower is better | | |
PROFIT | Security Incident Management | Avg. time to resolve | Lower is better | | |
PROFIT | Backup and Disaster Recovery | % critical assets with recovery test | Higher is better | | |
PROFIT | Backup and Disaster Recovery | % backup to immutable storage | Higher is better | | |
Project overview | Project deliverables |
---|---|
This blueprint helped you create a ransomware incident response plan for your organization, as well as identify ransomware prevention strategies and ransomware prevention best practices. | |
Project phases | |
Phase 1: Assess ransomware resilience; Phase 2: Protect and detect; Phase 3: Respond and recover; Phase 4: Improve ransomware resilience | |
Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.
Jimmy Tom
AVP of Information Technology and Infrastructure
Financial Horizons
Dan Reisig
Vice President of Technology
UV&S
Samuel Sutton
Computer Scientist (Retired)
FBI
Ali Dehghantanha
Canada Research Chair in Cybersecurity and Threat Intelligence,
University of Guelph
Gary Rietz
CIO
Blommer Chocolate Company
Mark Roman
CIO
Simon Fraser University
Derrick Whalen
Director, IT Services
Halifax Port Authority
Stuart Gaslonde
Director of IT & Digital Services
Falmouth-Exeter Plus
Deborah Curtis
CISO
Placer County
Deuce Sapp
VP of IT
ISCO Industries
Trevor Ward
Information Security Assurance Manager
Falmouth-Exeter Plus
Brian Murphy
IT Manager
Placer County
Arturo Montalvo
CISO
Texas General Land Office and Veterans Land Board
Mduduzi Dlamini
IT Systems Manager
Eswatini Railway
Mike Hare
System Administrator
18th Circuit Florida Courts
Linda Barratt
Director of Enterprise Architecture, IT Security, and Data Analytics
Toronto Community Housing Corporation
Josh Lazar
CIO
18th Circuit Florida Courts
Douglas Williamson
Director of IT
Jamaica Civil Aviation Authority
Ira Goldstein
Chief Operating Officer
Herjavec Group
Celine Gravelines
Senior Cybersecurity Analyst
Encryptics
Dan Mathieson
Mayor
City of Stratford
Jacopo Fumagalli
CISO
Omya
Matthew Parker
Program Manager
Utah Transit Authority
Two Additional Anonymous Contributors