Build Resilience Against Ransomware Attacks

Build Ransomware Resilience

Prevent ransomware incursions and defend against ransomware attacks

EXECUTIVE BRIEF

Executive Summary

Your Challenge

Ransomware is a high-profile threat that demands immediate attention:

• Sophisticated ransomware attacks are on the rise and evolving quickly.
• Emerging strains can exfiltrate sensitive data, encrypt systems, and destroy backups in only a few hours, which makes recovery a grueling challenge.
• Executives want reassurance but aren't ready to write a blank check. Improvements must be targeted and justified.

Common Obstacles

Ransomware is more complex than other security threats:

• Malicious agents design progressive, disruptive attacks to pressure organizations to pay a ransom.
• Organizations misunderstand ransomware risk scenarios, which obscures the likelihood and impact of an attack.
• Conventional approaches focus on response and recovery, which do nothing to prevent an attack and are often ineffective against sophisticated attacks.

Info-Tech's Approach

To prevent a ransomware attack:

• Conduct a through assessment of your current state, identify potential gaps, and assess the possible outcomes of an attack.
• Analyze attack vectors and prioritize controls that prevent ransomware attacks, and implement ransomware protection and detection to reduce your attack surface.
• Visualize, plan, and practice your response and recovery to reduce the potential impact of an attack.

Info-Tech Insight

Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges. Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, respond effectively, and recovery quickly.

Analyst Perspective

Ransomware is an opportunity and a challenge.

As I write, the frequency and impact of ransomware attacks continue to increase, with no end in sight. Most organizations will experience ransomware in the next 24 months, some more than once, and business leaders know it. You will never have a better chance to implement best practice security controls as you do now.

The opportunity comes with important challenges. Hackers need to spend less time in discovery before they deploy an attack, which have become much more effective. You can't afford to rely solely on your ability to respond and recover. You need to build a resilient organization that can withstand a ransomware event and recover quickly.

Resilient organizations are not impervious to attack, but they have tools to protect assets, detect incursions, and respond effectively. Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to overcome challenges and work through problems. But eventually you reach the top and look back at how far you've come.

Michel Hébert
Research Director, Security and Privacy
Info-Tech Research Group

Ransomware attacks are on the rise and evolving quickly.

Three factors contribute to the threat:

• The rise of ransomware-as-a-service, which facilitates attacks.
• The rise of crypto-currency, which facilitates anonymous payment.
• State sponsorship of cybercrime.

Elementus maps ransomware payments made through bitcoin. Since 2019, victims made at least $2B in payments.

A handful of criminal organizations, many of whom operate out of cybercrime hotbeds in Russia, are responsible for most of the damage. The numbers capture only the ransom paid, not the clean-up cost and economic fallout over attacks during this period.

Total ransom money collected (2015 – 2021): USD 2,592,889,121

The frequency and impact of ransomware attacks are increasing

Emerging strains can exfiltrate sensitive data, encrypt systems and destroy backups in only a few hours, which makes recovery a grueling challenge.

Sophos commissioned a vendor agnostic study of the real-world experience of 5,600 IT professionals in mid-sized organizations across 31 countries and 15 industries.

The survey was conducted in Jan – Feb 2022 and asked about the experience of respondents over the previous year.

66%
Hit by ransomware in 2021
(up from 37% in 2020)

90%
Ransomware attack affected their ability to operate

$812,360 USD
Average ransom payment

$4.54M
Average remediation cost (not including ransom)

ONE MONTH
Average recovery time

Meanwhile, organizations continue to put their faith in ineffective ransomware defenses.

Of the respondents whose organizations weren't hit by ransomware in 2021 and don't expect to be hit in the future, 72% cited either backups or cyberinsurance as reasons why they anticipated an attack.

While these elements can help recover from an attack, they don't prevent it in the first place.

Source: Sophos, State of Ransomware (2022)
IBM, Cost of A Data Breach (2022)

The 3-step ransomware attack playbook

• Get in
• Spread
• Profit

At each point of the playbook, malicious agents need to achieve something before they can move to the next step.

Resilient organizations look for opportunities to:

• Learn from incursions
• Disrupt the playbook
• Measure effectiveness

Ransomware is more complex than other security threats

Ransomware groups thrive through extortion tactics.

• Traditionally, ransomware attacks focused on encrypting files as an incentive for organizations to pay up.
• As organizations improved backup and recovery strategies, gangs began targeting, encrypting, and destroying back ups.
• Since 2019, gangs have focused on a double-extortion strategy: exfiltrate sensitive or protected data before encrypting systems and threaten to publish them.

Organizations misunderstand ransomware risk scenarios, which obscures the potential impact of an attack.

Ransom is only a small part of the equation. Four process-related activities drive ransomware recovery costs:

• Detection and Response – Activities that enable detection, containment, eradication and recovery.
• Notification – Activities that enable reporting to data subjects, regulators, law enforcement, and third parties.
• Lost Business – Activities that attempt to minimize the loss of customers, business disruption, and revenue.
• Post Breach Response – Redress activities to victims and regulators, and the implementation of additional controls.

Source: IBM, Cost of a Data Breach (2022)

Disrupt the attack each stage of the attack workflow.

An effective response with strong, available backups will reduce the operational impact of an attack, but it won't spare you from its reputational and regulatory impact.

Put controls in place to disrupt each stage of the attack workflow to protect the organization from intrusion, enhance detection, respond quickly, and recover effectively.

Shortening dwell time requires better protection and detection

Ransomware dwell times and average encryption rates are improving dramatically.

Hackers spend less time in your network before they attack, and their attacks are much more effective.

Avg dwell time
3-5 Days

Avg encryption rate
70 GB/h

Avg detection time
11 Days

What is dwell time and why does it matter?

Dwell time is the time between when a malicious agent gains access to your environment and when they are detected. In a ransomware attack, most organizations don't detect malicious agents until they deploy ransomware, encrypt their files, and lock them out until they pay the ransom.

Effective time is a measure of the effectiveness of the encryption algorithm. Encryption rates vary by ransomware family. Lockbit has the fastest encryption rate, clocking in at 628 GB/h.

Dwell times are dropping, and encryption rates are increasing.

It's more critical than ever to build ransomware resilience. Most organizations do not detect ransomware incursions in time to prevent serious business disruption.

References: Bleeping Computers (2022), VentureBeat, Dark Reading, ZDNet.

Resilience depends in part on response and recovery capabilities

This blueprint will focus on improving your ransomware resilience to:

• Protect against ransomware.
• Detect incursions.
• Respond and recovery effectively.

Response	Recovery
For in-depth assistance with disaster recovery planning, refer to Info-Tech's Create a Right-Sized Disaster Recovery.

Info-Tech's ransomware resilience framework

Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

Prioritize protection

Put controls in place to harden your environment, train savvy end users, and prevent incursions.

Support recovery

Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

Threat preparedness

Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

Awareness and training

Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

Perimeter security

Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

Respond and recover

Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

Access management

Review the user access management program, policies and procedures to ensure they are ransomware-ready.

Vulnerability management

Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

Info-Tech's ransomware resilience methodology

Insight Summary

Shift to a ransomware resilience model

Resilience is not a trampoline, where you're down one moment and up the next. It's more like climbing a mountain. It takes time, planning, and help from people around you to work through challenges.

Focus on what is in your organization's control, and cultivate strengths that allow you to protect assets, detect incursions, and respond and recover quickly

Visualize challenges

Build risk scenarios that describe how a ransomware attack would impact organizational goals.

Understand possible outcomes to motivate initiatives, protect your organization, plan your response, and practice recovery.

Prioritize protection

Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

Seize the moment

The frequency and impact of ransomware attacks continue to increase, and business leaders know it. You will never have a better chance to implement best practice security controls than you do now.

Measure ransomware resilience

The anatomy of ransomware attack is relatively simple: malicious agents get in, spread, and profit. Deploy ransomware protection metrics to measure ransomware resilience at each stage.

Key deliverable

Ransomware resilience roadmap

The resilience roadmap captures the key insights your work will generate, including:

• An assessment of your current state and a list of initiatives you need to improve your ransomware resilience.
• The lessons learned from building and testing the ransomware response workflow and runbook.
• The controls you need to implement to measure and improve your ransomware resilience over time.

Project deliverables

Info-Tech supports project and workshop activities with deliverables to help you accomplish your goals and accelerate your success.

Ransomware Resilience Assessment

Measure ransomware resilience, identify gaps, and draft initiatives.

Enterprise Threat Preparedness Workbook

Analyze common ransomware techniques and develop countermeasures.

Ransomware Response Workflow & Runbook

Capture key process steps for ransomware response and recovery.

Ransomware Tabletop Tests

Run tabletops for your IT team and your leadership team to gather lessons learned.

Ransomware Resilience Roadmap

Capture project insights and measure resilience over time.

Plan now or pay later

Organizations worldwide spent on average USD 4.62M in 2021 to rectify a ransomware attack. These costs include escalation, notification, lost business and response costs, but did not include the cost of the ransom. Malicious ransomware attacks that destroyed data in destructive wiper-style attacks cost an average of USD 4.69M.

Building better now is less expensive than incurring the same costs in addition to the clean-up and regulatory and business disruption costs associated with successful ransomware attacks.

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research and advisory services helped them achieve.

Source: IBM, Cost of a Data Breach (2022)

See what members have to say about the ransomware resilience blueprint:

• Overall Impact: 9.8 / 10
• Average $ Saved: $98,796
• Average Days Saved: 17

"Our advisor was well-versed and very polished. While the blueprint alone was a good tool to give us direction, his guidance made it significantly faster and easier to accomplish than if we had tried to tackle it on our own."

CIO, Global Manufacturing Organization

Blueprint benefits

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostics and consistent frameworks used throughout all four options

Executive brief case study

SOURCE: Interview with CIO of large enterprise

Organizations who "build back better" after a ransomware attack often wish they had used relevant controls sooner.

Challenge

In February 2020, a large organization found a ransomware note on an admin's workstation. They had downloaded a local copy of the organization's identity management database for testing and left a port open on their workstation. Hackers exfiltrated it and encrypted the data on the workstation. They demanded a ransom payment to decrypt the data.

Complication

Because private information was breached, the organization informed the state-level regulator. With 250,000 accounts affected, plans were made to require password changes en masse. A public announcement was made two days after the breach to ensure that everyone affected could be reached.

The organization decided not to pay the ransom because it had a copy on an unaffected server.

Resolution

The organization was praised for its timely and transparent response.

The breach motivated the organization to put more protections in place, including:

• The implementation of a deny-by-default network.
• The elimination of remote desktop protocol and secure shell.
• IT mandating MFA.
• New endpoint-detection and response systems.

Executive brief case study

SOURCE: Info-Tech Workshop Results
iNDUSTRY: Government

Regional government runs an Info-Tech workshop to fast-track its ransomware incident response planning

The organization was in the middle of developing its security program, rolling out security awareness training for end users, and investing in security solutions to protect the environment and detect incursions. Still, the staff knew they still had holes to fill. They had not yet fully configured and deployed security solutions, key security policies were missing, and they had didn't have a documented ransomware incident response plan.

Workshop results

Info-Tech advisors helped the organization conduct a systematic review of existing processes, policies, and technology, with an eye to identify key gaps in the organization's ransomware readiness. The impact analysis quantified the potential impact of a ransomware attack on critical systems to improve the organizational awareness ransomware risks and improve buy-in for investment in the security program.

Info-Tech's tabletop planning exercise provided a foundation for the organization's actual response plan. The organization used the results to build a ransomware response workflow and the framework for a more detailed runbook. The workshop also helped staff identifies ways to improve the backup strategy and bridge further gaps in their ability to recover.

The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization's desired state of ransomware readiness.

Guided implementation

What kind of analyst experiences do clients have when working through this blueprint?

A guided implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

A typical GI is 6 to 8 calls over the course of 4 to 6 months.

Workshop overview

Contact your account representative for more information.
workshops@infotech.com 1-888-670-8889

Phase 1

Assess ransomware resilience

This phase will walk you through the following activities:

• Conducting a maturity assessment.
• Reviewing selected systems and dependencies.
• Assessing a ransomware risk scenario.

This phase involves the following participants:

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

Build Ransomware Resilience

Step 1.1

Build ransomware risk scenario

Activities

1.1.1 Review incidents, challenges and project drivers

1.1.2 Diagram critical systems and dependencies

1.1.3 Build ransomware risk scenario

Assess ransomware resilience

This step will guide you through the following activities:

• Reviewing incidents, challenges, and drivers.
• Diagraming critical systems and dependencies.
• Building a ransomware risk scenario.

This step involves the following participants:

• Security Incident Response Team (SIRT)
• Subject-Matter Experts

Outcomes of this step

• Establish a repeatable process to evaluate and improve ransomware readiness across your environment.
• Build a ransomware risk scenario to assess the likelihood and impact of an attack.

1.1.1 Review incidents, challenges, and project drivers

1 hour

Brainstorm the challenges you need to address in the project. Avoid producing solutions at this stage, but certainly record suggestions for later. Use the categories below to get the brainstorming session started.

Past incidents and other drivers

• Past incidents (be specific):
  • Past security incidents (ransomware and other)
  • Close calls (e.g. partial breach detected before damage done)
• Audit findings
• Events in the news
• Other?

Security challenges

• Absent or weak policies
• Lack of security awareness
• Budget limitations
• Other?

Input

• Understanding of existing security capability and past incidents.

Output

• Documentation of past incidents and challenges.
• Level-setting across the team regarding challenges and drivers.

Materials

• Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

• Security Incident Response Team (SIRT)

1.1.2 Diagram critical systems and dependencies (1)

1 hour

Brainstorm critical systems and their dependencies to build a ransomware risk scenario. The scenario will help you socialize ransomware risks with key stakeholders and discuss the importance of ransomware resilience.

Focus on a few key critical systems.

1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
   1. Key applications that support critical business operations.
   2. Databases that support multiple key applications.
   3. Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
2. Select five to ten systems from the list.
   1. Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
   2. Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

Input

• High-level understanding of critical business operations and data sets.

Output

• Clarify context, dependencies, and security and recovery challenges for some critical systems.

Materials

• Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

• Security Incident Response Team (SIRT)
• System SMEs (if not covered by SIRT members)

1.1.2 Diagram critical systems and dependencies (2)

1 hour

3. A high-level topology or architectural diagram is an effective way to identify dependencies and communicate risks to stakeholders.

Start with a WAN diagram, then your production data center, and then each critical
system. Use the next three slides as your guide.

Notes:

• If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
• Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
• Collaborate with relevant SMEs to identify dependencies.

Input

• High-level understanding of critical business operations and data sets.

Output

• Clarify context, dependencies, and security and recovery challenges for some critical systems.

Materials

• Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

• Security Incident Response Team (SIRT)
• System SMEs (if not covered by SIRT members)

For your WAN diagram, focus on data center and business locations

Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

Diagram your production data center to provide context for the systems in scope

Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

Diagram each selected system to identify specific dependencies and redundancies

Diagram the "ecosystem" for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

• Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
• Security challenges (e.g. public-facing systems).
• Recovery challenges (e.g. limited or infrequent backups).

Note the limitations of your security, backup, and DR solutions

Use the diagrams to assess limitations. Gaps you identify here will often apply to other aspects of your environment.

1. Security limitations

• Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?

We will review the gaps we identify through the project in phase 4.

For now, make a note of these gaps and continue with the next step.

Draft risk scenarios to illustrate ransomware risk

Risk scenarios help decision-makers understand how adverse events affect business goals.

• Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
• Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
  • The asset at risk.
  • The threat that can act against the asset.
  • Their intent or motivation.
  • The circumstances and threat actor model associated with the threat event.
  • The potential effect on the organization.
  • When or how often the event might occur.

Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

Risk identification → Risk scenario → Risk statement

Well-crafted risk scenarios have four components

The slides walk through how to build a ransomware risk scenario

An actor capable of harming an asset	Anything of value that can be affected and results in loss	Technique an actor uses to affect an asset	How loss materializes
Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors	Examples: Systems, regulated data, intellectual property, people	Examples: Credential compromise, privilege escalation, data exfiltration	Examples: Loss of data confidentiality, integrity, or availability; impact on staff health and safety

Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events.

Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address ransomware risks.

1.1.3 Build ransomware risk scenario (1)

2 hours

In a ransomware risk scenario, the threat, their motivations, and their methods are known. Malicious agents are motivated to compromise critical systems, sabotage recovery, and exfiltrate data for financial gain.

The purpose of building the risk scenario is to highlight the assets at risk and the potential effect of a ransomware attack.

As a group, consider critical or mission-essential systems identified in step 1.1.2. On a whiteboard, brainstorm the potential adverse effect of a loss of system availability, confidentiality or integrity.

Consider the impact on:

• Information systems.
• Sensitive or regulated data.
• Staff health and safety.
• Critical operations and objectives.
• Organizational finances.
• Reputation and brand loyalty.

Input

• Understanding of critical systems and dependencies.

Output

• Ransomware risk scenario to engage guide stakeholders to make informed decisions about addressing risks.

Materials

• Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

• Security Incident Response Team (SIRT)

1.1.3 Build ransomware risk scenario (2)

2 hours

2. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.
3. Bring together the critical risk elements into a single risk scenario.
4. Distill the risk scenario into a single risk statement that captures the threat, the asset it will exploit, the method it will use, and the impact it will have on the organization.
5. You can find a sample risk scenario and risk statement on the next slide.

Inputs for risk scenario identification

Sample ransomware risk scenario

Likelihood: Medium
Impact: High

Risk scenario

Cyber-criminals penetrate the network, exfiltrate critical or sensitive data, encrypt critical systems, and demand a ransom to restore access.

They threaten to publish sensitive data online to pressure the organization to pay the ransom, and reach out to partners, staff, and students directly to increase the pressure on the organization.

Network access likely occurs through a phishing attack, credential compromise, or remote desktop protocol session.

Risk statement

Cybercriminals penetrate the network, compromise backups, exfiltrate and encrypt data, and disrupt computer systems for financial gain.

Threat Actor:

• Cybercriminals

Assets:

• Critical systems (ERP, FMS, CRM, LMS)
• HRIS and payroll
• Data warehouse
• Office 365 ecosystem (email, Teams)

Effect:

• Loss of system availability
• Lost of data confidentiality

Methods:

• Phishing
• Credential compromise
• Compromised remote desktop protocol
• Privilege escalation
• Lateral movement
• Data collection
• Data exfiltration
• Data encryption

Step 1.2

Conduct resilience assessment

Activities

1.2.1 Complete resilience assessment

1.2.2 Establish resilience metrics

This step will guide you through the following activities :

• Completing a ransomware resilience assessment
• Establishing baseline metrics to measure ransomware resilience.

This step involves the following participants:

• Security Incident Response Team (SIRT)
• Subject-matter experts

.Outcomes of this step

• Current maturity, targets, and initial gap analysis

Maturity levels in this blueprint draw on the CMMI framework

The maturity levels are based on the Capability Maturity Model Integration framework. We outline our modifications below.

(Source: CMMI Institute, CMMI Levels of Capability and Performance)

Info-Tech's ransomware resilience framework

Disrupt the playbooks of ransomware gangs. Put controls in place to protect, detect, respond and recover effectively.

Prioritize protection

Put controls in place to harden your environment, train savvy end users, and prevent incursions.

Support recovery

Build and test a backup strategy that meets business requirements to accelerate recovery and minimize disruption.

Threat preparedness

Review ransomware threat techniques and prioritize detective and mitigation measures for initial and credential access, privilege escalation, and data exfiltration.

Awareness and training

Develop security awareness content and provide cybersecurity and resilience training to employees, contractors and third parties.

Perimeter security

Identify and implement network security solutions including analytics, network and email traffic monitoring, and intrusion detection and prevention.

Respond and recover

Identify disruption scenarios and develop incident response, business continuity, and disaster recovery strategies.

Access management

Review the user access management program, policies and procedures to ensure they are ransomware-ready.

Vulnerability management

Develop proactive vulnerability and patch management programs that mitigate ransomware techniques and tactics.

1.2.1 Complete the resilience assessment

2-3 hours

Use the Ransomware Resilience Assessment Tool to assess maturity of existing controls, establish a target state, and identify an initial set of initiatives to improve ransomware resilience.

Keep the assessment tool on hand to add gap closure initiatives as you proceed through the project.

Download the Ransomware Resilience Assessment

Outcomes:

• Capture baseline resilience metrics to measure progress over time.
  • Low scores are common. Use them to make the case for security investment.
  • Clarify the breadth of security controls.
• Security controls intersect with a number of key processes and technologies, each of which are critical to ransomware resilience.
• Key gaps identified.
  • Allocate more time to subsections with lower scores.
  • Repeat the scorecard at least annually to clarify remaining areas to address.

Input

• Understanding of current security controls

Output

• Current maturity, targets, and gaps

Materials

• Ransomware Resilience Assessment Tool

Participants

• Security Incident Response Team (SIRT)

1.2.2 Establish resilience metrics

Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

Measure metrics at the start of the project to establish a baseline, as the project nears completion to measure progress.

Phase 2

Improve protection and detection capabilities

This phase will walk you through the following activities:

• Assessing common ransomware attack vectors.
• Identifying countermeasures to improve protection and detection capabilities.

This phase involves the following participants:

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

Build Ransomware Resilience

Step 2.1

Assess attack vectors

Activities

2.1.1 Assess ransomware threat preparedness

2.1.2 Determine the impact of ransomware techniques on your environment

This step involves the following activities:

• Assessing ransomware threat preparedness.
• Configuring the threat preparedness tool.

This step involves the following participants:

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

Outcomes of this step

Assess risks associated with common ransomware attack vectors.

Improve protection and detection capabilities

Use the MITRE attack framework to prepare

This phase draws on MITRE to improve ransomware protection and detection capabilities

• The activities in this phase provide guidance on how to use the MITRE attack framework to protect your organizations against common ransomware techniques and tactics, and detect incursions.
• You will:
  • Review common ransomware tactics and techniques.
  • Assess their impact on your environment.
  • Identify relevant countermeasures.
• The Enterprise Threat Preparedness Workbook included with the project blueprint will be set up to deal with common ransomware threats and tactics.

Download the Enterprise Threat Preparedness Workbook

Review ransomware tactics and techniques

Ransomware attack workflow

Associated MITRE tactics and techniques

• Initial access
• Execution
• Privilege escalation
• Credential access
• Lateral movement
• Collection
• Data Exfiltration
• Data encryption

Most common ransomware attack vectors

• Phishing and social engineering
• Exploitation of software vulnerabilities
• Unsecured external exposures
  • e.g. remote desktop protocols
• Malware infections
  • Email attachments
  • Web pages
  • Pop-ups
  • Removable media

2.1.1 Assess ransomware threat preparedness

Estimated Time: 1-4 hours

1. Read through the instructions in the Enterprise Threat Preparedness Workbook.
2. Select ransomware attack tactics to analyze. Use the workbook to understand:
   1. Risks associated with each attack vector.
   2. Existing controls that can help you protect the organization and detect an incursion.
3. This initial analysis is meant to help you understand your risk before you apply additional controls.

Once you're comfortable, follow the instructions on the following pages to configure the MITRE ransomware analysis and identify how to improve your protection and detection capabilities.

Download the Enterprise Threat Preparedness Workbook

Input

• Knowledge about existing infrastructure.
• Security protocols.
• Information about ransomware attack tactics, techniques, and mitigation protocols.

Output

• Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
• Protective and detective measures to improve ransomware resilience.

Materials

• Enterprise Threat Preparedness Workbook

Participants

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

2.1.2 Determine the impact of techniques

Estimated Time: 1-4 hours

1. The Enterprise Threat Preparedness Workbook included with the project blueprint is set up to deal with common ransomware use cases.

If you would like to change the set-up, go through the following steps.

• Review the enterprise matrix. Select the right level of granularity for your analysis. If you are new to threat preparedness exercises, the Technique Level is a good starting point.
• As you move through each tactic, align each sheet to your chosen technique domain to ensure the granularity of your analysis is consistent.
• Read the tactics sheet from left to right. Determine the impact of the technique on your environment. For each control, indicate current mitigation levels using the dropdown list.

The following slides walk you through the process with screenshots from the workbook.

Download the Enterprise Threat Preparedness Workbook

Input

• Knowledge about existing infrastructure.
• Security protocols.
• Information about ransomware attack tactics, techniques, and mitigation protocols.

Output

• Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
• Protective and detective measures to improve ransomware resilience.

Materials

• Enterprise Threat Preparedness Workbook

Participants

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

Select the domain for the analysis

• The Tactics Dashboard is a live feed of your overall preparedness for the potential attack vectors that your organization may face. These 14 tactics correspond to the Enterprise Matrix used by the MITRE ATT&CK® framework.
• The technique domain on the right side of the sheet is split in two main groups:
• The Technique Level
  • - High-level techniques that an attacker may use to gain entry to your network.
  • - The Technique Level is a great starting point if you are new to threat preparedness.
• The Sub-Technique Level
  • - Individual sub-techniques found throughout the MITRE ATT&CK® Framework.
  • - More mature organizations will find the Sub-Technique Level generates a deeper and more precise understanding of their current preparedness.

Info-Tech Insight

Dwell times and effective times are dropping dramatically. Malicious agents spend less time in your network before they deploy an attack, and their attacks are much more effective. You can't afford to rely on your ability to respond and recover alone.

Keep an eye on the enterprise matrix

As you fill out the Tactic tabs with your evaluation, the overall reading will display the average of your overall preparedness for that tactic.

Choosing the Technique Domain level will increase the accuracy of the reporting at the cost of speed.

The Technique level is faster but provides less specifics for each control and analyzes them as a group.

The Sub-Technique level is much more granular, but each tactic and technique has several sub-techniques that you will need to account for.

Check with the dashboard to see the associated risk level for each of the tactics based on the legend. Tactics that appear white have not yet been assessed or are rated as "N/A" (not applicable).

When you select your Technique Domain, you cannot change it again. Changing the domain mid-analysis will introduce inaccuracies in your security preparedness.

Configure the tactics tabs

• Each tactic has a corresponding tab at the bottom of the Excel workbook.
  Adjusting the Technique Domain level will change the number of controls shown.
• Next, align the sheet to the domain you selected on Tab 2 before you continue. As shown in the example to the right,
  • Select "1" for Technique Level.
  • Select "2" for Sub-Technique Level.
• This will collapse the controls to your chosen level of granularity.

Read tactic sheets from left to right

Technique:

How an attacker will attempt to achieve their goals through a specific action.

ID:

The corresponding ID number on the MITRE ATT&CK® Matrix for quick reference.

Impact of the Technique(s):

If an attack of this type is successful on your network, how deep does the damage run?

Current Mitigations:

What security protocols do you have in place right now that can help prevent an attacker from successfully executing this attack technique? The rating is based on the CMMI scale.

Determine the impact of the technique

• For each control, indicate the current mitigation level using the dropdown list.
• Only use "N/A" if you are confident that the control is not required in your organization.

Info-Tech Insight

We highly recommend that you write comments about your current-state security protocols. First, it's great to have documented your thought processes in the event of a threat modeling session. Second, you can speak to deficits clearly, when asked.

Review technique preparedness

• If you have chosen the Technique level, the tool should resemble this image:
  • High-level controls are analyzed, and sub-controls hidden.
  • The sub-techniques under the broader technique show how a successful attack from this vector would impact your network.
• Each sub-technique has a note for additional context:
  • Under Impact, select the overall impact for the listed controls to represent how damaging you believe the controls to be.
  • Next select your current preparedness maturity in terms of preparedness for the same techniques. Ask yourself "What do I have that contributes to blocking this technique?"

Info-Tech Insight

You may discover that you have little to no mitigation actions in place to deal with one or many of these techniques. However, look at this discovery as a positive: You've learned more about the potential vectors and can actively work toward remediating them rather than hoping that a breach never happens through one of these avenues.

Review sub-technique preparedness

If you have chosen the Sub-Technique level, the tool should resemble this image. The granular controls are being analyzed. However, the grouped controls will still appear. It is important to not fill the grouped sections, to make sure the calculations run properly. The average of your sub-techniques will be calculated to show your overall preparedness level. Look at the sub-techniques under the broader technique and consider how a successful attack from this vector would impact your network. Each sub-technique has a note for additional context and understanding about what the techniques are seeking to do and how they may impact your enterprise. Because of the enhanced granularity, the final risk score is more representative of an enterprise's current mitigation capabilities.

Step 2.2

Identify countermeasures

Activities

2.2.1 Identify countermeasures

This step involves the following activities:

• Identifying countermeasures

This step involves the following participants:

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

Outcomes of this step

Identification of countermeasures to common ransomware techniques, and tactics to improve protection and detection capabilities.

Improve Protection and Detection Capabilities

Review technique countermeasures

As you work through the tool, your dashboard will prioritize your threat preparedness for each of the various attack techniques to give you an overall impression of your preparedness.

For each action, the tool includes detection and remediation actions for you to consider either for implementation or as table stakes for your next threat modeling sessions.

Note: Some sheets will have the same controls. However, the context of the attack technique may change your answers. Be sure to read the tactic and technique that you are on when responding to the controls.

Prioritize the analysis of ransomware tactics and sub-techniques identified on slide 45. If your initial analysis in Activity 2.2.1 determined that you have robust security protocols for some of the attack vectors, set these domains aside.

2.2.1 Identify countermeasures

Estimated Time: 1-4 hours

1. Review the output of the Enterprise Threat Preparedness Workbook. Remediation efforts are on the right side of the sheet. These are categorized as either detection actions or mitigation actions.
   1. Detection actions:
   • What can you do before an attack occurs, and how can you block attacks? Detection actions may thwart an attack before it ever occurs.
2. Mitigation actions:
   • If an attacker is successful through one of the attack methods, how do you lessen the impact of the technique? Mitigation actions address this function to slow and hinder the potential spread or damage of a successful attack.

Input

• Knowledge about existing infrastructure.
• Security protocols.
• Information about ransomware attack tactics, techniques, and mitigation protocols.
• Outputs from the Threat Preparedness Workbook.

Output

• Structured understanding of the risks facing the enterprise based on your current preparedness and security protocols.
• Protective and detective measures to improve ransomware resilience.

Materials

• Enterprise Threat Preparedness Workbook
• Ransomware Resilience Assessment

Participants

• Security Incident Response Team (SIRT)
• System subject-matter experts (SMEs)

Phase 3

Improve response and recovery capabilities

This phase will guide you through the following steps:

• Documenting your threat escalation protocol.
• Identify response steps and gaps.
• Update your response workflow and runbook.

This phase involves the following participants:

• Security Incident Response Team (SIRT)

Build Ransomware Resilience

Step 3.1

Review security incident management plan

Activities

3.1.1 Review the workflow and runbook templates

3.1.2 Update/define your threat escalation protocol

This step will walk you through the following activities:

• Reviewing the example Workflow and Runbook
• Updating and defining your threat escalation protocol.

This step involves the following participants:

• Security Incident Response Team (SIRT)

Outcomes of this step

• Clear escalation path for critical incidents.
• Common understanding of incident severity that will drive escalation.

Improve response and recovery capabilities

3.1.1 Review the workflow and runbook templates

30 minutes

This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as a starting points for the steps in Phase 3, including documenting your threat escalation protocol.

• The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
  The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.
• The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
  The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

Download the Ransomware Response Workflow Template

Download the Ransomware Response Runbook Template

Input

• No Input Required

Output

• Visualize the end goal

Materials

• Example workflow and runbook in this blueprint

Participants

• Security Incident Response Team (SIRT)

3.1.2 Update/define your threat escalation protocol

1-2 hours

Document the Threat Escalation Protocol sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.

Severity assessment: Define the severity levels based on impact and scope criteria.

Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

If you need additional guidance, see Info-Tech's Develop and Implement a Security Incident Management Program blueprint, which takes a broader look at security incidents.

Input

• Current escalation process (formal or informal).

Output

• Define criteria for severity levels and relevant stakeholders.

Materials

• Ransomware Response Workflow Template

Participants

• Security Incident Response Team (SIRT)

Step 3.2

Run Tabletop Test (IT)

Activities

3.2.1 Define scenarios for a range of incidents

3.2.2 Run a tabletop planning exercise

This step will guide you through the following activities:

• Defining scenarios for a range of incidents.
• Running a tabletop planning exercise.

This step involves the following participants:

• Security Incident Response Team (SIRT)
• Other stakeholders (as relevant)

Outcomes of this step

• Current-state incident response workflow, including stakeholders, steps, timeline.
• Process and technology gaps to be addressed.

Improve response and recovery capabilities

3.2.1 Define scenarios for a range of incidents

30 minutes

As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

• Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
• Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don't have a DRP, see Info-Tech's Create a Right-Sized Disaster Recovery Plan.)
• Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
• Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source or secondary attack, but this scenario would provide more focus on the containing an attack on end-user devices.

Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined on the next slide.

Input

• No input required

Output

• Determine the scope of your tabletop planning exercises

Materials

• Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

• Security Incident Response Team (SIRT)

Optimize the time spent by participants by running a series of focused exercises

Not all stakeholders need to be present at every tabletop planning exercise. First, run an exercise with IT that focuses on the technical response. Run a second tabletop for non-IT stakeholders that focuses on the non-IT response, such as crisis communications, working with external stakeholders (e.g. law enforcement, cyberinsurance).

Sample schedule:

• Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don't expand further on the details of their process. Similarly, don't invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise, where they will have more opportunity to be involved.
• Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).
• Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.
• Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

Info-Tech Insight

Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

3.2.2 Run a tabletop planning exercise

1-2 hours

Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

1. Select your scenario and invite relevant participants (see the previous slides).
2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk's steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that's okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there's a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don't need to wait for information to be captured and plan to save the detailed formatting and revising for later. )

Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

Download the Ransomware Tabletop Planning Results – Example

Input

• Baseline ransomware response workflow

Output

• Clarify your response workflow, capabilities, and gaps

Materials

• Whiteboard or sticky notes or index cards, or a shared screen

Participants

• Security Incident Response Team (SIRT)

Step 3.3

Document Workflow and Runbook

Activities

3.3.1 Update your ransomware response workflow

3.3.2 Update your ransomware response runbook

This step will guide you through the following activities:

• Updating your ransomware response workflow.
• Updating your ransomware response runbook.

This step involves the following participants:

• Security Incident Response Team (SIRT)

Outcomes of this step

• An updated incident response workflow and runbook based on current capabilities.

Improve response and recovery capabilities

3.3.1 Update your ransomware response workflow

1 hour

Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

• Update stakeholder swim-lanes: Clarify which stakeholders need a swim lane (e.g. where interactions between groups needs to be clarified). For example, consider an SIRT swim-lane that combines the relevant technical response roles, but have separate swim-lanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
• Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swim-lanes.(Tip: Your workflow needs to account for a range of scenarios. It typically won't be as specific as the tabletop planning results, which focus on only one scenario.)
• Clarify the overall the workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding "Go To" connectors to minimize lines crossing each other, adding color-coding to highlight key related steps (e.g. any communication steps), and/or resizing swim-lanes to reduce the overall size of the workflow to make it easier to read.
• Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

Input

• Results from tabletop planning exercises (Activity 3.2.2)

Output

• Clarify your response workflow

Materials

• Ransomware Response Workflow

Participants

• Security Incident Response Team (SIRT)

3.3.2 Update your ransomware response runbook

1 hour

Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

• Align stakeholder sections with the workflow: Each stakeholder swim-lane in the workflow needs its own section in the runbook.
• Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
• Review and update your threat escalation protocol: It's best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
• Repeat the above after each exercise. Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

Input

• Results from tabletop planning exercises (Activity 3.2.2)

Output

• Clarified response runbook

Materials

• Ransomware Response Workflow

Participants

• Security Incident Response Team (SIRT)

Phase 4

Improve ransomware resilience

This phase will guide you through the following steps:

• Identifying initiatives to improve ransomware resilience.
• Prioritizing initiatives in a project roadmap.
• Communicating status and recommendations.

This phase involves the following participants:

• Security Incident Response Team (SIRT)

Build Ransomware Resilience

Step 4.1

Run Tabletop Test (leadership)

Activities

• 4.1.1 Identify initiatives to close gaps and improve resilience
• 4.1.2 Review broader strategies to improve your overall security program

This step will walk you through the following activities:

• Identifying initiatives to close gaps and improve resilience.
• Reviewing broader strategies to improve your overall security program.

This step involves the following participants:

• Security Incident Response Team (SIRT)

Outcomes of this step

• Specific potential initiatives based on a review of the gaps.
• Broader potential initiatives to improve your overall security program.

Improve ransomware resilience

4.1.1 Identify initiatives to close gaps and improve resilience

1 hour

1. Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.
2. Set up a blank spreadsheet with two columns and label them "Gaps" and "Initiatives." (It will be easier to copy the gaps and initiatives from this spreadsheet to you project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
3. Review your tabletop planning results:
   1. Summarize the gaps in the "Gaps" column in your spreadsheet created for this activity.
   2. For each gap, write down potential initiatives to address the gap.
   3. Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don't need to identify a distinct initiative for every gap.
4. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

Input

• Tabletop planning results
• Maturity assessment

Output

• Identify initiatives to improve ransomware readiness

Materials

• Blank spreadsheet

Participants

• Security Incident Response Team (SIRT)

4.1.2 Review broader strategies to improve your overall security program

1 hour

1. Review the following considerations as outlined on the next few slides:
   • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day to day incident management.
   • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected? If those options aren't very good, your backup strategy needs a refresh.
   • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

Input

• An understanding of your existing security practices and backup strategy.

Output

• Broader initiatives to improve ransomware readiness.

Materials

• Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

• Security Incident Response Team (SIRT)

Implement core elements of an effective security program

There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

Leverage the following blueprints to implement the foundational elements of an effective security program:

• Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
• Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
• Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

• The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
• Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
• AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it's too late. For example, a "user" accessing a server they've never accessed before.
• Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.

Update your backup strategy to account for ransomware attacks

Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn't good enough.

In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

• Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
• Having offsite backups and using different storage media. Reduce the risk of infected backups by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
• Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
• Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

Refer to Info-Tech's Establish an Effective Data Protection Plan blueprint for additional guidance.

Explore zero-trust initiatives

Zero trust is a set of principles, not a set of controls.

Reduces reliance on perimeter security.

Zero trust is a strategy that reduces reliance on perimeter security and moves controls to where your user accesses resources. It often consolidates security solutions, reduces operating costs, and enables business mobility.

Zero trust must benefit the business first.

IT security needs to determine how zero trust initiatives will affect core business processes. It's not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.

For more information, see Build a Zero-Trust Roadmap.

Info-Tech Insight

A successful zero-trust strategy should evolve. Use an iterative and repeatable process to assess available zero-trust technologies and principles and secure the most relevant protect surfaces. Collaborate with stakeholders to develop a roadmap with targeted solutions and enforceable policies.

Step 4.2

Prioritize resilience initiatives

Activities

• 4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk
• 4.2.2 Review the dashboard to fine tune your roadmap

This step will guide you through the following activities:

• Prioritizing initiatives based on factors such as effort, cost, and risk.
• Reviewing the dashboard to fine-tune your roadmap.

This step involves the following participants:

• Security Incident Response Team (SIRT)

Outcomes of this step

• An executive-friendly project roadmap dashboard summarizing your initiatives.
• A visual representation of the priority, effort, and timeline required for suggested initiatives.

Review the Ransomware Resilience Assessment

Tabs 2 and 3 list initiatives relevant to your ransomware readiness improvement efforts.

• At this point in the project, the Ransomware Resilience Assessment should contain a number of initiatives to improve ransomware resilience.
• Tab 2 is prepopulated with examples of gap closure actions to consider, which are categorized into initiatives listed on Tab 3.
• Follow the instructions in the Ransomware Resilience Assessment to:
  • Categorize gap control actions into initiatives.
  • Prioritize initiatives based on cost, effort, and benefit.
  • Construct a roadmap for consideration.

Download the Ransomware Resilience Assessment

4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

1 hour

Prioritize initiatives in the Ransomware Resilience Assessment.

1. The initiatives listed on Tab 3 Initiative List will be copied automatically on Tab 5 Prioritization.
2. On Tab 1 Setup:
   1. Review the weight you want to assign to the cost and effort criteria.
   2. Update the default values for FTE and Roadmap Start as needed.
3. Go back to Tab 5 Prioritization:
   1. Fill in the cost, effort, and benefit evaluation criteria for each initiative. Hide optional columns you don't plan to use, to avoid confusion.
   2. Use the cost and benefit scores to prioritize waves and schedule initiatives on Tab 6 Gantt Chart.

Input

• Gaps and initiatives identified in Step 4.1

Output

• Project roadmap dashboard

Materials

• Ransomware Resilience Assessment

Participants

• Security Incident Response Team (SIRT)

4.2.2 Review the dashboard to fine-tune the roadmap

1 hour

Review and update the roadmap dashboard in your Ransomware Resilience Assessment.

1. Review the Gantt chart to ensure:
   1. The timeline is realistic. Avoid scheduling many high-effort projects at the same time.
   2. Higher-priority items are scheduled sooner than low-priority items.
   3. Short-term projects include quick wins (e.g. high-priority, low-effort items).
   4. It supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
2. Update the values on the 5 Prioritization and 6 Gantt Chart tabs based on your review.

Input

• Gaps and initiatives identified in Step 4.1

Output

• Project roadmap dashboard

Materials

• Ransomware Resilience Assessment

Participants

• Security Incident Response Team (SIRT)

Step 4.3

Measure resilience metrics

Activities

4.3.1 Summarize status and next steps in an executive presentation

This step will guide you through the following activities:

• Summarizing status and next steps in an executive presentation.

This step involves the following participants:

• Security Incident Response Team (SIRT)

Outcomes of this step

• Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization's ransomware readiness.

Improve ransomware resilience

4.3.1 Summarize status and next steps in an executive presentation

1 hour

Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

• Phase 1: Maturity assessment results, indicating your organization's overall readiness as well as specific areas that need to improve.
• Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
• Phase 3: Current incident response capabilities including steps, timeline, and gaps.
• Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.

Overall key findings and next steps.

Download the Ransomware Readiness Summary Presentation Template

Input

• Results of all activities in Phases 1-4

Output

• Executive presentation

Materials

• Ransomware Readiness Summary Presentation Template

Participants

• Security Incident Response Team (SIRT)

Revisit metrics

Ransomware resilience metrics track your ability to disrupt a ransomware attack at each stage of its workflow.

Revisit metrics as the project nears completion and compare them against your baseline to measure progress.

Summary of accomplishments

Related Info-Tech Research

Tab 3. Initiative List in the Ransomware Resilience Assessment identifies relevant Info-Tech Research to support common ransomware resilience initiatives.

Related security blueprints:

• Build an Information Security Strategy
• Develop a Security Awareness Program
• Mature your Identity and Access Management Program
• Develop and Implement a Security Incident Management Program
• Implement Risk-Based Vulnerability Management

Related disaster recovery blueprints:

• Establish an Effective Data Protection Plan
• Create a Right-Sized Disaster Recovery Plan
• Develop a Business Continuity Plan

Research Contributors and Experts

Jimmy Tom
AVP of Information Technology and Infrastructure
Financial Horizons

Dan Reisig
Vice President of Technology
UV&S

Samuel Sutton
Computer Scientist (Retired)
FBI

Ali Dehghantanha
Canada Research Chair in Cybersecurity and Threat Intelligence,
University of Guelph

Gary Rietz
CIO
Blommer Chocolate Company

Mark Roman
CIO
Simon Fraser University

Derrick Whalen
Director, IT Services
Halifax Port Authority

Stuart Gaslonde
Director of IT & Digital Services
Falmouth-Exeter Plus

Deborah Curtis
CISO
Placer County

Deuce Sapp
VP of IT
ISCO Industries

Trevor Ward
Information Security Assurance Manager
Falmouth-Exeter Plus

Brian Murphy
IT Manager
Placer County

Arturo Montalvo
CISO
Texas General Land Office and Veterans Land Board

Mduduzi Dlamini
IT Systems Manager
Eswatini Railway

Mike Hare
System Administrator
18th Circuit Florida Courts

Linda Barratt
Director of Enterprise architecture, IT Security, and Data Analytics, Toronto Community Housing Corporation

Josh Lazar
CIO
18th Circuit Florida Courts

Douglas Williamson
Director of IT
Jamaica Civil Aviation Authority

Ira Goldstein
Chief Operating Officer
Herjavec Group

Celine Gravelines
Senior Cybersecurity Analyst
Encryptics

Dan Mathieson
Mayor
City of Stratford

Jacopo Fumagalli
CISO
Omya

Matthew Parker
Program Manager
Utah Transit Authority

Two Additional Anonymous Contributors

Bibliography

2019-Data-Breach-Investigations-Report.-Verizon,-May-2019.
2019-Midyear-Security-Roundup:-Evasive-Threats,-Persistent-Effects.-Trend-Micro,-2019.
Abrams,-Lawrence.-"Ryuk-Ransomware-Uses-Wake-on-Lan-to-Encrypt-Offline-Devices."-Bleeping-Computer,-14-Jan.-2020.
Abrams,-Lawrence.-"Sodinokibi-Ransomware-Publishes-Stolen-Data-for-the-First-Time."-Bleeping-Computer,-11-Jan.-2020.
Canadian-Center-for-Cyber-Security,-"Ransomware-Playbook,"-30-November-2021.-Accessed-21-May-2022.-
Carnegie-Endowment-for-International-Peace.-"Ransomware:-Prevention-and-Protection."-Accessed-May-2022.-
Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-26-Data-Integrity:-Detecting-and-Responding-to-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.
Cawthra,-Jennifer,-Michael-Ekstrom,-Lauren-Lusty,-Julian-Sexton,-John-Sweetnam.-Special-Publication-1800-25-Data-Integrity:-Identifying-and-Protecting-Assets-Against-Ransomware-and-Other-Destructive-Events.-NIST,-Jan.-2020.-
Cichonski,-P.,-T.-Millar,-T.-Grance,-and-K.-Scarfone.-"Computer-Security-Incident-Handling-Guide."-SP-800-61-Rev.-2.-NIST,-Aug.-2012.
Cimpanu,-Catalin.-"Company-shuts-down-because-of-ransomware,-leaves-300-without-jobs-just-before-holidays."-ZDNet,-3-Jan.-2020.
Cimpanu,-Catalin.-"Ransomware-attack-hits-major-US-data-center-provider."-ZDNet,-5-Dec.-2019.
CISA,-"Stop-Ransomware,"-Accessed-12-May-2022.
"CMMI-Levels-of-Capability-and-Performance."-CMMI-Institute.-Accessed-May-2022.-
Connolly,-Lena-Yuryna,-"An-empirical-study-of-ransomware-attacks-on-organizations:-an-assessment-of-severity-and-salient-factors-affecting-vulnerability."-Journal-of-Cybersecurity,-2020,.-1-18.
"Definitions:-Backup-vs.-Disaster-Recovery-vs.-High-Availability."-CVM-IT-&-Cloud-Services,-12-Jan.-2017.
"Don't-Become-a-Ransomware-Target-–-Secure-Your-RDP-Access-Responsibly."-Coveware,-2019.-
Elementus,-"Rise-of-the-Ransomware-Cartels-"(2022).-YouTube.-Accessed-May-2022.-
Global-Security-Attitude-Survey.-CrowdStrike,-2019.
Graham,-Andrew.-"September-Cyberattack-cost-Woodstock-nearly-$670,00:-report."-
Global-News,-10-Dec.-2019.
Harris,-K.-"California-2016-Data-Breach-Report."-California-Department-of-Justice,-Feb.-2016.
Hiscox-Cyber-Readiness-Report-2019.-Hiscox-UK,-2019.
Cost-of-A-Data-Breach-(2022).-IBM.-Accessed-June-2022.--
Ikeda,-Scott.-"LifeLabs-Data-Breach,-the-Largest-Ever-in-Canada,-May-Cost-the-Company-Over-$1-Billion-in-Class-Action-Lawsuit."-CPO-Magazine,-2020.
Kessem,-Limor-and-Mitch-Mayne.-"Definitive-Guide-to-Ransomware."-IBM,-May-2022.
Krebs,-Brian.-"Ransomware-Gangs-Now-Outing-Victim-Businesses-That-Don't-Pay-Up."-Krebson-Security,-16-Dec.-2019.
Jaquith,-Andrew-and-Barnaby-Clarke,-"Security-metrics-to-help-protect-against-ransomware."-Panaseer,-July-29,-2021,-Accessed-3-June-2022.
"LifeLabs-pays-ransom-after-cyberattack-exposes-information-of-15-million-customers-in-B.C.-and-Ontario."-CBC-News,-17-Dec.-2019.
Matthews,-Lee.-"Louisiana-Suffers-Another-Major-Ransomware-Attack."-Forbes,-20-Nov.-2019.
NISTIR-8374,-"Ransomware-Risk-Management:-A-Cybersecurity-Framework-Profile."-NIST-Computer-Security-Resource-Center.-February-2022.-Accessed-May-2022.-
"Ransomware-attack-hits-school-district-twice-in-4-months."-Associated-Press,-10-Sept.-2019.
"Ransomware-Costs-Double-in-Q4-as-Ryuk,-Sodinokibi-Proliferate."-Coveware,-2019.
Ransomware-Payments-Rise-as-Public-Sector-is-Targeted,-New-Variants-Enter-the-Market."-Coveware,-2019.
Rector,-Kevin.-"Baltimore-to-purchase-$20M-in-cyber-insurance-as-it-pays-off-contractors-who-helped-city-recover-from-ransomware."-The-Baltimore-Sun,-16-Oct.-2019.
"Report:-Average-time-to-detect-and-contain-a-breach-is-287-days."-VentureBeat,-May-25,-2022.-Accessed-June-2022.-
"Five-Lessons-Learned-from-over-600-Ransomware-Attacks."-Riskrecon.-Mar-2022.-Accessed-May-2022.-
Rosenberg,-Matthew,-Nicole-Perlroth,-and-David-E.-Sanger.-"-'Chaos-is-the-Point':-Russian-Hackers-and-Trolls-Grow-Stealthier-in-2020."-The-New-York-Times,-10-Jan.-2020.
Rouse,-Margaret.-"Data-Archiving."-TechTarget,-2018.
Siegel,-Rachel.-"Florida-city-will-pay-hackers-$600,000-to-get-its-computer-systems-back."-The-Washington-Post,-20-June-2019.
Sheridan,-Kelly.-"Global-Dwell-Time-Drops-as-Ransomware-Attacks-Accelerate."-DarkReading,-13-April-2021.-Accessed-May-2022.-
Smith,-Elliot.-"British-Banks-hit-by-hacking-of-foreign-exchange-firm-Travelex."-CNBC,-9-Jan.-2020.
"The-State-of-Ransomware-2022."-Sophos.-Feb-2022.-Accessed-May-2022.-
"The-State-of-Ransomware-in-the-U.S.:-2019-Report-for-Q1-to-Q3."-Emsisoft-Malware-Lab,-1-Oct.2019.
"The-State-of-Ransomware-in-the-U.S.:-Report-and-Statistics-2019."-Emsisoft-Lab,-12-Dec.-2019.
"The-State-of-Ransomware-in-2020."-Black-Fog,-Dec.-2020.
Toulas,-Bill.-"Ten-notorious-ransomware-strains-put-to-the-encryption-speed-test."-Bleeping-Computers,-23-Mar-2022.-Accessed-May-2022.
Tung,-Liam-"This-is-how-long-hackers-will-hide-in-your-network-before-deploying-ransomware-or-being-spotted."-zdnet.-May-19,-2021.-Accessed-June-2022.-