Introduction
In the wake of several recent high-profile ransomware attacks – most notably the Change Healthcare attack, which led to a $22 million ransom payment, and the CDK attack, which crippled over 15,000 car dealerships – cybersecurity and ransomware defense remain a high priority for critical infrastructure sectors and small businesses alike. The ransomware ecosystem is interconnected and affects us all: when an entity like Change Healthcare makes the tough choice to pay, the payment funds and emboldens the same criminal groups, and adjacent businesses in the sector see increased attacks as a result.
Ransomware attacks show no sign of slowing down, and businesses of all sizes must take action to protect sensitive data and systems. Businesses often assume that effective cybersecurity and ransomware defense are unattainable without a large upfront investment in complex, expensive systems that require highly technical staff to maintain. For SMEs, however, ransomware defense does not need to come with a steep price tag: the cost of implementing the essential defenses pales in comparison to the cost of recovering from a ransomware attack, and preparation can remove the need to pay a ransom at all.
Two years ago, the Ransomware Task Force (RTF) introduced the Blueprint for Ransomware Defense, a comprehensive set of 40 recommendations designed for SMEs to mitigate, respond to, and recover from a ransomware incident. The Blueprint consists of a curated subset of essential cyber hygiene Safeguards from the Center for Internet Security’s Critical Security Controls v8, an internationally-recognized security framework for defending against cyber attacks. These recommendations also align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). In February of 2024, NIST released an updated 2.0 version of their CSF framework, which emphasizes proper risk management strategies and introduces new elements to focus on supply chain risk management. These new updates only further highlight the need for an ever-evolving approach to cybersecurity, for which the Blueprint creates the foundation.
The Blueprint is a popular tool for SMEs to improve their cyber posture. On the Institute for Security and Technology’s website, the Blueprint has been downloaded over 16,000 times; other important government and civil society actors also promote the product (for example, CISA includes the Blueprint on its #StopRansomware website, and the Global Cyber Alliance includes the Blueprint in its Cybersecurity Toolkit for Small Businesses). An August 2023 IST study analyzed data from cyber insurance provider Resilience and concluded that the Blueprint, if implemented correctly, could have prevented at least 68% of the attacks analyzed.
This quick-start guide breaks down important components of the Blueprint, explains its underlying core technical concepts, and points to various tools and resources—both free and paid—that can assist SMEs in investing a small amount in the short term for major long-term counter-ransomware defense.
The Blueprint’s Role in Ransomware Defense
Convened by the Institute for Security and Technology (IST), the Ransomware Task Force is a multistakeholder effort combining participation across government, industry, and civil society to advance a set of 48 recommendations to combat and disrupt ransomware at scale. Recommendation 3.1.1 of these 48 recommendations calls on stakeholders to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.”
The Blueprint Working Group, primarily focused on the “Prepare” pillar of the Ransomware Task Force’s core 48 recommendations, collaborated with members such as ActZero, the Center for Internet Security (CIS), Global Cyber Alliance (GCA), Resilience, and SecurityScorecard. Together, they developed the Blueprint to support the 33+ million small businesses in the United States, representing 99.9% of all firms in the nation.
Understanding & Implementing the Blueprint
The Blueprint provides 40 security controls – a specific countermeasure or technical recommendation – to defend against ransomware and improve an organization’s cybersecurity. These security controls, or Safeguards, are divided into two types: Foundational and Actionable.
- Foundational Safeguards are non-technical actions, usually a procedure or process – like a cyber incident response plan – that serve as the building blocks for essential cyber hygiene and for the Actionable Safeguards that make up the technical defenses. In home-security terms, a Foundational Safeguard is installing a lock on the front door and setting a reminder to lock it whenever you leave.
- Actionable Safeguards are direct, technical controls – like configuring a firewall or requiring a password on a device – that strengthen defenses and protect sensitive data. In the same analogy, the Actionable Safeguard is actually locking the door when you leave.
Of the 40 Safeguards, 14 are Foundational and 26 are Actionable. The Foundational Safeguards are designed to function as a baseline or first step for many of the Actionable Safeguards, so they should be implemented first, before moving on to the more technical Actionable Safeguards. You can’t lock a door without first installing a lock!
Simplified Overview of Blueprint Safeguards
The Blueprint is a starting point to prioritize and improve cybersecurity. While complete adoption of the Blueprint is ideal, even partial implementation can help prevent a future attack. The Blueprint’s 40 Safeguards are categorized based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework’s five Security Functions: Identify, Protect, Detect, Respond, and Recover. Safeguards related to the “Detect” function are not included in the Blueprint; the Blueprint Working Group strongly recommends that SMEs focus on the Identify, Protect, Respond, and Recover Safeguards first. With a limited amount of available resources, focusing on these security functions maximizes impact while minimizing cost. SMEs are encouraged to return to implement the “Detect” security function at a later time, ideally after the successful implementation of the Blueprint.
For a more detailed explanation of each of the 40 recommended Safeguards, the full Blueprint for Ransomware Defense is available on the Institute for Security and Technology’s website. While there will be tools and resources included in this guide, they do not in any way represent or imply endorsement by the Blueprint for Ransomware Defense Working Group and do not constitute a guarantee of success of the tool or solution in providing sufficient cybersecurity coverage.
Identify
Cyber defense begins with identifying the technology, accounts, data, and other digital assets and access points that need to be protected. By identifying these assets and potential access points – like counting the number of doors, windows, and other points of entry into your home to see what locks and equipment are needed to secure them – SMEs can then work to implement the cyber hygiene standards needed for robust cyber defense. The Blueprint recommends several Safeguards to track devices and accounts, not only to ensure that your network is secure but also to track and defend against unauthorized devices or accounts attempting to access sensitive data.
Several Safeguards under this category call for the establishment and maintenance of an enterprise asset inventory, a software inventory, a data management process, an inventory of accounts, and the support of authorized and up-to-date software. These are all necessary to build a strong foundation for many of the Actionable Safeguards in the Protect category. The Center for Internet Security’s (CIS) Enterprise Asset Management Policy Template and Asset Tracking Spreadsheet, and OpenLDAP are all free and/or open-source tools to help implement these Safeguards.
Protect
Nearly 70% of the Blueprint’s Actionable Safeguards fall under the Protect category. This area is crucial, and focuses on security controls that can protect systems from breaches that lead to a cyber incident. Even if someone gains access to your home, safes, locked drawers, and internal cameras in your home can add yet another layer of defense, and deter further damage or theft.
To better understand how each recommendation plays a role in preventing cyberattacks, the Blueprint sorts the Protect Safeguards into five categories: Secure Configurations, Account and Access Management, Vulnerability Management Planning, Malware Defense, and Security Awareness & Skills Training. This is the phase of actually securing your devices, like installing the safes, cameras, and security system inside your home.
Starting with a Secure Configuration
When setting up your home to be safe from intruders, you take standard measures such as locking the doors and windows, installing a security alarm, and limiting who has keys to the house. Likewise, when setting up a network to protect it from cyber criminals, implementing secure configurations is critical: devices and software are calibrated so that only the necessary users and devices have access.
Secure configurations are a set of baseline security settings that every device on the network must follow to reduce the risk of unauthorized access. Misconfigured settings – or no security settings at all – are the cybersecurity equivalent of leaving a door unlocked with the alarm off, letting a cyber criminal waltz in.
These baselines take the shape of technical actions like enforcing a list of allowed or blocked devices, limiting account access, or enforcing minimum password standards. The Blueprint recommends Safeguards such as maintaining secure configurations for devices and networks, implementing firewalls on servers, and managing default accounts on enterprise assets and software (renaming, disabling, or changing the credentials of vendor-supplied accounts). OpenSCAP and the DISA STIGs – public configuration guidelines maintained for the U.S. Department of Defense – are free resources for defining and checking these baselines: OpenSCAP can scan a system against a STIG or CIS profile and report which settings deviate from it.
Account and Access Management
Many cyber attacks begin with a set of accounts compromised through a variety of methods such as phishing. Once cyber criminals gain access to an account, especially an account with administrative or elevated privileges, the potential harm they can cause increases significantly. Cyber criminals can move laterally inside the network, exfiltrate data, and/or load malicious payloads to launch a secondary attack.
Much like deciding whether to give someone a key to your home, the Foundational Safeguards here include establishing an access-granting and access-revoking process, with the ability to terminate an account’s access immediately when someone leaves or a credential is suspected to be compromised. On top of that process, the Blueprint recommends Actionable Safeguards such as enforcing unique passwords, disabling dormant accounts, and restricting administrative privileges to dedicated administrator accounts that are used only for administrative tasks.
KeePass and Password Safe are free password managers that generate and store unique passwords, and Have I Been Pwned lets you check whether an email address or password has appeared in a public data breach. Netwrix and ADManager are paid account management options. Note that many SaaS services already in use by SMEs, such as Square, Squarespace, and Google Workspace, include user account management features, sometimes at an added cost.
Multi-Factor Authentication (MFA) is also an extremely important and easy way to limit unauthorized access. The Blueprint calls for MFA at all levels, which includes MFA for externally facing (public) applications, remote network access, and administrative access. If a cyber criminal obtains a set of compromised credentials – like a burglar managing to steal your key – MFA plays a large role in blocking further access. Google Authenticator, Microsoft Authenticator, Duo, Authy, and many other tools provide basic MFA capabilities at little or no cost. Prefer authenticator apps or hardware security keys over SMS codes, which can be intercepted or redirected through SIM swapping.
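The account checks described above can be run as a routine audit against an export of your user directory. The following Python script is an added example written for this guide, not part of the Blueprint or any tool it names: it walks a constructed account inventory and flags accounts that have never logged in or have been dormant for 45 days (the threshold CIS Control 5.3 uses), administrative or externally facing accounts without MFA, and accounts that share a password. The field names ("admin", "mfa", "external", "pw_hash") are assumptions chosen for the example; "external" marks an account that can sign in to a public-facing application, and "pw_hash" stands in for whatever opaque value your directory lets you compare for duplicates.

```python
"""Account hygiene audit over a constructed account inventory (added example)."""
from datetime import datetime, timedelta

# Constructed sample inventory. In practice, export this from your identity
# source (Active Directory, Google Workspace, Microsoft 365, ...). The
# pw_hash column only matters for spotting duplicates, never for its value.
ACCOUNTS = [
    {"user": "alice",      "admin": True,  "mfa": True,  "external": False,
     "last_login": "2024-06-28", "pw_hash": "h1"},
    {"user": "bob",        "admin": False, "mfa": False, "external": True,
     "last_login": "2024-01-15", "pw_hash": "h2"},
    {"user": "svc-backup", "admin": True,  "mfa": False, "external": False,
     "last_login": "2024-06-30", "pw_hash": "h2"},
    {"user": "carol",      "admin": False, "mfa": True,  "external": False,
     "last_login": None,         "pw_hash": "h3"},
]
AS_OF = datetime(2024, 7, 1)  # assumed audit date for the constructed data


def audit_accounts(accounts, as_of=AS_OF, dormant_days=45):
    """Return a sorted list of (user, finding) tuples.

    dormant_days defaults to 45, the threshold CIS Control 5.3 uses for
    disabling dormant accounts.
    """
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    first_user_with_hash = {}
    for acct in accounts:
        user = acct["user"]
        if acct["last_login"] is None:
            findings.append((user, "never-logged-in"))
        elif datetime.strptime(acct["last_login"], "%Y-%m-%d") < cutoff:
            findings.append((user, "dormant"))
        if acct["admin"] and not acct["mfa"]:
            findings.append((user, "admin-without-mfa"))
        if acct["external"] and not acct["mfa"]:
            findings.append((user, "external-access-without-mfa"))
        # A password hash seen on two accounts means a reused password.
        other = first_user_with_hash.setdefault(acct["pw_hash"], user)
        if other != user:
            findings.append((user, f"shares-password-with:{other}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS):
        print(f"{user:12} {finding}")
```

Each finding maps to a Blueprint action: disable the dormant and never-used accounts, enroll the flagged accounts in MFA before they are used again, and force a password change on the pair that share one. Running this on a schedule turns the access-revoking process into something you can verify rather than assume.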
Vulnerability Management Planning
Security researchers, vendors, and other stakeholders in the cybersecurity community publish thousands of new software vulnerabilities every year, often before cyber criminals discover and exploit them. Like working with neighbors or police officers to identify repeat burglars or new crime trends, establishing a vulnerability management process and a risk remediation process can help SMEs stay ahead of the curve. In many cases, simply enabling and enforcing automatic security updates for operating systems and applications – another Blueprint Safeguard – meets much of this requirement; both Windows and macOS support automatic updates natively.
Malware Defenses
Like many forms of cyber attacks, ransomware doesn’t just “appear” on a network. Often, cyber criminals compromise an account, device, or network and use that initial point of access to launch a secondary attack. However, even if cyber criminals gain access, all hope is not lost. The Blueprint recommends several Actionable steps to harden cyberdefenses on a network, which when implemented correctly can limit the criminals’ impact.
Establishing DNS filtering lets the network block connections to domains known for malicious activity. Using only fully supported browsers and email clients prevents known exploits against those applications, since unsupported versions no longer receive security fixes. Deploying anti-malware software and configuring it to update automatically can block the execution of malware and ransomware on protected devices, using up-to-date signatures of known malware and behavioral heuristics to stop matching processes. Finally, disabling autorun and auto-execute functionality for removable media prevents attacks launched from USB drives and other storage devices. Quad9 (DNS filtering), ClamAV and Bitdefender (anti-malware), Nmap (for checking which services are actually exposed on your network), and OpenSCAP (for auditing device settings against a baseline) are free and/or open-source tools that help meet this baseline.
Security Awareness & Skills Training
Social engineering is a type of attack that tricks or manipulates someone into performing unauthorized actions or providing sensitive data. Phishing emails – messages that impersonate a trusted source to steal data or gain further access into a system – are the most common type of social engineering attack, and they are the most common entry point for ransomware attacks.
No tool can completely prevent phishing attacks. However, implementing and sustaining a security awareness program to train employees to identify the signs of social engineering or security incidents, along with various technical defenses outlined in the Blueprint, provides SMEs with the best chance to prevent phishing attacks.
There are different approaches to security training. Some organizations provide regular, mandatory security training, while others implement more advanced phishing training and testing, typically by sending simulated phishing emails to see whether employees can spot the warning signs. Several free resources, ranging from monthly newsletters to videos, exist for social engineering education; MS-ISAC’s newsletter and awareness toolkit and NIST’s You’ve Been Phished! videos are two examples.
The cybersecurity community does not agree on how effective security awareness programs are. However, cyber criminals regularly exploit gaps in knowledge to execute phishing attacks, compromising even well-secured corporate networks, and some studies report that a robust and frequent security awareness program can reduce security-related incidents by up to 70%. Employee training alone is insufficient, but combined with the remaining Foundational and Actionable Blueprint Safeguards, it significantly improves an SME’s cyber defenses and overall cyber hygiene, not least by empowering employees to report suspected security incidents like phishing emails.
Respond
Even the best protections can’t stop a dedicated cyber criminal who is willing to invest the time, research, and resources necessary to carry out an attack. In the event of a major cyber incident, time is of the essence. Like calling the police after an attempted break-in, the Blueprint details several preparatory steps to quickly respond once a cyber incident is detected.
Safeguards that help an organization respond include designating personnel to manage the incident handling process, publishing clear contact information for reporting incidents, and establishing a standard process for reporting cyber incidents. By designating one key person in charge of the incident response plan, with at least one backup, organizations can respond quickly and effectively in the wake of a cyber incident. This person is responsible for coordinating and documenting the incident response and recovery efforts. Incident response plans vary, but free guides such as CIS’s Cyber Incident Checklist and Resilience’s Incident Response Checklist are a good starting point for creating an effective plan.
The Blueprint also recommends Safeguards to maintain an audit log process, collect audit logs regularly, and ensure adequate audit log storage. Audit logs are system-generated records of actions taken on a system or in a piece of software – a history of what was accessed, created, changed, or deleted, by whom, and when. Like noticing suspicious activity around your home by reviewing security camera footage, irregular log activity is often the first sign of a cyber incident, and logs help incident response personnel understand when and how malicious actors accessed a system before the attack. Because attackers routinely clear logs on the machines they compromise, send copies to a separate, central location that ordinary user and administrator accounts cannot modify. Free and enterprise tools for collecting and searching audit logs include AlienVault OSSIM and Graylog; OpenSCAP can check that logging is enabled and configured according to a baseline.
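To make the "irregular log activity" point concrete, the following Python script is an added example written for this guide (not code from the Blueprint or from any tool named above). It parses constructed sshd authentication lines in standard syslog format and raises three kinds of alert that are typical precursors of a ransomware intrusion: a burst of failed logins from one address, a successful login from an address that just produced such a burst, and an administrator login outside business hours. The threshold (5 failures in 60 seconds), the business-hours window, the list of administrator usernames, and the sample lines themselves are assumptions chosen for the example; the IP addresses are documentation ranges.

```python
"""Detect brute-force and off-hours admin logins in sshd audit log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines; the events are invented and the addresses are
# documentation ranges (203.0.113.0/24 and RFC 1918 space).
SAMPLE_LOG = """\
Jun 30 02:14:01 fileserver sshd[1422]: Failed password for root from 203.0.113.5 port 51514 ssh2
Jun 30 02:14:03 fileserver sshd[1422]: Failed password for root from 203.0.113.5 port 51514 ssh2
Jun 30 02:14:05 fileserver sshd[1423]: Failed password for invalid user admin from 203.0.113.5 port 51516 ssh2
Jun 30 02:14:07 fileserver sshd[1423]: Failed password for invalid user admin from 203.0.113.5 port 51516 ssh2
Jun 30 02:14:09 fileserver sshd[1424]: Failed password for backupadmin from 203.0.113.5 port 51518 ssh2
Jun 30 02:14:20 fileserver sshd[1425]: Accepted password for backupadmin from 203.0.113.5 port 51520 ssh2
Jun 30 09:05:12 fileserver sshd[1510]: Accepted publickey for alice from 192.168.1.20 port 40112 ssh2
Jun 30 09:07:44 fileserver sshd[1511]: Failed password for alice from 192.168.1.20 port 40114 ssh2
""".splitlines()

# Assumed: which usernames count as administrative on this host.
ADMIN_USERS = {"root", "backupadmin"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2024):
    """Turn sshd syslog lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, fail_threshold=5, window_s=60, business_hours=(8, 18),
           admin_users=ADMIN_USERS):
    """Return alerts in the order they are triggered."""
    alerts = []
    recent_fails = defaultdict(deque)   # ip -> timestamps of failures in window
    burst_ips = set()                   # ips that already tripped the threshold
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "Failed":
            q = recent_fails[e["ip"]]
            q.append(e["ts"])
            while q and (e["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()             # slide the window forward
            if len(q) >= fail_threshold and e["ip"] not in burst_ips:
                burst_ips.add(e["ip"])
                alerts.append({"kind": "brute-force", "ip": e["ip"],
                               "user": e["user"], "ts": e["ts"]})
        else:
            if e["ip"] in burst_ips:
                alerts.append({"kind": "success-after-burst", "ip": e["ip"],
                               "user": e["user"], "ts": e["ts"]})
            start, end = business_hours
            if e["user"] in admin_users and not start <= e["ts"].hour < end:
                alerts.append({"kind": "off-hours-admin-login", "ip": e["ip"],
                               "user": e["user"], "ts": e["ts"]})
    return alerts


def run(lines=SAMPLE_LOG):
    return detect(parse(lines))


if __name__ == "__main__":
    for a in run():
        print(f"{a['ts']:%b %d %H:%M:%S} {a['kind']:24} {a['user']}@{a['ip']}")
```

The same three rules (failure bursts, success following a burst, privileged activity at unusual hours) transfer directly to Windows Security event IDs 4625 and 4624 or to the sign-in logs of a SaaS identity provider; only the parser changes. The key is that the logs are collected somewhere the attacker cannot erase them, so the 02:14 sequence above still exists when someone looks for it.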
Recover
During a ransomware attack, primary systems are encrypted and unavailable, often halting business operations and putting sensitive data at risk of loss. Preparation can remove the need to pay, which is why the Blueprint recommends establishing and maintaining a data recovery process, along with automated and protected backups, ahead of any ransomware attack.
Finally, the Blueprint recommends maintaining an isolated instance of recovery data – a copy that is separated, physically or logically, from the main network. Many cyber criminals seek out and destroy backups before deploying ransomware in order to increase the pressure to pay. On average, criminals demand ransoms twice as high from organizations whose backups were compromised as from organizations whose backups were secure. Unprepared entities face nearly eight times higher recovery costs and are twice as likely to pay the ransom.
By having an offline, offsite, or cloud backup that is “isolated” from the primary business network, SMEs keep the option to recover data even when on-site or network-connected backups have been destroyed. Some devices have native options for automatic backups, such as Apple’s Time Machine for MacBooks, and open-source tools such as Bacula (scheduled backups), Clonezilla (disk imaging), and VeraCrypt (encrypting backup media) support a variety of use cases that fulfill this Safeguard. Whichever tool you use, test a restore periodically: a backup that has never been restored is an assumption, not a recovery plan.
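A backup is only useful if it is still intact when you need it, and an attacker who reaches the backup store will encrypt or delete files there as well. The following Python script is an added example for this guide, not code from the Blueprint or from any backup tool named above: it builds a SHA-256 manifest of a source tree, stores it alongside the isolated copy, and verifies the copy against the manifest, reporting files that have been modified, removed, or added. The demo creates constructed sample files in a temporary directory and then simulates an attacker reaching the backup; the file names and contents are invented.

```python
"""Hash manifest for verifying an isolated backup copy (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree at root against a trusted manifest."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    unexpected = sorted(set(current) - set(manifest))
    return {"ok": not missing and not modified, "missing": missing,
            "modified": modified, "unexpected": unexpected}


def demo():
    """Create constructed source data, back it up, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "docs").mkdir(parents=True)
        (src / "db").mkdir()
        (src / "docs" / "invoice.txt").write_text("Invoice 1042: 250.00 USD\n")
        (src / "db" / "customers.csv").write_text("id,name\n1,Example Co\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        manifest = build_manifest(src)
        # Keep the manifest with the copy, and record the manifest's own hash
        # somewhere the backup host cannot reach (a printed line in the job log,
        # a ticket) so a tampered manifest is also detectable.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=1))
        print("manifest sha256:", sha256_file(manifest_path))
        before = verify_backup(backup, manifest)

        # Simulate ransomware reaching the backup: one file encrypted in place,
        # one deleted, one ransom note dropped.
        (backup / "docs" / "invoice.txt").write_bytes(b"\x9f\x03encrypted\x11")
        (backup / "db" / "customers.csv").unlink()
        (backup / "README_RESTORE.txt").write_text("pay to decrypt\n")
        after = verify_backup(backup, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh copy ok:", before["ok"])
    print("after tampering:", json.dumps(after, indent=1))
```

Verification catches the silent failure modes a backup job's "success" message hides: a copy that completed but was later encrypted, pruned, or replaced. Run it from the isolated side (the offline or cloud copy), not from a machine on the production network, and treat any non-empty `modified` or `missing` list as an incident rather than a glitch.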
Blueprint Tooling Guide – Free and Paid Resources for Ransomware Defense
As a part of the Blueprint for Ransomware Defense, the Ransomware Task Force also developed and released a hub of free, open-source, and/or paid tools and resources that are mapped to each recommendation of the Blueprint. Access this free resource here.
Additional Resources for Ransomware Defense
The Ransomware Task Force has compiled a list of important educational resources to learn more about ransomware, guides to further defend against it, and other helpful cyber hygiene tips.
Access this helpful resource here.