An analysis of ransomware attack points of failure reflected in cyber insurance claims data
One year ago this month, the Institute for Security and Technology (IST)’s Ransomware Task Force released the Blueprint for Ransomware Defense in coordination with the Center for Internet Security® (CIS®). The Blueprint consists of 40 IG1 Safeguards from the CIS Critical Security Controls (CIS Controls) that help small- and medium-sized enterprises in particular defend against the most common cyber attacks, including ransomware. Based on analysis from the CIS Community Defense Model v2.0 (CIS CDM v2.0), we estimated that the Blueprint’s Safeguards, if implemented correctly, would protect against over 70% of common attack vectors associated with ransomware. As we approached the Blueprint’s anniversary, we sought to put our claim to the test.
In order to do so, we turned to cyber insurance provider Resilience, who shared information pertaining to approximately 100 ransomware claims. Out of these claims, Resilience was able to pinpoint a critical point of security failure in 38 instances. We then mapped each point of failure to a specific Blueprint Safeguard, where applicable, and determined whether or not the Safeguard, if implemented properly, could have prevented the attack. We found that at least 68% of all attacks in this particular data set could have been prevented.
About the Blueprint for Ransomware Defense
Members of a working group developed the Blueprint in response to Action 3.1.1 of the Ransomware Task Force’s April 2021 report, which called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” The working group tailored the Blueprint to meet the needs of small teams with limited resources, including the over 32 million small businesses in the United States. It aims to help them establish a minimum standard of information security with clear, digestible language and practical guidance. The 14 foundational Safeguards included in the Blueprint are the building blocks necessary to establish an organization’s cyber security program, while the 26 actionable Safeguards help organizations apply the technical controls needed to protect their environment and defend against ransomware and other cyber attacks.
In the year since its publication, the Blueprint has gained significant traction and attention. The Cybersecurity and Infrastructure Security Agency (CISA) listed the Blueprint as a featured resource in its #StopRansomware Guide, and Amazon Web Services (AWS) used the Blueprint as a tool to demonstrate the effectiveness of its cybersecurity services and features against ransomware and other cyber threats. The Blueprint is also available in Spanish, thanks to support from Amazon Web Services and the Organization of American States.
Points of Failure
It can be a challenge to collect data about the cyber ecosystem. First, the transnational nature of the cybercrime ecosystem and distributed nature of defenders generates an imperfect information environment, where it is difficult to establish a concrete understanding of the scope and scale of a given threat. Second, some victims, cyber insurers, incident responders, and governments are reluctant to share meaningful details about attacks, due to legal constraints, victim shaming, and at times, concern for national security.
Because they insure enterprises against cyber attacks and respond when one occurs, cyber insurance providers can serve as a useful data source: they take part in incident response and may reimburse ransom payments made by their policyholders. Resilience Insurance, one such cyber insurer, compiled data on ransomware notifications and the associated claims between March 2021 and June 2023, and provided us with anonymized information about approximately 100 of these claims affecting Resilience clients, the clients’ vendors, or other third parties within their insureds’ supply chains. The data encompasses claims against both Primary and Excess policies, meaning not all claims were material to Resilience or resulted in incurred loss.
Of the approximately 100 ransomware notifications, Resilience pinpointed a specific point of failure in 38. A number of factors can complicate efforts to capture point-of-failure data. In some cases, insureds cite legal privilege and refuse to share incident reports. In others, it is not possible to reasonably attribute an incident to a specific point of failure based on the facts available. Points of failure in this dataset included unpatched software vulnerabilities (8 of 38), a ransomware attack on a vendor (12 of 38), phishing campaigns that granted attackers initial access to the targeted network (6 of 38), improper management of privileged user accounts (6 of 38), misconfigured or absent multi-factor authentication (3 of 38), system misconfiguration (2 of 38), and misconfigured backups (1 of 38).
While ransomware attacks can occur for a variety of reasons and include factors beyond those listed above, such an attack can also have more than one contributing point of security failure. In compiling this analysis, Resilience selected, to the best of their ability, the single most influential factor for each incident.
Measuring ‘Effectiveness’ of the Blueprint for Ransomware Defense
In over 68% (26 of 38) of the incidents reflected in Resilience’s data set, proper implementation of the Blueprint could have prevented the attack from occurring. Safeguards in the Blueprint address software patching, phishing prevention, privileged access management, multi-factor authentication configuration, system configuration, and backup configuration. The table below summarizes each point of failure and maps it to the relevant Safeguards in the Blueprint.
| Point of Failure | Relevant Blueprint Safeguard |
|---|---|
| Phishing | 14.1, 14.2, 14.6 |
| Privileged Access Management | 5.4, 6.1, 6.2 |
| Multi-factor Authentication Configuration | 6.3, 6.4, 6.5 |
| System Configuration | 4.1, 4.2, 4.4, 4.7 |
| Backup Configuration | 11.2, 11.3, 11.4 |
Of note, Resilience attributed 12 of the 38 instances in which it could identify a point of failure to vendor attacks, meaning that a third-party vendor was exploited and then served as the attack vector against the insured, essentially constituting a supply chain attack. In these 12 instances, we do not know the vendor’s specific point of failure; however, this illuminates an important point: vendors and third-party service providers must also implement the Blueprint or a similar cybersecurity framework to secure themselves, and those who rely on them, against ransomware and other cyber threats.
So can we conclude that the Blueprint’s Safeguards are effective in defending against ransomware attacks? You bet they are…when implemented correctly.
Ultimately, we undertook this review of Blueprint ‘effectiveness’ in an effort to gauge its real-world applicability and impact. Further research could gain insight into the points of failure associated with vendors, not just the enterprises that hold insurance policies; amalgamate data from a range of cyber insurers to ensure that enterprises from across the cyber insurance spectrum are represented; and incorporate more data from Resilience, covering a broader time scale and a larger sample. This experiment also represents only points of failure from enterprises that obtained cyber insurance. Further research could look to uninsured entities hit by ransomware attacks to determine whether the Safeguards in the Blueprint would have been effective for them. Additionally, we cannot confirm with certainty that the clients had not implemented the Blueprint at the time of the attack; further research could verify the level of cybersecurity controls each enterprise has in place and trace their effectiveness in the event of an attack.
While the Blueprint requires some time and resources to implement, such as a small budget and IT team, the cost of Blueprint implementation is dwarfed by the cost of ransom payments and the time it takes for organizations to recover from attacks. Cyber attacks threaten all of us; we are all safer when individuals, enterprises, schools, and governments implement baseline cybersecurity measures that secure their data.