Blueprint for Ransomware Defense

An Action Plan for Ransomware Mitigation, Response, and Recovery for Small- and Medium-sized Enterprises

The Ransomware Task Force called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” The basis for this Blueprint for Ransomware Defense is the CIS Controls, a set of well-regarded and widely-used best practices that help enterprises focus their resources on the critical actions needed to defend against the most common cyber attacks. It includes a subset of these best practices, or “Safeguards,” that are most relevant to combating ransomware.

Executive Summary

According to the U.S. Small Business Administration, there are 32,540,953 million small businesses in the United States, representing 99.9% of all firms. However, many of these businesses remain inadequately prepared against the risk of a cyber attack. Accenture’s 2019 Cost of Cybercrime Study, for example, revealed that “43% of cyber attacks target small businesses, but only 14% are prepared to defend themselves.” To address this risk, it is increasingly common for SMEs to obtain cybersecurity insurance. Increasingly, however, insurers require enterprises to better understand, implement, and demonstrate cyber risk management practices before qualifying. 

It is in this context that we recommend that SMEs should adopt a cybersecurity framework of specific best practices to help defend against these attacks. Fortunately, adopting and following a security framework can help enterprises build stronger defenses. Unfortunately, it is difficult to know where to start, leaving many lost and unable to prioritize their cybersecurity efforts. However, that framework needs to be written in plain terms, with easily digestible and practical guidance. Regrettably, some SMEs believe they are unable to achieve and implement certain cybersecurity frameworks and therefore have not pursued business opportunities that require demonstration of compliance to them. This practice perpetuates the cycle of inefficient cybersecurity preparedness.

In response to Action 3.1.1 of the Ransomware Task Force (RTF) report, which calls for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery,” the Blueprint for Ransomware Defense Working Group developed a Blueprint comprised of a curated subset of essential cyber hygiene Safeguards from the Center for Internet Security Critical Security Controls® (CIS Controls®) v8. These Safeguards represent a minimum standard of information security for all enterprises and are what should be applied to defend against the most common attacks. This Blueprint for Ransomware Defense represents a set of Foundational and Actionable Safeguards, aimed at small- and medium-sized enterprises (SMEs). 

Consequently, this Blueprint for Ransomware Defense utilizes the CIS Controls, a prioritized and prescriptive set of actions developed by a global community of cybersecurity experts. The forty (40) recommended Safeguards included in the Blueprint have been carefully selected not only for their ease-of-implementation but their effectiveness in defending against ransomware attacks. This has been backed by analysis from the CIS Community Defense Model v2.0 (CIS CDM v2.0), where implementing the Safeguards in this Blueprint defends against over 70% of the attack techniques associated with ransomware. It is important to note that this Blueprint is not intended to serve as an implementation guide, but rather a recommendation of defensive actions that can be taken to protect against and respond to ransomware and other common cyber attacks.

Introducing the Blueprint for Ransomware Defense

Putting the Blueprint for Ransomware Defense to the Test

One year after the release of the Blueprint for Ransomware Defense, IST worked with cyber insurance company Resilience to test the framework’s effectiveness in protecting enterprises against ransomware attacks. In a review of 38 attacks, IST’s Zoë Brammer found that 68% could have been prevented by proper implementation of the Blueprint’s Safeguards.

Translating the Blueprint for Ransomware Defense

Thanks to support from Amazon Web Services and the Organization for American States, the Blueprint for Ransomware Defense is now available in Spanish!

Webinar Series: Blueprint for Ransomware Defense

In Fall 2023, IST’s Ransomware Task Force, along with other members of the Blueprint for Ransomware Defense Working Group, hosted a series of webinars to guide users and implementation specialists through the Blueprint’s various Safeguards. The sessions added depth as to why each Safeguard was selected, best practices for planning and implementation, and discussion on available tools to help.

Webinar 1: Foundational Safeguards | Tips and tricks for building your cybersecurity foundation
Foundational Safeguards are the building blocks that are necessary to establish an enterprise’s cyber security program. They also enable the implementation of Actionable Safeguards. To ease viewers into implementation of the Blueprint, this webinar focused on the foundational Safeguards that are preventative measures to block a ransomware attack.
October 25, 2022

Webinar 2: Foundational Safeguards | Building resilience in the face of a ransomware attack
While preventing a ransomware attack is your chief priority, ransomware actors are increasingly sophisticated and may get past even the most robust defenses. This second session focused on the set of practices an enterprises must implement to prepare for rapid response and recovery.
November 1, 2022

Webinar 3: Actionable Safeguards | Protecting your organization from access control gaps, misconfigurations, and outdated software
Now that you’ve inventoried your assets and built a strong foundation for protecting your devices, network and people, it’s time to add the next layer of Safeguards. This session focused on the set of practices an enterprise must implement to effectively manage devices and the people who use them.
November 9, 2022

Webinar 4: Actionable Safeguards | Containing and recovering from ransomware attacks
By now, through attending our earlier webinars, you’ve learned how to build a great wall of defense against ransomware attacks. Yes, we know that ransomware actors are a very determined bunch and, if dedicated, will do everything they can to exploit any unforeseen gaps. This session zeroed in on testing and optimizing incident reporting processes, best practices for collecting data and storing logs, and optimizing data recovery efforts.
November 15, 2022

Webinar 5: Cyber resilience and insurance innovation
With the rise in volume and sophistication of ransomware, insurance companies and their insureds struggle with how to respond. This has driven new underwriting requirements and price changes but also innovation. In this webinar, experts explored current trends in the cyber insurance space, how the Blueprint can prepare your organization for your next renewal, and how innovation in the market is driving cyber resilience for insureds and smarter underwriting by carriers.
November 30, 2022