A Blueprint for Ransomware Defense Using the CIS Controls

If the past few years are any indication, ransomware attacks aren't going away anytime soon. In a 2022 report, SonicWall revealed that it had detected more than 623 million ransomware attacks over the course of 2021 – an increase of 105% over the previous year. By comparison, it observed just 188 million ransomware attacks back in 2019. In other words, ransomware detections more than tripled between 2019 and 2021.

These findings don't bode well for disaster recovery and business continuity, as many enterprises already struggle in the wake of a ransomware infection. The challenges extend beyond the reputational and economic costs that take shape in an attack's immediate aftermath. There's also what the U.S. Cybersecurity & Infrastructure Security Agency (CISA) calls the "extended recovery" challenge. As CSO has noted, enterprises might prioritize backing up their data without doing the same for the software, components, and dependencies needed to bring systems back up, which can further amplify the disruption resulting from a ransomware attack.

A Shift in Approach

Whether your enterprise is big or small, you can't afford to take a passive approach to ransomware. Responding only after an infection means the recovery process is likely to bring additional financial and operational damage. To avoid that outcome, you need to shift to an active ransomware defense built on a comprehensive framework.

That's the logic behind a recent initiative from the Ransomware Task Force (RTF), which consists of more than 60 members spanning several sectors, including government, law enforcement, nonprofits, and other institutions. Over the last year, members of the initial RTF partnered with CIS, among other industry organizations, to form the Blueprint for Ransomware Defense Working Group. The purpose of the Working Group is to “develop a clear, actionable, framework for ransomware mitigation, response, and recovery” as part of Action 3.1.1 from the Ransomware Task Force Report.

We are pleased to announce the Working Group’s release of the Blueprint for Ransomware Defense. It consists of a subset of Implementation Group 1 (IG1) Safeguards from the CIS Critical Security Controls (CIS Controls) v8.

Ransomware Defense for Most U.S. Businesses

The Blueprint is written for one group in particular – small- to medium-sized enterprises (SMEs). According to the U.S. Small Business Administration’s Office of Advocacy, there are over 32.5 million small businesses in the United States, making up 99.9% of all U.S. businesses. These enterprises face unique challenges when it comes to establishing cybersecurity best practices, as they are often overwhelmed and understaffed. For many, it is difficult to know where to start.

The Blueprint provides a set of 40 Foundational and Actionable Safeguards from IG1 that will assist with ransomware defense while taking into account those SMEs that have limited cybersecurity expertise. Many IG1 Safeguards are foundational and process-oriented (for example, maintaining an inventory of assets), and they are often prerequisites for successfully implementing the actionable, technical Safeguards that build on them.

The Working Group prioritized these Safeguards based on their value in combating ransomware, using analysis from the CIS Community Defense Model. The Blueprint for Ransomware Defense also aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), mapping each Safeguard to one of the framework’s five Functions – Identify, Protect, Detect, Respond, and Recover – to help enterprises prioritize their efforts and find a starting point for developing ransomware defenses.

Strategic Ransomware Protection

SMEs that implement the Blueprint will be well-positioned to defend against ransomware, reinforcing the value of a relatively small number of well-chosen defensive steps. SMEs should therefore start with the CIS Safeguards from IG1 in the Blueprint to obtain the highest value, and then work up to the Safeguards in the other Implementation Groups as appropriate.