Create a Ransomware Incident Response Plan

Don’t be the next headline. Determine your current readiness, response plan, and projects to close gaps.

  • Ransomware is a high-profile threat that demands immediate attention. Organizations large and small hit by ransomware make the news every week.
  • Executives want reassurance – but aren’t ready to write a blank check. Improvements must be targeted and justified.
  • No one is bulletproof, so the ability to recover from (and not just prevent) a ransomware attack is critical. Yet backup and disaster recovery capabilities are often lacking.

Our Advice

Critical Insight

  • Ransomware is a top concern for executives. However, most ransomware victims were aware they were vulnerable, but failed to close the gaps until it was too late.
  • Ransomware is constantly evolving; your existing security and disaster recovery (DR) practices may not be enough.
  • Attacks are often sophisticated, multi-stage forays designed to not trigger an alert until critical data is already compromised.

Impact and Result

  • Execute a systematic assessment of your current security and DR practices to identify gaps and quick wins.
  • Quantify ransomware risk to prioritize investments and drive security awareness.
  • Run tabletop planning exercises for ransomware attacks to build a more effective incident response plan and further identify projects to close gaps.

Create a Ransomware Incident Response Plan Research & Tools

1. Ransomware Incident Response Research – A systematic approach to evaluate and improve your organization's current ransomware readiness.

Ransomware has the attention of every leadership team. The challenge is translating that attention into specific actions to improve your ransomware readiness. This research includes assessing the organization's maturity to determine your ransomware readiness and identify specific areas that need improvement; undertaking a business impact analysis to quantify the impact of a ransomware attack and set appropriate recovery targets; performing tabletop planning to drive a practical incident response plan that captures how your organization would need to respond to a ransomware attack; and creating a project roadmap to address gaps and meet business resiliency requirements.

2. Ransomware Readiness Maturity Assessment Tool – A structured evaluation tool for preparing your organization for a potential ransomware attack.

Identify specific areas that need improvement and define baseline metrics to measure and report progress. Use this assessment tool to evaluate prevention at each stage of incident response (including post-incident) as well as the status of your organization's disaster recovery plan (DRP) and business continuity plan (BCP), both of which may be required in the event of a ransomware attack.

3. Ransomware Business Impact Analysis Tool – An exemplar document of the business impact analysis (BIA) that you can use to quantify the potential impact of a ransomware attack.

It is critical to communicate risk and prioritize the systems and data of your organization that need the greatest protection. This streamlined, practical assessment can expedite getting agreement between IT and business leaders on risk and recovery targets. This in turn will guide security and disaster recovery strategy and investments.

4. Ransomware Response Workflow Template – An editable example of a visual at-a-glance summary of the key steps and stakeholders in a sample ransomware incident response.

The workflow is aimed at team leaders who need to coordinate actions through each stage of incident response, from detection to recovery.

5. Ransomware Project Roadmap Tool – An exemplar project roadmap tool to identify specific tasks and projects that will help your organization address gaps and improve its ability to prevent and respond to ransomware attacks.

This completed roadmapping tool provides you with a timeline of projects in an executive dashboard. Leverage the tool to drive the necessary discussions to improve your organization's ransomware readiness.

6. Ransomware Readiness Summary Presentation Template – An example presentation you can edit and customize for your organization.

Summarize your current readiness and present a prioritized project roadmap to improve ransomware prevention and recovery capabilities.


Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this blueprint and what our clients have to say.

9.6/10 Overall Impact
$36,804 Average $ Saved
15 Average Days Saved

Client                                       | Experience            | Impact | $ Saved | Days Saved
---------------------------------------------|-----------------------|--------|---------|-----------
Eswatini Railway                             | Guided Implementation | 9/10   | $9,919  | 20
Guide Dogs for the Blind Inc.                | Workshop              | 10/10  | $19,839 | 10
Public Utilities Commission of Ohio          | Guided Implementation | 9/10   | $34,099 | 10
Jamaica Civil Aviation Authority             | Guided Implementation | 10/10  | $30,999 | 20
Aldridge Electric                            | Workshop              | 10/10  | $61,999 | 20
Armed Forces Benefit Association             | Workshop              | 10/10  | $40,299 | 32
Unity Health Care                            | Guided Implementation | 10/10  | $61,999 | 10
California Dental Association                | Guided Implementation | 10/10  | $12,399 | 5
Foxwoods Resort & Casino                     | Guided Implementation | 8/10   | $12,399 | 2
Unity Health Care                            | Guided Implementation | 10/10  | $61,999 | 20
Corporation Of The City Of Orillia           | Guided Implementation | 9/10   | N/A     | 5
Cascades, Centre des Technologies            | Guided Implementation | 10/10  | N/A     | N/A
Unity Health Care                            | Guided Implementation | 10/10  | $58,899 | 20
Darling Ingredients                          | Guided Implementation | 8/10   | N/A     | N/A
Capital Regional District                    | Workshop              | 10/10  | $13,000 | 10
Technologent                                 | Guided Implementation | 10/10  | $11,156 | 4
Packaging Machinery Manufacturers Institute  | Guided Implementation | 10/10  | $7,238  | 10
Office Of The Comptroller Of The Currency    | Guided Implementation | 10/10  | $11,305 | 20


Onsite Workshop: Create a Ransomware Incident Response Plan

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess Your Ransomware Readiness

The Purpose

Measure your organization's current readiness and identify key systems to focus on first.

Key Benefits Achieved

  • Identify a baseline maturity metric to measure progress over time.
  • Identify gaps in existing security processes and technology.

Activities and Outputs

1.1 Conduct a maturity assessment.
  • Maturity assessment, including baseline metrics and gaps to address

1.2 Review selected systems and dependencies.
  • Well-defined scope to enable a deeper dive into assessing readiness and response

Module 2: Conduct a Business Impact Analysis

The Purpose

Conduct a BIA to raise risk awareness and set recovery targets. Quantify the business impact of a ransomware attack to communicate risk and prioritize the systems and data that need the greatest protection.

Key Benefits Achieved

  • Achieve consensus between the business and IT on system criticality, risk, and recovery objectives.

Activities and Outputs

2.1 Record systems and dependencies.
  • Context for an impact analysis

2.2 Complete the impact analysis for selected systems and data sets.
  • Estimated impact of downtime and data loss from a ransomware attack
  • System prioritization and acceptable RTOs/RPOs assigned based on business impact

Module 3: Create a Ransomware Response Workflow and Runbook

The Purpose

  • Use tabletop planning to drive a more accurate and more effective incident response plan.

Key Benefits Achieved

Develop the following:

  • An incident response workflow that provides an at-a-glance view for team leads
  • A runbook that outlines specific actions to execute a ransomware response

Activities and Outputs

3.1 Document your threat escalation protocol.
  • Stakeholders and severity-driven escalation guidelines identified

3.2 Use tabletop planning to identify response steps and gaps.
  • A flowchart of tabletop planning results that provides a record of the exercise, a current-state response workflow, and gaps to address

3.3 Update your ransomware response workflow and runbook.
  • More accurate and comprehensive incident response documentation

Module 4: Build a Project Roadmap to Close Gaps

The Purpose

Create an executive presentation summarizing your organization's current ransomware readiness and a prioritized project roadmap to improve your prevention and recovery capabilities.

Key Benefits Achieved

  • Communicate current risk, gaps, and recommendations to senior leadership.

Activities and Outputs

4.1 Identify initiatives to improve ransomware readiness.
  • An aggregated list of gaps and initiatives

4.2 Prioritize initiatives to close gaps in a project roadmap.
  • Ransomware project roadmap


EXECUTIVE BRIEF

Analyst perspective

Ransomware is arguably the top threat to your organization today.


Ransomware has the attention of every executive team. The challenge is translating that attention into specific actions to improve your ransomware readiness.

For example, as a preventative measure, every security practitioner would like to restrict local admin rights and remote desktop capabilities. But the business will often resist such policies due to likely internal friction that seems more palpable than the potential security threat.

In terms of incident response, your organization might be prepared for traditional security incidents or disasters, but not a ransomware attack that actively seeks to infect backups to give the attacker greater leverage.

IT leaders need a systematic approach to quantify ransomware risk to drive business buy-in. Leaders need to evaluate their existing incident response plans to identify specific gaps that need to be addressed and present prioritized project roadmaps to leadership to improve prevention and recovery capabilities.

Frank Trovato

Research Director, Infrastructure and Operations

Info-Tech Research Group

Executive summary

Your Challenge

Ransomware is a high-profile threat that demands immediate attention:

  • Organizations large and small hit by ransomware make the news every week. Everyone is a target.
  • Executives want reassurance but aren’t ready to write a blank check. Improvements must be targeted and justified.
  • No one is bulletproof, so the ability to recover from (not just prevent) a ransomware attack is critical, yet backup and DR capabilities are often lacking.

Common Obstacles

Ransomware impact and recovery are more complicated than for other security breaches:

  • Ransomware attackers use multiple attack vectors. They can even have ransomware lay dormant, so it infiltrates your backups, disaster recovery (DR) site, and even more endpoints before it’s activated.
  • Data loss is bad; data loss plus the inability to restore from backups is devastating.
  • Ransomware is constantly evolving; traditional security and DR practices may not be enough.

Info-Tech’s Approach

No one is bulletproof, but you can reduce your risk and improve your ability to recover if you are hit:

  • Review the current state of your policies and technology.
  • Identify your most critical systems and data so you can prioritize security efforts and investment.
  • Develop a security response plan that accounts for ransomware events.
  • Prioritize projects to improve prevention and recovery capability.

Info-Tech Insight

Most ransomware victims were aware they were vulnerable but failed to close those gaps until it was too late – despite ransomware being a top concern for executives. This is a failure to translate concern into the necessary steps to identify specific vulnerabilities and drive definitive actions to close those gaps.

News headlines are a reminder of the constant ransomware threat

In 2019, ransomware reached crisis proportions with targeted attacks that “impacted at least 966 government agencies, educational establishments and healthcare providers at a potential cost in excess of $7.5 billion.” Source: Emsisoft

“Louisiana Suffers Another Major Ransomware Attack” (Forbes, 20 Nov. 2019)

“British banks hit by hacking of foreign exchange firm Travelex” (CNBC, 9 Jan. 2020)

“Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices” (Bleeping Computer, 14 Jan. 2020)

“‘Chaos is the Point’: Russian Hackers and Trolls Grow Stealthier in 2020” (The New York Times, 10 Jan. 2020)

“Ransomware Gangs Now Outing Victim Businesses That Don’t Pay Up” (Krebs on Security, 16 Dec. 2019)

“Baltimore to purchase $20M in cyber insurance as it pays off contractors who helped city recover from ransomware” (The Baltimore Sun, 16 Oct. 2019)

“Florida city will pay hackers $600,000 to get its computer systems back” (Washington Post, 20 June 2019)

“Company shuts down because of ransomware, leaves 300 without jobs just before holidays” (ZDNet, 3 Jan. 2020)

“Sodinokibi Ransomware Publishes Stolen Data for the First Time” (Bleeping Computer, 11 Jan. 2020)

“Ransomware attack hits school district twice in 4 months” (Associated Press, 10 Sept. 2019)

Some level-setting: Basic ransomware attack

Review this high-level illustration of a basic ransomware attack:

Model of a basic ransomware attack:

  1. Malware is delivered (e.g. via a phishing email).
  2. Locker ransomware locks the victim's screen or system, or crypto ransomware finds data and encrypts it.
  3. The victim is notified of the compromise through a ransom note.

  • Malware locks systems and/or encrypts data for financial extortion and/or cyberespionage.
  • Ransomware spreads like most other malware (not just via phishing emails): drive-by downloads, application vulnerabilities, etc. As a result, prevention can leverage many existing security best practices.
  • One key differentiator is the extensive business disruption, which is why ransomware must be treated as a security incident and disaster recovery (DR) or business continuity (BC) incident.

Ransomware is a form of malware, so malware prevention best practices still apply. What’s different is the extensive business disruption. The ability to recover, not just contain and eradicate, is critical.

Many attacks don’t immediately trigger an alert

Threat actors have access to a wide range of tools and methods to bypass perimeter security and endpoint protection. Those controls are still important, but don’t count on them preventing all attacks. Hence the need for incident response planning, supported by reliable backups and disaster recovery capability.

Example of a ransomware attack workflow (figure).

Phishing is still the most common method to get in the door, but that’s just the start.

Once in your network, the attacker infects as many critical systems as possible to gain maximum leverage, before taking action that would trigger an alert. For example, the attacker will:

  • Use legitimate commands to navigate your network, find an admin-level account, and crack that account (e.g. using password spray and/or other common techniques).
  • Exfiltrate data to gain more leverage.
  • Encrypt as many critical systems and data sets as possible, including backups, to limit your recovery options.

If vulnerabilities aren’t closed, hackers are not shy about hitting you twice

Ransomware attackers depend on catching organizations off-guard and are not afraid to hit the same target twice. Furthermore, without a ransomware incident response plan in place, the costs associated with an unplanned recovery can skyrocket.


Despite its best efforts, including the funding of a Cyber Security Commission in 2017, the State of Louisiana was hit with ransomware twice in 2019. The first attack hit schools and district offices in the summer, while the second attack hit government offices in the fall. The City of New Orleans was also hit with ransomware in December 2019, showing that attackers will continue to exploit targets until organizations have hardened their security and closed the vulnerabilities being exploited.


Whether you’re hit once or multiple times, the cost impact can be devastating. The City of Baltimore estimates that the costs associated with its ransomware attack amounted to $10 million in post-breach costs, in addition to $8 million in lost revenue.

Ransomware is not just a problem for industries with tight budgets

All industries are vulnerable, including some you wouldn’t expect

  • Governments (particularly municipalities), healthcare, and education are among the hardest hit, at least partly because tight IT budgets lead to security gaps and their sensitive data makes them a target.
  • However, other industries such as Professional Services and Technology, where you would expect a strong security program, were also hard hit, and their vulnerability also puts their clients at risk. Look no further than the SolarWinds attack for an example of this risk, even though it wasn’t specifically a ransomware attack.
  • The key takeaway: No one is bulletproof, so invest in incident response planning, in addition to prevention. Assume you’ll be hit, and know how you will respond to contain and recover from the attack.
A circle graph is displayed that shows the percentage of publicly reported ransomware attacks hitting each industry in 2020.

Resilience depends on security response and DR capability

When organizations take weeks to recover – essentially rebuilding their environments – it’s often because their backups or DR solutions were inadequate, in addition to possible gaps in their security responses.

This blueprint will focus on building your Ransomware Incident Response Plan and closing ransomware security vulnerabilities.

For assistance building the disaster recovery plan (DRP) component, refer to Info-Tech’s Create a Right-Sized Disaster Recovery Plan blueprint, and leverage the requirements identified by your ransomware incident response planning.

Model of a ransomware incident plan.

Info-Tech’s methodology for Creating a Ransomware Incident Response Plan

Phase 1: Assess your ransomware readiness
  Steps:
  1. Conduct a maturity assessment
  2. Review selected systems and dependencies
  Outcomes:
  • Maturity assessment (includes identifying policy and technology gaps)

Phase 2: Conduct a BIA to raise risk awareness and set recovery targets
  Steps:
  1. Record systems and dependencies in Info-Tech’s DRP Business Impact Analysis Tool
  2. Complete the impact analysis for selected systems and data sets
  Outcomes:
  • Business impact analysis

Phase 3: Create a ransomware response workflow and runbook
  Steps:
  1. Document your threat escalation protocol
  2. Use tabletop planning to identify response steps and gaps
  3. Update your ransomware response workflow and runbook
  Outcomes:
  • Tabletop planning results
  • Ransomware Response Workflow
  • Ransomware Response Runbook

Phase 4: Build a project roadmap to close gaps
  Steps:
  1. Identify initiatives to improve ransomware readiness
  2. Prioritize initiatives in a project roadmap
  3. Communicate your current status and recommendations
  Outcomes:
  • Ransomware Project Roadmap
  • Ransomware Readiness Summary

Note: This research can be executed as a do-it-yourself project, a Guided Implementation (series of advisory phone calls), or a facilitated Info-Tech Workshop.

Blueprint deliverables

Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

Screenshot of Info-Tech's Ransomware Readiness Maturity Assessment Tool

Ransomware Readiness Maturity Assessment Tool

Measure your current readiness and identify policy and technology gaps to address.

Screenshot of Info-Tech's Ransomware Business Impact Analysis Tool – Example

Ransomware Business Impact Analysis Tool – Example

Quantify the business impact of a ransomware attack to communicate risk and prioritize investment.

Screenshot of Info-Tech's Ransomware Response Workflow & Runbook Templates

Ransomware Response Workflow & Runbook Templates

The at-a-glance workflow captures key steps for all stakeholders and the runbook offers more details.

Screenshot of Info-Tech's Ransomware Project Roadmap Example & Summary Template

Ransomware Project Roadmap Example & Summary Template

The prioritized roadmap and the ransomware readiness summary template help you outline current status and next steps.

Key deliverable:

Ransomware Readiness Summary Presentation Template

Use this executive presentation to communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

Screenshot of Info-Tech's Ransomware Readiness Summary Presentation Template

Blueprint benefits

IT benefits
  • Provide a structured approach for your organization to identify gaps, quantify the risk, and communicate status to drive executive buy-in.
  • Create a practical ransomware incident response plan that combines a high-level, at-a-glance workflow with a detailed runbook to coordinate recovery and ensure key steps are followed.
  • Present an executive-friendly project roadmap that enables you to summarize your plan to address your organization’s gaps.
Business benefits
  • Enable leadership to make risk-based, informed decisions on resourcing and investments to improve ransomware readiness.
  • Quantify the potential impact of a ransomware attack on your organization to drive risk awareness.
  • Identify existing gaps so they can be addressed, whether by policy, response plans, technology, or any combination of these.

Measured value of this blueprint

Plan now or pay later

Organizations that are unprepared have had to pay anywhere from $200,000 to $10 million based on the size, scope, and impact of ransomware incidents.

Plan ahead now instead of having to pay a lot more later.

  • $667,627: The amount the City of Woodstock (in Ontario, Canada) had to spend to recover from a ransomware attack – not for the ransom, but the professional service fees and new hardware required to recover.
  • $84,116: The average ransom payment for Q4 of 2019, an increase of 104% from the previous average of $41,179 in Q3 of 2019.
  • $47,500 and 10/10: An example of the measured value dollar impact and rating reported by our clients who followed this blueprint.

Executive Brief Case Study

Industry: Government

Source: Info-Tech Workshop Results

Regional government leverages a workshop to fast-track its ransomware incident response planning

A regional government leveraged Info-Tech’s methodology to evaluate and improve its ransomware readiness.

Ransomware Attack and Readiness to Respond

While the organization was developing its security program, including rolling out security awareness training for end users and investing in security solutions beyond the basics, the staff knew they still had holes to fill. For example, security solutions were not yet fully deployed, policies were lacking, and there was no documented ransomware incident response plan.

Workshop Results

A systematic review of existing processes, policies, and technology identified key gaps in the organization’s overall readiness. The impact analysis quantified the potential impact and business risk, which would be important in driving awareness and buy-in to invest in the security program. Info-Tech’s tabletop planning exercise provided a foundation for the organization’s actual response plan: a ransomware response workflow and a framework for a more detailed runbook. The workshop also helped staff further identify gaps in their ability to recover during a ransomware scenario, such as inadequate backups. The net result was a current-state response plan, appropriate capability targets aligned with business requirements, and a project roadmap to achieve the organization’s desired state of ransomware readiness.

Screenshots of the tools and templates of this blueprint.

Info-Tech offers various levels of support to best suit your needs

DIY Toolkit

"Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

Guided Implementation

"Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

Workshop

"We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

Consulting

"Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

Diagnostic and consistent frameworks are used throughout all four options.

Phase 1

Assess your ransomware readiness

Model of the four phases is shown, and lists activities for each phase. Phase 1 is highlighted.

This phase will walk you through the following steps:

  • Conduct a maturity assessment
  • Review selected systems and dependencies

This phase involves the following participants:

  • Security Incident Response Team (SIRT)
  • System subject-matter experts (SMEs) (if not part of the SIRT)

Step 1.1

Conduct a maturity assessment

Activities

1.1.1 Review past incidents, challenges, and drivers

1.1.2 Complete your maturity assessment

This step will guide you through the following activities:

  • Review past incidents, challenges, and drivers
  • Complete your maturity assessment

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • Level-setting across the team regarding challenges and drivers
  • Current maturity, targets, and initial gap analysis

1.1.1 Review past incidents, challenges, and drivers to level-set across the team

1 Hour

Use this brainstorming exercise to first understand the challenges to be addressed and level-set across your team. Plan to limit solutioning at this stage, but certainly record suggestions for later deliberation. Record examples of the following during your brainstorming session:

Past incidents and other drivers

  • Past incidents (be specific):
    • Past security incidents (ransomware and other)
    • Close calls (e.g. partial breach detected before damage done)
  • Audit findings
  • Events in the news
  • Other?

Security challenges

  • Absent or weak policies
  • Lack of security awareness
  • Budget limitations
  • Other?

Input

  • Understanding of existing security capability and past incidents

Output

  • Documentation of past incidents and challenges
  • Level-setting across the team regarding challenges and drivers

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)

Maturity levels in this blueprint use the CMMI framework...

The maturity levels are based on the Capability Maturity Model Integration (CMMI) framework. Modifications for this context are outlined below.

CMMI Maturity Level – Default Descriptions:

  • Level 1 – Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
  • Level 2 – Managed: Managed on the project level. Projects are planned, performed, measured, and controlled.
  • Level 3 – Defined: Proactive rather than reactive. Organization-wide standards provide guidance across projects, programs, and portfolios.
  • Level 4 – Quantitatively managed: Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
  • Level 5 – Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization’s stability provides a platform for agility and innovation.

CMMI Maturity Level – Modified for This Assessment:

  • Level 1 – Initial/ad hoc: Not well defined and ad hoc in nature.
  • Level 2 – Developing: Established but inconsistent and incomplete.
  • Level 3 – Defined: Formally established, documented, and repeatable.
  • Level 4 – Managed and measurable: Managed using qualitative and quantitative data to ensure alignment with business requirements.
  • Level 5 – Optimizing: Qualitative and quantitative data is used to continually improve.

(Source: CMMI Institute, CMMI Levels of Capability and Performance)

… and follows a standard security incident management framework

The maturity assessment and incident response workflow in this blueprint use the framework outlined below (adapted from NIST SP 800-61 Rev. 2).

Model of a standard security incident management framework is displayed.

Note: In this scorecard, the Recover section is focused on the ability to restore the infected system, which might include wiping and restoring from backup. For completeness, the assessment also includes DRP and BCP sections since a ransomware attack could require invoking your DRP to failover to a DR site and your BCP to maintain critical business operations while the security breach is being contained and resolved.

Source: Process adapted from NIST SP 800-61 Rev. 2

1.1.2 Complete the maturity assessment

1-2 hours

Use the Ransomware Readiness Maturity Assessment Tool to identify current-state and target-state across the components of a standard security incident management framework.

Tip: Consider waiting until Phase 3 is completed to identify gap initiatives so you can account for additional gaps and context from Phases 2 and 3.

Outcomes:

  • Baseline metric so you can measure progress over time.
    • Low scores are common and help make the case for security investment.
  • Security breadth clarified.
    • Security intersects with disaster recovery and business continuity – both are critical to incident response.
  • Key gaps identified.
    • Allocate more time to subsections with lower scores.
    • Repeat the scorecard at least annually to clarify remaining areas to address.

Input

  • Understanding of current security and DRP/BCP practices

Output

  • Current maturity, targets, and gaps

Materials

  • Ransomware Readiness Maturity Assessment Tool

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's Ransomware Readiness Maturity Assessment
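The following Python is an added illustration of the scorecard logic this step describes; it is not Info-Tech's Ransomware Readiness Maturity Assessment Tool, whose workbook is not reproduced on this page. It uses the modified CMMI levels listed earlier, scores each section of the incident management framework (the NIST SP 800-61 Rev. 2 phases plus the DRP and BCP sections the note above mentions) against a current and target level, derives the baseline metric, ranks gaps so that the lowest-scoring and widest-gap sections get the most attention, and compares two assessments so the annual repeat can report progress. The exact section names, the validation rules, and the sample scores are constructed assumptions for the example.

```python
"""Illustrative ransomware-readiness scorecard (added example, not Info-Tech's tool)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Modified CMMI maturity levels exactly as listed on this page.
MATURITY_LEVELS = {
    1: "Initial/ad hoc",
    2: "Developing",
    3: "Defined",
    4: "Managed and measurable",
    5: "Optimizing",
}

# Assumed section names: NIST SP 800-61 Rev. 2 phases plus DRP and BCP.
SECTIONS = (
    "Prepare",
    "Detect and Analyze",
    "Contain, Eradicate, Recover",
    "Post-Incident",
    "DRP",
    "BCP",
)


@dataclass(frozen=True)
class SectionScore:
    section: str
    current: int  # current-state maturity level, 1..5
    target: int   # target-state maturity level, 1..5


def validate(scores: Sequence[SectionScore]) -> None:
    """Reject scores outside the 1..5 scale or targets below the current level."""
    for s in scores:
        if s.section not in SECTIONS:
            raise ValueError(f"unknown section: {s.section}")
        for level in (s.current, s.target):
            if level not in MATURITY_LEVELS:
                raise ValueError(f"{s.section}: level {level} is not in 1..5")
        if s.target < s.current:
            raise ValueError(f"{s.section}: target below current state")


def baseline_metric(scores: Sequence[SectionScore]) -> float:
    """Overall current maturity: mean of section levels, rounded to one decimal."""
    validate(scores)
    return round(sum(s.current for s in scores) / len(scores), 1)


def gap_report(scores: Sequence[SectionScore]) -> List[Dict[str, object]]:
    """Rank sections by widest gap first, then by lowest current score.

    Ties keep the framework's section order (sorted() is stable)."""
    validate(scores)
    ordered = sorted(scores, key=lambda s: (-(s.target - s.current), s.current))
    return [
        {
            "section": s.section,
            "current": s.current,
            "current_level": MATURITY_LEVELS[s.current],
            "target": s.target,
            "gap": s.target - s.current,
        }
        for s in ordered
    ]


def progress(previous: Sequence[SectionScore], latest: Sequence[SectionScore]) -> Dict[str, int]:
    """Per-section change in current level between two assessments (e.g. annual repeats)."""
    validate(previous)
    validate(latest)
    before = {s.section: s.current for s in previous}
    return {s.section: s.current - before[s.section] for s in latest if s.section in before}


# Constructed sample scores for a first assessment; low scores are typical.
SAMPLE_SCORES = [
    SectionScore("Prepare", 2, 4),
    SectionScore("Detect and Analyze", 2, 3),
    SectionScore("Contain, Eradicate, Recover", 1, 3),
    SectionScore("Post-Incident", 1, 3),
    SectionScore("DRP", 1, 4),
    SectionScore("BCP", 2, 3),
]

# Constructed follow-up assessment a year later: backups/DR work has moved DRP up.
FOLLOW_UP_SCORES = [
    SectionScore("Prepare", 3, 4),
    SectionScore("Detect and Analyze", 2, 3),
    SectionScore("Contain, Eradicate, Recover", 2, 3),
    SectionScore("Post-Incident", 1, 3),
    SectionScore("DRP", 3, 4),
    SectionScore("BCP", 2, 3),
]

if __name__ == "__main__":
    print("Baseline metric:", baseline_metric(SAMPLE_SCORES))
    for row in gap_report(SAMPLE_SCORES):
        print(f"{row['section']:<28} {row['current']} -> {row['target']}  gap {row['gap']}  ({row['current_level']})")
    print("Progress after follow-up:", progress(SAMPLE_SCORES, FOLLOW_UP_SCORES))
```

Running the block prints the baseline of 1.5, lists DRP first (the widest gap, at the "Initial/ad hoc" level), and shows which sections moved between the two constructed assessments; feeding it the real current and target levels from your own workshop gives the same ranking logic for allocating time to the weakest subsections.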

Step 1.2

Review selected systems and dependencies

Activities:

1.2.1 Narrow your scope to support a deeper dive

1.2.2 Diagram your environment to clarify context, dependencies, and challenges

This step will walk you through the following activities:

  • Narrow your scope to support a deeper dive
  • Diagram your environment to clarify context, dependencies, and challenges

This step involves the following participants:

  • Security Incident Response Team (SIRT)
  • System subject-matter experts (SMEs) (if not part of the SIRT)

Outcomes of this step

  • Manage your scope to enable a deeper dive into key systems, provide context for this methodology, and establish a repeatable process to evaluate and improve readiness across your environment.

1.2.1 Narrow scope to support a deeper dive

30 minutes

Focusing on a few key systems makes it easier to take a deeper look at ransomware readiness – not only in terms of prevention, but also for response and recovery capabilities.

  1. On a whiteboard or flip chart paper, make a list of systems to potentially include in scope. Consider:
    • Key applications that support critical business operations. (Note: Phase 2 will clarify criticality; for now, use your existing knowledge of what’s critical.)
    • Databases that support multiple key applications.
    • Systems that hold sensitive data (e.g. data with personally identifiable information [PII]).
  2. Select five to ten systems from the above list to focus on. Aim to:
    • Select systems that support different business operations to provide a broader sampling of potential impacts and recovery challenges.
    • Include one or two non-critical systems to show how the methodology addresses a range of criticality and context.

Input

  • High-level understanding of critical business operations and data sets

Output

  • A sampling of systems to focus on first in this methodology

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)

1.2.2 Diagram your environment to clarify context, dependencies, and challenges

30 minutes

A high-level topology or architectural diagram is an effective way to identify dependencies, outsourced services, security and recovery challenges, and so on. Start with a WAN diagram, then your production data center, and then each system as outlined on the next few slides.

Note:

  • If you have existing diagrams, you can review those instead. However, if they are too detailed, draw a higher-level diagram to provide context. Even a rough sketch is a useful reference tool for participants.
  • Keep the drawings tidy and high level. Visualize the final diagram before you start to draw on the whiteboard to help with spacing and placement.
  • Collaborate with relevant SMEs to identify dependencies.

Input

  • Understanding of the dependencies for selected systems

Output

  • Clarify context, dependencies, and security and recovery challenges

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)
  • System SMEs (if not covered by SIRT members)

For your WAN diagram, focus on data center and business locations

Start with a high-level network diagram like this one, and then dig deeper (see following slides) to provide more context. Below is an example; of course, your sketched diagrams may be rougher.

WAN diagram is displayed. Shows starting off with a high-level diagram.

Diagram your production data center to provide context for the systems in scope

Creating a high-level diagram provides context across different IT disciplines involved in creating your DRP. If you have multiple production data centers, focus on the data center(s) relevant to the selected systems. Below is an example.

High-level diagram is shown that includes production data center.

Diagram each selected system to identify specific dependencies and redundancies

Diagram the “ecosystem” for each system, identifying server, storage, and network dependencies. There may be overlap with the production data center diagram – but aim to be specific here. Below is an example that illustrates front-end and back-end components.

When you get to this level of detail, use this opportunity to level-set with the team. Consider the following:

  • Existing security (Are these systems protected by your existing security monitoring and threat detection tools?).
  • Security challenges (e.g. public-facing systems).
  • Recovery challenges (e.g. limited or infrequent backups).

Diagram to show each selected system

Note the limitations of your security, backup, and DR solutions

Use the network and system diagrams for context to take a closer look at your limitations. Gaps identified in the selected systems will often apply to other aspects of your environment. What about:

  1. Security limitations? Are there any known security vulnerabilities or risks, such as external access (e.g. for a customer portal)? If so, are those risks mitigated? Are existing security solutions being fully used?
  2. Backup limitations? What steps are taken to ensure the integrity of your backups (e.g. through inline or post-backup scanning, or the use of immutable backups)? Are there multiple restore points to provide more granularity when determining how far back you need to go for a clean backup?
  3. Disaster recovery limitations? Does your DR solution account for ransomware attacks or is it designed only for one-way failover (i.e. for a smoking hole scenario)?

Gaps identified in Phases 1 to 3 will be reviewed in Phase 4 to identify and prioritize initiatives that will improve resilience. For now, make a note of these gaps and then continue with the next phase.
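The backup questions above come down to one decision during recovery: which restore point is both older than the encryption and still trustworthy. The following Python script is an added example, not part of the blueprint or any Info-Tech tool; the backup catalogue, hashes, timestamps and the "post-backup scan" hash field are constructed assumptions standing in for what your backup software would export. It shows why multiple restore points, an integrity check and immutable copies matter together: the two most recent pre-encryption copies were non-immutable and were overwritten during the attacker's dwell time, so the script falls back to an older immutable copy and reports the resulting data-loss window.

```python
"""Choosing a clean restore point after a ransomware incident.

Added example, not part of the blueprint: the backup catalogue, hashes and
timestamps below are constructed for illustration; a real catalogue would
come from your backup software's API or export.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class RestorePoint:
    taken_at: datetime
    immutable: bool        # write-once copy that an attacker with backup-server access cannot alter
    manifest_sha256: str   # content hash recorded when the backup was written
    current_sha256: str    # content hash recomputed by the post-backup integrity scan (assumed field)

    def integrity_ok(self) -> bool:
        """A restore point is only trusted if its contents still match the manifest."""
        return self.manifest_sha256 == self.current_sha256


def choose_clean_restore_point(points: List[RestorePoint],
                               encryption_observed: datetime) -> Optional[RestorePoint]:
    """Newest restore point taken before encryption was observed whose integrity
    check passes. Points taken afterwards contain encrypted data; earlier points
    may have been tampered with during the attacker's dwell time, which is why
    the hash check is applied as well as the timestamp filter."""
    candidates = [p for p in points
                  if p.taken_at < encryption_observed and p.integrity_ok()]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.taken_at)


def data_loss_window(point: RestorePoint, encryption_observed: datetime) -> timedelta:
    """How much data a restore from this point loses; compare it with the data set's RPO."""
    return encryption_observed - point.taken_at


def usable_points_count(points: List[RestorePoint], encryption_observed: datetime) -> int:
    """Granularity check: how many clean restore points remain to choose from."""
    return sum(1 for p in points
               if p.taken_at < encryption_observed and p.integrity_ok())


def _h(label: str) -> str:
    # Stand-in for a real content hash (constructed).
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed catalogue: nightly backups; file encryption was first seen on 10 March at 02:00.
ENCRYPTION_OBSERVED = datetime(2023, 3, 10, 2, 0)
CATALOGUE = [
    RestorePoint(datetime(2023, 3, 6, 23, 0), True, _h("d6"), _h("d6")),
    RestorePoint(datetime(2023, 3, 7, 23, 0), True, _h("d7"), _h("d7")),
    # Non-immutable copies overwritten while the attacker had backup-server access:
    RestorePoint(datetime(2023, 3, 8, 23, 0), False, _h("d8"), _h("d8-overwritten")),
    RestorePoint(datetime(2023, 3, 9, 23, 0), False, _h("d9"), _h("d9-overwritten")),
    # Taken after encryption started, so it captured encrypted files:
    RestorePoint(datetime(2023, 3, 10, 23, 0), True, _h("d10"), _h("d10")),
]

if __name__ == "__main__":
    chosen = choose_clean_restore_point(CATALOGUE, ENCRYPTION_OBSERVED)
    if chosen is None:
        print("No clean restore point: recovery must fall back to DR failover or a rebuild")
    else:
        lost = data_loss_window(chosen, ENCRYPTION_OBSERVED)
        print(f"Restore from {chosen.taken_at:%Y-%m-%d %H:%M}; data loss window {lost}")
        print(f"Clean restore points available: {usable_points_count(CATALOGUE, ENCRYPTION_OBSERVED)}")
```

With the constructed catalogue the script selects the 7 March copy and reports a 51-hour data-loss window, which is the number to hold against the RPO set in Phase 2; if that window exceeds the RPO, the backup frequency or the immutability of the recent copies is the gap to record.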

Phase 2

Conduct a BIA to raise risk awareness and set recovery targets

Model of the four phases is shown, and lists activities for each phase. Phase 2 is highlighted.

This phase will guide you through the following steps:

  • Record systems and dependencies in the BIA tool
  • Compare the impact analysis for selected systems and data sets

This phase involves the following participants:

  • Security Incident Response Team (SIRT)
  • System subject-matter experts (SMEs) (if not part of the SIRT)

Step 2.1

Record systems and dependencies in the BIA tool

Activities

2.1.1 Explicitly identify critical data sets

This step will guide you through the following activities:

  • Explicitly identify critical data sets

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • Clarify scope and context for the impact analysis to be conducted in this phase of the methodology.

Understand why you should conduct a business impact analysis (BIA)

IT leaders struggle to get executive buy-in to implement the policies and solutions that reduce security risk, despite board-level mandates to ensure ransomware readiness. This is a failure to put risk in business terms.

To go from a broad security mandate to specific actions – many of which the business may not like – you need tangible data that quantifies the potential impact of a ransomware attack. Further, the BIA process itself does not need to be onerous. A well-managed BIA is straightforward, and the benefits are tangible.

Two bar graphs are displayed. One shows the BIA impact on appropriate RTOs. The other shows BIA impact on appropriate spending.

Review the DRP BIA tool instructions

The Ransomware Business Impact Analysis Tool – Example illustrates how to execute a BIA to quantify the potential business impact of ransomware incidents. If you have conducted a BIA already, revisit it to ensure it accounts for the potential impact of ransomware. For detailed tool instructions and the latest version of the source tool, refer to Info-Tech’s Create a Right-Sized Disaster Recovery Plan blueprint, including the DRP Business Impact Analysis Tool.

One key adjustment used in this assessment is to explicitly list critical data sets that could be affected. This makes it easier to assess and report on the impact of data loss, which is especially important in a ransomware attack where not only primary data might be lost, but also backups. Alternatively, run the BIA as usual (i.e. don’t explicitly list data sets, but leave them as part of the system dependencies), but then pay extra attention to data impact in assessing each system.

Screenshot examples of DRP BIA tool

Download the Ransomware Business Impact Analysis Tool – Example.

2.1.1 Explicitly identify critical data sets in the BIA

1 hour

Record systems and dependencies in the DRP Business Impact Analysis Tool (Review the DRP BIA tool instructions). Rename the tool as appropriate, e.g. “Ransomware Business Impact Analysis.”

  1. For each application/system, identify all of its dependencies, including critical databases. This provides a clear picture of the overall footprint of what would need to be recovered.
  2. On the next line, list the system’s critical data dependency. This does mean repeating the dependency on two lines but will allow you to explicitly assess the impact of data loss on a separate row. For example, in this illustration:
    • The “ERP” row includes all its dependencies, including the ERP database. This ensures you have a clear picture of all the dependencies that would need to be recovered. Use this line to assess the impact of downtime.
    • The “ERP Data” line lists the critical data dependency. Use this line to assess the impact of data loss.
  3. Repeat this for all applications/systems where relevant.

Input

  • Systems and dependencies

Output

  • Systems and data sets to be assessed

Materials

  • DRP Business Impact Analysis Tool

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's DRP Business Impact Analysis Tool.

Step 2.2

Complete the impact analysis for selected systems and data sets

Activities

2.2.1 Establish scoring criteria

2.2.2 Assign criticality ratings, RTOs, and RPOs based on business impact

2.2.3 Complete the vulnerability assessment to identify outage risk (optional)

This step will guide you through the following activities:

  • Establish scoring criteria
  • Assign criticality ratings, RTOs, and RPOs based on business impact
  • Complete the vulnerability assessment to identify outage risk (optional)

This step involves the following participants:

  • Security Incident Response Team (SIRT)
  • System subject-matter experts (SMEs) (if not part of the SIRT)
  • Relevant stakeholders and decision makers

Outcomes of this step

  • A repeatable process for prioritizing systems for resilience investment and recovery from an incident.
  • Agreement on acceptable downtime and data loss, which will drive security and recovery requirements, e.g. acceptable security restrictions, backup frequency, and DR solution.

2.2.1 Establish scoring criteria

1-2 hours

Define your scoring criteria in the DRP Business Impact Analysis Tool (Review the DRP BIA tool instructions)

  1. Select appropriate scoring criteria for your organization. The tool provides default criteria, but you don’t need to use all the criteria listed. Consider the types of impact most relevant to your organization and change the default criteria accordingly.
  2. Define the scoring scale for each criterion (tab 2). For the direct cost impacts, use your financial data to adjust the values. For goodwill criteria, consider whether you need to cap the scale. For example, if you have 100,000 customers but a maximum of only 1,000 of them might interact with you on a given day, adjust the customer impact descriptions to indicate the percentage impact is out of 1,000 (not out of 100,000).
  3. Confirm your criteria changes are showing up on the “Impact Analysis” tab (tab 3). For example, if you changed “Impact on Customers” to “Impact on Residents,” confirm the wording change is automatically carried over to this tab.

Input

  • Understanding of potential business impact (revenue, goodwill, compliance, health & safety)

Output

  • Objective standard scoring scale to assess impact across the organization

Materials

  • DRP Business Impact Analysis Tool

Participants

  • Security Incident Response Team (SIRT)

2.2.2 Assign criticality ratings, RTOs, and RPOs based on business impact

1-2 hours

Estimate the impact of downtime and data loss in your DRP Business Impact Analysis Tool (Review the DRP BIA tool instructions)

  1. Prepare for scoring: Delete example scores or they will affect your results, then hide the scoring columns you aren’t using. Also delete example RTOs and RPOs, but don’t delete the “Total Impact” cells or the RTO/RPO gaps, since those are calculated values.
  2. Use the sample scoring criteria as a guide to assign impact scores. For convenience, you may wish to display a copy of the tool with the scoring criteria tab open on another screen for reference.
  3. Assign criticality ratings, using the total impact scores as a guide. If you have separated out the data sets, you can have a different rating for the data vs. the system. For example, the system might be Tier 2, but its data is Tier 1 – placing higher importance on frequent backups and appropriate security vs. having a hot standby system.
  4. Assign RTOs and RPOs based on impact. If you have separated out the data sets, assign an RTO for the system and an RPO for the data.
  5. Review your results with appropriate stakeholders. Start by reviewing with select stakeholders to incorporate feedback and ensure your estimates were reasonable. Then review with appropriate decision makers to drive risk awareness and to formally approve the recovery targets.
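To make the scoring logic of steps 2 to 4 concrete, here is an added Python example that is not the blueprint's spreadsheet and does not reproduce its formulas: the four impact criteria, the 0 to 4 scale, the tier thresholds and the two ERP rows are constructed assumptions. It mirrors the system-versus-data split described above, with the "ERP" row scored for downtime against an RTO and the "ERP Data" row scored for data loss against an RPO, and computes the gap between the target and what the current DR solution or backup schedule delivers.

```python
"""Scoring a BIA row and computing RTO/RPO gaps.

Added example, not the blueprint's spreadsheet: the impact criteria, the 0-4
scale, the tier thresholds and the ERP rows are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict

# Assumed criteria (the tool lets you pick your own), each scored 0 (none) to 4 (severe).
CRITERIA = ("revenue", "goodwill", "compliance", "health_safety")
MAX_SCORE = 4

# Assumed tier thresholds on the total impact score, checked from the highest down.
TIER_THRESHOLDS = ((12, "Tier 1"), (8, "Tier 2"), (4, "Tier 3"))


def total_impact(scores: Dict[str, int]) -> int:
    """Sum the per-criterion scores after validating them; criteria you hide score 0."""
    unknown = set(scores) - set(CRITERIA)
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    for name, value in scores.items():
        if not 0 <= value <= MAX_SCORE:
            raise ValueError(f"{name} score {value} outside 0-{MAX_SCORE}")
    return sum(scores.values())


def criticality_tier(total: int) -> str:
    for threshold, tier in TIER_THRESHOLDS:
        if total >= threshold:
            return tier
    return "Tier 4"


@dataclass
class BiaRow:
    name: str
    kind: str                # "system" (assess downtime) or "data" (assess data loss)
    scores: Dict[str, int]
    target_hours: float      # RTO for a system row, RPO for a data row
    current_hours: float     # what today's DR solution or backup schedule actually delivers

    def total(self) -> int:
        return total_impact(self.scores)

    def tier(self) -> str:
        return criticality_tier(self.total())

    def target_label(self) -> str:
        return "RTO" if self.kind == "system" else "RPO"

    def gap_hours(self) -> float:
        """Positive when current capability misses the target: a gap to carry into Phase 4."""
        return max(0.0, self.current_hours - self.target_hours)


# Constructed rows mirroring the ERP / ERP Data split: the system lands in Tier 2,
# its data in Tier 1, so backups and data security matter more than a hot standby.
ERP = BiaRow("ERP", "system",
             {"revenue": 3, "goodwill": 3, "compliance": 2, "health_safety": 1},
             target_hours=24, current_hours=48)     # rebuild on standby hardware takes ~2 days (assumed)
ERP_DATA = BiaRow("ERP Data", "data",
                  {"revenue": 4, "goodwill": 3, "compliance": 4, "health_safety": 1},
                  target_hours=4, current_hours=24)  # nightly backup only (assumed)


def summarize(row: BiaRow) -> Dict[str, object]:
    return {"name": row.name, "total": row.total(), "tier": row.tier(),
            row.target_label(): row.target_hours, "gap_hours": row.gap_hours()}


if __name__ == "__main__":
    for row in (ERP, ERP_DATA):
        print(summarize(row))
```

The validation in `total_impact` is deliberate: the page's step 1 warns that leftover example scores skew the results, and rejecting unknown criteria or out-of-range values catches the spreadsheet equivalent of that mistake when scores are exported for review.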

Input

  • Understanding of potential business impact (revenue, goodwill, compliance, health & safety)

Output

  • Quantify potential impact to drive risk awareness.
  • Document system/data priorities and recovery targets.

Materials

  • DRP Business Impact Analysis Tool

Participants

  • Security Incident Response Team (SIRT)

2.2.3 Complete the vulnerability assessment to identify outage risk (optional)

1-2 hours

Estimate the likelihood and impact of individual dependency outages in your DRP Business Impact Analysis Tool (Review the DRP BIA tool instructions)

Note: This exercise targets DR planning more than security, with a goal of identifying potential single points of failure that warrant more redundancy and/or emphasis in your DRP. Consider deferring this to your DRP initiatives.

  1. Follow the instructions in the DRP Business Impact Analysis Tool to assign likelihood and impact scores. The “Vulnerability Assessment” tab (tab 4) includes callouts with specific instructions to populate the tab and complete the scoring.
  2. Review the results. See the results in tab 5, “Vulnerability Report,” for a summary of which dependencies present a higher outage risk. Use this to inform your infrastructure and/or DRP project roadmap.

Input

  • Understanding of the reliability of individual system dependencies

Output

  • Summary of which dependencies present a higher outage risk, and therefore should be prioritized in projects to improve resilience.

Materials

  • DRP Business Impact Analysis Tool

Participants

  • Security Incident Response Team (SIRT)
  • System SMEs (if not covered by SIRT members)

Phase 3

Create a ransomware response workflow and runbook

Model of the four phases is shown, and lists activities for each phase. Phase 3 is highlighted.

This phase will guide you through the following steps:

  • Document your threat escalation protocol
  • Identify response steps and gaps
  • Update your response workflow and runbook

This phase involves the following participants:

  • Security Incident Response Team (SIRT)

Step 3.1

Document your threat escalation protocol

Activities

3.1.1 Review the workflow and runbook templates

3.1.2 Update/define your threat escalation protocol

This step will walk you through the following activities:

  • Review the example workflow and runbook
  • Update and define your threat escalation protocol

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • Clear escalation path for critical incidents
  • Common understanding of incident severity that will drive escalation

3.1.1 Review the workflow and runbook templates

30 minutes

This blueprint includes sample information in the Ransomware Response Workflow Template and Ransomware Response Runbook Template to use as starting points for the steps in Phase 3, including documenting your threat escalation protocol.

  • The Ransomware Response Workflow Template contains an example of a high-level security incident management workflow for a ransomware attack. This provides a structure to follow for the tabletop planning exercise and a starting point for your ransomware response workflow.
  • The Workflow is aimed at incident commanders and team leads. It provides an at-a-glance view of the high-level steps and interactions between stakeholders to help leaders coordinate response.

  • The Ransomware Response Runbook Template is an example of a security incident management runbook for a ransomware attack. This includes a section for a threat escalation protocol that you can use as a starting point.
  • The Runbook is aimed at the teams executing the response. It provides more specific actions that need to be executed at each phase of the incident response.

Input

  • No input required

Output

  • Visualize the end goal

Materials

  • Example workflow and runbook in this blueprint

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's Ransomware Response Runbook

Download the Ransomware Response Workflow Template.

3.1.2 Update/define your threat escalation protocol

1-2 hours

Document the “Threat Escalation Protocol” sections in the Ransomware Response Workflow Template or review/update your existing runbook. The threat escalation protocol defines which stakeholders to involve in the incident management process, depending on impact and scope. Specifically, you will need to define the following:

  1. Impact and scope criteria: Impact considers factors such as the criticality of the system/data, whether PII is at risk, and whether public notification is required. Scope considers how many systems or users are impacted.
  2. Severity assessment: Define the severity levels based on impact and scope criteria.
  3. Relevant stakeholders: Identify stakeholders to notify for each severity level, which can include external stakeholders.

If you need additional guidance, see Info-Tech’s Develop and Implement a Security Incident Management Program blueprint which takes a broader look at security incidents.
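The three definitions above (impact and scope criteria, severity levels, stakeholders per level) can be expressed as a small decision function so that whoever is on shift applies the same rules. The Python below is an added example, not the blueprint's runbook template: the thresholds, the three severity levels and the stakeholder lists are constructed assumptions to be replaced with your own protocol. It takes the higher of the impact and scope levels, so a single encrypted Tier 1 database is SEV1 even though its scope is narrow, and it builds the notification list cumulatively so that higher severities always include the people notified at lower ones.

```python
"""Deriving incident severity from impact and scope, then the notification list.

Added example, not the blueprint's runbook: the thresholds, the three severity
levels and the stakeholder lists are constructed assumptions to be replaced
with your own threat escalation protocol.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class IncidentAssessment:
    highest_tier_affected: int          # 1 = most critical system or data set (from the BIA)
    pii_at_risk: bool
    public_notification_required: bool  # e.g. a regulatory or contractual duty to notify
    systems_affected: int
    users_affected: int


def impact_level(a: IncidentAssessment) -> int:
    """1 (low) to 3 (high), driven by criticality, PII exposure and notification duty."""
    if a.public_notification_required or a.highest_tier_affected == 1:
        return 3
    if a.pii_at_risk or a.highest_tier_affected == 2:
        return 2
    return 1


def scope_level(a: IncidentAssessment) -> int:
    """1 (contained) to 3 (widespread), driven by how many systems or users are hit."""
    if a.systems_affected >= 10 or a.users_affected >= 500:
        return 3
    if a.systems_affected >= 3 or a.users_affected >= 50:
        return 2
    return 1


def severity(a: IncidentAssessment) -> str:
    """Severity is the higher of impact and scope: a contained but critical incident
    and a low-impact but widespread one both escalate."""
    level = max(impact_level(a), scope_level(a))
    return {3: "SEV1", 2: "SEV2", 1: "SEV3"}[level]


# Cumulative notification lists (assumed): each level adds to the ones below it.
STAKEHOLDERS = {
    "SEV3": ["SIRT lead", "Service Desk lead", "Owner of the affected system"],
    "SEV2": ["CISO / IT leadership", "Business owners of affected systems"],
    "SEV1": ["Executive team", "Legal counsel", "Communications",
             "Cyberinsurance carrier", "Law enforcement liaison"],
}
ORDER = ["SEV3", "SEV2", "SEV1"]


def notify_list(a: IncidentAssessment) -> List[str]:
    level = severity(a)
    names: List[str] = []
    for lvl in ORDER[: ORDER.index(level) + 1]:
        names.extend(STAKEHOLDERS[lvl])
    return names


if __name__ == "__main__":
    # Constructed assessments matching the scenarios used later in the tabletop exercises.
    critical_db = IncidentAssessment(1, False, False, systems_affected=1, users_affected=0)
    three_laptops = IncidentAssessment(3, False, False, systems_affected=3, users_affected=3)
    for name, a in (("critical DB", critical_db), ("three laptops", three_laptops)):
        print(f"{name}: {severity(a)} -> notify {notify_list(a)}")
```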

Input

  • Current escalation process (formal or informal).

Output

  • Define criteria for severity levels and relevant stakeholders.

Materials

  • Ransomware Response Workflow Template

Participants

  • Security Incident Response Team (SIRT)

Use the examples in the Ransomware Response Runbook Template as a guide.

Screenshot of Info-Tech's Ransomware Response Runbook Template - Threat Escalation Protocol Section

Step 3.2

Identify response steps and gaps

Activities

3.2.1 Define scenarios for a range of incidents

3.2.2 Run a tabletop planning exercise

This step will guide you through the following activities:

  • Define scenarios for a range of incidents
  • Run a tabletop planning exercise

This step involves the following participants:

  • Security Incident Response Team (SIRT)
  • Other stakeholders (as relevant)

Outcomes of this step

  • Current-state incident response workflow, including stakeholders, steps, timeline
  • Process and technology gaps to be addressed

3.2.1 Define scenarios for a range of incidents

30 minutes

As a group, collaborate to define scenarios that enable you to develop incident response details for a wide range of potential incidents. Below are example scenarios:

  • Scenario 1: An isolated attack on one key system. The database for a critical application is compromised. Assume the attack was not detected until files were encrypted, but that you can carry out a repair-in-place by wiping the server and restoring from backups.
  • Scenario 2: A site-wide impact that warrants broader disaster recovery. Several critical systems are compromised. It would take too long to repair in-place, so you need to failover to your DR environment, in addition to executing security response steps. (Note: If you don’t have a DRP, see Info-Tech’s Create a Right-Sized Disaster Recovery Plan solution set.)
  • Scenario 3: A critical outsourced service or cloud service is compromised. You need to work with the vendor to determine the scope of impact and execute a response. This includes determining if your on-prem systems were also compromised.
  • Scenario 4: One or multiple end-user devices are compromised. Your response to the above scenarios would include assessing end-user devices as a possible source of the attack or a secondary attack, but this scenario puts more focus on containing an attack on end-user devices.

Note: The above is too much to execute in one 30-minute session, so plan a series of exercises as outlined below.

Input

  • No input required

Output

  • Determine the scope of your tabletop planning exercises

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)

Optimize the time spent by participants by running a series of focused exercises

Not all stakeholders need to be present at every tabletop planning exercise. You can gain efficiency by first running exercises with IT (to focus on IT response) and then include non-IT stakeholders for more focus on steps such as crisis communications and working with external stakeholders (e.g. law enforcement, cyberinsurance). Below is a sample schedule.

Sample schedule:

Q1: Hold two sessions that run Scenarios 1 and 2 with relevant IT participants (see Activity 3.2.1). The focus for these sessions will be primarily on the technical response. For example, include notifying leadership and their role in decision making, but don’t expand further on the details of their process. Similarly, don’t invite non-IT participants to these sessions so you can focus first on understanding the IT response. Invite executives to the Q2 exercise where they will have more opportunity to be involved.

Q2: Hold one session with the SIRT and non-IT stakeholders. Use the results of the Q1 exercises as a starting point and expand on the non-IT response steps (e.g. notifying external parties, executive decisions on response options).

Q3 and Q4: Run other sessions (e.g. for Scenarios 3 and 4) with relevant stakeholders. Ensure your ransomware incident response plan covers a wide range of possible scenarios.

Run ongoing exercises at least annually. Once you have a solid ransomware incident response plan, incorporate ransomware-based tabletop planning exercises into your overall security incident management testing and maintenance schedule.

Info-Tech Insight

Schedule these sessions well in advance to ensure appropriate resources are available. Document this in an annual test plan summary that outlines the scope, participants, and dates and times for the planned sessions.

3.2.2 Run a tabletop planning exercise

1-2 hours

Remember that the goal is a deeper dive into how you would respond to an attack so you can clarify steps and gaps. This is not meant to just be a read-through of your plan. Follow the guidelines below:

  1. Select your scenario and invite relevant participants (see the previous slides).
  2. Guide participants through the incident and capture the steps and gaps along the way. Focus on one stakeholder at a time through each phase but be sure to get input from everyone. For example, focus on the Service Desk’s steps for detection, then do the same as relevant to other stakeholders. Move on to analysis and do the same. (Tip: The distinction between phases is not always clear, and that’s okay. Similarly, eradication and recovery might be the same set of steps. Focus on capturing the detail; you can clarify the relevant phase later.)
  3. Record the results (e.g. capture it in Visio) for reference purposes. (Tip: You can run the exercise directly in Visio. However, there’s a risk that the tool may become a distraction. Enlist a scribe who is proficient with Visio so you don’t need to wait for information to be captured and plan to save the detailed formatting and revising for later.)

Refer to the Ransomware Tabletop Planning Results – Example as a guide for what to capture. Aim for more detail than found in your Ransomware Response Workflow (but not runbook-level detail).

Input

  • Baseline ransomware response workflow

Output

  • Clarify your response workflow, capabilities, and gaps

Materials

  • Whiteboard or sticky notes or index cards, or a shared screen

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's Ransomware Response Tabletop Planning Results - Example

Download the Ransomware Tabletop Planning Results – Example.

Step 3.3

Update your ransomware response workflow and runbook

Activities

3.3.1 Update your ransomware response workflow

3.3.2 Update your ransomware response runbook

This step will guide you through the following activities:

  • Update your ransomware response workflow
  • Update your ransomware response runbook

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • An updated incident response workflow and runbook based on current capabilities

3.3.1 Update your ransomware response workflow

1 hour

Use the results from your tabletop planning exercises (Activity 3.2.2) to update and clarify your ransomware response workflow. For example:

  • Update stakeholder swimlanes: Clarify which stakeholders need a swimlane (e.g. where interactions between groups need to be clarified). For example, consider a SIRT swimlane that combines the relevant technical response roles but have separate swimlanes for other groups that the SIRT interacts with (e.g. Service Desk, the Executive Team).
  • Update workflow steps: Use the detail from the tabletop exercises to clarify and/or add steps, as well as further define the interactions between swimlanes. (Tip: Your workflow needs to account for a range of scenarios. It typically won’t be as specific as the tabletop planning results, which focus on only one scenario.)
  • Clarify the overall workflow: Look for and correct any remaining areas of confusion and clutter. For example, consider adding “Go To” connectors to minimize lines crossing each other, adding color coding to highlight key related steps (e.g. any communication steps), and/or resizing swimlanes to reduce the overall size of the workflow to make it easier to read.
  • Repeat the above after each exercise: Continue to refine the workflow as needed until you reach the stage where you just need to validate that your workflow is still accurate.

Input

  • Results from tabletop planning exercises (Activity 3.2.2)

Output

  • Clarify your response workflow

Materials

  • Ransomware Response Workflow

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's Ransomware Response Tabletop Planning Results - Example with update

3.3.2 Update your ransomware response runbook

1 hour

Use the results from your tabletop planning exercises (Activity 3.2.2) to update your ransomware response runbook. For example:

  • Align stakeholder sections with the workflow: Each stakeholder swimlane in the workflow needs its own section in the runbook.
  • Update incident response steps: Use the detail from the tabletop exercise to clarify instructions for each stakeholder. This can include outlining specific actions, defining which stakeholders to work with, and referencing relevant documentation (e.g. vendor documentation, step-by-step restore procedures). (Tip: As with the workflow, the runbook needs to account for a range of scenarios, so it will include a list of actions that might need to be taken depending on the incident, as illustrated in the example runbook.)
  • Review and update your threat escalation protocol: It’s best to define your threat escalation protocol before the tabletop planning exercise to help identify participants and avoid confusion. Now use the exercise results to validate or update that documentation.
  • Repeat the above after each exercise: Continue to refine your runbook as needed until you reach the stage where you just need to validate that your runbook is still accurate.

Input

  • Results from tabletop planning exercises (Activity 3.2.2)

Output

  • Clarified response runbook

Materials

  • Ransomware Response Runbook

Participants

  • Security Incident Response Team (SIRT)

Screenshots of Info-Tech's Example Ransomware Response Tabletop Planning results, and Ransomware Response Runbook

Phase 4

Build a project roadmap to close gaps

Model of the four phases is shown, and lists activities for each phase. Phase 4 is highlighted.

This phase will guide you through the following steps:

  • Identify initiatives to improve ransomware readiness
  • Prioritize initiatives in a project roadmap
  • Communicate status and recommendations

This phase involves the following participants:

  • Security Incident Response Team (SIRT)

Step 4.1

Identify initiatives to improve ransomware readiness

Activities

4.1.1 Identify initiatives to close gaps and improve resilience

4.1.2 Review broader strategies to improve your overall security program

This step will walk you through the following activities:

  • Identify initiatives to close gaps and improve resilience
  • Review broader strategies to improve your overall security program

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • Specific potential initiatives based on a review of the gaps
  • Broader potential initiatives to improve your overall security program

4.1.1 Identify initiatives to close gaps and improve resilience

1 hour

Use the results from the activities you have completed to identify initiatives to improve your ransomware readiness.

  1. Set up a blank spreadsheet with two columns and label them “Gaps” and “Initiatives.” (It will be easier to copy the gaps and initiatives from this spreadsheet to your project roadmap, rather than use the Gap Initiative column in the Ransomware Readiness Maturity Assessment Tool.)
  2. Review your tabletop planning results:
    • Summarize the gaps in the “Gaps” column in your spreadsheet created for this activity.
    • For each gap, write down potential initiatives to address the gap.
    • Where possible, combine similar gaps and initiatives. Similarly, the same initiative might address multiple gaps, so you don’t need to identify a distinct initiative for every gap.
  3. Review the results of your maturity assessment completed in Phase 1 to identify additional gaps and initiatives in the spreadsheet created for this activity.

Input

  • Tabletop planning results
  • Maturity assessment

Output

  • Identify initiatives to improve ransomware readiness

Materials

  • Blank spreadsheet

Participants

  • Security Incident Response Team (SIRT)

4.1.2 Review broader strategies to improve your overall security program

1 hour

  1. Review the following considerations as outlined on the next few slides:
    • Implement core elements of an effective security program – strategy, operations, and policies. Leverage the work completed in this blueprint to provide context and address your immediate gaps while developing an overarching security strategy based on business requirements, risk tolerance, and overall security considerations. Security operations and policies are key to executing your overall security strategy and day-to-day incident management.
    • Update your backup strategy to account for ransomware attacks. Consider what your options would be today if your primary backups were infected. If those options aren’t very good, your backup strategy needs a refresh.
    • Consider a zero-trust strategy. Zero trust reduces your reliance on perimeter security and moves controls to where the user accesses resources. However, it takes time to implement. Evaluate your readiness for this approach.
  2. As a team, discuss the merits of these strategies in your organization and identify potential initiatives. Depending on what you already have in place, the project may be to evaluate options (e.g. if you have not already initiated zero trust, assign a project to evaluate your options and readiness).

Input

  • An understanding of your existing security practices and backup strategy

Output

  • Broader initiatives to improve ransomware readiness

Materials

  • Whiteboard or flip chart (or a shared screen if staff are remote)

Participants

  • Security Incident Response Team (SIRT)

Implement core elements of an effective security program

There is no silver bullet. Ransomware readiness depends on foundational security best practices. Where budget allows, support that foundation with more advanced AI-based tools that identify abnormal behavior to detect an attack in progress.

Leverage the following blueprints to implement the foundational elements of an effective security program:

  • Build an Information Security Strategy: Consider the full spectrum of information security, including people, processes, and technologies. Then base your security strategy on the risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
  • Develop a Security Operations Strategy: Establish unified security operations that actively monitor security events and threat information, and turn that into appropriate security prevention, detection, analysis, and response processes.
  • Develop and Deploy Security Policies: Improve cybersecurity through effective policies, from acceptable use policies aimed at your end users to system configuration management policies aimed at your IT operations.

Supplement foundational best practices with AI-based tools to counteract more sophisticated security attacks:

  • The evolution of ransomware gangs and ransomware as a service means the most sophisticated tools designed to bypass perimeter security and endpoint protection are available to a growing number of hackers.
  • Rather than activate the ransomware virus immediately, attackers will traverse the network using legitimate commands to infect as many systems as possible and exfiltrate data without generating alerts, then finally encrypt infected systems.
  • AI-based tools learn what is normal behavior and therefore can recognize unusual traffic (which could be an attack in progress) before it’s too late. For example, a “user” accessing a server they’ve never accessed before.
  • Engage an Info-Tech analyst or consult SoftwareReviews to review products that will add this extra layer of AI-based security.
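The "user accessing a server they’ve never accessed before" signal above can be prototyped without a commercial product. The following Python script is an added example, not code from the blueprint: it learns normal (user, server) pairs from a training window, flags accesses outside that baseline, and escalates any account that reaches several new servers in one window, the pattern the traversal bullet describes. The log format and sample lines are constructed.

```python
"""First-time user-to-server access detection (added example, not the
blueprint's code). Learns normal (user, server) pairs from a training
window, flags events outside that baseline, and escalates users that
reach several new servers. Log format and sample lines are constructed."""
from collections import defaultdict, namedtuple

Access = namedtuple("Access", "ts user server action")

def parse_line(line):
    """Parse the constructed format '<ts> user=<u> server=<s> action=<a>'."""
    ts, rest = line.split(" ", 1)
    f = dict(kv.split("=", 1) for kv in rest.split())
    return Access(ts, f["user"], f["server"], f["action"])

def build_baseline(events):
    """Map each user to the set of servers seen in the training window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.server)
    return dict(baseline)

def flag_anomalies(baseline, events):
    """Events where a user reaches a server absent from their baseline.
    A user with no baseline at all (unknown account) is flagged too."""
    return [e for e in events if e.server not in baseline.get(e.user, set())]

def lateral_movement_scores(alerts):
    """Distinct new servers per user; many in one window suggests traversal."""
    seen = defaultdict(set)
    for e in alerts:
        seen[e.user].add(e.server)
    return {u: len(s) for u, s in seen.items()}

def escalate(scores, threshold=3):
    """Users whose new-server count meets the threshold, for SIRT triage."""
    return sorted(u for u, n in scores.items() if n >= threshold)

# Constructed sample data: a quiet training period, then one night shift.
TRAINING_LOG = [
    "2024-03-01T08:00:00 user=alice server=fileshare01 action=read",
    "2024-03-01T08:05:00 user=alice server=hr-app action=read",
    "2024-03-01T09:00:00 user=bob server=fileshare01 action=read",
    "2024-03-02T10:00:00 user=svc-backup server=backup01 action=write",
]
MONITORED_LOG = [
    "2024-03-10T02:00:00 user=alice server=fileshare01 action=read",
    "2024-03-10T02:01:00 user=alice server=fileshare02 action=write",
    "2024-03-10T02:02:00 user=alice server=backup01 action=write",
    "2024-03-10T02:03:00 user=alice server=dc01 action=read",
    "2024-03-10T09:00:00 user=bob server=hr-app action=read",
    "2024-03-10T09:30:00 user=carol server=fileshare01 action=read",
]

def run_demo():
    """Return (alerts, per-user scores, escalated users) for the sample logs."""
    baseline = build_baseline(parse_line(l) for l in TRAINING_LOG)
    alerts = flag_anomalies(baseline, [parse_line(l) for l in MONITORED_LOG])
    scores = lateral_movement_scores(alerts)
    return alerts, scores, escalate(scores)

if __name__ == "__main__":
    alerts, scores, hot = run_demo()
    for a in alerts:
        print(f"ALERT {a.ts} {a.user} -> {a.server} ({a.action})")
    print("escalate:", hot)  # ['alice']
```

A real deployment would rebuild the baseline on a rolling window and exclude known service accounts from escalation; the point is that a per-user baseline, not a perimeter rule, is what catches the 02:00 fan-out.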

Update your backup strategy to account for ransomware attacks

Apply a defense-in-depth strategy. A daily disk backup that goes offsite once a week isn’t good enough.

In addition to applying your existing security practices to your backup solution (e.g. anti-malware, restricted access), consider:

  • Creating multiple restore points. Your most recent backup might be infected. Frequent backups allow you to be more granular when determining how far you need to roll back.
    • Keeping offsite backups and using different storage media. Reduce the risk that backups are infected by using different storage media (e.g. disk, NAS, tape) and backup locations (e.g. offsite). If you can make the attackers jump through more hoops, you have a greater chance of detecting the attack before all backups are infected.
  • Investing in immutable backups. Most leading backup solutions offer options to ensure backups are immutable (cannot be altered after they are written).
  • Using the BIA you completed in Phase 2 to help decide where to prioritize investments. All the above strategies add to your backup costs and might not be feasible for all data. Use your BIA results to decide which data sets require higher levels of protection.

This example strategy combines multiple restore points, offsite backup, different storage media, and immutable backups.

Model of backup strategy to account for ransomware attacks.

Refer to Info-Tech’s Establish an Effective Data Protection Plan blueprint for additional
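To turn the four measures above into something the SIRT can check against a backup inventory, the following Python script is an added example, not the blueprint’s own tool: each data set’s BIA tier maps to minimums for restore points, an offsite copy, distinct media, and an immutable copy, and gaps are reported highest tier first for the roadmap. The tiers, thresholds, and inventory are constructed assumptions.

```python
"""Backup defense-in-depth gap check (added example, not the blueprint's
code). Each data set's BIA tier maps to minimums for the four measures
above: multiple restore points, an offsite copy, different storage
media, and an immutable copy. Tiers, thresholds, and inventory are
constructed assumptions; substitute your own BIA results."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class BackupCopy:
    media: str           # e.g. "disk", "nas", "tape", "cloud"
    location: str        # "onsite" or "offsite"
    immutable: bool      # cannot be altered after it is written
    restore_points: int  # distinct recoverable points retained

@dataclass
class DataSet:
    name: str
    tier: str            # BIA tier: "critical", "important", "standard"
    copies: list = field(default_factory=list)

# Assumed per-tier minimums (not from the blueprint).
TIER_REQUIREMENTS = {
    "critical":  {"restore_points": 14, "offsite": True,  "media": 2, "immutable": True},
    "important": {"restore_points": 7,  "offsite": True,  "media": 2, "immutable": False},
    "standard":  {"restore_points": 3,  "offsite": False, "media": 1, "immutable": False},
}

def assess(ds):
    """Return the gaps for one data set against its tier's minimums."""
    req = TIER_REQUIREMENTS[ds.tier]
    gaps = []
    # For tiers that need an offsite copy, only copies an attacker who owns the
    # primary site cannot wipe (offsite or immutable) count toward restore points.
    survivors = ([c for c in ds.copies if c.location == "offsite" or c.immutable]
                 if req["offsite"] else ds.copies)
    points = max((c.restore_points for c in survivors), default=0)
    if points < req["restore_points"]:
        gaps.append(f"restore points {points} < {req['restore_points']}")
    if req["offsite"] and not any(c.location == "offsite" for c in ds.copies):
        gaps.append("no offsite copy")
    media = {c.media for c in ds.copies}
    if len(media) < req["media"]:
        gaps.append(f"{len(media)} media type(s) < {req['media']}")
    if req["immutable"] and not any(c.immutable for c in ds.copies):
        gaps.append("no immutable copy")
    return gaps

def assess_inventory(datasets):
    """Map data set name -> gaps, highest BIA tier first, so remediation
    lands on the roadmap where the BIA says impact is greatest."""
    order = {"critical": 0, "important": 1, "standard": 2}
    return {d.name: assess(d) for d in sorted(datasets, key=lambda d: order[d.tier])}

# Constructed inventory: daily disk backup onsite, weekly immutable tape offsite.
INVENTORY = [
    DataSet("erp-db", "critical", [BackupCopy("disk", "onsite", False, 30),
                                   BackupCopy("tape", "offsite", True, 4)]),
    DataSet("hr-files", "important", [BackupCopy("disk", "onsite", False, 30)]),
    DataSet("marketing-assets", "standard", [BackupCopy("nas", "onsite", False, 7)]),
]

if __name__ == "__main__":
    for name, gaps in assess_inventory(INVENTORY).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```

On the constructed inventory the critical ERP database passes every check except granularity: the only copy that survives loss of the primary site is the weekly tape, which is the "daily disk backup that goes offsite once a week" problem stated at the top of this slide.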

Identify where and how your organization can adopt a zero-trust strategy

Zero trust is more of a set of principles than it is a set of controls, making it a highly flexible and very effective approach to IT security strategy.

Consider the following:

  • Zero trust reduces reliance on perimeter security. Zero trust is a strategy that solves how to move beyond your reliance on perimeter security and to move controls to where your user accesses resources. Frequently, zero trust consolidates security solutions, which saves operating expenditures but also enables business mobility by securing the digital environment at all layers.
  • Zero trust must benefit the business first. IT security will need to constantly determine how different areas of zero trust will affect core business processes. This means that zero trust is not a one-size-fits-all approach to IT security. Zero trust is the goal – but some organizations can only get so close to that ideal.
  • Not everyone can achieve zero trust, but everyone can adopt it. Zero trust will be different for every organization and may not be applicable in every control area. Your organization does not need to move to the cloud to achieve zero trust, since there are controls that can be implemented that make zero trust possible on premise as well as in the cloud.

Info-Tech Insight

This may take some time. The U.S. Air Force’s AFWERX zero-trust pilot found it would take at least five years to fully realize the benefits of zero trust. Review what would be involved in a zero-trust strategy and evaluate your readiness to take this on by leveraging Info-Tech’s Determine Your Zero Trust Readiness blueprint.

Step 4.2

Prioritize initiatives in a project roadmap

Activities

4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

4.2.2 Review the dashboard to fine-tune your roadmap

This step will guide you through the following activities:

  • Prioritize initiatives based on factors such as effort, cost, and risk
  • Review the dashboard to fine-tune your roadmap

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • An executive-friendly project roadmap dashboard summarizing your initiatives
  • A visual representation of the priority, effort, and timeline required for suggested initiatives

Review the DRP Roadmap Tool

The Ransomware Project Roadmap Tool – Example is included in this blueprint to illustrate the types of initiatives that might be relevant to improve your ransomware readiness. For detailed tool instructions and the latest version of the source project roadmap tool, refer to Info-Tech’s Create a Right-Sized Disaster Recovery Plan blueprint and DRP Roadmap Tool. Although it’s labeled for DRP, the same tool can be used to create any project roadmap.

Three screenshots of Info-Tech's DRP Roadmap Tool

Download the Ransomware Project Roadmap Tool – Example.

4.2.1 Prioritize initiatives based on factors such as effort, cost, and risk

1 hour

Prioritize initiatives in the DRP Roadmap Tool. Rename the tool as appropriate for your organization, e.g. “Ransomware Project Roadmap.”

  1. On the “Data Entry” tab, copy the gaps and initiatives collected during your activities in Step 4.1 into the tool. (Tip: Put short names for the initiatives in the “Roadmap Item” column; this is what appears on the Roadmap dashboard in tab 3.)
  2. On the “Setup” tab:
    • Decide which criteria you wish to include in your evaluation (beyond the required fields such as effort).
    • For the criteria you plan to use, update the default values as needed (i.e. define the values for the different levels of effort).
  3. Go back to the “Data Entry” tab and:
    • Fill in the evaluation criteria you wish to use (consider hiding the columns you don’t plan to use to avoid confusion).
    • Use the evaluation criteria to inform the priority level you assign, as well as the timeline.

Input

  • Gaps and initiatives identified in Step 4.1

Output

  • Project roadmap dashboard

Materials

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's DRP Roadmap Tool - Roadmap: Data Entry

4.2.2 Review the dashboard to fine-tune the roadmap

1 hour

Review and update the roadmap dashboard in your DRP Roadmap Tool

  1. On the “Roadmap” tab, review your resulting dashboard (you may need to run a data refresh to update the dashboard). For example, during your review, ensure:
    • The timeline is realistic (avoid multiple high-effort projects planned for the short term).
    • Higher-priority items are scheduled sooner than low-priority items.
    • The short term includes some quick wins (e.g. high-priority, low-effort items).
    • It overall supports the story you wish to communicate (e.g. a plan to address gaps, along with the required effort and timeline).
    • Tip: When you eventually present the dashboard to relevant stakeholders, use the filters to refine the message or the focus. Highlight high-priority tasks, present possible capacity bottlenecks by filtering by owner, and so on.
  2. Based on your review, update the values on the “Data Entry” tab as needed.

Input

  • Gaps and initiatives identified in Step 4.1

Output

  • Project roadmap dashboard

Materials

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Info-Tech's DRP Roadmap Tool - Project Roadmap

Step 4.3

Communicate current status and recommendations

Activities

4.3.1 Summarize status and next steps in an executive presentation

This step will guide you through the following activities:

  • Summarize status and next steps in an executive presentation

This step involves the following participants:

  • Security Incident Response Team (SIRT)

Outcomes of this step

  • Gain stakeholder buy-in by communicating the risk of the status quo and achievable next steps to improve your organization’s ransomware readiness

4.3.1 Summarize status and next steps in an executive presentation

1 hour

Gain stakeholder buy-in by communicating the risk of the status quo and recommendations to reduce that risk. Specifically, capture and present the following from this blueprint:

  • Phase 1: Maturity assessment results, indicating your organization’s overall readiness as well as specific areas that need to improve.
  • Phase 2: Business impact results, which objectively quantify the potential impact of downtime and data loss.
  • Phase 3: Current incident response capabilities, including steps, timeline, and gaps.
  • Phase 4: Recommended projects to close specific gaps and improve overall ransomware readiness.
  • Overall key findings and next steps.

Input

  • Results of all activities in Phases 1-4

Output

  • Executive presentation

Materials

  • Ransomware Readiness Summary Presentation Template

Participants

  • Security Incident Response Team (SIRT)

Screenshot of Ransomware Readiness Maturity: Level 2 (Developing)

Download the Ransomware Readiness Summary Presentation Template.

Summary of Accomplishments

Project Overview

This blueprint helped you create a ransomware incident response plan for your organization, as well as identify specific actions to improve its overall ransomware prevention and recovery capabilities.

Project Phases

Phase 1: Assess your ransomware readiness

Phase 2: Conduct a BIA to raise risk awareness and set recovery targets

Phase 3: Create a ransomware response workflow and runbook

Phase 4: Build a project roadmap to close gaps

Project Deliverables

  • Ransomware Readiness Maturity Assessment: Measure your current readiness, then identify people, policy, and technology gaps to address.
  • Ransomware Business Impact Analysis: Quantify the business impact of a ransomware attack to communicate risk and prioritize the systems and data that need the greatest protection.
  • Ransomware Response Workflow: An at-a-glance summary of the key incident response steps across all relevant stakeholders through each phase of incident management.
  • Ransomware Response Runbook: Includes your threat escalation protocol and detailed response steps to be executed by each stakeholder.
  • Ransomware Tabletop Planning Results: This deep dive into a ransomware scenario will help you develop a more accurate incident management workflow and runbook, as well as identify gaps to address.
  • Ransomware Project Roadmap: This prioritized list of initiatives will address specific gaps and improve overall ransomware readiness.
  • Ransomware Readiness Summary Presentation: Your executive presentation will communicate the risk of the status quo, present recommended next steps, and drive stakeholder buy-in.

Related Info-Tech Research

Related Security Blueprints:

  • Build an Information Security Strategy
    This blueprint helps you consider the full spectrum of information security, including people, processes, and technologies. Base your security strategy on risks facing your organization – not just on best practices – to ensure alignment with business goals and requirements.
  • Develop a Security Operations Strategy
    Establish unified security operations that actively monitor security events and threat information. Turn that into appropriate security prevention, detection, analysis, and response processes.
  • Develop and Deploy Security Policies
    Improve cybersecurity through effective policies, from acceptable use policies aimed at end users to system configuration management policies aimed at IT operations.
  • Develop and Implement a Security Incident Management Program
    Create a scalable incident response program for a wide range of potential security incidents. Refer to this blueprint for additional details on overall security incident management.

Related Disaster Recovery Blueprints:

  • Establish an Effective Data Protection Plan
    Select appropriate backup strategies based on business requirements for data related to archiving, restoring, and business continuity.
  • Create a Right-Sized Disaster Recovery Plan
    Avoid over- or under-provisioning your disaster recovery (DR) solution. Prioritize business requirements, determine your ability to meet those requirements, and then identify projects to close the gap between your current and required DR capabilities.

Research Contributors and Experts

Ira Goldstein

Chief Operating Officer

Herjavec Group

Celine Gravelines

Senior Cybersecurity Analyst

Encryptics

Dan Mathieson

Mayor

City of Stratford

Kevin Cross

Network Operations Coordinator

Mohawk Council of Kahnawake

Two Additional Anonymous Contributors

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Need Extra Help?
Try Our Guided Implementations

Get the help you need in this 4-phase advisory process. You'll receive 10 touchpoints with our researchers, all included in your membership.

Guided Implementation #1 - Assess your ransomware readiness
  • Call #1 - Conduct a maturity assessment.
  • Call #2 - Review selected systems and dependencies.

Guided Implementation #2 - Conduct a BIA to raise risk awareness and set recovery targets
  • Call #1 - Record systems and dependencies using Info-Tech's Business Impact Analysis Tool.
  • Call #2 - Complete the impact analysis for selected systems and data sets.

Guided Implementation #3 - Create a ransomware response workflow and runbook
  • Call #1 - Document your threat escalation protocol.
  • Call #2 - Use tabletop planning to identify response steps and gaps.
  • Call #3 - Update your ransomware response workflow and runbook.

Guided Implementation #4 - Build a project roadmap to close gaps
  • Call #1 - Identify initiatives to improve ransomware readiness.
  • Call #2 - Prioritize initiatives in a project roadmap.
  • Call #3 - Communicate your current status and recommendations.

Author(s)

Frank Trovato

Contributors

  • Ira Goldstein, Chief Operating Officer, Herjavec Group
  • Celine Gravelines, Senior Cybersecurity Analyst, Encryptics
  • Dan Mathieson, Mayor, City of Stratford
  • Kevin Cross, Network Operations Coordinator and Team Leader for IT, Mohawk Council of Kahnawake
  • Two anonymous contributors