Our Wired World

Blueprint For Ransomware Defense

An action plan for ransomware mitigation, response, and recovery for small- and medium-sized enterprises

A recent white paper from the Institute For Security And Technology, a research company focused on global technology and security for business, lays out an ambitious plan to combat and respond to the threats of cyber-warfare across the ecosystem of commerce. Its Ransomeware Task Force maps out the blueprint. Access the full report here.

The Ransomware Task Force called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery.” The basis for this Blueprint for Ransomware Defense is the CIS Controls, a set of well-regarded and widely-used best practices that help enterprises focus their resources on the critical actions needed to defend against the most common cyber attacks. It includes a subset of these best practices, or “Safeguards,” that are most relevant to combating ransomware.

Executive Summary

According to the U.S. Small Business Administration, there are 32,540,953 million small businesses in the United States, representing 99.9% of all firms. However, many of these businesses remain inadequately prepared against the risk of a cyber attack. Accenture’s 2019 Cost of Cybercrime Study, for example, revealed that “43% of cyber attacks target small businesses, but only 14% are prepared to defend themselves.” To address this risk, it is increasingly common for SMEs to obtain cybersecurity insurance. Increasingly, however, insurers require enterprises to better understand, implement, and demonstrate cyber risk management practices before qualifying.

It is in this context that we recommend that SMEs should adopt a cybersecurity framework of specific best practices to help defend against these attacks. Fortunately, adopting and following a security framework can help enterprises build stronger defenses. Unfortunately, it is difficult to know where to start, leaving many lost and unable to prioritize their cybersecurity efforts. However, that framework needs to be written in plain terms, with easily digestible and practical guidance. Regrettably, some SMEs believe they are unable to achieve and implement certain cybersecurity frameworks and therefore have not pursued business opportunities that require demonstration of compliance to them. This practice perpetuates the cycle of inefficient cybersecurity preparedness.

In response to Action 3.1.1 of the Ransomware Task Force (RTF) report, which calls for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery,” the Blueprint for Ransomware Defense Working Group developed a Blueprint comprised of a curated subset of essential cyber hygiene Safeguards from the Center for Internet Security Critical Security Controls® (CIS Controls®) v8. These Safeguards represent a minimum standard of information security for all enterprises and are what should be applied to defend against the most common attacks. This Blueprint for Ransomware Defense represents a set of Foundational and Actionable Safeguards, aimed at small- and medium-sized enterprises (SMEs).

In order to defend your network, you must first know what is on your network, meaning what technology you are using and data you are storing and/or transmitting...

Consequently, this Blueprint for Ransomware Defense utilizes the CIS Controls, a prioritized and prescriptive set of actions developed by a global community of cybersecurity experts. The forty (40) recommended Safeguards included in the Blueprint have been carefully selected not only for their ease-of-implementation but their effectiveness in defending against ransomware attacks. This has been backed by analysis from the CIS Community Defense Model v2.0 (CIS CDM v2.0), where implementing the Safeguards in this Blueprint defends against over 70% of the attack techniques associated with ransomware. It is important to note that this Blueprint is not intended to serve as an implementation guide, but rather a recommendation of defensive actions that can be taken to protect against and respond to ransomware and other common cyber attacks.

Excerpts From The Blueprint For Ransomware Defense

In order to defend against ransomware, SMEs must implement a layered approach to protect their most critical assets. This requires implementation of controls in areas such as enterprise asset and software inventory management, vulnerability management, malware defense, training, data recovery, and incident response. As ransomware evolves, adversaries are now crafting new techniques, such as extortion – where attackers exfiltrate data prior to encryption and then demand payment to avoid public release of the data. By implementing the Safeguards in this Blueprint, SMEs are well poised to defend against ransomware, as well as other types of attacks.

The following describes Foundational and Actionable Safeguards for ransomware defense and why they are important. Users of this Blueprint should focus on implementing Foundational Safeguards first before implementing Actionable (i.e., more technical) Safeguards.

Blueprint For Action

Given its broad acceptance across the government, business, and cybersecurity communities, the Blueprint for Ransomware Defense Working Group aligned the subset of Safeguards to the National Institute of Standards and Technology® Cybersecurity Framework (NIST® CSF) functions – Identify, Protect, Detect, Respond, and Recover – that help implement an effective cybersecurity program. Grouping actions by these functions can help SMEs better understand their risks, the steps needed to protect their enterprise from that risk, the tools that can be used to find and detect risks, and the solutions available to contain and remediate threats as quickly as possible. Due to their complexity and technical nature, Safeguards relating to the “Detect” function have been excluded from this Blueprint. However, the Working Group strongly recommends that SMEs following this Blueprint work with a cybersecurity services provider to implement detection controls, or other controls where SMEs require assistance, where appropriate


In order to defend your network, you must first know what is on your network, meaning what technology you are using and data you are storing and/or transmitting. Foundational Safeguards under Identify recommend that SMEs establish and maintain enterprise asset and software inventories to better manage all connected devices; and implement data management processes that clearly outline the collection, use, and storage of data.

Activities also include establishing and maintaining an inventory of accounts, including regular user accounts and those with elevated privileges.