Control Detail | Control Status
--- | ---
Ensure that an accurate inventory of systems, services, and data assets is maintained, and that an up-to-date copy of this inventory is maintained outside of the environment being protected. | Critical Coverage Gaps / No Capabilities
Ensure that appropriate levels of threat and risk assessment activities have been performed to help identify control weaknesses or gaps across functions relative to production business processes and data. | Critical Coverage Gaps / No Capabilities
Ensure that data with privacy, compliance, or other regulatory protections that may result in adverse effects to the organization even if the data is recoverable are protected with sufficient controls based on organizational risk planning. | Critical Coverage Gaps / No Capabilities
Understand the level of risk introduced by partners with elevated levels of connectivity to the organization, and ensure that suitable "quick disconnect" plans exist to mitigate threats associated with partner compromise to prevent spread. | Critical Coverage Gaps / No Capabilities
Ensure that vendor alerts are subscribed to for systems and services handling production data or workloads to enable proactive vulnerability mitigation based on vendor announcements and patch or workaround release. At a minimum, all exposed systems/services and perimeter infrastructure must be included. | Critical Coverage Gaps / No Capabilities
Ensure that all systems are protected by a centrally managed antivirus platform, ideally coupled with EDR capabilities that include behavioral assessment and threat-mitigation capabilities. | Critical Coverage Gaps / No Capabilities
Ensure that network-based IDS/IPS solutions are in place to monitor traffic related to production assets for concerns or threats. | Critical Coverage Gaps / No Capabilities
Access to backup servers and backup applications should require multi-factor authentication for access (including RDP access on internal networks). | Critical Coverage Gaps / No Capabilities
Enforce egress controls to limit or prohibit direct outbound access for systems where there is no business or technical need for such connectivity. | Critical Coverage Gaps / No Capabilities
Enforce strong segmentation and traffic filtering between higher-risk production assets handling sensitive data and other resources in the environment, to the absolute minimum necessary. | Critical Coverage Gaps / No Capabilities
Use a malicious DNS blocking service for all external queries to minimize the threat of compromise due to visiting known malicious sites, as well as to render command & control traffic less likely to succeed. | Critical Coverage Gaps / No Capabilities
Perform periodic reviews to ensure that only the minimum necessary access is permitted related to exposed services, partner connections, and client VPN connections. | Critical Coverage Gaps / No Capabilities
Use unique accounts for on-disk data access and modification of backup data on backup infrastructure and services. | Critical Coverage Gaps / No Capabilities
Prohibit general user and administrative groups from accessing (not to mention writing or modifying) data on volumes where backups are stored. This includes ensuring domain administrator or equivalent access is limited. | Critical Coverage Gaps / No Capabilities
Take offline or unmount data volumes storing backup data when not in use. | Critical Coverage Gaps / No Capabilities
Backup infrastructure is segmented from general network access, and does not present SMB/CIFS shares to networks (including administrative shares). This includes isolating network-based storage connectivity. | Critical Coverage Gaps / No Capabilities
Backups include point-in-time recovery options that span at least several weeks and months (a single, most-recent backup is generally not considered sufficient). | Critical Coverage Gaps / No Capabilities
Where possible, create backups by pulling from, versus pushing to, backup/storage infrastructure, to limit access to backup infrastructure services. | Critical Coverage Gaps / No Capabilities
Configure volume shadow copies and other system-level controls, which may provide recovery options in some scenarios but should not be depended on (as they are often targeted for deletion by malicious software). | Critical Coverage Gaps / No Capabilities
Vigilantly patch backup software and supporting operating systems, and protect them with an antivirus solution. | Critical Coverage Gaps / No Capabilities
Use snapshots of backup data and/or critical systems to supplement backups. | Critical Coverage Gaps / No Capabilities
Use off-site backups in some form, such as cloud or tape, to provide a last-resort recovery path/capability for production data and data with defined retention requirements. | Critical Coverage Gaps / No Capabilities
Ensure all off-site backups have sufficient controls in place to prevent unauthorized modification or removal in the event of control failures within the primary operating and backup environment. | Critical Coverage Gaps / No Capabilities
Store physical backup copies and archives in a secured facility with appropriate access controls, climate controls, and independence from primary storage facilities or personnel. | Critical Coverage Gaps / No Capabilities
Store cloud storage backups and/or replication data in a manner that completely separates logical controls and access from the primary environment. Access should be bound to a service layer over a secure transport, and storage must leverage a mechanism to provide time-based immutability of written data for at least 30 days. Technologies such as object storage with object locking can be used to meet this objective. | Critical Coverage Gaps / No Capabilities
Periodically inventory data for criticality and cross-check with current backup procedures to verify inclusion, on at least a monthly basis. | Critical Coverage Gaps / No Capabilities
Where backups are encrypted, maintain decryption keys in a secure location with no dependency on environment access, and ideally in multiple locations, with one location off-site. | Critical Coverage Gaps / No Capabilities
Ensure that procedures exist and that there is tracking of performance of those procedures for core security monitoring functions (critical system log reviews, vulnerability announcements, patch compliance, AV/EDR alerts, IDS/IPS alerts, backup failures, etc.). | Critical Coverage Gaps / No Capabilities
Require that production backup failures create a ticket that requires human intervention to resolve. | Critical Coverage Gaps / No Capabilities
Perform full-network vulnerability scans to identify gaps in patch compliance at least monthly. | Critical Coverage Gaps / No Capabilities
Ensure that alerts are configured for all access to critical backup service and data protection layers by interactive means (RDP, etc.). | Critical Coverage Gaps / No Capabilities
Ensure that there is an accurate and current incident response process that is distributed to essential team members, and that has been practiced/drilled, ideally including a large-scale ransomware scenario. | Critical Coverage Gaps / No Capabilities
Task a subset of likely incident response leaders and key participants with completion of the freely available NIMS ICS 100 and ICS 200 certifications to gain familiarity with NIMS ICS-based response methods. | Critical Coverage Gaps / No Capabilities
Prepare an incident "go bag" (or bags) for organizational incident response. Often supported by or based on an incident response kit, this should include online tools, services, or platforms that can facilitate improved incident response coordination, in addition to things such as Wi-Fi hotspots, two-way radios, or other suitable equipment based on incident response planning. | Critical Coverage Gaps / No Capabilities
Ensure that backup recovery methods are tested at least quarterly, including both local and cloud recovery methods (as defined in disaster recovery and business continuity planning). | Critical Coverage Gaps / No Capabilities
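The cloud backup control above requires time-based immutability of written data for at least 30 days, with object locking named as one way to meet it. The following checker is an added example, not part of the Rule4 tool; it assumes AWS S3 Object Lock as the concrete implementation and evaluates a bucket's lock configuration (the JSON shape returned by `aws s3api get-object-lock-configuration`) against the 30-day minimum, flagging Governance mode because it can be bypassed by a sufficiently privileged identity in the primary environment.

```python
import json

# Minimum immutability window stated by the control on this page.
MIN_IMMUTABLE_DAYS = 30


def immutability_findings(config: dict, min_days: int = MIN_IMMUTABLE_DAYS) -> list:
    """Return a list of findings for an S3 Object Lock configuration.

    An empty list means the bucket's default retention satisfies the
    control: lock enabled, Compliance mode, retention >= min_days.
    """
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled on the bucket"]
    retention = lock.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ["object lock enabled but no default retention rule: new objects are not locked"]
    # Governance mode can be overridden by principals allowed to bypass it,
    # so a compromised administrator in the primary environment could still
    # shorten or remove retention; only Compliance mode survives that failure.
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {retention.get('Mode')}, not COMPLIANCE")
    days = retention.get("Days")
    if days is None and "Years" in retention:
        days = retention["Years"] * 365
    if days is None or days < min_days:
        findings.append(f"default retention is {days} days, below the {min_days}-day minimum")
    return findings


# Constructed sample configurations (not taken from any real bucket).
WEAK_CONFIG = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}""")
STRONG_CONFIG = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("strong", STRONG_CONFIG)):
        print(name, immutability_findings(cfg) or ["OK"])
```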
Rule4 Ransomware Readiness Tool

Overview

This tool is intended to serve as a guide to general ransomware readiness by providing grade-based assessments on a scale specifically developed for this tool. Controls are referenced in relation to the NIST Cybersecurity Framework (CSF) functions, but are not intended to be explicit mappings to the CSF. The Control ID, Control Type, and Control Detail columns provide a set of controls that, when operated at a high level of maturity, should help to greatly reduce both the likelihood and impact of a ransomware event. Controls are classified as one of three general types, which are:

- Plan, Inventory & Process Maintenance: Controls and mechanisms to reduce ransomware risk tied to preparation and planning
- Threat Monitoring, Mitigation & Reduction: Controls intended to reduce or identify and react to threats common to ransomware
- Backup & Recovery Survivability: Controls that are closely coupled with backup solution design and operation to reduce ransomware risk

…oint for organizations, and that they perform their own risk rating and adjustments if deemed appropriate relative to their …
…h yellow cell in the yellow Control Status column (E).

Attribution

© 2021 Rule4, Inc. All rights reserved.

Redistribution and use, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions must retain the above copyright notice, this list of conditions, and the following disclaimer: "THIS TOOL IS PROVIDED BY RULE4 AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RULE4 BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS TOOL, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
2. All advertising materials mentioning features or use of this tool must display the following acknowledgement: "This product includes a tool developed by Rule4."
3. Neither the name of Rule4 nor the names of its contributors may be used to endorse or promote products derived from this tool without specific prior written permission.

[Chart: "Ransomware Readiness, NIST CSF Function-Mapped, Custom Grade Scale". Radar chart of the Identify, Protect, Detect, Respond, and Recover function scores on a 0.0 to 4.0 axis, and a column chart of control counts (0 to 25) by grade A, B, C, D, F.]
Grade Scale

Control Status | Grade | Score
--- | --- | ---
Critical Coverage Gaps / No Capabilities | F | 0
Limited Coverage / Few Capabilities | D | 1
Moderate Coverage / Some Capabilities | C | 2
High Coverage / Good Capabilities | B | 3
Complete Coverage / Strong Capabilities | A | 4

Radar Chart (function scores)

Function | Score | Grade
--- | --- | ---
Identify | 0.0 | F (0/4.0)
Protect | 0.0 | F (0/4.0)
Detect | 0.0 | F (0/4.0)
Respond | 0.0 | F (0/4.0)
Recover | 0.0 | F (0/4.0)

Sunburst Chart (control count by function and grade)

Function | Grade | Count | Control IDs
--- | --- | --- | ---
Identify | A | 0 | IDN-*
Identify | B | 0 | IDN-*
Identify | C | 0 | IDN-*
Identify | D | 0 | IDN-*
Identify | F | 6 | IDN-*
Protect | A | 0 | DET-*
Protect | B | 0 | DET-*
Protect | C | 0 | DET-*
Protect | D | 0 | DET-*
Protect | F | 5 | DET-*
Detect | A | 0 | PRO-*
Detect | B | 0 | PRO-*
Detect | C | 0 | PRO-*
Detect | D | 0 | PRO-*
Detect | F | 27 | PRO-*
Respond | A | 0 | RSP-*
Respond | B | 0 | RSP-*
Respond | C | 0 | RSP-*
Respond | D | 0 | RSP-*
Respond | F | 7 | RSP-*
Recover | A | 0 | REC-*
Recover | B | 0 | REC-*
Recover | C | 0 | REC-*
Recover | D | 0 | REC-*
Recover | F | 1 | REC-*

Column Chart (control count by control type and grade)

Control Type | A | B | C | D | F | Total
--- | --- | --- | --- | --- | --- | ---
Backup & Recovery Survivability | 0 | 0 | 0 | 0 | 21 | 21
Plan, Inventory & Process Maintenance | 0 | 0 | 0 | 0 | 14 | 14
Threat Monitoring, Mitigation & Reduction | 0 | 0 | 0 | 0 | 11 | 11
Totals | | | | | | 46