Rule4 Ransomware Readiness Tool: Control Worksheet

Worksheet columns: Function (NIST CSF), Control ID, Control Type, Control Detail, Control Status, Control Grade, Function Grade. In this export every Control Status cell still holds the template default, "Critical Coverage Gaps / No Capabilities", so every Control Grade and every Function Grade is F. Controls are listed by function; the bracketed text after each ID is its Control Type.

IDENTIFY

IDN-1 [Plan, Inventory & Process Maintenance]
Ensure that an accurate inventory of systems, services, and data assets is maintained, and that an up-to-date copy of this inventory is maintained outside of the environment being protected.

IDN-2 [Plan, Inventory & Process Maintenance]
Ensure that appropriate levels of threat and risk assessment activities have been performed to help identify control weaknesses or gaps across functions relative to production business processes and data.

IDN-3 [Plan, Inventory & Process Maintenance]
Ensure that data with privacy, compliance, or other regulatory protections (data whose exposure may result in adverse effects to the organization even if the data itself is recoverable) is protected with sufficient controls based on organizational risk planning.

IDN-4 [Plan, Inventory & Process Maintenance]
Understand the level of risk introduced by partners with elevated levels of connectivity to the organization, and ensure that suitable "quick disconnect" plans exist to mitigate threats associated with partner compromise and prevent spread.

IDN-5 [Threat Monitoring, Mitigation & Reduction]
Ensure that vendor alerts are subscribed to for systems and services handling production data or workloads, to enable proactive vulnerability mitigation based on vendor announcements and patch or workaround releases. At a minimum, all exposed systems/services and perimeter infrastructure must be included.

IDN-6 [Plan, Inventory & Process Maintenance]
Incorporate scenario planning for a complete-environment ransomware event in which all systems and services, including backup systems and software, are unavailable.

PROTECT

PRO-1 [Plan, Inventory & Process Maintenance]
Operate a comprehensive patch management program that addresses all devices, systems, appliances, and other equipment in the environment (anything network connected or connectable).

PRO-2 [Threat Monitoring, Mitigation & Reduction]
Ensure that all systems are protected by a centrally managed antivirus platform, ideally coupled with EDR capabilities that include behavioral assessment and threat-mitigation capabilities.

PRO-3 [Threat Monitoring, Mitigation & Reduction]
Ensure that network-based IDS/IPS solutions are in place to monitor traffic related to production assets for concerns or threats.

PRO-4 [Threat Monitoring, Mitigation & Reduction]
Access to backup servers and backup applications should require multi-factor authentication (including RDP access from internal networks).

PRO-5 [Threat Monitoring, Mitigation & Reduction]
Deploy host-based intrusion detection and prevention capabilities on high-risk/critical assets.

PRO-6 [Plan, Inventory & Process Maintenance]
Enforce periodic data retention procedures to remove data that is retained past its defined retention period, to reduce both risk and recovery effort.

PRO-7 [Threat Monitoring, Mitigation & Reduction]
Enforce egress controls to limit or prohibit direct outbound access for systems where there is no business or technical need for such connectivity.

PRO-8 [Threat Monitoring, Mitigation & Reduction]
Enforce strong segmentation and traffic filtering between higher-risk production assets handling sensitive data and other resources in the environment, limiting permitted traffic to the absolute minimum necessary.

PRO-9 [Threat Monitoring, Mitigation & Reduction]
Use a malicious-DNS blocking service for all external queries to minimize the threat of compromise from visiting known malicious sites, and to make command & control traffic less likely to succeed.

PRO-10 [Plan, Inventory & Process Maintenance]
Perform periodic reviews to ensure that only the minimum necessary access is permitted for exposed services, partner connections, and client VPN connections.

PRO-11 [Backup & Recovery Survivability]
Use unique accounts for on-disk data access and modification of backup data on backup infrastructure and services.

PRO-12 [Backup & Recovery Survivability]
Prohibit general user and administrative groups from accessing (let alone writing or modifying) data on volumes where backups are stored. This includes ensuring that domain administrator or equivalent access is limited.

PRO-13 [Backup & Recovery Survivability]
Take offline or unmount data volumes storing backup data when not in use.

PRO-14 [Backup & Recovery Survivability]
Backup infrastructure is segmented from general network access and does not present SMB/CIFS shares to networks (including administrative shares). This includes isolating network-based storage connectivity.

PRO-15 [Backup & Recovery Survivability]
Backups include point-in-time recovery options that span at least several weeks and months (a single, most-recent backup is generally not considered sufficient).

PRO-16 [Backup & Recovery Survivability]
Where possible, create backups by pulling from, rather than pushing to, backup/storage infrastructure, to limit access to backup infrastructure services.

PRO-17 [Backup & Recovery Survivability]
Configure volume shadow copies and other system-level controls, which may provide recovery options in some scenarios but should not be depended on (they are often targeted for deletion by malicious software).

PRO-18 [Backup & Recovery Survivability]
Vigilantly patch backup software and supporting operating systems, and protect them with an antivirus solution.

PRO-19 [Backup & Recovery Survivability]
Use snapshots of backup data and/or critical systems to supplement backups.

PRO-20 [Backup & Recovery Survivability]
Use off-site backups in some form, such as cloud or tape, to provide a last-resort recovery path for production data and data with defined retention requirements.

PRO-21 [Backup & Recovery Survivability]
Ensure that all off-site backups have sufficient controls in place to prevent unauthorized modification or removal in the event of control failures within the primary operating and backup environment.

PRO-22 [Backup & Recovery Survivability]
Store physical backup copies and archives in a secured facility with appropriate access controls, climate controls, and independence from primary storage facilities or personnel.

PRO-23 [Backup & Recovery Survivability]
Store cloud storage backups and/or replication data in a manner that completely separates logical controls and access from the primary environment. Access should be bound to a service layer over a secure transport, and storage must use a mechanism that provides time-based immutability of written data for at least 30 days. Technologies such as object storage with object locking can be used to meet this objective.

PRO-24 [Backup & Recovery Survivability]
Periodically inventory data for criticality and cross-check with current backup procedures to verify inclusion, on at least a monthly basis.

PRO-25 [Backup & Recovery Survivability]
Where backups are encrypted, maintain decryption keys in a secure location with no dependency on environment access, and ideally in multiple locations, with one location off-site.

PRO-26 [Backup & Recovery Survivability]
As with encryption keys, maintain a reasonable amount of "bootstrap" software and license key information in an isolated environment/location in order to support more rapid recovery in the event of a significant ransomware event.

PRO-27 [Backup & Recovery Survivability]
Depending on recovery time and recovery point objectives (RTOs and RPOs), ensure that an appropriate amount of cold spare infrastructure exists to better position the organization to tolerate adverse events. This is likely to include some amount of server, storage, and client compute capability.

DETECT

DET-1 [Threat Monitoring, Mitigation & Reduction]
Ensure that procedures exist for core security monitoring functions (critical system log reviews, vulnerability announcements, patch compliance, AV/EDR alerts, IDS/IPS alerts, backup failures, etc.), and that performance of those procedures is tracked.

DET-2 [Backup & Recovery Survivability]
Require that production backup failures create a ticket that requires human intervention to resolve.

DET-3 [Threat Monitoring, Mitigation & Reduction]
Perform full-network vulnerability scans to identify gaps in patch compliance at least monthly.

DET-4 [Backup & Recovery Survivability]
Ensure that alerts are configured for all access to critical backup service and data protection layers by interactive means (RDP, etc.).

DET-5 [Threat Monitoring, Mitigation & Reduction]
Ensure that ransomware-detection capabilities in particular generate mandatory rapid-response actions regardless of the source of the alert (IDS/IPS, AV/EDR, etc.), and generate a ticket.

RESPOND

RSP-1 [Plan, Inventory & Process Maintenance]
Ensure that there is an accurate and current incident response process that is distributed to essential team members and that has been practiced/drilled, ideally including a large-scale ransomware scenario.

RSP-2 [Plan, Inventory & Process Maintenance]
Document key contact information in a channel that is out of band from the environment the response would be for, in case it is needed during an incident.

RSP-3 [Plan, Inventory & Process Maintenance]
Define starting-point/reference structures for scalable response structures based on the National Incident Management System Incident Command System (NIMS ICS) structure as part of preparation efforts.

RSP-4 [Plan, Inventory & Process Maintenance]
Task a subset of likely incident response leaders and key participants with completion of the freely available NIMS ICS 100 and ICS 200 certifications to gain familiarity with NIMS ICS-based response methods.

RSP-5 [Plan, Inventory & Process Maintenance]
Prepare an incident "go bag" (or bags) for organizational incident response. Often supported by or based on an incident response kit, this should include online tools, services, or platforms that can facilitate improved incident response coordination, in addition to things such as Wi-Fi hotspots, two-way radios, or other suitable equipment based on incident response planning.

RSP-6 [Plan, Inventory & Process Maintenance]
Perform inventories and refreshes of prepared incident response support material (response kits, contact information, service readiness reviews, etc.) at least biannually.

RSP-7 [Backup & Recovery Survivability]
Pre-establish a lightweight secondary business communication service using separate domains, accounts, and passwords, i.e., completely separate from the production environment. This is advisable as a low-cost and quick-to-scale readiness method, but is dependent on organizational size, complexity, methods of work (local/remote), RTOs, and RPOs. For example, if an organization uses M365, this would mean creating a separate tenant with a different DNS domain. This environment would be used to coordinate recovery and restoration efforts. Inclusion of chat functionality such as Teams or Slack is advisable.

RECOVER

REC-1 [Backup & Recovery Survivability]
Ensure that backup recovery methods are tested at least quarterly, including both local and cloud recovery methods (as defined in disaster recovery and business continuity planning).
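PRO-21 and PRO-23 require that off-site and cloud backup copies cannot be modified or removed even after the primary environment's controls have failed, with time-based immutability of at least 30 days. The following is an added example, not part of the Rule4 tool, of checking an S3 bucket's Object Lock configuration against that requirement. It evaluates the dictionary that boto3's get_object_lock_configuration returns (the "ObjectLockConfiguration" member) together with the bucket's versioning status, so it runs offline on the constructed configurations embedded below; the bucket names and sample configurations are assumptions, and no AWS call is made.

```python
"""PRO-23 check: does a bucket's S3 Object Lock setup give written backup data
time-based immutability for at least 30 days, in a mode that survives loss of
the primary environment's credentials?  (Added example; not Rule4 code.)"""

MIN_IMMUTABLE_DAYS = 30


def lock_findings(lock_config, versioning_status="Enabled"):
    """Evaluate one bucket.

    lock_config: the 'ObjectLockConfiguration' dict from boto3's
        s3.get_object_lock_configuration(Bucket=...), or None if that call
        raised ObjectLockConfigurationNotFoundError.
    versioning_status: 'Status' from s3.get_bucket_versioning(Bucket=...)
        (the key is absent when versioning was never enabled; pass None then).
    Returns a list of findings; an empty list means the bucket meets PRO-23.
    """
    findings = []
    if versioning_status != "Enabled":
        # Object Lock only works on versioned buckets; without versioning an
        # overwrite replaces the backup instead of adding a locked version.
        findings.append("bucket versioning is not Enabled")
    if not lock_config or lock_config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings  # nothing below applies
    rule = lock_config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: each PUT must set its own "
                        "retention, so backup software that does not is unprotected")
        return findings
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(
            f"default retention mode is {mode}: GOVERNANCE retention can be "
            "shortened or removed by any principal holding "
            "s3:BypassGovernanceRetention, so it does not survive an "
            "administrator-credential compromise; COMPLIANCE cannot be shortened "
            "by anyone, including the account root, before it expires")
    # AWS expresses the period as Days or Years (one year counted as 365 days).
    days = rule.get("Days") or 365 * rule.get("Years", 0)
    if days < MIN_IMMUTABLE_DAYS:
        findings.append(f"default retention is {days} days; PRO-23 asks for at "
                        f"least {MIN_IMMUTABLE_DAYS}")
    return findings


def compliant_configuration(days=MIN_IMMUTABLE_DAYS):
    """Value to pass as ObjectLockConfiguration= to
    s3.put_object_lock_configuration(Bucket=...).  It governs only objects
    written after it is applied; existing objects keep their own retention."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}}}


# Constructed sample configurations (assumptions, not real buckets).
WEAK = {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}
BUCKETS = {
    "backups-legacy": (None, None),            # never versioned, no lock
    "backups-governance": (WEAK, "Enabled"),
    "backups-compliance": (compliant_configuration(), "Enabled"),
}


def audit(buckets=BUCKETS):
    """Map bucket name -> findings for every bucket in the inventory."""
    return {name: lock_findings(cfg, vers) for name, (cfg, vers) in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("   -", finding)
```

The GOVERNANCE finding is the one most often missed: the bucket looks locked, but the same IAM principal the attacker just took over can clear the retention before deleting the versions. Run the check from a separate account against the bucket inventory rather than from the backup server itself, since PRO-23 also requires that access to the copies not depend on the primary environment.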

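DET-4 asks for an alert on every interactive logon to the backup service layer. The following is an added example, not part of the Rule4 tool, of that detection logic run over Windows Security event 4624 (successful logon) records: it alerts on logon types 2 (Interactive), 10 (RemoteInteractive, which is RDP) and 11 (CachedInteractive) to hosts in the backup set, and raises the severity when the source address is outside the administrative jump network. Network logons (type 3), such as a backup client being pulled from, are deliberately not alerted on. The host names, the jump network and the sample events are constructed assumptions; the record keys follow the 4624 event's EventData names.

```python
"""DET-4 detection: alert on interactive logons to backup infrastructure,
from Windows Security event 4624 records.  (Added example; not Rule4 code.)"""
import ipaddress

# Assumed inventory: the backup servers, and the network administrators are
# expected to connect from (both would come from the IDN-1 inventory).
BACKUP_HOSTS = {"bkp-srv01", "bkp-srv02"}
ADMIN_JUMP_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# 4624 LogonType values that mean someone obtained a console or desktop
# session.  3 (Network), 4 (Batch) and 5 (Service) are left out so normal
# backup-agent traffic does not page anyone.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive (RDP)",
                           11: "CachedInteractive"}
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def _short_host(fqdn):
    return fqdn.split(".")[0].lower()


def _from_jump_network(ip_text):
    if ip_text in LOCAL_SOURCES:
        return False  # console or session-local logon: no network source to trust
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ADMIN_JUMP_NETS)


def interactive_backup_access(events):
    """Return one alert dict per qualifying 4624 event, in input order."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        host = _short_host(e["Computer"])
        if host not in BACKUP_HOSTS:
            continue
        logon_type = int(e["LogonType"])
        if logon_type not in INTERACTIVE_LOGON_TYPES:
            continue
        source = e.get("IpAddress", "-")
        alerts.append({
            "host": host,
            "user": f"{e.get('TargetDomainName', '')}\\{e['TargetUserName']}",
            "logon": INTERACTIVE_LOGON_TYPES[logon_type],
            "source": source,
            "time": e["TimeCreated"],
            # Every interactive logon is reported (DET-4); one from outside the
            # jump network is the case most likely to be an attacker.
            "severity": "medium" if _from_jump_network(source) else "high",
        })
    return alerts


# Constructed sample events (not real logs).  Keys mirror 4624 EventData names.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2021-06-01T02:14:05Z",
     "Computer": "bkp-srv01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "backupadm", "LogonType": "10", "IpAddress": "10.10.50.12"},
    {"EventID": 4624, "TimeCreated": "2021-06-01T02:15:40Z",
     "Computer": "bkp-srv01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": "3", "IpAddress": "10.20.1.5"},
    {"EventID": 4624, "TimeCreated": "2021-06-01T03:02:11Z",
     "Computer": "bkp-srv02.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.20.7.44"},
    {"EventID": 4624, "TimeCreated": "2021-06-01T03:05:00Z",
     "Computer": "fs01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.20.7.44"},
    {"EventID": 4624, "TimeCreated": "2021-06-01T03:30:27Z",
     "Computer": "bkp-srv01.corp.example", "TargetDomainName": "BKP-SRV01",
     "TargetUserName": "Administrator", "LogonType": "2", "IpAddress": "-"},
    {"EventID": 4634, "TimeCreated": "2021-06-01T03:31:00Z",
     "Computer": "bkp-srv01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "LogonType": "10"},
]

if __name__ == "__main__":
    for a in interactive_backup_access(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["time"], a["host"], a["user"],
              a["logon"], "from", a["source"])
```

On the constructed events this raises three alerts: the RDP session from the jump network (medium), the RDP session from a workstation subnet (high), and the local console logon as the built-in Administrator (high). The rule depends on 4624 events actually reaching the collector, so pair it with an alert on the backup hosts going silent; an attacker who has reached the backup server will often stop the forwarder first.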
Rule4 Ransomware Readiness Tool

Overview

This tool is intended to serve as a guide to general ransomware readiness by providing grade-based assessments on a scale specifically developed for this tool. Controls are referenced in relation to the NIST Cybersecurity Framework (CSF) functions, but are not intended to be explicit mappings to the CSF. The Control ID, Control Type, and Control Detail columns provide a set of controls that, when operated at a high level of maturity, should help to greatly reduce both the likelihood and impact of a ransomware event. Controls are classified as one of three general types, which are:

- Plan, Inventory & Process Maintenance: Controls and mechanisms to reduce ransomware risk tied to preparation and planning
- Threat Monitoring, Mitigation & Reduction: Controls intended to reduce or identify and react to threats common to ransomware
- Backup & Recovery Survivability: Controls that are closely coupled with backup solution design and operation to reduce ransomware risk

It is suggested this tool be used as a starting point for organizations, and that they perform their own risk rating and adjustments if deemed appropriate relative to their environment. To use the tool, simply score each yellow cell in the yellow Control Status column (E).

Attribution

© 2021 Rule4, Inc. All rights reserved.

Redistribution and use, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions must retain the above copyright notice, this list of conditions, and the following disclaimer: "THIS TOOL IS PROVIDED BY RULE4 AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RULE4 BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS TOOL, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE."
2. All advertising materials mentioning features or use of this tool must display the following acknowledgement: "This product includes a tool developed by Rule4."
3. Neither the name of Rule4 nor the names of its contributors may be used to endorse or promote products derived from this tool without specific prior written permission.

Charts

The workbook's three chart objects did not survive the export; their titles and axes were:

- Radar chart "Ransomware Readiness, NIST CSF Function-Mapped, Custom Grade Scale": one axis per CSF function (Identify, Protect, Detect, Respond, Recover), scale 0.0 to 4.0.
- Sunburst chart "Ransomware Readiness Functional Area Grade Breakdown": count of controls at each grade (A, B, C, D, F) per function.
- Column chart "Ransomware Readiness": count of controls at each grade (A, B, C, D, F) per control type, vertical axis 0 to 25.

The data each chart is drawn from follows.
Grade Scale

Control Status                              Grade  Score
Critical Coverage Gaps / No Capabilities    F      0
Limited Coverage / Few Capabilities         D      1
Moderate Coverage / Some Capabilities       C      2
High Coverage / Good Capabilities           B      3
Complete Coverage / Strong Capabilities     A      4

Chart Data (all controls at the template default status)

Radar Chart: function score (0 to 4.0) and grade
Identify   0.0  F   Grade: F (0/4.0)
Protect    0.0  F   Grade: F (0/4.0)
Detect     0.0  F   Grade: F (0/4.0)
Respond    0.0  F   Grade: F (0/4.0)
Recover    0.0  F   Grade: F (0/4.0)

Sunburst Chart: number of controls at each grade, per function
Function   A  B  C  D  F   Controls
Identify   0  0  0  0  6   IDN-*
Protect    0  0  0  0  27  PRO-*
Detect     0  0  0  0  5   DET-*
Respond    0  0  0  0  7   RSP-*
Recover    0  0  0  0  1   REC-*

Column Chart: number of controls at each grade, per control type
Control Type                               A  B  C  D  F   Total
Backup & Recovery Survivability            0  0  0  0  21  21
Plan, Inventory & Process Maintenance      0  0  0  0  14  14
Threat Monitoring, Mitigation & Reduction  0  0  0  0  11  11
Totals                                     0  0  0  0  46  46
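The Control Grade and Function Grade columns and the three chart data tables above all derive from the 46 Control Status cells. As an added example (not the workbook's own formulas, which do not survive the export), the following re-implements that roll-up: it holds each control's function and type, maps a status to its score on the Grade Scale, averages scores per function for the radar chart, and counts controls per grade by function (sunburst) and by control type (column chart). One assumption is labelled in the code: how an averaged function score becomes a letter, which the export does not show.

```python
"""Roll-up of the Rule4 Ransomware Readiness Tool worksheet: status cells ->
function scores, plus the grade counts the three charts are drawn from.
(Added example; the workbook's own formulas are not visible in the export.)"""
from collections import Counter

STATUS_SCORE = {
    "Critical Coverage Gaps / No Capabilities": 0,
    "Limited Coverage / Few Capabilities": 1,
    "Moderate Coverage / Some Capabilities": 2,
    "High Coverage / Good Capabilities": 3,
    "Complete Coverage / Strong Capabilities": 4,
}
SCORE_LETTER = {0: "F", 1: "D", 2: "C", 3: "B", 4: "A"}
DEFAULT_STATUS = "Critical Coverage Gaps / No Capabilities"  # template default

TYPE_NAMES = {
    "P": "Plan, Inventory & Process Maintenance",
    "T": "Threat Monitoring, Mitigation & Reduction",
    "B": "Backup & Recovery Survivability",
}
# (function, ID prefix, one type code per control in ID order), transcribed
# from the worksheet: e.g. PRO-1 is P, PRO-2..5 are T, PRO-11..27 are B.
FUNCTION_LAYOUT = [
    ("Identify", "IDN", "PPPPTP"),
    ("Protect",  "PRO", "PTTTTPTTTP" + "B" * 17),
    ("Detect",   "DET", "TBTBT"),
    ("Respond",  "RSP", "PPPPPPB"),
    ("Recover",  "REC", "B"),
]
CONTROLS = {f"{prefix}-{n}": (function, TYPE_NAMES[code])
            for function, prefix, codes in FUNCTION_LAYOUT
            for n, code in enumerate(codes, start=1)}


def letter_for_average(avg):
    # Assumption: the workbook's rule for turning an averaged function score
    # into a letter is not visible in the export; nearest whole score is used.
    return SCORE_LETTER[int(avg + 0.5)]


def score_worksheet(statuses):
    """statuses: {control_id: Control Status text}.  Unscored controls keep the
    template default, as in the exported sheet.  Unknown IDs are an error."""
    unknown = set(statuses) - set(CONTROLS)
    if unknown:
        raise ValueError(f"not in the worksheet: {sorted(unknown)}")
    scores = {cid: STATUS_SCORE[statuses.get(cid, DEFAULT_STATUS)] for cid in CONTROLS}
    per_function = {}
    for function, _, _ in FUNCTION_LAYOUT:
        vals = [s for cid, s in scores.items() if CONTROLS[cid][0] == function]
        avg = sum(vals) / len(vals)
        per_function[function] = (round(avg, 1), letter_for_average(avg))
    return {
        "control_grades": {cid: SCORE_LETTER[s] for cid, s in scores.items()},
        "function_grades": per_function,  # radar chart
        "by_function": Counter((CONTROLS[c][0], SCORE_LETTER[s])
                               for c, s in scores.items()),  # sunburst chart
        "by_type": Counter((CONTROLS[c][1], SCORE_LETTER[s])
                           for c, s in scores.items()),  # column chart
    }


def weakest(statuses, control_type="Backup & Recovery Survivability", grade="F"):
    """IDs of one control type still at a given grade: the remediation list."""
    grades = score_worksheet(statuses)["control_grades"]
    return [cid for cid, g in grades.items()
            if g == grade and CONTROLS[cid][1] == control_type]


if __name__ == "__main__":
    # Constructed example scoring: Identify fully covered, two backup controls partly.
    sample = {f"IDN-{i}": "Complete Coverage / Strong Capabilities" for i in range(1, 7)}
    sample.update({"PRO-23": "High Coverage / Good Capabilities",
                   "PRO-20": "Moderate Coverage / Some Capabilities"})
    result = score_worksheet(sample)
    for function, (avg, letter) in result["function_grades"].items():
        print(f"{function:8s} {avg:.1f} {letter}")
    print("backup controls still at F:", len(weakest(sample)))
```

With every status left at the default the function reproduces the tables above exactly (21/14/11 controls at F by type, 6/27/5/7/1 by function). Because Protect carries 27 of the 46 controls and 17 of those are Backup & Recovery Survivability, a single A in Identify moves the radar chart far more than the same effort spent on one backup control; the weakest() list is the better guide to what actually shortens a ransomware recovery.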
