Author Ed Rojas
In the previous blog, The Ransomware Control Matrix: Introducing a New Framework, we provided a history of how and why the RCX was created.
In this blog, we will provide guidelines on how to use the RCX and present a few use cases as a starting point.
Please leave us your comments. Would love to know how you are using the RCX at your organization.
Step 1: Understand Your Risk Profile
The first step in using the Ransomware Control Matrix (RCX) is to assess your organization's cyber risk profile. Your cyber risk profile refers to the level of acceptable risk your organization is willing to tolerate when it comes to ransomware attacks.
There are several ways organizations can find their current cyber risk profile. One way is to perform a cybersecurity risk assessment. This involves identifying and analyzing all internal and external risks, documenting the likelihood and impact of various threat events through cybersecurity risk registers integrated into an enterprise risk profile, and prioritizing and communicating enterprise cybersecurity risk response and monitoring (https://www.nist.gov/publications/identifying-and-estimating-cybersecurity-risk-enterprise-risk-management)
The RCX is designed to help you identify and mitigate risks associated with ransomware. By comparing your existing security controls with those recommended by the RCX, you can quickly identify any gaps and prioritize areas for improvement.
Step 2: Assess the Maturity of Controls
Once you have determined your cyber risk profile and inventoried your security controls, you can begin assessing the maturity of the recommended controls that have been deployed. The RCX provides a detailed list of controls for each level (Foundational, Advanced, and Elite) to guide your assessment efforts. It is important to note that the RCX is a living document, and you should regularly monitor and update your security controls to ensure they remain effective and aligned with the latest ransomware threat landscape. To conduct a quick self-assessment using the RCX, refer to rcxmatrix.org and allocate no more than one minute per security control. There is a section where you can fill in an answer for each control: “Y” (Yes), “N” (No), “?” (Need more information).
Answer the following first part of the question for each control: "Is this control deployed across my organization”. If the answer is no, select “N” from the options presented and move on to the next control.
If the answer is “Y”, then proceed to the second part of the question: “Do I know everything about this control”. That is, do I have a network diagram showing me where this control is deployed; do I know what the latest configuration is or where to go to get this information quickly; do I know the current OS of the device; do I know who has access to it, etc. These are questions that help you quickly assess if you have a control that is at a CMMI level of 3 or higher. If you are confident answering these questions, then select "Y" for Yes, otherwise select "?" to identify this control as one you need to conduct a focused assessment on to improve its CMMI level. Please note it should only take less than 1 minute of your time per control. If you find yourself having an internal debate about a specific control, it is advisable to mark it with a "?".
Once you have completed the assessment, review the results to gain insights into your organization's maturity posture to defend against a ransomware attack.
All controls marked with a "Y," means you are very confident your organization has implemented the recommended controls effectively. Any controls marked with "N" means there is a gap, and it is up to you and your organization to determine if there are compensating controls or if you do need to prioritize the implementation of these controls. For controls marked with "?," it indicates areas that require attention. These are the controls you will need to focus on to gather more information and to improve their current maturity posture so you can update the answer from “?” to “Y”. Use Case 1 – Cybersecurity Strategy
You are the CISO, and you are working on creating your cybersecurity strategy to present to the BOD for budget approval.
By using the RCX, you can conduct a very focused assessment on 84 controls specific to Ransomware detection and mitigation capabilities.
The CISO schedules a work session with their team to go over the “Foundational” and “Advanced” controls of the RCX.
The team begins with the first controls in the “Foundational” category:
Web Application Firewalls (WAF):
CISO to the team:
What do we know about this control. Do we know where they’ve been deployed?
Do we know what they are protecting, how they are configured?
Do we know who owns this control? Who has access to the control?
Do we know the procedure for making changes to the configuration? Do we get notified when changes are made?
Simple but very effective set of questions. This is just for the first control. There are 27 more controls in “Foundational”.
At the end of the session, or sessions depending on the level of conversation generated by this workshop, the CISO and their team will have a detailed picture of their current posture from the “Foundational” perspective.
Now, it has become interesting. What information can you gather from this workshop:
Identify your gap: Count the number of rows with “N”. These are controls you don’t have installed. You need to determine if you have compensating controls withing Foundational or in Advanced. For example, you identified you don’t have 2FA, but you do have MFA in Advanced. Therefore, you do have a compensating control, so you don’t need to worry about the gap of 2FA not installed.
Focused assessments: Count the number of rows with “?”. These are the controls you need your team to focus on. These are the controls that are not well known firsthand, and you need to change that. Part of a mature cybersecurity program is knowing everything about each of the controls deployed. You could even use this information to receive a quote from your consulting partner. Instead of them doing a NIST CSF assessment on 100s of controls, they can provide you with a very focused NIST CSF assessment on fewer controls. Saves you time, effort, and costs.
Maturity posture: Count the number of rows with “Y”. These are the controls you feel good about. Divide this number by 28 for the Foundational category (there are 28 controls in Foundational) and multiply by 100. This is your current maturity posture at the Foundational level against ransomware attacks. This is by no means an accurate measurement, but it does provide you with information about your cybersecurity program based on your current knowledge of the cybersecurity controls deployed.
You can now create a good strategy road map to present to the BOD or your management:
Current maturity posture.
Identified gaps and recommendations.
Actionable road map on activities to improve your current maturity posture against ransomware (results of your focused assessments
Use Case 2 – New CISO understanding what they inherited.
You are the new CISO, and you are working on understanding the cybersecurity program you have inherited. Instead of conducting a thorough assessment (which is still recommended you do at some point), you can use the RCX to provide a focused approach to rapidly gain an understanding of your organization’s cybersecurity capabilities.
You ask your team to go over the RCX Matrix and provide you with information about each of the controls. In less than a week you have a report that provides you with very important information about your organization’s cybersecurity program and allows you to create your “First 100 days plan” that sets your vision and strategy moving forward.
As previously stated, this is the information you can use to create your 100-day plan:
Identify your gap: Count the number of rows with “N”. These are controls you don’t have installed. You need to determine if you have compensating controls withing Foundational or in Advanced. You will need to create a strategy on how to reduce the risk because of those identified gaps.
Focused assessments: Count the number of rows with “?”. These are the controls you need your team to focus on. These are the controls that are not well known firsthand, and you need to change that. Part of a mature cybersecurity program is knowing everything about each of the controls deployed. You could even use this information to receive a quote from your consulting partner. Instead of them doing a NIST CSF assessment on 100s of controls, they can provide you with a very focused NIST CSF assessment on fewer controls. Saves you time, effort, and costs.
Maturity posture: Count the number of rows with “Y”. These are the controls you feel good about. Divide this number by 28 for the Foundational category (there are 28 controls in Foundational) and multiply by 100. This is your current mature posture at the Foundational level against ransomware attacks. This is by no means an accurate measurement, but it does provide you with a realistic insight into your cybersecurity program based on your current knowledge of the cybersecurity controls deployed.
You can now create a good strategy road map to present to your team and upper management:
Current maturity posture.
Identified gaps and recommendations.
Actionable road map on activities to improve your current maturity posture against ransomware (results of your focused assessments)
Use Case 3 – Need to determine how susceptible you are to a specific type of ransomware attack.
You are the CISO of a company in a certain industry, and CISA.GOV just issued a directive to stay alert for a new ransomware family that is focusing on your industry using Phishing attacks to deploy the ransomware.
You gather your team and use the RCX to focus on those controls that have been identified to detect and mitigate Phishing attacks. (See figure below).
There are a total of 43 controls identified by RCX to deal with Phishing attacks.
You go through the same steps as Use Case 1 above and collect the information for each control.
At the end of the exercise, you and your team will have a better understanding of your current detection and mitigation capabilities specific to Phishing attacks.
You can provide the report to upper management with current cybersecurity posture and recommendations on how to mitigate risks associated with this new ransomware family that is affecting your industry.
Utilize the RCX as an ongoing reference tool for your organization's security efforts. Regularly review and update your security controls to ensure they remain effective and aligned with the evolving ransomware threat landscape. Stay informed about new ransomware trends and adjust your control implementation accordingly. Continuously monitoring and enhancing your security measures will contribute to a more resilient defense against ransomware attacks.
By following these steps and leveraging the insights provided by the RCX, you can strengthen your organization's defense against ransomware and minimize the associated risks. Take proactive measures to implement and improve the recommended controls, and regularly assess and update your security posture to stay ahead of emerging threats. The RCX is a valuable tool that empowers you to protect your organization from the ever-evolving landscape of ransomware attacks.
About the author: Ed Rojas is an accomplished technology leader with over 30 years of experience in data networking and information security. With a talent for designing new technologies, developing business strategies, and introducing products to new markets, Ed has a proven track record of success. He is the creator of the Ransomware Control Matrix (RCX), a framework that assesses an organization's security posture and identifies areas for improvement to detect and mitigate ransomware attacks. Ed has founded Tactical Edge, which hosts infosec events in Latin America.