Author Ed Rojas
As cyber attacks continue to threaten organizations of all sizes, my colleague Aria Rahimi and I recognized the need for a framework that focuses on preventing ransomware attacks. Our objective was to identify a specific set of controls that would detect and mitigate ransomware attacks. We discovered that most existing services in the market primarily focus on an organization's ability to recover from a ransomware attack, more specifically, dealing with technical controls like backup and restore, data recovery, and resiliency. After conducting extensive research, we identified a set of controls that would help organizations prevent a ransomware attack and developed the RCX Matrix. This blog will explore the process we took to develop the RCX Matrix, our findings on ransomware techniques and attack methods, and how the RCX Matrix has proven to be a valuable resource for many organizations.
To create this framework, we researched industry recommendations for the minimum set of controls required to deal with ransomware. We reviewed multiple documents on ransomware on cisa.gov and other industry reports or news on the topic. We also read articles that outlined how to avoid becoming a ransomware victim and expected them to list controls like the top CIS 20. However, we were surprised to find no industry recommendations on this topic.
As we researched articles on preventing ransomware attacks, we discovered that about 90% of the articles we read were clickbait. For example, they typically recommend using multi-factor authentication without providing specific prevention controls. We realized that these articles quickly went back into discussing recovery processes like having a good backup and restore solution or incident response plans, which was not our focus.
During our research, we were able to identify a specific set of controls, such as web filtering, anti-phishing, multi-factor authentication, two-factor authentication, and security awareness. With these controls as our starting point, we began developing the framework.
Our investigation into ransomware attacks involved identifying the techniques and tactics that cybercriminals use, as well as reviewing specific reports on different types of attacks. We found that phishing was the most common technique used to initiate a ransomware attack, along with social engineering. We also identified other techniques, such as Drive-by Compromise and External Remote Systems for example. We acknowledged that these attack vectors are difficult to defend against using a single control and that several controls working together will provide a good defensive solution.
We reviewed the MITRE ATT&CK framework, specifically focusing on the Initial Access phase, to identify the initial attack techniques used by each ransomware family. The framework lists nine well-known techniques, seven of which we chose to concentrate on.
After identifying the attack techniques, we needed to identify the controls required to mitigate them. We identified the MITRE D3FEND framework as the best resource for this purpose. Peter Kaloroumakis and his team had already identified the mitigating controls that need to be in place to map against each of the MITRE ATT&CK Initial Access techniques. We used this information to create the first version of the RCX Matrix, which mapped cybersecurity countermeasures to each technique that they help mitigate.
Once we completed the RCX Matrix, which identified 84 controls needed to detect and mitigate a ransomware attack as early as possible, we sought to validate it. We made sure to prioritize the readability and accessibility of our framework and aimed to make it easy to use, digestible, and actionable, without losing the technical precision required for such a project.
We presented it to colleagues whose opinions we valued and respected, receiving valuable feedback that helped us improve it. We also contacted 40-60 CISOs to validate the RCX Matrix and incorporate their feedback. Some of the suggestions included grouping the controls into basic and advanced categories and identifying which controls were detection or mitigation controls. After some work, we arrived at the current version of the Ransomware Control Matrix.
Our efforts to develop the RCX Matrix have paid off, with rcxmatrix.org seeing over 55k visitors in one month. Over 2k people have used the tool online, and over 1k have downloaded the RCX Matrix spreadsheet. We are pleased that our framework has proven to be a valuable resource for so many and will continue to update and improve it as needed.
About the author: Ed Rojas is an accomplished technology leader with over 30 years of experience in data networking and information security. With a talent for designing new technologies, developing business strategies, and introducing products to new markets, Ed has a proven track record of success. He is the creator of the Ransomware Control Matrix (RCX), a framework that assesses an organization's security posture and identifies areas for improvement to detect and mitigate ransomware attacks. Ed has founded Tactical Edge, which hosts infosec events in Latin America.