The first step in using the Ransomware Control Matrix (RCX) is to assess your organization's cyber risk profile. In this guide, your cyber risk profile means the ransomware risk your organization currently carries, measured against the level of risk it is willing to tolerate.
There are several ways an organization can establish its current cyber risk profile. One is a cybersecurity risk assessment: identify and analyze internal and external risks, document the likelihood and impact of threat events in cybersecurity risk registers that feed an enterprise risk profile, and prioritize and communicate the enterprise's cybersecurity risk response and monitoring (see NIST's guidance at https://www.nist.gov/publications/identifying-and-estimating-cybersecurity-risk-enterprise-risk-management).
The RCX is designed to help you identify and mitigate risks associated with ransomware. By comparing your existing security controls with those recommended by the RCX, you can quickly identify any gaps and prioritize areas for improvement.
Once an organization has identified its risk profile and inventoried its security controls, it can assess the maturity of the recommended controls it has deployed. The RCX provides a detailed list of controls for each level (Foundational, Advanced, and Elite) to guide that assessment.
RCX is intended to be a living document that an organization can use to guide its ongoing security efforts. An organization should regularly monitor and update its security controls to ensure that they remain effective and aligned with the latest ransomware threat landscape.
To conduct a quick self-assessment using the RCX, allocate no more than two minutes per security control. Each control has a field where you record one of three answers: "Y" (Yes), "N" (No), or "?" (Need more information).
For each control, first ask: "Is this control deployed across my organization?" If the answer is no, select "N" and move on to the next control.
If the answer is yes, ask the second part of the question: "Do I know everything about this control?" That is: do I have a network diagram showing where it is deployed; do I know its current configuration, or where to get that information quickly; do I know the current OS of the device; do I know who has access to it; and so on. These questions let you judge quickly whether the control sits at a maturity level (in CMMI terms) that you find acceptable. If you can answer them with confidence, select "Y"; otherwise select "?" to flag the control for a focused assessment aimed at raising its maturity.
Keep to the two-minute budget per control. If you find yourself in an internal debate about a specific control, mark it "?" and move on.
Once you have completed the assessment, review the results to gain insights into your organization's maturity posture to defend against a ransomware attack.
A control marked "Y" means you are confident your organization has implemented the recommended control effectively. A control marked "N" is a gap; it is up to you and your organization to decide whether compensating controls cover it or whether its implementation needs to be prioritized. A control marked "?" requires attention: these are the controls on which you need to gather more information and improve maturity so that the answer can move from "?" to "Y".
You are the CISO, and you are building the cybersecurity strategy you will present to the BOD for budget approval. With the RCX you can conduct a tightly focused assessment of 84 controls specific to ransomware detection and mitigation capabilities.
The CISO schedules a work session with their team to go over the “Foundational” and “Advanced” controls of the RCX. The team begins with the first controls in the “Foundational” category:
This is a simple but very effective set of questions, and it covers only the first control; there are 25 more controls in "Foundational".
At the end of the session (or sessions, depending on how much discussion the workshop generates), the CISO and their team will have a detailed picture of their current posture at the "Foundational" level.
What information can you gather from this workshop:
You can now create a good strategy road map to present to the BOD or your management:
You are the new CISO, and you are working to understand the cybersecurity program you have inherited. Instead of starting with a thorough assessment (which you should still conduct at some point), you can use the RCX as a focused way to rapidly gain an understanding of your organization's cybersecurity capabilities.
You ask your team to work through the RCX and report on each control. In less than a week you have a report that gives you essential information about your organization's cybersecurity program and lets you create your "First 100 days" plan, which sets your vision and strategy going forward.
As previously stated, this is the information you can use to create your 100-day plan:
You can now create a good strategy road map to present to your team and upper management:
You are the CISO of a company in a particular industry, and CISA.GOV has just issued an alert to stay watchful for a new ransomware family that targets your industry and uses phishing to deploy the ransomware.
You gather your team and use the RCX to focus on the controls identified to detect and mitigate phishing attacks: filter on the T1566 column (T1566 is the MITRE ATT&CK technique ID for Phishing) in the Ransomware Control Matrix spreadsheet provided in the resources.
The RCX identifies 43 controls that address phishing attacks. You follow the same steps as in Use Case 1 above and collect the information for each control.
At the end of the exercise, you and your team will have a better understanding of your current detection and mitigation capabilities specific to Phishing attacks.
You can provide the report to upper management with current cybersecurity posture and recommendations on how to mitigate risks associated with this new ransomware family that is affecting your industry.
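As an added example (not part of the RCX or its resources), the following Python script models the two workshop steps described above: it tallies the Y / N / ? answers per level as in the two-minute self-assessment, and it filters controls by an ATT&CK technique column as in Use Case 3. It assumes a CSV export of the matrix with columns named Control, Level and Answer plus one column per technique ID such as T1566; the real spreadsheet's column names may differ, and the sample rows and control names are constructed for this example and are not the RCX's controls.

```python
"""Tally an RCX-style Y/N/? self-assessment and filter it by ATT&CK technique.

Added example, not the RCX project's own code. It ASSUMES a CSV export of the
matrix with one row per control, a "Control" name column, a "Level" column
(Foundational / Advanced / Elite), one column per ATT&CK technique ID (e.g.
"T1566") holding a non-blank mark when the control maps to that technique,
and an "Answer" column carrying the Y / N / ? result. The real spreadsheet's
column names and layout may differ; adjust the constants below to match.
"""
import csv
import io
from collections import Counter, defaultdict

LEVEL_COL, CONTROL_COL, ANSWER_COL = "Level", "Control", "Answer"
VALID_ANSWERS = {"Y", "N", "?"}

# Constructed sample data: control names and technique mappings are made up
# for this example and are not taken from the RCX.
SAMPLE_CSV = """Control,Level,T1566,T1078,Answer
MFA for remote access,Foundational,x,x,Y
Email attachment sandboxing,Foundational,x,,?
Offline immutable backups,Foundational,,,Y
Phishing awareness exercises,Foundational,x,,N
EDR with behavioural blocking,Advanced,x,x,Y
Privileged access workstations,Advanced,,x,?
Deception / canary files,Elite,,,N
"""


def load_matrix(text):
    """Parse the CSV and normalise answers; reject anything outside Y/N/?.

    A blank answer is deliberately an error: an unassessed control must not
    silently count as a pass or as a gap.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        answer = row[ANSWER_COL].strip().upper()
        if answer not in VALID_ANSWERS:
            raise ValueError(
                f"{row[CONTROL_COL]!r}: answer {row[ANSWER_COL]!r} is not Y, N or ?"
            )
        row[ANSWER_COL] = answer
    return rows


def filter_by_technique(rows, technique):
    """Keep only controls mapped to the given ATT&CK technique column."""
    if rows and technique not in rows[0]:
        raise KeyError(f"no column {technique!r} in the matrix export")
    return [row for row in rows if row.get(technique, "").strip()]


def tally(rows):
    """Count Y / N / ? answers per RCX level -> {level: Counter}."""
    counts = defaultdict(Counter)
    for row in rows:
        counts[row[LEVEL_COL]][row[ANSWER_COL]] += 1
    return dict(counts)


def focus_list(rows):
    """Split out the gaps (N) and the controls needing a focused review (?)."""
    return {
        "gaps": [r[CONTROL_COL] for r in rows if r[ANSWER_COL] == "N"],
        "needs_review": [r[CONTROL_COL] for r in rows if r[ANSWER_COL] == "?"],
    }


def coverage(rows):
    """Share of assessed controls answered Y, rounded to two decimals."""
    if not rows:
        return 0.0
    return round(sum(r[ANSWER_COL] == "Y" for r in rows) / len(rows), 2)


def report(text, technique=None):
    """Run the whole workflow; technique=None gives the full-matrix view."""
    rows = load_matrix(text)
    if technique:
        rows = filter_by_technique(rows, technique)
    return {
        "controls": len(rows),
        "coverage": coverage(rows),
        "by_level": tally(rows),
        **focus_list(rows),
    }


if __name__ == "__main__":
    for label, tech in (("Full matrix", None), ("T1566 Phishing subset", "T1566")):
        result = report(SAMPLE_CSV, tech)
        print(f"{label}: {result['controls']} controls, "
              f"{result['coverage']:.0%} answered Y")
        for level, c in result["by_level"].items():
            print(f"  {level:<13} Y={c['Y']} N={c['N']} ?={c['?']}")
        print("  gaps:", result["gaps"])
        print("  needs review:", result["needs_review"])
```

Run it against the constructed sample and the T1566 view drops to the four phishing-mapped controls, with the "N" and "?" lists giving the gap and focused-review items to carry into the management report. Point `report()` at a real export of the spreadsheet and change the column constants if its headers differ; the validation in `load_matrix()` will surface any control the team skipped.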
Use the RCX as an ongoing reference for your organization's security efforts. Regularly review and update your security controls so they remain effective and aligned with the evolving ransomware threat landscape, stay informed about new ransomware trends, and adjust your control implementation accordingly. Continuous monitoring and improvement of your security measures will contribute to a more resilient defense against ransomware attacks.
By following these steps and acting on the insights the RCX provides, you can strengthen your organization's defense against ransomware and reduce the associated risk. Implement and improve the recommended controls proactively, and reassess and update your security posture regularly to stay ahead of emerging threats. The RCX is a practical tool for protecting your organization against the changing landscape of ransomware attacks.