Norea Ransomware Control Framework
After seeing one too many news reports in the Netherlands and internationally on ransomware attacks, we felt compelled to create a control framework that could help protect organizations against this increasingly dire cyber threat. We were motivated not just by concern for the massive devastation that ransomware has the potential to cause, but also by the reality that no such control framework yet existed. The framework we developed selects the most relevant controls organizations can take to boost their defenses against ransomware and their responses to an attack. Its goal is to help organizations protect themselves, their customers or end users, and ultimately society as a whole. As we learned from our research, the complexity of ransomware attacks is growing drastically within very short timespans. Meanwhile, our hope for a safer digital world has gained even more urgency as the past few years have shown that for the vital industries, the impact has transcended any individual organization. Security incidents affecting hospitals, grocery stores, financial institutions, and mail delivery have the potential to cause, at best, chaos, and, in worst-case scenarios, destruction to lives and livelihoods.
Accordingly, digital resilience has received greater attention over the past few years. The European Union introduced the Digital Operational Resilience Act (DORA), a regulation that entered into force in early 2023 and will become mandatory from early 2025 to better protect society’s dealings in the financial sector. Another major law that entered into force in early 2023 is the NIS2 Directive, which succeeds the Network and Information Security Directive (NIS) to strengthen cybersecurity across the EU. A notable difference between NIS2 and NIS is the large expansion of the scope to 16 sectors: food, pharmaceuticals, healthcare, telecommunications, digital service providers, water suppliers, and postal and courier services now newly fall in the scope of the directive. These new laws reflect the seriousness of security breaches and their highly disruptive power, which we are only seeing more and more of globally.
To contextualize the technological and social climates in which ransomware has taken hold, to share insights and guidance from interviews we held with IT experts, and to explain why we chose particular controls, we decided to present our framework via this white paper. For readers seeking present-day and background information about ransomware, it may be useful to read the paper in full. For those eager to start applying the controls, focusing on the contents of chapter 3 and the framework itself, presented in section 3.4, will suffice.
The NOREA Ransomware Framework is published as an open source tool because we want to keep improving the selection and application of controls. Writing this in early 2023, we want to enable the framework to evolve with the same efficiency and sophistication that we’re observing in waves of ransomware attacks. We therefore invite interaction, shared experiences, and feedback from interested parties or individuals, particularly those from the vital industries, as we all aim to keep ransomware in control.
From the authors,
Sandeep Gangaram Panday
Leon Zwakenberg
Framework maintenance
The NOREA Ransomware Framework presented in the next chapter is groundbreaking because it is the first of its kind to be created and freely disseminated. However, we see it as just one step in the ongoing journey to combat this global cyber threat. The control framework addresses the current state of ransomware and world affairs as best as possible. Yet, we acknowledge that no control framework can ever be considered complete or finished. Technology keeps evolving. Alas, cyberattack tactics and techniques do too.
Because our aim is to maintain and continuously enhance this framework, we are publishing it as an open source tool. We invite security experts, IT professionals, and anyone else interested in or affected by ransomware to share experiences, ideas, and strategies for how organizations can better prevent attacks and protect themselves.
While a condensed table of our framework is embedded in this document, the full version has been made available via GitHub. We formatted the file in Excel because it is user-friendly and easy to edit. Take a look, download the file, and contribute to keeping it relevant and rigorous. We welcome your comments and feedback.
License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).
To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).