Inside MIT's New Ransomware Readiness Index

MIT’s Internet Policy Research Initiative (IPRI) has formulated a Ransomware Readiness Index (RRI) that tracks the progress of organizations and municipalities in adopting measures to tackle ransomware. It will be helpful to explain why MIT has decided to develop the RRI and what it entails.

Threat actors are using increasingly sophisticated tactics for carrying out ransomware attacks. This, combined with an expansion of internet-connected assets and a thriving cryptocurrency system, has made the threat of ransomware both within the US and abroad a significant issue.

High-profile ransomware attacks on healthcare firms, tech giants, local municipalities, and energy infrastructure have led policymakers and industry leaders to prioritize this cybersecurity issue. To help curb this threat, the Biden Administration issued security controls guidance tailored to ransomware in the spring of this year. 

Protection against ransomware comes in many different forms, such as investment in new technologies, updating security practices, and drafting new US policies. However, all of these solutions require a foundation that is lacking: accurate and timely cybersecurity risk data. This is why MIT was motivated to develop the RRI, as this index will provide meaningful metrics that track enterprise-wide progress against ransomware attacks.

How the RRI Works

The RRI will provide an aggregate look at organizations’ security readiness and level of risk in the context of ransomware. To create this view, controls data will be collected across a diverse set of public and private sector participants through MIT CSAIL’s multi-party computation platform SCRAM (Secure Cyber Risk Aggregation and Measurement). 

SCRAM produces results only in aggregated form, carrying out its computations on encrypted data collected from the participating stakeholders. Because no party sees another participant's individual inputs, the data stays anonymous, so participating organizations can take part knowing that their sensitive data won't be compromised.

Through an extensive independent review and analysis, MIT policy and cybersecurity researchers have defined and codified ransomware controls. The 10 ransomware control categories are:

  • Multi-factor authentication
  • Encryption
  • Training
  • Patching
  • Check the work
  • Endpoint detection and response
  • Empowerment
  • Backup
  • Incident response
  • Segmentation

These controls are grounded in the guidance of the White House Executive Order (EO) and the related White House Memo on ransomware issued in Spring 2021. Participating entities will be asked to rate their organization's level of adoption across this specific set of ransomware-related controls. These ratings will be aggregated via SCRAM, and the result is the RRI.
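To make the aggregation step concrete, here is an added illustration (not SCRAM's own protocol, which the article does not describe) of the multi-party-computation idea behind it: each participant splits every control rating into additive secret shares, one per computation server, so no single server learns an individual organization's rating, yet the servers' partial sums combine to the exact per-control totals. The organization names, the 0-4 rating scale and the sample ratings are constructed for the example.

```python
"""Privacy-preserving aggregation of ransomware-control ratings.

Added illustration of additive secret sharing, not SCRAM's actual protocol.
Each rating is split into n shares mod a prime; any n-1 shares look uniformly
random, and only the combined partial sums reveal the aggregate.
"""
import secrets

PRIME = 2**61 - 1  # field large enough that real sums never wrap around

# The ten control categories named in the article.
CONTROLS = ["Multi-factor authentication", "Encryption", "Training", "Patching",
            "Check the work", "Endpoint detection and response", "Empowerment",
            "Backup", "Incident response", "Segmentation"]

def split(value, n):
    """Additive secret sharing: n shares whose sum is value mod PRIME."""
    shares = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares

def aggregate(ratings, n_servers=3):
    """ratings: {org: [rating per control]} -> {control: (total, mean)}.
    Each server only ever accumulates its own shares; the per-server partial
    sums are combined at the end to recover the aggregate."""
    n_orgs = len(ratings)
    server_sums = [[0] * len(CONTROLS) for _ in range(n_servers)]
    for org_ratings in ratings.values():
        assert len(org_ratings) == len(CONTROLS)
        for c, rating in enumerate(org_ratings):
            for s, share in enumerate(split(rating, n_servers)):
                server_sums[s][c] = (server_sums[s][c] + share) % PRIME
    totals = [sum(server_sums[s][c] for s in range(n_servers)) % PRIME
              for c in range(len(CONTROLS))]
    return {ctrl: (tot, tot / n_orgs) for ctrl, tot in zip(CONTROLS, totals)}

# Constructed sample: three hypothetical organizations, adoption rated 0-4.
SAMPLE = {"org_a": [4, 3, 2, 4, 1, 3, 2, 4, 3, 2],
          "org_b": [2, 2, 3, 3, 2, 1, 1, 3, 2, 1],
          "org_c": [3, 4, 4, 2, 0, 2, 3, 4, 4, 3]}

if __name__ == "__main__":
    for ctrl, (total, mean) in aggregate(SAMPLE).items():
        print(f"{ctrl:32s} total={total:2d} mean={mean:.2f}")
```

The mean per control is the kind of figure an index like the RRI would report; the totals for the sample never exist anywhere except as the combination of the three servers' partial sums.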

There are two phases of output that are worth highlighting:

Phase 1 Output: Security Controls Benchmarking

In establishing the RRI, the IPRI’s initial aim is to understand the level of readiness against ransomware and the collective areas of greatest risk to our most critical infrastructure. Over the long term, the RRI will underscore how well participating entities are managing their risk over time. Information provided through the RRI will enable the analysis of trends related to ransomware techniques, new vulnerabilities, and the ransomware market writ large.

The output of the computation will include an aggregate view of security readiness across the 10 ransomware control categories, as well as across 22 more granular controls laid out in the Biden Administration EO and White House Memo. This collated information will then be further segmented according to company size and industry, creating a set of highly curated RRIs with anonymous data.

Phase 2 Output: Ransomware Loss Data Benchmarking

While the IPRI wants the initial focus of the RRI to be on security controls data, planned future output will concentrate on the monetary side of the ransom demand itself. The ability to collect data from organizations securely and anonymously puts SCRAM in a unique position to gather answers to sensitive yet vital questions: how often ransoms are demanded, how much cybercriminals demand, and whether the ransom was ultimately paid to the attackers.

The IPRI believes that the economy and ecosystem allowing threat actors to both solicit and gain ransom is worthy of dedicated analysis, especially since there is a lack of transparency with respect to this issue.

How the IPRI Works

The IPRI states that its goal, through the RRI, is to provide greater transparency into the state of cybersecurity readiness against ransomware, leveraging the US government’s 2021 recommendations as a set of expectations to work from. 

As a result of the RRI, the IPRI believes that companies and local governments will gain a better understanding of where they stand in relation to security, both generally and within their sector, without needing to sacrifice anonymity, hire costly consultants, or maintain a dependency on particular services. This will further allow companies to pinpoint their strengths and weaknesses and then modify their security investment spending accordingly.

The IPRI also hopes that the RRI will be used to inform policy and federal resources. Once this index is launched, it can effectively serve as a ‘trailing check’ on how well specific policies have worked once implemented. Following this, the government can then choose to adjust policies, regulations, training, and spending.

The IPRI is currently focusing its efforts on bolstering the security of local municipalities, but its next area of focus will be within various private sector categories, including finance, insurance, and technology.

Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.