Ransomware attacks are incidents in which an attacker takes your data, services, and business processes hostage in the hope of selling them back to you for a substantial price. These attacks are growing relentlessly in number, and many become highly publicized. Recently, the Colonial Pipeline oil system was crippled by a ransomware attack that affected the cost of gas for households and businesses nationwide.
As cybersecurity professionals, we are on the frontlines of recognizing and responding to ransomware attacks. As we all know, the right approach to these threats is to consider them imminent and unavoidable – it’s not a matter of if, it’s a matter of when.
Federal Guidance
In response to the need for industry guidance on ransomware, the National Institute of Standards and Technology published NIST SP 1800-26 – Detecting and Responding to Ransomware and Other Destructive Events.
This publication encourages the use of strategies and technologies to protect against and respond to ransomware incidents. Importantly, it bases most of its prescriptive suggestions on another NIST publication: the NIST Cybersecurity Framework (NIST CSF).
The NIST Cybersecurity Framework
The NIST CSF is a framework that helps organizations better manage and reduce cybersecurity risk to critical infrastructure and other sectors. It consists of five functions – high level security domains that contain specific sub-categories and controls that can be used to build an effective security program.
The framework has since been revised; you may want to learn more about NIST CSF 2.0.
In this article, we’ll explore how three of the five NIST CSF functions, Protect, Respond, and Detect, can be used to bolster your defense against ransomware.
NIST CSF – Protect (PR) your data against ransomware
The Protect function of the NIST CSF describes the organization’s ability to limit or contain the impact of a potential cybersecurity event. Specifically, NIST suggests that organizations focus on protecting the integrity of their data to defend against ransomware attacks.
Integrity checking solutions are able to monitor the data in your environment, including application data, databases, even endpoints. They can quickly detect and respond to an unexpected change in a file’s content or metadata.
Admins can configure them to rapidly isolate and contain systems or parts of a network that are experiencing a degradation of integrity, stopping ransomware from spreading through your network.
Monitoring the integrity of critical parts of your network can greatly reduce the impact of ransomware attacks, which rely on altering files (specifically, encrypting them!).
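Added example, not code from NIST SP 1800-26 or from the products listed below: a minimal integrity checker in Python that baselines a content hash plus size and modification time for every file under a directory, reports changed, removed and new files on a rescan, and flags a scan in which a large share of the baselined files changed at once. The threshold and the sample files it creates are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Share of baselined files that may change in one scan before the scan is
# classed as a mass-modification event (constructed threshold).
MASS_CHANGE_RATIO = 0.5


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata an integrity checker watches."""
    st = path.stat()
    return {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size, "mtime": st.st_mtime}


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its fingerprint."""
    return {str(p.relative_to(root)): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, root: Path) -> dict:
    """Rescan root, diff against the baseline and flag mass modification."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    deleted = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    ratio = (len(modified) + len(deleted)) / max(len(baseline), 1)
    return {"modified": modified, "deleted": deleted, "added": added,
            "mass_change": ratio >= MASS_CHANGE_RATIO}


def demo() -> dict:
    """Constructed scenario: baseline three documents, then simulate a run
    that overwrites two of them with random bytes and drops a new note,
    the pattern an encrypting process leaves behind."""
    root = Path(tempfile.mkdtemp())
    for name in ("a.txt", "b.txt", "c.txt"):
        (root / name).write_text(f"original {name}\n")
    baseline = build_baseline(root)
    (root / "a.txt").write_bytes(os.urandom(64))
    (root / "b.txt").write_bytes(os.urandom(64))
    (root / "NOTE.txt").write_text("new file\n")
    return compare(baseline, root)
```

In a real deployment the baseline would be stored outside the monitored hosts and the mass-change flag wired to the isolation action described above.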
The authors of NIST SP 1800-26 used the following products for file integrity monitoring in their demonstration of an anti-ransomware environment:
- Tripwire Enterprise v8.7
- Semperis Directory Services Protector (DSP)
NIST CSF – Detect (DE) a ransomware attack
During a ransomware attack, time is critical.
Ransomware attacks happen quickly and usually without warning. Companies may find themselves at the mercy of a hacker group in a matter of hours. By the time you are exposed to the most obvious sign of a ransomware attack – usually a locked computer displaying a ransom message – your data is already encrypted and irretrievable.
The sooner a security team becomes aware of anomalous activity, the sooner it can respond and get ahead of a ransomware attack in progress.
The detection of those anomalies and events is at the core of the second of three functions NIST identifies as being critical to a ransomware event: Detect (DE).
The subcategories of the Detect function include establishing a baseline, monitoring the network holistically, and prioritizing and escalating events to incident response teams.
Consider the following policies, processes, and technologies:
- Configure application, server, and network device logging to establish a baseline and to detect events at the system and network level.
- Centralize your logging and monitoring information in a SIEM.
- Highlight, filter, and prioritize events that indicate a potential attack.
- Escalate indicators based on severity and according to documented incident response notification procedures.
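Added example, not part of the article: a Python sketch of the last three steps run over constructed, SIEM-normalised log lines. It keeps a per-host baseline of the normal file-modification rate, flags a host whose modifications in any 60-second window exceed that baseline by a factor, separately flags repeated failed logins, and maps each severity to a notification action. The hosts, baselines, thresholds and escalation actions are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SIEM-normalised events: "<iso-time> <host> <event> <detail>".
SAMPLE_LOG = """\
2021-06-01T09:00:05 ws-17 file_modified C:\\Users\\a\\report.docx
2021-06-01T09:00:09 ws-17 file_modified C:\\Users\\a\\budget.xlsx
2021-06-01T09:00:12 ws-17 file_modified C:\\Users\\a\\photo1.jpg
2021-06-01T09:00:14 ws-17 file_modified C:\\Users\\a\\photo2.jpg
2021-06-01T09:00:15 ws-17 file_modified C:\\Users\\a\\notes.txt
2021-06-01T09:00:16 ws-17 file_modified C:\\Users\\a\\plan.pptx
2021-06-01T09:01:00 fs-01 file_modified D:\\shares\\hr\\policy.docx
2021-06-01T09:02:30 ws-03 login_failed admin
2021-06-01T09:02:31 ws-03 login_failed admin
2021-06-01T09:02:33 ws-03 login_failed admin
"""
# Per-host baseline of normal file modifications per minute (constructed).
BASELINE_MODS_PER_MIN = {"ws-17": 1.0, "fs-01": 20.0, "ws-03": 1.0}
WINDOW = timedelta(seconds=60)
BURST_FACTOR = 5            # > baseline * factor in one window is a burst
FAILED_LOGIN_LIMIT = 3
# Documented notification procedure (assumed): severity -> action taken.
ESCALATION = {"high": "page on-call IR lead", "medium": "open IR ticket"}


def parse(log: str) -> list:
    """Split each line into (timestamp, host, event kind, detail)."""
    events = []
    for line in log.splitlines():
        ts, host, kind, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def detect(events: list) -> list:
    """Return alerts as (host, severity, reason, escalation), highest first."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        mods = sorted(t for t, _, kind, _ in evs if kind == "file_modified")
        fails = sum(1 for _, _, kind, _ in evs if kind == "login_failed")
        # Peak number of modifications falling inside any WINDOW-long span.
        peak = max((sum(1 for u in mods if t <= u < t + WINDOW) for t in mods), default=0)
        limit = BASELINE_MODS_PER_MIN.get(host, 1.0) * BURST_FACTOR
        if peak > limit:
            alerts.append((host, "high", f"{peak} file changes in 60s, limit {limit:.0f}", ESCALATION["high"]))
        if fails >= FAILED_LOGIN_LIMIT:
            alerts.append((host, "medium", f"{fails} failed logins", ESCALATION["medium"]))
    return sorted(alerts, key=lambda a: a[1] != "high")
```

The file server fs-01 is not flagged because its baseline is higher; the same raw count on a workstation is a burst, which is why the baseline step comes first.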
These steps give your security teams the visibility they need to identify and escalate anomalous activity quickly, so that a ransomware attack in progress is caught early.
The authors of NIST SP 1800-26 used the following products for event detection and logging in their demonstration of an anti-ransomware environment:
- Cisco Advanced Malware Protection (AMP)
- Glasswall FileTrust ATP for Email
- Cisco Stealthwatch
- Semperis DSP
- Micro Focus ArcSight Enterprise Security Manager (ESM)
- Tripwire Log Center
These are steps that map back to the NIST CSF and best practices for detection – a critical mechanism for identifying and responding to ransomware attacks.
NIST CSF – Respond (RE) to a ransomware attack
So far, we’ve protected the integrity of our data and implemented a detection process to alert our security teams to ransomware attacks. Next, NIST suggests we consider how we react to cybersecurity events – and how we Respond (RE) to ransomware attacks.
The NIST CSF Respond function is the development and implementation of appropriate activities to take action regarding a detected cybersecurity incident.
Your incident response processes should support the ability to contain the impact of a potential cybersecurity incident. If a ransomware attack occurs, your incident response teams should have a plan for responding, isolating affected systems, mitigating the damage, and restoring business processes.
Equipping your security teams with technologies for responding to ransomware attacks greatly improves their chances of success and reduces the impact of a ransomware event. Solutions that isolate and remove malicious files and malware, revert detected changes, and automatically disable compromised or maliciously created accounts are all great tools for responding to ransomware.
The authors of NIST SP 1800-26 used the following products for event detection and logging in their demonstration of an anti-ransomware environment:
- Cisco AMP
- Symantec Security Analytics
- Cisco Identity Services Engine (ISE)
- Semperis DSP
NIST CSF – How do you stack up?
Obviously, the NIST CSF provides a valuable framework for protecting against, detecting, and responding to ransomware attacks. In fact, the NIST CSF applies to much more than just ransomware. It consists of five distinct functions that help guide an organization toward a mature security program.
At I.S. Partners, we’re experts at evaluating your company’s security program against the NIST Cybersecurity Framework. By engaging with us, you’ll be equipped with actionable insight on how to leverage the NIST CSF to build and maintain your security posture – for protection against ransomware and more.