How to use the NIST Cybersecurity Framework to combat ransomware attacks
Table of Contents
Throughout its history, mankind has created tools and devices of great technical value, but which did not find favor with the people, largely due to their lack of usability and practicality. For example, during the 1970s and 1980s, the videotape war took place, pitting the Betamax and VHS systems against each other. Although the quality of Beta was superior, it ended up being defeated by VHS because this system allowed recording for a longer period. If you wanted to record a 2-hour movie on a single tape, you had to opt for VHS. In the cybersecurity arena, the ease of implementation and management of tools is also key. That’s why the NIST cybersecurity framework can be useful to combat ransomware attacks or other types of assaults of concern today.
This framework is a fickle tool, adapting to the different and changing characteristics and needs of companies. We are not talking about a closed list of targets, but an open tool, with a multitude of results that can be achieved. In this way, it can be used to build a general security strategy, or, on the other hand, it is possible to design a strategy focused on specific vulnerabilities, attacks, or risks.
For this reason, NIST this year published an outline of its cybersecurity framework, focused on managing the risk of ransomware. Below, we will unravel how this profile can be used when offering cybersecurity services to secure an organization. And protect its systems against this type of program that serves to hijack the data of a company or institution.
1. Basic tips to reduce the risks of ransomware
As the NISTIR 8374 guide itself points out, not all the measures proposed in the ransomware profile are within the reach of any company. Some solutions require an investment of resources that make them inaccessible to small or medium-sized companies. As we indicated when we delved into the operation of the cybersecurity framework, each organization must balance the results it seeks to achieve with the resources and needs it has.
So before we get into the profile for combating ransomware attacks, the NIST guide offers five basic suggestions, that any type of company should consider when preparing to detect, mitigate and combat ransomware attacks.
1.1. Educate the workforce
Although often overlooked, educating an organization’s entire workforce is critical to shutting the door on ransomware. Thus, all professionals must be made aware of the importance of cybersecurity threats and instructed to:
- Do not open files or click on links from unknown sources (email..)
- Avoid using their applications, such as email or social networks, on work devices.
- Do not connect their devices to work networks, unless they have been previously authorized by cybersecurity managers.
1.2. Avoiding vulnerabilities
Vulnerabilities and risks can be avoided or at least minimized. To do so, the company must implement a security strategy that takes into account at least the following basic measures:
- Update crucial systems with patches.
- Apply the Zero Trust philosophy to all systems and networks.
- Install and run only authorized applications.
1.3. Optimizing detection and response to attacks
Early detection of ransomware attacks is one of the crucial issues for successfully dealing with them. Organizations must, therefore:
- Have malware detection software that automates the scanning of emails and devices.
- Continuously monitor directory services for indicators of compromise or even the launch of active attacks.
- Block access to resources to malicious or untrusted servers, addresses, ports, and protocols.
1.4. Hindering the spread of ransomware
After the detection of ransomware attacks, the organization must address their mitigation. How can this be achieved?
- By using standard user accounts with multi-factor authentication.
- Introducing authentication delays and setting up automatic account lockout against automated attempts to unravel passwords.
- Managing the granting of credentials based on the law of least privilege.
- Storing data in an immutable format.
- Employing secure virtual private network (VPN) connections for external access to resources.
1.5. Facilitating information recovery
The last of NIST’s basic recommendations for combating ransomware attacks focus on the recovery of hijacked data. In this regard, the guide sets out three core measures to implement:
- Design and implement an incident recovery plan.
- Performing data backups, securing them, and conducting restore tests. Securing and isolating the most important data.
- Maintaining an up-to-date list of key contacts for handling ransomware attacks, including the legal counsel team or the state’s own law enforcement agencies.
2. Identify
Leaving aside these basic recommendations, the NIST cybersecurity framework profile focused on combating ransomware attacks addresses, first and foremost, the identify function.
Identifying involves, first and foremost, understanding all the elements that come into play in managing the risks associated with ransomware attacks, such as the resources that support critical functions. This function allows companies to prioritize and optimize the management of their resources, based on the risks and needs of the organization.
The NIST guide divides it into six core categories, which in turn have subcategories and recommendations for applying them to successfully combat ransomware attacks.
2.1. Asset management
This category deals with the management of an organization’s data, devices, and systems. And how it must combine security with business objectives.
To this end, an inventory of physical devices must be carried out and reviewed to ensure that they are not vulnerable to ransomware, and this inventory can speed up the recovery phase after an attack. It is also necessary to have a software inventory, including all the information about the software: from its current version to the patches installed or known vulnerabilities. All this data helps to address vulnerabilities that could be exploited by a ransomware attack.
On the other hand, it is also possible to map data flows and know which ones are at risk in case malicious attackers manage to move laterally within the system. As well as cataloging external information systems, to manage communication with third parties in the event of an attack.
Another measure that can be implemented is the prioritization of resources, taking into account whether it is critical for the company and its business value. In the case of ransomware attacks, it is essential to know their scope and establish mechanisms to prioritize some resources over others.
Finally, it is also extremely useful to establish clear roles and responsibilities for preventing and responding to ransomware attacks.
2.2. Business environment
Concerning this category, the key lies in business decision-making in risk management. To do so, the organization must:
- Understand its place in the critical infrastructure environment.
- Establish priorities for managing resources when responding to incidents.
- Identify critical components in support of core business functions. A critical issue when developing contingency and response plans to combat ransomware attacks.
2.3. Governance
How are legal, risk, or operational requirements managed? This category covers three core actions:
- Establish policies to prevent or mitigate ransomware incidents.
- Effectively manage regulatory and legal requirements and take them into account in attack response planning.
- Governance mechanisms must take into account ransomware risk management.
2.4. Risk assessment
It is not enough to identify risks; they must also be assessed, taking into account their potential impact on the organization. It is, therefore, necessary to identify and document the vulnerabilities to ransomware attacks existing in business assets, and to prioritize the actions to be taken to eliminate or limit these vulnerabilities.
This task also requires the use of external threat data, using information exchange sources.
Risk assessment is used to study the effects of attacks, as well as the probability of their occurrence, to carry out a cost-benefit analysis to indicate which measures are cost-effective and which are not.
In addition to identifying vulnerabilities, it is also necessary to specify possible responses to combat ransomware attacks. If the response plan is not effective, the costs generated by the attack will be higher.
2.5. Risk management strategy
Once the risks have been assessed, it is time to design a strategy to manage them successfully. Such a strategy includes the establishment of policies, roles, and responsibilities among the actors involved, taking into account the risk of a ransomware attack taking place.
2.6. Supply chain risk management
It is also important to consider the supply chain. That is, ransomware contingency planning must be coordinated with suppliers and third-party providers to be prepared in case they are all affected by ransomware.
3. Protect
Given that the previous function has identified and assessed the risks, this second function must plan and implement protection mechanisms to secure critical services and thus facilitate the task of containing a possible attack.
3.1. Identity, authentication, and access control management
Access to assets is one of the keys to any security strategy. NIST points out that most ransomware attacks are executed through network connections and are initiated by compromised credentials. Hence, credential management is a crucial issue.
It is also important to manage remote access, as most ransomware attacks are carried out remotely. Hence, multifactor authentication is a relevant measure to implement. In addition, the law of least privilege should be applied when managing permissions. Since many ransomware attacks take place when user credentials are compromised and users have a higher permission level than they should, unnecessarily compromising systems.
Along the same lines, we find ourselves with network segmentation to prevent ransomware from spreading between different systems. For this reason, NIST recommends separating information technology (IT) networks from operational technology (OT) networks. In this way, critical operations can continue to function while IT systems recover from the attack.
Finally, it is important to validate identities and link them to credentials to reduce the possibility of them being compromised. Especially since compromised credentials are a major ransomware attack vector.
3.2. Awareness and training
As mentioned above, education and training are of great importance. By making all users aware of the importance of cybersecurity, insecure practices and developments can be reduced.
3.3. Data security
This issue is critical when combating ransomware attacks: it is necessary to manage data to safeguard the integrity and confidentiality of the information and ensure its availability. This requires:
- Have the ability to maintain offsite and offline data backups, as well as test recovery times and system redundancy.
- Implement protections to avoid data leaks.
- Have data integrity verification mechanisms in place that are capable of detecting altered updates through which ransomware can be introduced.
- Separate development environments from production environments, to prevent ransomware from circulating from one to the other.
3.4. Information protection procedures and processes
The organization must have security policies and procedures in place to effectively manage the protection of its assets. This implies having:
- Control system configurations and baselines to be able to assess any deviations that may occur, as well as their risk. Unauthorized configuration changes can be an indicator that a ransomware attack is underway.
- Configuration change control processes to help maintain security settings and reduce the chances of a ransomware attack by changing the code.
- Fully secured backups that facilitate recovery after an attack.
- Response and recovery plans, designed, implemented, and tested, that take into account ransomware incidents and priorities to limit their impact.
3.5. Maintenance
Within the protection function, it is important to pay attention to the remote maintenance of the company’s assets. This is a channel of access to an organization’s systems and hardware. If management is not optimal and security risks are not taken into account, attackers can modify configurations to open the door to ransomware.
3.6. Protection technology
When it comes to security technologies, it is critical:
- Review logs and perform log auditing to detect unforeseen actions.
- Take into account the principle of least functionality to reduce the possibility of migration between systems.
4. Detect
Security strategies should include mechanisms to detect ransomware attacks as quickly as possible.
4.1. Events and anomalies
Security systems detect anomalous activity and collect information about the incident, also drawing on multiple sources. The objective is twofold. On the one hand, to achieve early detection of ransomware. On the other, to be able to understand how it works and its ability to spread through the network.
In addition, the impact of events must be determined, as this can provide valuable information for prioritizing the last two functions: response and recovery.
4.2. Continuous security monitoring
A good detection system involves monitoring assets on an ongoing basis, to:
- Monitor networks. To be able to detect intrusions and implement protective actions. Before ransomware enters the system or data is exfiltrated.
- To monitor the activity of professionals. Being able to detect both insider threats, insecure practices, and compromised credentials and thus prevent the launch of a ransomware attack.
- Detect malicious code. This is important because malicious code is often not executed immediately, leaving a window of time to detect it before the attack is launched.
- Detect unauthorized resources: people, connections, devices, software… that can be used to execute a ransomware attack.
- Scan vulnerabilities to mitigate them before they are exploited by a ransomware attack.
4.3. Detection processes
Concerning ransomware attacks, it is essential to constantly monitor detection procedures and to optimally distribute the roles and responsibilities of each person or team.
To this end, it is necessary to carry out periodic tests to verify that the detection processes are adequate to catch ransomware-based attacks. These tests also serve to train the people who have to implement these procedures.
It is not enough to test their efficiency; it is also necessary to ensure that the channels for communicating anomalous events are fully operational and, above all, it is crucial to perfect the tactics used to manage ransomware attacks and thus keep them permanently updated in the face of new malicious techniques that may arise.
5. Respond
The organization must have tools and mechanisms in place to effectively combat ransomware attacks and reduce their impact on the operation of the company and its data.
5.1. Response planning
The organization must have a response plan and implement it immediately upon detection of a ransomware attack. In this way, its impact can be minimized, stopping data exfiltration and restricting its spread to other systems, networks, or equipment.
Such a response plan must not only be technical but must also take into account the communication, reputational and legal dimensions of any ransomware attack. It is not only the company’s systems that must be protected but also its public image and its legal liability in the event of a breach of private data.
5.2. Communications
NIST emphasizes the importance of articulating both technical and business responses to ransomware attacks. The key lies in ensuring that everyone is aware of their role and that communication mechanisms and actions are defined in advance.
Likewise, the exchange of information must be fluid, both to reduce the impact of the attack and its propagation and to avoid the generation of misinformation. In addition, the need to exchange information with agents outside the organization must be taken into account, since this can help the company to limit the success of the attack.
5.3. Analysis
Analysis of all available data on the ransomware attack is of paramount importance. In this way, response actions and recovery activities are optimized. Hence, it is necessary to:
- Study the notifications generated by detection systems in an agile and comprehensive manner and thus combat ransomware attacks at early stages.
- Understand the effects of the attack, both in terms of technical issues (which systems are unavailable) and in terms of the impact on the business and its activities. In this way, resources can be prioritized, focusing on recovering critical services and implementing the plan to ensure business continuity while recovery efforts are underway.
- Carrying out forensic activities to identify the cause of the attack to put an end to it. Restoring the services and functions attacked and eliminating the program and mechanisms used by the attacker.
- Implement mechanisms to receive and analyze vulnerabilities disclosed to the organization, both from internal and external sources. The analysis is essential to prevent and combat ransomware attacks that may occur in the future. As well as to improve the response capacity and reduce the possibility of spreading to other systems and networks.
5.4. Mitigation
This category focuses on an organization’s ability to limit the spread of an attack, reduce its effects and successfully resolve the incident. Firstly, it is essential to take immediate action to prevent the spread of ransomware. And, finally, to terminate the attack.
Secondly, actions must be implemented as quickly as possible. To isolate the malicious program and minimize its impact on the company’s data.
Lastly, it is necessary to mitigate the vulnerabilities detected and, if this is not possible, to collect all the information so that the risk can be taken into account in decision-making and future incidents.
5.5. Enhancements
The last phase of the response function focuses on the analysis of the information generated during the attack and the lessons learned. With all this data, the organization can update its security strategy and response plans, optimizing them to reduce the likelihood of further attacks.
6. Recover
The final function captured by the NIST cybersecurity framework is recovery. Whatever the impact of the ransomware attack, the company must have plans for resiliency and restoration of assets that have been attacked. The more optimal the recovery plans are, the sooner the company will be back to business as usual and the consequences of the incidents will be reduced.
6.1. Recovery planning
In this phase, the previously designed recovery plan is executed. NIST maintains that by initiating the recovery plan once the cause of the attack has been accurately identified, data losses and the negative impact on the company can be reduced.
6.2. Improvements
The analysis of the data collected is used to extract lessons to be taken into account and incorporate them into the recovery plan to optimize it and reduce the possibility of future attacks.
6.3. Communications
Communication is a highly valuable part of the design and implementation of security strategies. Therefore, it is necessary to pay attention to it and make the most of it. Communications in the event of a ransomware attack include:
- Public relations management. To avoid damage to partner and customer confidence.
- Reputation repair. In case of reputation has been affected by the attack and its consequences.
- All stakeholders are informed of the recovery activities that have been carried out.
7. Adapt the profile to the company’s needs and resources
All the measures we have outlined throughout the article serve as a basis for designing a comprehensive security strategy, in which ransomware attacks are taken into account when planning all phases of an incident.
If the basic recommendations presented by NIST represent a program of minimums, to ensure essential protection, the cybersecurity framework profile includes a wide range of measures and outcomes that an organization can achieve to secure its assets.
The advantage of the NIST cybersecurity framework is that this set of measures can be tailored based on an organization’s needs, business objectives, and available human and financial resources.
For this reason, the profile stresses the importance of prioritizing resources in all phases, from identification to recovery. As well as establishing which measures are cost-effective, taking into account their costs and the benefits they produce.
8. Measures and informative references: what to do, not how to do it
The vast amount of documentation generated by NIST, from guidelines to cybersecurity framework to cybersecurity profiles, serves as a methodological basis for designing and implementing cybersecurity strategies and services.
These documents do not tell analysts and organizations how to perform actions. Rather, they focus on what measures and aspects should be taken into account when determining the actions to be taken.
Thus, the information in the cybersecurity framework profile focused on combating ransomware attacks does not have technical specifications that can be executed automatically but presents a multiplicity of relevant measures when it comes to securing an organization against this type of malicious program. As well as informative references that can be of great help in this task.
These actions are a set of best practices that improve the protection of companies and limit the impact of attacks. And, as we have seen, they include not only technical aspects but also commercial and reputational issues. It is this generalist vocation that has enabled NIST to become a reference source and a worldwide standard in cybersecurity.
In essence, the NIST cybersecurity framework profile shows us in a practical way how this framework can be used to lay the foundations of a comprehensive security strategy. A strategy capable of effectively combating ransomware attacks, one of the most relevant in the world today and one that puts companies’ data at risk. Thus threatening business results and the very survival of the business.
This article is part of a series of articles about NIST
- NIST Guidelines: a methodological underpinning for cybersecurity analysts
- NIST Cybersecurity Framework: A compass for navigating the ocean of cyber risks
- How to use the NIST Cybersecurity Framework to combat ransomware attacks
- The 4 keys to the NIST Cybersecurity Framework v2