Ransomware is one of the most significant security threats and perhaps one of the most recognizable threats in modern cybersecurity. These attacks cost businesses millions of dollars and can result in the loss of massive volumes of mission-critical information that supports business operations, national infrastructure, or government agencies. As part of the Cybersecurity Framework, the National Institute of Standards and Technology has released a new internal report known as the “Ransomware Report” (NISTIR 8374) to aid agencies and companies in resisting these threats.
What Is Ransomware?
Ransomware is a form of malware that, as its payload, encrypts system data and holds it ransom for money or other (potentially political) purposes.
Encryption gives attackers a solid weapon to use against targets. Encryption relies on mathematical functions that transform data so that it is unreadable to anyone without the key. Because of how this kind of math works, it is not feasible to recover the key from the encrypted output, and it is functionally impossible to decrypt the information without the key.
This is a double-edged sword. On the one hand, this creates excellent security for the information in question. On the other hand, it places quite a bit of responsibility on the administrator to protect and safeguard keys, so the data remains accessible.
This reality creates the threat of ransomware, which works through a few simple steps:
- Infection: The ransomware is placed on an infected system through typical hacks. This can include injection via external attack, corrupted software, and phishing attacks compromising user accounts.
- Encryption: When the infection executes, it surveys systems for specific forms of information or data storage–local disk drives, network drives, attached storage devices, particular file types or names, etc. The ransomware encrypts this information using a strong cipher, rendering it inaccessible. This can halt the use of the data and of any systems relying on that data.
- Ransom: Once the information is encrypted, the attackers withhold the key. The victim cannot break the encryption without the key–and should the key be withheld or destroyed, that information is essentially gone forever. With this leverage, the attacker creates a ransom situation: capitulate to our terms or lose this information.
- Fallout: The organization can take several steps… They can report the issue to security and law enforcement agencies to attempt to stop the attackers before they delete the key or steal the data, or they can pay the ransom. Whatever steps they take, there is a certain lack of control in the situation. The hacker may delete the key or distribute the data on the dark web even if the organization pays.
Ransomware has become one of the significant forms of attack in modern computing, and it potentially impacts every agency, business and organization with IT systems in place.
What Is NIST Internal Report 8374?
To help government agencies and contractors mitigate the ransomware challenge, the National Institute of Standards and Technology (NIST) released Internal Report 8374, “Ransomware Risk Management: A Cybersecurity Framework Profile,” in February 2022. This report stands as a profile of acceptable security practices that address the threat of ransomware from prevention to response.
The profile itself breaks down security based on the requirements under the Cybersecurity Framework, the NIST document governing best practices and procedures for agencies, organizations, and contractors working with the federal government.
The Ransomware Profile
The ransomware profile outlined in NISTIR 8374 covers several wide-ranging security control families and priorities. These controls are highlighted with references to more detailed discussions in NIST and ISO documents.
Some of the major requirements described in this profile include the following:
Companies need to have the capacity to manage their hardware, software, and data in order to better understand the threats they face.
- Inventory: Organizations must inventory the software and hardware used to store and process data in order to better understand the potential for malware and ransomware threats.
- Data Flows: Data flows must be inventoried to help situate how attackers can threaten information during its lifecycle, undermine operations through the use of that data, and move laterally throughout the system to identify vulnerable assets and resources.
- Configurations: Configurations, updates, and patches must be documented and recorded for management against emerging threats. There must also be a plan to make decisions and implement patches as they arise.
- Roles and Responsibilities: Executives, managers, and employees must all have clearly defined roles around the above practices, with accountability enshrined in those roles for execution and audits.
Organizational systems and objectives must align with security and management. Otherwise, it is challenging, if not impossible, to maintain protection against ransomware.
- Positioning and Infrastructure: The organization must identify where it fits into the national infrastructure to better understand potential threat vectors, security responsibilities, and downstream impacts.
- Resource Prioritization: The organization must be able to take resources and create priorities around security controls, business demands, and other practices (response, monitoring, etc.).
- Dependencies: Simply put, identify the dependencies that critical technology and business processes need in order to function effectively, in the context of ransomware mitigation.
Enterprises and agencies should be able to implement, and begin implementing, governance plans around ransomware security. This includes having the capacity to create, deploy, and communicate policies around ransomware protection and incorporating any legal or regulatory requirements into that plan.
Risk Assessment and Management
Risk management is one of the defining practices of modern cybersecurity, and this is just as true for ransomware. The ransomware profile accordingly includes several approaches to risk as part of a ransomware solution:
- Risk Assessment and Intelligence: Identify vulnerable assets and resources and feed them into cost and risk analysis processes. Establish priorities around those assets, and determine the costs and rewards of responding to those threats should they occur.
- Risk Strategies: Implement organizational controls to support people, practices, and technologies to assess and manage risk throughout a system.
- Supply Chain Risk Management: Understand your relationship with upstream vendors (particularly managed service providers and cloud service providers) and how it impacts your risk profile.
Identity and Access Management
Secure organizations must have clear IAM policies and processes to ensure that user accounts and associated resources remain safe. These revolve around identity, access policies, and authentication processes:
- Digital Identity: All systems must be protected through secure digital identity and authentication tools supporting identification, verification, and audits.
- Remote Access: Remote access to a secure system must follow all security protocols and include robust IAM controls.
- Principle of Least Privilege: Access controls, whether implemented through role-based or other access paradigms, should operate with the principle of least privilege to mitigate unauthorized access to system resources outside the scope of a particular role.
- Identity Proofing: Organizations should follow procedures to verify identity and submit employees and users to identity proofing methods outlined in NIST 800-63-3, “Digital Identity Guidelines.”
All organizations should include current and ongoing employee training and education to help stop ransomware attacks. This will consist of education for technical professionals managing IT systems, users with system access, and compliance officers monitoring changes to regulations.
Data and Information Protection
Data protection isn’t limited to access management or encryption. It’s critical that data remain available, backed up, and insulated from unauthorized access as much as possible:
- Availability and Integrity: Information should remain available to users as needed. This helps the business maintain minimum operations and reduces the chances of data silos that can make ransomware attacks more successful.
- Testing Environments: Software and data testing environments should be staged privately, without direct connection to deployment platforms, to avoid a total loss of resources or capabilities.
- Baseline Configuration Plans: Your organization should include its plans to adhere to a security baseline that can serve as the foundation for risk management, data protection, and the evaluation of data management and security events.
- Data Backups: Organizations should maintain backups of major system data to avoid system lockout from ransomware attacks.
Anomaly Detection and Monitoring
If a potential ransomware attack occurs, agencies and enterprises must be able to detect it reliably through a variety of methods:
- Event Audit Logs: All system events, from user events to system access and file access events, should be logged and recorded into secure logs that can be used for investigations and forensics.
- Map Event Impacts: Your organization should be able to take threats, real and theoretical, and map out the potential fallout from those events.
- Continuous Monitoring: All relevant systems should undergo continuous monitoring, including system checks, vulnerability assessments, and regular log assessments.
- Detection Processes: Events should raise alarms, notify the right personnel, and kickstart response activities that can move quickly to neutralize the threat or respond to issues that have already happened.
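One way to turn the audit-log and detection-process items above into a concrete check, as an added example that is not part of NISTIR 8374 or this post: a small Python heuristic over constructed file-audit lines that flags a user who rewrites or renames a burst of files sharing one and the same extension, the pattern an encryption run leaves in file-access logs. The log format, the thresholds and the sample lines are assumptions for the example.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime
import os

WINDOW_SECONDS = 60    # burst window in seconds
FILE_THRESHOLD = 5     # files written/renamed by one user inside the window
DOMINANT_SHARE = 0.5   # share of those files that carry one and the same extension

# Constructed sample audit log (not real data): "<ISO timestamp> <user> <action> <path>".
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice WRITE /share/finance/q1.xlsx
2024-03-01T09:05:10 bob WRITE /share/hr/policy.docx
2024-03-01T09:30:00 svc_backup READ /share/finance/q1.xlsx
2024-03-01T10:15:00 alice RENAME /share/finance/q1.xlsx.locked
2024-03-01T10:15:01 alice RENAME /share/finance/q2.xlsx.locked
2024-03-01T10:15:01 alice RENAME /share/finance/budget.docx.locked
2024-03-01T10:15:02 alice WRITE /share/finance/README_RESTORE.txt
2024-03-01T10:15:03 alice RENAME /share/hr/payroll.xlsx.locked
2024-03-01T10:15:04 alice RENAME /share/hr/roster.csv.locked
""".splitlines()

def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def detect_bursts(lines, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
    """Return one alert per user as (user, window_start, file_count, dominant_ext)."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, extension) in the window
    alerts, alerted = [], set()
    for line in lines:
        ts, user, action, path = parse_line(line)
        if action not in ("WRITE", "RENAME"):   # reads are normal user/backup traffic
            continue
        ext = os.path.splitext(path)[1].lower()
        q = recent[user]
        q.append((ts, ext))
        while (ts - q[0][0]).total_seconds() > window:   # slide the window forward
            q.popleft()
        if len(q) < threshold or user in alerted:
            continue
        dominant, n = Counter(e for _, e in q).most_common(1)[0]
        if n / len(q) >= DOMINANT_SHARE:   # many files converging on one extension
            alerts.append((user, q[0][0], len(q), dominant))
            alerted.add(user)   # one alert per user; a SIEM would de-duplicate per window

    return alerts

if __name__ == "__main__":
    for user, start, count, ext in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {user}: {count} files changed from {start.isoformat()}, mostly '{ext}'")
```

The alert is a starting point for the notification and response steps the profile calls for; tune the window and thresholds against your own baseline of file activity before relying on it.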
Response and Recovery Planning
In the case that a ransomware attack has occurred, successfully or not, your organization should be able to respond quickly to mitigate and recover from that threat:
- Roles and Responsibilities: Response and recovery positions and responsibilities should be clearly defined, readily available and well-communicated to all relevant personnel.
- Implementation and Execution: Your organization must implement and execute recovery procedures. This includes restoring mission-critical data, removing offending ransomware, and securing entry points exploited by the ransomware. There should also be plans to notify outside agencies and regulators and what to do in situations where negotiation might be required.
- Communication, Reporting, and Analysis: In the event of an attack, your organization must have clear communication and reporting capacities to notify relevant parties, share information during the event, and maintain a record for post-event investigation.
Securing Your Systems Against Ransomware?
It’s critical to work with knowledgeable, experienced security experts to deploy the recommendations of NISTIR 8374. Lazarus Alliance has decades of experience with cybersecurity compliance and monitoring, particularly in the federal sector. Our extensive expertise with NIST and CSF requirements makes us the go-to security firm to address threats like ransomware in government and government contractor systems.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- FARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS
- IRS 1075
- COSO SOX
- ISO 27000 Series
And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.
Continuum GRC is a proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.