The National Institute of Standards and Technology (NIST) has released the revised draft of NISTIR 8374 that defines a Ransomware Profile, which identifies security objectives from the NIST Cybersecurity Framework that support preventing, responding to, and recovering from ransomware events. The Ransomware Profile is intended for a general audience. Organizations such as small to medium-sized businesses (SMBs) and operators of industrial control systems (ICS) or operational technologies (OT) may also leverage this guidance and the Cybersecurity Framework.
The Need for Concise Guidelines
This publication comes at a time when cybersecurity incidents and ransomware attacks against critical infrastructures are at an all-time high. As Anna Ribeiro reported, ransomware attacks have targeted the food sector, while another incident affected the Port of Houston. In the wake of this increased number of attacks targeting U.S. critical infrastructures, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told the Senate that “we are working to address our nation’s shared cybersecurity risk. We must collectively and with great urgency strengthen our nation’s cyber defenses, invest in new capabilities, and reimagine how we think about cybersecurity to recognize that all organizations are at risk and our efforts must focus on ensuring the resilience of essential services.”
This guidance is yet another indication that ransomware is the emerging leader in the rise of cyberattacks, and that your organization must take action to keep your data safe. Creating an effective security risk management program requires staying current with the latest threats, and then planning accordingly.
As NIST notes in the draft publication, “organizations can follow recommended steps to prepare for and reduce the potential for successful ransomware attacks. This includes identifying and protecting critical data, systems, and devices; detecting ransomware events as early as possible (preferably before the ransomware is deployed); and preparing for responses to and recovery from any ransomware events that do occur.”
The Five Functions
The publication establishes the Ransomware Profile, which serves as a guide to help organizations assess the state of their own readiness for a ransomware attack. The profile maps security objectives from the NIST Cybersecurity Framework (CSF) to security capabilities. Informed by the NIST CSF, the Ransomware Profile is divided into five categories: identify, protect, detect, respond, and recover.
- Identify. Develop an organization-wide understanding of cybersecurity risks to focus and prioritize efforts, consistent with organizational risk management strategy and business needs.
- Protect. Implement security systems and safeguards that prevent the disruption of critical services.
- Detect. Develop and implement appropriate activities to enable the timely discovery of cybersecurity events.
- Respond. Take action on a detected cybersecurity incident to contain its impact.
- Recover. Maintain plans for resilience and for restoring any capabilities or services that were impaired due to a cybersecurity incident.
The security capabilities and measures in the NIST Ransomware Profile support a detailed approach to preventing and mitigating ransomware events.
Preventing a Ransomware Attack
The publication outlines some basic preventative steps that an organization can take now to protect against the ransomware threat. These include:
- Always use antivirus software. Set your software to automatically scan emails and flash drives.
- Keep computers fully patched. Run scheduled checks to identify available patches and install these as soon as feasible.
- Segment networks. Segment internal networks to prevent malware and threat actors from pivoting among critical systems.
- Continuously monitor directory services and access management platforms for indicators of abnormal behavior or active attack.
- Block access to potentially malicious web resources. Use products or services that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity.
- Allow only authorized apps. Configure operating systems and/or third-party software to run only authorized applications. Establish processes for whitelisting or blacklisting apps.
- Use standard user accounts versus accounts with administrative privileges whenever possible.
- Restrict personally owned devices on business and ICS networks.
- Avoid using personal apps—like email, chat, and social media—on any business computer.
- Educate employees about social engineering and phishing attacks.
- Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has the appropriate access only.
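The monitoring step above ("continuously monitor directory services and access management platforms for indicators of abnormal behavior or active attack") is easier to picture with concrete detection logic. The following Python is an added example written for this article; it is not code from NIST or from ITEGRITI. The audit lines, the `<timestamp> <event> key=value ...` layout, the event names, the thresholds and the privileged-group list are all constructed assumptions for the example, not a real product's log format. It flags two common precursors of a ransomware deployment: a burst of failed logons against one account inside a sliding time window, and any account being added to a privileged directory group.

```python
"""Sliding-window detection over directory-service audit lines.

Added example (not NIST or ITEGRITI code). Log format, event names and
thresholds below are assumptions constructed for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2021-10-04T09:00:01 LOGON_FAILED user=jsmith src=10.1.4.22
2021-10-04T09:00:03 LOGON_FAILED user=jsmith src=10.1.4.22
2021-10-04T09:00:05 LOGON_FAILED user=jsmith src=10.1.4.22
2021-10-04T09:00:08 LOGON_FAILED user=jsmith src=10.1.4.22
2021-10-04T09:00:09 LOGON_FAILED user=jsmith src=10.1.4.22
2021-10-04T09:00:10 LOGON_FAILED user=jsmith src=10.1.4.22
2021-10-04T09:00:15 LOGON_OK user=jsmith src=10.1.4.22
2021-10-04T09:05:00 LOGON_FAILED user=mlee src=10.1.7.5
2021-10-04T09:30:00 LOGON_FAILED user=mlee src=10.1.7.5
2021-10-04T11:12:40 GROUP_MEMBER_ADDED user=svc-backup group=Domain Admins actor=jsmith
2021-10-04T11:15:02 GROUP_MEMBER_ADDED user=intern01 group=Marketing actor=hr-admin
"""

# Assumed set of groups whose membership changes always deserve review.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# key=value pairs; a value runs until the next " key=" so that values with
# spaces (e.g. "Domain Admins") survive.
FIELD_RE = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")


def parse_line(line):
    """Turn one audit line into a dict with parsed timestamp and fields."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(FIELD_RE.findall(rest))
    return {"ts": datetime.fromisoformat(ts), "event": event, **fields}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {user: peak_count} for accounts whose failed logons reach
    `threshold` inside any sliding window of length `window`.

    Two failures half an hour apart (mlee) are normal; six in nine seconds
    (jsmith) look like password guessing and are flagged.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "LOGON_FAILED":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


def privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Return (timestamp, member, group, actor) for every addition to a
    privileged group; the Marketing addition is ignored."""
    return [
        (ev["ts"], ev["user"], ev["group"], ev["actor"])
        for ev in events
        if ev["event"] == "GROUP_MEMBER_ADDED" and ev["group"] in privileged
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(evs))
    for ts, member, group, actor in privileged_group_changes(evs):
        print(f"{ts}: {actor} added {member} to {group}")
```

In practice the same two functions would be fed by the directory's own audit export or a SIEM query rather than an inline string, and the threshold and window would be tuned per environment; the point is that both indicators can be computed from ordinary authentication and group-change events that most directory services already record.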
Mitigating a Ransomware Attack
To help organizations recover from future ransomware events, the NIST publication suggests the following steps:
- Make an incident recovery plan. You should develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a business continuity plan.
- Back up and restore. Carefully plan, implement, and test a data backup and restoration strategy. Secure and isolate backups of important data, too.
- Keep your contacts. Maintain an up-to-date list of internal and external contacts that can help with ransomware attacks, including law enforcement.
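The "test a data backup and restoration strategy" step above is the one most often skipped, and an untested backup is the usual reason a ransomware recovery fails. The following Python is an added example written for this article, not code from NIST or ITEGRITI. It performs a small restore drill: it builds a backup with a SHA-256 manifest, protects the manifest with an HMAC (the key, a constructed placeholder here, is assumed to be stored separately from the backup media), restores the data, and verifies every file against the manifest. It then damages the restored copy the way ransomware would and shows that the check reports exactly what was lost. All file names and contents are constructed for the example.

```python
"""Backup-and-restore drill with an integrity manifest.

Added example (not NIST or ITEGRITI code). The MAC key, file names and
contents are constructed placeholders for the illustration.
"""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to `root` to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Attach an HMAC so a manifest rewritten alongside tampered data is detected."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"files": manifest, "mac": hmac.new(key, body, "sha256").hexdigest()}


def manifest_is_authentic(signed: dict, key: bytes) -> bool:
    body = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(signed["mac"], expected)


def make_backup(src: Path, dst: Path, key: bytes) -> None:
    """Copy `src` into `dst/data` and write a signed manifest next to it."""
    shutil.copytree(src, dst / "data")
    signed = sign_manifest(build_manifest(dst / "data"), key)
    (dst / "manifest.json").write_text(json.dumps(signed))


def restore(backup: Path, target: Path) -> None:
    shutil.copytree(backup / "data", target)


def verify_restore(backup: Path, restored: Path, key: bytes) -> list:
    """Return a list of problems found in the restored tree; [] means the drill passed."""
    signed = json.loads((backup / "manifest.json").read_text())
    if not manifest_is_authentic(signed, key):
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    expected, actual = signed["files"], build_manifest(restored)
    problems = []
    for name, digest in expected.items():
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != digest:
            problems.append(f"corrupt: {name}")
    for name in actual.keys() - expected.keys():
        problems.append(f"unexpected: {name}")
    return problems


def run_restore_drill() -> tuple:
    """End-to-end drill on constructed data.

    Returns (problems_on_clean_restore, problems_after_simulated_damage).
    """
    key = b"placeholder-mac-key-kept-off-the-backup-media"  # assumption for the example
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "plan.txt").write_text("incident recovery plan v1")
        (src / "ledger.csv").write_text("id,amount\n1,100\n")

        backup = tmp / "backup"
        make_backup(src, backup, key)
        restored = tmp / "restored"
        restore(backup, restored)
        clean = verify_restore(backup, restored, key)

        # Simulate ransomware damage to the restored copy: one file overwritten
        # with ciphertext-like bytes, one deleted.
        (restored / "ledger.csv").write_bytes(b"\x00encrypted\x00")
        (restored / "docs" / "plan.txt").unlink()
        damaged = verify_restore(backup, restored, key)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_restore_drill()
    print("clean restore problems:", clean)
    print("after damage:", damaged)
```

Keeping the MAC key off the backup media is what makes the manifest useful: an attacker who can encrypt the backup tree can also rewrite a plain manifest, but cannot forge the MAC without the key. A scheduled job that restores to scratch storage and runs `verify_restore` gives the recurring, evidence-producing test the profile asks for.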
How ITEGRITI can help you
Cybersecurity threats are evolving, footprints are expanding, and attackers have become even more sophisticated. Organizations must now consider the impact from service disruption, data destruction and ransomware, and erosion of customer confidence in terms of operational cost, regulatory penalties, and brand or reputational damage.
To operate, organizations require the reliability of their information technology systems and IT/OT managed assets. Well-designed cybersecurity programs defend against and withstand most attacks but, despite best efforts, a motivated adversary will break into a system they target.
ITEGRITI designs and implements programs that help companies avoid hacks, detect breaches when they occur, minimize business disruption during a cybersecurity event, and reduce incident recovery time. The first step to building your cybersecurity program is to understand your cyber risk baseline.
Take the free ITEGRITI assessment available via our secure portal.