How NIST hopes network defenders will stop ransomware

Networks defenders in the U.S. and beyond are struggling to keep pace with scale and intensity of ransomware attacks, particularly as the issue has emerged as a subject of concern during the coronavirus pandemic. 

Organizations ranging from the Department of Homeland Security to the Federal Bureau of Investigation have warned that government agencies of all sizes and private companies can take basic steps to avoid hacking groups. The U.S. National Institute of Standards and Technology also has published a number of updates aimed at helping cyber staffers safeguard data.

The larger issue is about protecting data integrity, Bill Fisher, security engineer at NIST’s National Cybersecurity Center for Excellence (NCCoE), explained during a Q&A session with CyberScoop. There’s a range of tactics that organizations can deploy to protect their information, he said, including the use of blocking technology and stronger authentication techniques that provide dynamic risk assessments. 
 
CyberScoop: Should security personnel trying to safeguard data at their organizations mitigate ransomware in the same way they mitigate other threats? If not, what are the differences in the way they should aim to protect their data?
 
Bill Fisher: Ransomware is an issue of data integrity and availability. Frequently, organizations focus more heavily on issues of data confidentiality, trying to make sure that private data is kept that way. While this is an important aspect of data security, it is not the whole picture. When dealing with ransomware, it is important to consider the use case that data is not stolen, but rather manipulated such that it is no longer usable to your organization.
 
CS: What are the two or three most effective strategies organizations should implement to avoid ransomware?
 
BF: To avoid ransomware, network protection strategies and block listing tools are both very useful for avoiding infection. The NCCoE demonstrated the use of a Zero-Trust networking tool to prevent ransomware from being able to propagate around a network. This can be a very effective way to reduce the impact of a ransomware attack. This was used in conjunction with block listing, implemented in our lab through a web proxy. This sort of tool allows you to prevent users from being targeted by known malicious websites. In combination, these tools allow strong protections against both known threats (such as those that have attacked an organization before), and help mitigate unknown attackers, potentially using unpatched exploits.
 
CS: What is the best response in the event ransomware attackers victimize an organization?
 
BF: The best response to ransomware requires proper preparation. In the case that a ransomware attack successfully encrypts files and does damage to the enterprise, the first place to look is to your backups. Backups should be securely stored, kept up to date, and tested. If any of these things are not true, they can fail you when you need them the most. In particular, testing is an essential step to both employing backups and having a good organizational response to ransomware. Recovering from such an attack can be an all-hands-on-deck situation, and it is essential that the first time the various stakeholders in your organization are thinking about ransomware is not when ransomware successfully runs on the system.
 
CS: How does NIST’s Cybersecurity guidance apply to stopping ransomware?
 
BF: NIST’s current practical guidance for protecting against ransomware comes in the form of three NIST SP 1800 series documents, 1800-11, 25, and 26. Each document looks at a different stage in the life cycle of a ransomware attack. If you are interested in technologies that will allow you to prevent an attack from occurring, 1800-25 provides such guidance. 1800-26 provides recommendations for technologies that allow you to maintain awareness of your data and systems as an attack occurs, as well as being to mitigate the scope of impact of an attack. 1800-11 provides recommendations to help you restore to the last known good state before a ransomware attack occurs.
 
CS: To what extent should security practitioners follow NIST’s confidentiality, integrity and availability principles around data protection? Why is that important?
 
BF: NIST’s 1800 series practice guides provide recommendations of technologies and security controls that should be considered when addressing a cybersecurity challenge. We aren’t expecting everyone to go out and implement the exact same architecture we did. Every organization is different, and has different needs and different technologies that they employ. What we hope that organizations do with our guidance depends on their existing cybersecurity infrastructure. If they have already put resources into addressing these issues, our guidance can be a way to check to make sure you haven’t missed any edge cases or capabilities. If you are considering the notions of data security for the first time, these guides can provide a list of capabilities to keep in mind as you begin to improve your organization’s data security. Each guide also documents the exact way we set up our example architecture.