The National Institute of Standards and Technology releases Ransomware Risk Management: A Cybersecurity Framework Profile and a quick start guide

March 11, 2022 |

Ransomware remains an ongoing, growing and evolving form of malware that is particularly damaging to businesses. Ransomware encrypts an organization’s data and demands payment as a condition of restoring access to that data. It can also be used to steal information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and attempt to restore operations themselves. The Australian Cyber Security Centre has provided some guidance on how organisations can minimise the risk of suffering a ransomware attack and what to do when attacked. In my experience many organisations do not have regard to this or any other guidance until it is too late. Given the potentially disastrous impact of a ransomware attack this is a false economy.

By far the best sources of guidance and practical assistance are the publications put out by the US National Institute of Standards and Technology (“NIST”). NIST recently released Ransomware Risk Management: A Cybersecurity Framework Profile. It is a very useful and timely document. The abstract provides:

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. Attackers may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. This Ransomware Profile identifies the Cybersecurity Framework Version 1.1 security objectives that support identifying, protecting against, detecting, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.

Through a table it maps each issue to the relevant Cybersecurity Framework subcategories (e.g. ID.AM) and their ISO and NIST informative references, and explains how those guides operate.

Also released with it was a White Paper titled Getting Started with Cybersecurity Risk Management: Ransomware.

With the threat of ransomware growing, this “quick start guide” will help organizations use the National Institute of Standards and Technology (NIST) “Ransomware Risk Management: A Cybersecurity Framework Profile” to combat ransomware. Like the broader NIST Cybersecurity Framework, which is widely used voluntary guidance to help organizations better manage and reduce cybersecurity risk, the customized ransomware profile fosters communications and risk-based actions among internal and external stakeholders, including partners and suppliers.

The Framework provides a very useful section containing basic ransomware tips, being:

1.  Educate employees on avoiding ransomware infections.

    • Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
    • Avoid using personal websites and personal apps – like email, chat, and social media – from work computers.
    • Don’t connect personally owned devices to work networks without prior authorization.

2.  Avoid having vulnerabilities in systems that ransomware could exploit.

    • Keep relevant systems fully patched. Run scheduled checks to identify available patches and install these as soon as feasible.
    • Employ zero trust principles in all networked systems. Manage access to all network functions and segment internal networks where practical to prevent malware from proliferating among potential target
    • Allow installation and execution of authorized apps only. Configure operating systems and/or third-party software to run only authorized applications. This can also be supported by adopting a policy for reviewing, then adding or removing authorized applications on an allow
    • Inform your technology vendors of your expectations (e.g., in contract language) that they will apply measures that discourage ransomware attacks.

3.  Quickly detect and stop ransomware attacks and infections.

    • Use malware detection software such as antivirus software at all times. Set it to automatically scan emails and flash drives.
    • Continuously monitor directory services (and other primary user stores) for indicators of compromise or active
    • Block access to untrusted web resources. Use products or services that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity. This includes using products and services that provide integrity protection for the domain component of addresses (e.g.,

4.  Make it harder for ransomware to spread.

    • Use standard user accounts with multi-factor authentication versus accounts with administrative privileges whenever
    • Introduce authentication delays or configure automatic account lockout as a defense against automated attempts to guess passwords.
    • Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has only the necessary access following the principle of least
    • Store data in an immutable format (so that the database does not automatically overwrite older data when new data is made available).
    • Allow external access to internal network resources via secure virtual private network (VPN) connections only.

5.  Make it easier to recover stored information from a future ransomware event.

    • Make an incident recovery plan. Develop, implement, and regularly exercise an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan. The plan should identify mission-critical and other business-essential services to enable recovery prioritization, and business continuity plans for those critical
    • Back up data, secure backups, and test restoration. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important
    • Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement, legal counsel, and incident response

As with many US guidelines and manuals, the authors very helpfully break down the process of dealing with ransomware into 5 functions:

    • Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
    • Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
    • Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
    • Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
    • Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

This is the starting point. For each organisation, the issues and needs differ. For practitioners it is a matter of applying these principles to the organisation’s requirements. That requires more than a cursory understanding of what the organisation does and what systems it operates. The NIST report collates and sets out in one document many important processes well known to privacy and security practitioners, and some less well known, including:

  • undertaking an inventory of physical devices, which is reviewed and maintained to ensure these devices are not vulnerable to ransomware.
  • identifying and documenting vulnerabilities is crucial in developing plans for, and prioritising, the mitigation or elimination of those vulnerabilities.
  • it is beneficial to have a hardware inventory during the recovery phases after a ransomware attack, should a re-installation of applications be necessary.
  • software inventories track information such as software name and version, devices where it is currently installed, last patch date, and current known vulnerabilities. This supports the remediation of vulnerabilities.
  • mapping communication and data flows enumerates what information or processes are at risk, should the attackers move laterally within an environment.
  • cataloguing external connections allows for planning communications to others and possible actions to temporarily disconnect from external systems in response to a ransomware attack. Identifying these connections helps plan security control implementation and identify areas where controls may be shared with third parties.
  • prioritising resources permits an understanding of the true scope and impact of a ransomware attack. That permits more effective contingency planning, emergency response, and recovery actions.
  • it is important that members of an organisation have clear and understandable roles and responsibilities involving cybersecurity.  That way they can understand their roles and responsibilities for preventing ransomware events and, if applicable, for responding to and recovering from ransomware attacks. These roles and responsibilities should be formally documented in an incident response plan. The incident response plan should specify regularly exercising the plan (e.g., running incident response tabletop simulations at least annually).  A response to ransomware events includes both technical and business responses. Communications response roles should be formally documented in incident response and recovery plans.
  • it is critical to establish and communicate policies needed to prevent or mitigate ransomware events. These policies should be reviewed periodically to reflect the dynamic nature of risk and the reality of needed ongoing adjustments.
  • keeping a copy of the response and recovery plan offline, in case the incident eliminates access to soft copies held within the targeted network. Ransomware attacks should be prioritised appropriately during incident triage with the goal of immediate containment to prevent the ransomware’s spread. Ransomware response and recovery plans should be tested periodically to ensure that risk and response assumptions and processes are current with respect to evolving ransomware threats.
  • proper training. Most ransomware attacks are made possible by users who engage in unsafe practices, administrators who implement insecure configurations, or developers who have insufficient security training.
  • establishing dependencies and critical functions for delivery of critical services helps identify secondary and tertiary components critical in supporting the organisation’s core business functions. This permits prioritising contingency plans for future events and emergency responses.
  • factoring ransomware risks into organisational risk management governance is important to establish adequate cybersecurity policies.
  • having a system for receiving and using cyber threat intelligence from information sharing sources is an important way of reducing exposure to ransomware attacks and facilitates early detection of new threats.
  • understanding the business impacts of potential ransomware attacks assists in undertaking cybersecurity cost-benefit analyses as well as prioritising activities in ransomware response and recovery plans.
  • ransomware contingency planning should be coordinated with suppliers and third-party providers and should include testing planned activities. The plan should include a scenario where the organisation, its suppliers, and third-party providers are all impacted by ransomware.
  • identifying, cataloguing, managing, verifying, auditing identities and credentials for authorized devices and their users and processes. Most ransomware attacks occur through network connections and often start with credential compromise (e.g., unauthorised sharing or capture of login identity and password). Proper credential management is essential.
  • managing remote access is important because most ransomware attacks are conducted remotely. As such, managing the privileges associated with remote access maintains the integrity of systems and data files and protects against malicious code insertion and data exfiltration. Using multi-factor authentication is a key – and easily implemented – way to reduce the likelihood of account compromise.
  • managing access permissions and authorisations, including incorporating the principles of least privilege and separation of duties. Ransomware attacks commonly occur by compromising user credentials or invoking processes that have unnecessary privileged access to systems.
  • having network segmentation or segregation where possible. That limits the scope of a ransomware attack by preventing malware from proliferating among potential target systems (e.g., moving into an operational technology or control system from a business information technology network).
  • separating the IT and OT networks and regularly validating their independence. This reduces the risk of OT systems being compromised and allows low-level critical operations to continue while business IT systems recover from a ransomware attack.
  • proofing identities and binding them to credentials (e.g., two-factor authentication of formally authorised individuals). Compromised credentials are a common attack vector in ransomware attacks.
  • having adequate capacity to ensure availability is maintained. Adequate availability of data reduces the impact of a ransomware attack. This includes the ability to maintain offsite and offline data backups, testing mean time to recovery, and system redundancy where necessary.
  • having protections against data leaks, because a feature of some ransomware attacks is double extortion – demanding payment both to restore data access and to not sell or publish the data elsewhere.
  • having integrity checking mechanisms to detect tampered software updates that can be used to insert malware that enables ransomware events.
  • keeping development and testing environments separate from production environments. This can prevent ransomware from propagating from development and testing systems into production systems.
  • implementing baselines so as to establish the set of functions a system needs to perform so that any deviation from that baseline could be evaluated for its cyber risk potential. Unauthorised changes to the configuration can be used as an indicator of a malicious attack, which may lead to the introduction of ransomware.
  • establishing proper configuration change processes helps to enforce timely security updates to software, maintain necessary security configuration settings, and discourage replacement of code with products that contain malware or do not satisfy access management policies.
  • having regular backups which are maintained and tested. Backups should be secured to ensure they cannot be corrupted by the ransomware or deleted by the attacker. The backups should be stored offline.
  • remote maintenance provides an access channel into networks and technology; if it is not managed properly, that channel could be used to alter configurations so as to permit the introduction of malware. Remote maintenance of all system components by the organisation or its providers must be validated to ensure that this process does not provide backdoor access to OT or IT networks.
  • having audit/log records assists in detecting unexpected behaviours and supports forensics, response and recovery processes.
  • maintaining the principle of least functionality prevents movement among potential target systems.
  • having multiple sources and sensors along with a Security Information and Event Management (SIEM) solution improves network visibility, assists in the early detection of ransomware and aids in understanding how ransomware may propagate through a network.
  • network monitoring may detect intrusions and initiate protective actions before malicious code can be inserted or large volumes of information are encrypted and exfiltrated. Malicious code is often not immediately executed, so there may be time between the insertion of malicious code and its activation in which to detect it before the ransomware attack is executed.
  • unauthorised people, connections, devices, and software are potential resources from which to launch a ransomware attack. Monitoring personnel activity may detect insider threats or insecure staff practices or compromised credentials and thwart potential ransomware events.
  • regular scans for vulnerabilities can allow an organisation to detect and mitigate most vulnerabilities before they are used to execute ransomware.
  • timely communication of anomalous events is necessary to take remedial action before a ransomware attack can be fully realised.
  • coordination with key internal and external stakeholders is important for priorities such as stemming the spread of misinformation and establishing preemptive messaging.
  • notifications from detection systems should be promptly and fully investigated, as these often indicate a ransomware attack in its early stages so that it can be preempted or so impacts can be mitigated.
  • having effective public relations, including communication about recovery activities, minimises the business impact by being open and transparent and restores confidence among stakeholders.

While the list may look long and daunting, much of it is grounded in long-standing, fundamental cyber security and privacy principles. In my experience most of the principles and practices set out above are part of any review or analysis (or recovery action) of an organisation’s systems.
