NIST Drafts Guidelines for Coping With RansomwareLessons Learned from WannaCry and Other Attacks
The National Institute of Standards and Technology has unveiled a pair of draft practice guidelines that offer updated advice and best practices on how to protect the confidentiality, integrity and availability of data in light of increasing threats from ransomware and other large-scale cyber events.
The guidelines offer recommendations for enterprises to contain a ransomware attack or mitigate the impact. For example, they offer details on how to implement backups tied to secure storage capabilities, use network protection and inventory assessments, and create policies to help ensure endpoints are safeguarded.
The draft practice guidelines, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events, were developed by NIST’s National Cybersecurity Center of Excellence.
NIST will accept comments on the draft advice until Feb. 26, and then will issue final guidance later this year.
In drafting the guidance, NIST researchers looked at events such as the WannaCry attacks of 2017 and other recent ransomware incidents and attempted to draw lessons for how organizations can either better protect their data from attackers or recover faster in the wake a significant security event.
While NIST has previously developed ransomware-related guidance, the new drafts look at the entire lifecycle of a data integrity attack, says Michael Ekstrom, the data security task lead for the nonprofit research organization MITRE Corp. of McLean, Virginia.
"We are more interested in ransomware that models behavior that we saw in the WannaCry attacks, where ransomware can exploit a vulnerability and propagate across a network," Ekstrom, who helped work on the documents, tells Information Security Media Group. "So you are not just looking at a single machine where you have damaged files that you need to remediate but the bigger picture and larger threat space that exists.
And while other federal agencies, such as the FBI, have issued warnings about ransomware, NIST is the position to offer technical assistance and guidance for organizations.
Changing Nature of Ransomware
One significant reason why NIST created these practice guidelines now is that the nature of ransomware has changed over the last two years, Ekstrom says.
"You now have ransomware moving around the system and interacting with applications such as [Microsoft's] Active Directory and encrypting backups, so we wanted to give a more realistic view of what enterprises should keep in mind," he says.
In its draft guidance, NIST is attempting to address current issues, including how to implement vulnerability management, as well as network protection and awareness, throughout the entire IT infrastructure.
"The threat of ransomware is not just a single incident of a computer with a virus running on it, but it requires a look at the entire network and the entire enterprise and understanding what that threat represents," Ekstrom says.
Each practice guideline offers ways organizations can address issues of ransomware.
The document “Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events” offers a guide for organizations to better identify and protect their IT assets from data integrity attacks, including ransomware.
The draft also includes a reference design that acts a technical blueprint for action items, plus a guide to commercially available technologies that can help create stronger security controls within a network.
The proposed guidance offers a “how to” guide to implementing best practices. For example, it includes tips on vulnerability management and using backups to protect data.
The second draft, “Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events,” offers advice on improving the detection and mitigation of ransomware and other security issues within their infrastructure. It also delves into how integrity monitoring, event detection, vulnerability management, reporting capabilities and mitigation and containment can be implemented to improve network defenses.
Much like the NIST Cybersecurity Framework, these guidelines offers best practices that organizations can pick and choose based on their own network architectures, says Jennifer Cawthra, the National Cybersecurity Center of Excellence lead for data security and healthcare.
"We put together a reference architecture to demonstrate that you can solve a cybersecurity challenge," Cawthra tells ISMG. "Now this is not the only way to solve a problem; it's just an example. The idea is that if we can demonstrate that it's possible, then the readers of our documents can pick and choose what parts can fit into their architecture. It's not a standard and it's not the only solution, it's just an example."
The draft guidelines from NIST come at a time when ransomware attacks are increasingly destructive and costing businesses and other organizations even more money - whether it's paying the attackers or rebuilding the infrastructure.
In January, incident response firm Coveware published a report showing ransoms paid after ransomware attacks were much higher in the fourth quarter of 2019, compared with the previous quarter. The report shows that attackers using Ryuk and Sodinokibi ransomware strains were increasingly "focusing their attacks on large companies where they can attempt to extort the organization for a seven-figure payout" (see: Ryuk and Sodinokibi Surge as Ransom Payments Double).
In December, security firm Emsisoft reported that over 960 government agencies, educational institutions and healthcare providers sustained ransomware attacks in 2019.
In December, the city of New Orleans was hit with a ransomware attack that may likely caused more than $3 million in damages (see: New Orleans' Mission: Clean 4,000 Computers in 48 Hours).