Ransomware Risk Management: A Cybersecurity Framework Profile
The San Francisco 49ers confirmed a ransomware attack, Cisco was attacked by the Yanluowang ransomware gang, and Entrust was attacked by LockBit. And that’s just a handful of the ransomware incidents reported in 2022.
On the surface, ransomware is relatively easy for any criminal to perpetrate. However, those who develop this malicious software are part of established businesses, complete with traditional hierarchies and corporate structures, selling their product under the moniker of Ransomware-as-a-Service (RaaS).
The chart below, from Outpost24, shows the countries most targeted by ransomware in 2022. “From the 101 different countries that registered victims, 42% of them are from the United States alone, while around 28% come from European countries.”
Enter NIST Ransomware Risk Management: NIST IR 8374
To bring some form and function to this endless fight against ransomware, the National Institute of Standards and Technology (NIST) has provided an immensely helpful document in NIST IR 8374.
The NIST Ransomware Risk Management guide provides best practices and strategies for preventing and mitigating ransomware events. As part of the NIST Cybersecurity Framework (CSF), it focuses on organizational behaviors and practices that reduce the impact of ransomware attacks, as well as reducing the likelihood of a successful attack.
The five CSF groups used to categorize the profile are:
- Identify: Establish the context of the organization’s ransomware risk management effort and identify the assets that require protection.
- Protect: Implement safeguards to prevent unauthorized access to assets and information.
- Detect: Develop and implement the capability to detect the occurrence of ransomware attacks.
- Respond: Develop and implement the capability to respond to ransomware events in a timely and effective manner.
- Recover: Develop and implement the capability to restore normal operations after a ransomware event.
The Key Components of NIST IR 8374 are:
A. Incident Response Planning.
B. Backup and Recovery Strategies.
C. User Awareness and Education.
D. Vulnerability Management.
E. Configuration Management.
F. System and Application Security.
G. Malware Detection and Analysis.
Taming the Text
The document is concisely organized, spanning fewer than 30 pages; still, I’ve provided the overview table below, with the formal grouping on the left and relevant accompanying tasks for each component on the right.
| Group | Specific activities |
| --- | --- |
| Identify: Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM); Supply Chain Risk Management (ID.SC) | Inventory all resources. Document how the information flows. Identify external resource connections. Identify critical assets. Establish cybersecurity policies that denote responsibilities. |
| Protect: Identity Management, Authentication and Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes and Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT) | Manage access to all resources. Manage device vulnerabilities. Employee education. Secure corporate devices. Protect sensitive data. Regularly perform and test backups. |
| Detect: Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP) | Test update processes. Staff education. Establish a baseline for data flows to detect anomalous activity. Timely communication of events of interest. |
| Respond: Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM) | Implement and test the Incident Response plan. Include all stakeholders – internal and external – for appropriate communiques. |
| Recover: Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO) | Make, test, and update the Disaster Recovery Plan (DRP). Communicate the plan to all stakeholders. Watch your public relations. |
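The Detect row’s task of establishing a baseline for data flows and alerting on deviations is easy to state and less obvious to build. The following Python script is an added example, not part of the article or of NIST IR 8374, showing one way to do it: it learns each host’s normal daily outbound volume and set of destinations from a baseline period, then flags a host that suddenly pushes far more data to a file server (the flow-level footprint of shares being mass-rewritten), a host that contacts a destination never seen before, and a host with no baseline at all. The record format, host names, byte counts and the 3-sigma threshold are all constructed assumptions for the demonstration.

```python
import re
import statistics
from collections import defaultdict

# Constructed flow-log format (an assumption for this example, not any product's real format):
# one record per line, e.g. "day=1 src=ws-01 dst=fileserver proto=smb bytes=10000".
FLOW_RE = re.compile(r"day=(\d+) src=(\S+) dst=(\S+) proto=(\S+) bytes=(\d+)")

# Constructed baseline period: five days of ordinary workstation traffic.
BASELINE_LINES = [
    "day=1 src=ws-01 dst=fileserver proto=smb bytes=10000",
    "day=2 src=ws-01 dst=fileserver proto=smb bytes=12000",
    "day=3 src=ws-01 dst=fileserver proto=smb bytes=11000",
    "day=4 src=ws-01 dst=fileserver proto=smb bytes=9000",
    "day=5 src=ws-01 dst=fileserver proto=smb bytes=13000",
    "day=1 src=ws-02 dst=fileserver proto=smb bytes=7000",
    "day=1 src=ws-02 dst=mail proto=imaps bytes=1000",
    "day=2 src=ws-02 dst=fileserver proto=smb bytes=8000",
    "day=3 src=ws-02 dst=fileserver proto=smb bytes=8000",
    "day=4 src=ws-02 dst=fileserver proto=smb bytes=8000",
    "day=5 src=ws-02 dst=fileserver proto=smb bytes=8000",
]

# Constructed observation day: ws-01 writes far more to the file server than usual, ws-02
# talks to a destination absent from its baseline, ws-03 was never baselined, and one
# line is malformed to show that the parser skips it.
OBSERVED_LINES = [
    "day=6 src=ws-01 dst=fileserver proto=smb bytes=400000",
    "day=6 src=ws-02 dst=fileserver proto=smb bytes=7500",
    "day=6 src=ws-02 dst=203.0.113.7 proto=https bytes=500",
    "day=6 src=ws-03 dst=fileserver proto=smb bytes=500",
    "garbage line that does not parse",
]


def parse_flow(line):
    """Return a dict for a well-formed record, or None for lines that do not match."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    day, src, dst, proto, nbytes = m.groups()
    return {"day": int(day), "src": src, "dst": dst, "proto": proto, "bytes": int(nbytes)}


def build_baseline(lines):
    """Per source host: mean and spread of daily outbound bytes, plus the set of
    destinations seen during the baseline period."""
    per_day = defaultdict(lambda: defaultdict(int))  # src -> day -> bytes
    dests = defaultdict(set)                         # src -> {dst}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        per_day[rec["src"]][rec["day"]] += rec["bytes"]
        dests[rec["src"]].add(rec["dst"])
    baseline = {}
    for src, days in per_day.items():
        totals = list(days.values())
        mean = statistics.fmean(totals)
        # A perfectly flat baseline would give stdev 0 and flag any increase at all,
        # so floor the spread at 10% of the mean.
        stdev = max(statistics.pstdev(totals), 0.1 * mean)
        baseline[src] = {"mean": mean, "stdev": stdev, "dests": dests[src]}
    return baseline


def detect_anomalies(baseline, lines, k=3.0):
    """Alert when a host's daily volume exceeds mean + k*stdev, when it contacts a
    destination absent from its baseline, or when it has no baseline at all."""
    totals = defaultdict(int)
    new_dests = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src = rec["src"]
        totals[src] += rec["bytes"]
        if src in baseline and rec["dst"] not in baseline[src]["dests"]:
            new_dests[src].add(rec["dst"])
    alerts = []
    for src, total in totals.items():
        if src not in baseline:
            alerts.append((src, "no baseline for host"))
            continue
        b = baseline[src]
        threshold = b["mean"] + k * b["stdev"]
        if total > threshold:
            alerts.append((src, f"volume {total} exceeds baseline threshold {threshold:.0f}"))
        for dst in sorted(new_dests[src]):
            alerts.append((src, f"new destination {dst}"))
    return alerts


def run_demo():
    """Run the constructed observation day against the constructed baseline."""
    return detect_anomalies(build_baseline(BASELINE_LINES), OBSERVED_LINES)


if __name__ == "__main__":
    for host, reason in run_demo():
        print(f"ALERT {host}: {reason}")
```

The same structure carries over to real flow exports or proxy logs: only `FLOW_RE` and the field names change. The baseline should be rebuilt on a schedule and reviewed, since a host that was already compromised during the learning window would have its abnormal traffic baked into "normal".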
Implementation
Here are several steps to help with implementing NIST IR 8374.
1. Preparation: Establish the context of the ransomware risk management effort, including identifying key stakeholders, and the assets that require protection.
2. Risk Assessment: Conduct a risk assessment to identify the organization’s current level of ransomware risk, and to prioritize the areas that require attention. This step includes identifying potential threats, vulnerabilities, and impacts, as well as developing a risk mitigation plan.
3. Incident Response Planning: Develop and implement a comprehensive Incident Response plan that includes handling ransomware attacks. Include the roles and responsibilities of key stakeholders and backup and recovery strategies to minimize the impact of any successful attack.
4. User Awareness and Education: Implement a user awareness and education program for employees and other stakeholders on the risks associated with ransomware, and best practices for avoiding attacks.
5. Vulnerability Management: Implement a vulnerability management program to identify, assess, and prioritize vulnerabilities in the organization’s IT infrastructure, and to implement appropriate controls that reduce the risk of a successful attack. This step should include regular vulnerability scans, penetration testing, and the implementation of software patches and updates.
6. Configuration Management: Implement a configuration management program to ensure that systems and applications are configured securely and consistently. This step may include deploying security configuration management tools, and the development of security baselines and standards.
7. Malware Detection and Analysis: Implement antimalware to not only identify the presence of malware, but to also respond quickly and efficiently to malware incidents. This step may include the implementation of anti-virus software, intrusion detection systems, and malware analysis tools.
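Step 3 calls for backup and recovery strategies, and the Protect row of the table asks that backups be regularly performed and tested; a backup that was silently encrypted or emptied before anyone tried to restore from it is worth nothing in a ransomware event. The Python script below is an added example, not the article’s or NIST’s own tooling, of one such test: it records a SHA-256 manifest of a source tree at backup time, later compares a backup copy against that manifest, and reports files that were modified, removed or added. A modified file whose bytes now look random (high Shannon entropy) is additionally flagged, since that is what an encrypted file looks like. The directory layout, file contents and the 7.5 bits-per-byte entropy limit are constructed assumptions for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/'-separated) to its SHA-256.
    Taken at backup time and stored apart from the backup itself."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_backup(manifest, backup_root, entropy_limit=7.5):
    """Compare a backup copy against the manifest taken when it was made."""
    backup_root = Path(backup_root)
    current = build_manifest(backup_root)
    report = {"ok": [], "modified": [], "missing": [], "extra": [], "high_entropy": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != expected:
            report["modified"].append(rel)
            # A changed file whose bytes now look random is the signature of encryption,
            # which is what a ransomware-tampered backup would show.
            if shannon_entropy((backup_root / rel).read_bytes()) > entropy_limit:
                report["high_entropy"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = [rel for rel in current if rel not in manifest]
    return report


def demo():
    """Constructed scenario: take a manifest of a small source tree, then check a backup
    copy in which one file was overwritten with random bytes, one was deleted and one
    was added after the manifest was recorded."""
    files = {
        "config/app.ini": b"[db]\nhost=localhost\n",
        "docs/report.txt": b"quarterly figures\n" * 50,
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for base in (src, dst):
            for rel, content in files.items():
                target = Path(base) / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(content)
        manifest = build_manifest(src)
        # Simulated damage to the backup copy only; the source tree is untouched.
        (Path(dst) / "docs/report.txt").write_bytes(os.urandom(4096))
        (Path(dst) / "config/app.ini").unlink()
        (Path(dst) / "docs/new.txt").write_bytes(b"not in the manifest\n")
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:13s} {paths}")
```

In practice the manifest must live somewhere the backup job and the production hosts cannot overwrite (offline media or an append-only bucket), otherwise an intruder who reaches the backups can regenerate it to match. Running the check after every backup, and actually restoring a sample of files from it, is the "test backups" part of the task.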
Roles and Responsibilities of Key Stakeholders
Roles and responsibilities play a major part in NIST IR 8374. Strengthening individual responsibility and the ties between departments is essential.
Some common roles and responsibilities to consider in securing against and preparing for ransomware are (NOTE: the role played is more important than the title – ransomware is an equal opportunity threat):
1. Chief Information Security Officer (CISO): The CISO will work closely with other stakeholders to develop and implement policies, procedures, and controls to manage the risk of ransomware attacks.
2. Information Technology (IT) Department: The IT department will implement technical controls and manage the organization’s IT infrastructure, including malware detection and analysis tools, and the configuration of systems and applications.
3. Business Unit Managers: Business unit managers should ensure that their employees and stakeholders are aware of the risks associated with ransomware, and take the appropriate steps to reduce their risk of attack. Managers may also be involved in the development of incident response plans, and they can also prioritize the data that they require to operate, in order to help refine backup and recovery strategies.
Moving Forward
Taking action can be complicated and time-consuming, and organizational-wide changes can make it more so. Taking the NIST Ransomware Risk Management guide to heart can make the way forward a lot easier by providing a solid framework for any organization. There’s enough detail in the guide to provide a solid outline, and resources for action, while at the same time providing plenty of leeway for companies to personalize the guidance.
The profile and the ensuing resources, commitment, and planning, can help organizations significantly reduce their risk of ransomware events, and enhance their overall cybersecurity posture.
About the Author:
Ross Moore is the Cyber Security Support Analyst with Passageways. He was Co-lead on SOC 2 Type 1 implementation and Lead on SOC 2 Type 2 implementation, facilitated the company’s BCP/DR TTX, and is a HIPAA Security Officer. Over the course of his 20 year IT career, Ross has served in a variety of operations and infosec roles for companies in the manufacturing, healthcare, real estate, business insurance, and technology sectors. He holds (ISC)2’s SSCP and CompTIA’s Security + certifications, a B.S. in Cyber Security and Information Assurance from WGU, and a B.A. in Bible/Counseling from Johnson University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.