In the continuing quest to battle ransomware in our networks, as well as other types of malware, just this month (Jan 2020) the National Institute of Standards and Technology (NIST) released a brand-new guide to assist in this battle. While still in the comment period, this new guide, NIST SPECIAL PUBLICATION 1800-26B, entitled “Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events”, is meant to be a practical guide for executives, CISOs, system administrators, or anyone else who has a stake in protecting an organization's data, privacy, and overall network security.
A copy of this document can be found here:
This project is a collaboration between NIST and several commercial Technology Partners / Collaborators. The goal was to produce a reference design and then show possible implementations using commercially available technologies to develop example solutions that organizations could follow to improve their security controls.
Quoting directly from the project summary:
“This project focuses on detailed methods and potential toolsets that can detect, mitigate, and contain data integrity events in the components of an enterprise network. It also identifies tools and strategies to aid in a security team's response to such an event.”
The project identifies the following list of capabilities that need to exist in today's modern networks to effectively defend against ransomware and other modern threats:
Integrity Monitoring provides capabilities for comparing current system states against established baselines.
Event Detection provides capabilities for detecting ongoing events and can be composed of intrusion detection, malware detection, user anomaly detection, and others, depending on the established threat model of the organization.
Logging records and stores all the log files produced by components within the enterprise.
Forensics/Analytics provides the capability to probe/analyze logs and machines within the enterprise to learn from data integrity (DI) events.
Mitigation and Containment allows responding to DI events by containing and limiting the threat’s ability to affect the system.
Reporting provides the capability to report on all activities within the enterprise and within the reference architecture for analysis by a security team.
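To make the Integrity Monitoring, Logging and Reporting capabilities above concrete, here is an added example (written for this post, not code from NIST or any of the project's technology partners) of a minimal file-integrity monitor: it records a hash-and-size baseline of a directory tree, compares the current state against that baseline, escalates when a large share of baselined files changes in a single pass or new files appear with extensions typical of encrypted output, and emits a timestamped report a security team could feed into a SIEM. The suffix list, the 50% change-ratio threshold and the scenario in demo() are constructed assumptions for illustration.

```python
"""Minimal file-integrity monitor: baseline, compare, assess, report."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 65536


def sha256_file(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record hash and size of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def compare_to_baseline(root, baseline):
    """Return sorted lists of paths modified, added or removed since the baseline."""
    current = build_baseline(root)
    findings = {"modified": [], "added": [], "removed": []}
    for rel, meta in baseline.items():
        if rel not in current:
            findings["removed"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            findings["modified"].append(rel)
    findings["added"] = [rel for rel in current if rel not in baseline]
    for key in findings:
        findings[key].sort()
    return findings


def assess(findings, baseline, change_ratio=0.5,
           suspicious_suffixes=(".locked", ".encrypted", ".crypt")):
    """Heuristic severity: routine drift is 'low'; mass change or suspicious new
    extensions (assumed values, tune per environment) are escalated to 'high'."""
    total = max(len(baseline), 1)
    changed = len(findings["modified"]) + len(findings["removed"])
    reasons = []
    if changed / total >= change_ratio:
        reasons.append(f"{changed}/{total} baselined files modified or removed in one pass")
    odd = [p for p in findings["added"] if p.lower().endswith(suspicious_suffixes)]
    if odd:
        reasons.append(f"{len(odd)} new file(s) with suspicious extensions")
    if reasons:
        severity = "high"
    elif any(findings.values()):
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "reasons": reasons}


def report(findings, assessment):
    """Timestamped, JSON-serialisable record suitable for shipping to a log collector."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "summary": {key: len(paths) for key, paths in findings.items()},
        "findings": findings,
        **assessment,
    }


def demo():
    """Constructed scenario: baseline three documents, then alter one, delete one,
    and drop a new file with a suspicious extension, as a destructive event would."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for name in ("a.txt", "b.txt", "c.txt"):
            with open(os.path.join(docs, name), "w") as fh:
                fh.write(f"original contents of {name}\n")
        baseline = build_baseline(root)
        # Constructed change set standing in for what an incident leaves behind.
        with open(os.path.join(docs, "a.txt"), "wb") as fh:
            fh.write(os.urandom(64))
        os.remove(os.path.join(docs, "b.txt"))
        with open(os.path.join(docs, "b.txt.locked"), "wb") as fh:
            fh.write(os.urandom(64))
        findings = compare_to_baseline(root, baseline)
        return report(findings, assess(findings, baseline))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In production the baseline itself must be stored where the monitored hosts cannot alter it (a read-only share or a separate logging tier), otherwise an attacker who can rewrite files can also rewrite the baseline; that separation is the point of the Logging capability being listed alongside Integrity Monitoring.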
The publication is quite comprehensive. It currently contains three sections, starting with section A, a five-page executive summary. This is followed by section B, a 60-plus-page section discussing the architecture, how it maps to the NIST standards, and some potential commercial products that could be used to implement the framework. This section has many appendices and tables, so the bulk of what you want to read is probably in the first 20 pages or so, unless you need to find something in one of the reference tables.
The last section, section C, is a 450-plus-page set of “How-to guides” provided by the various vendors, with at least some basic initial information about using their tools to implement the example solutions in the document.
Even if you are not quite ready to pioneer the implementation of these solutions on your own, a read-through of section B will help you better understand the components and functions needed to address this continuously emerging threat. With that understanding, you can better begin to map out your particular roadmap to improve your network's ability to handle these types of attacks.