NIST just released a new draft of the NISTIR 8374, called the “Cybersecurity Framework Profile for Ransomware Risk Management” framework. This revision includes comments incorporated from a review of the preliminary draft in June 2021. Any member of the public who wishes to make comments on this draft may do so by October 8, 2021. The draft NIST document can be downloaded at this link: https://csrc.nist.gov/publications/detail/nistir/8374/draft
The following information is from this new NIST document:
The Ransomware Profile maps security objectives from the Cybersecurity Framework to security capabilities and measures that support preventing, responding to, and recovering from ransomware events. The profile can be used as a guide to manage the risk of ransomware events. That includes helping to gauge an organization's level of readiness to mitigate ransomware threats and react to the potential impact of events. The profile can also be used to identify opportunities for improving cybersecurity to help thwart ransomware.
Organizations can follow recommended steps to prepare for and reduce the impact of successful ransomware attacks. This includes identifying and protecting critical data, systems, and devices, detecting ransomware events as early as possible (preferably before the ransomware is deployed) and preparing for responses to and recovery from any ransomware events that do occur.
Some basic preventative steps that an organization can take now to help prevent ransomware threat include:
- Always use antivirus software. Set your software to automatically scan emails and flash drives.
- Keep computers fully patched. Run scheduled checks to identify available patches, and install these as soon as feasible.
- Segment networks. Segment internal networks to prevent malware from proliferating among potential target systems.
- Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack.
- Block access to potentially malicious web resources. Use products or services that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity.
- Allow only authorized apps. Configure operating systems and/or third-party software to run only authorized applications. Establish processes for reviewing, then adding or removing authorized applications on an allowlist.
- Use standard user accounts versus accounts with administrative privileges whenever possible.
- Restrict personally owned devices on work networks.
- Avoid using personal apps like email, chat, and social media from work computers.
- Educate employees about social engineering. Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
- Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has the appropriate access only.
Steps that organizations can take now to help recover from a future ransomware event include:
- Create an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan. The plan should identify business-critical services to enable recovery prioritization, and business continuity plans for those critical services.
- Backup data, secure backups, and test restoration. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data.
- Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.
The five NIST CSF Functions are used to organize the categories within this framework:
- Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
This new document was released on the heels of a series of ransomware attacks against agricultural co-ops, including NEW Cooperative, which received a ransom demand of $5.9 million from cybercriminal group BlackMatter, and Crystal Valley.
For more information on how to use the NIST Cybersecurity Framework to prevent and recover from ransomware in OT environments, check out this blog post: https://www.industrialdefender.com/using-nist-csf-prevent-recover-from-ransomware/