As IT professionals, when we hear ransomware and cybersecurity, we may get shivers down our spine. Why? We know that ransomware is real, it comes in various forms, and it keeps many of us up at night. We can all take practical steps to protect our environment, but what are we protecting? The DATA; it’s all about the data. Do you have an inventory of your data? This could include payroll data, proprietary trade secrets, and financials. See our blog about data classification here.
The National Institute of Standards and Technology (NIST) has created the NIST Cybersecurity Framework. The Framework is practical and time-tested business logic that can be adopted by organizations of all sizes.
Early this year (2020), NIST issued two special publications related to cybersecurity, and these documents specifically address ransomware. SP 1800-25 focuses on Identify and Detect, while SP 1800-26 focuses on Detect and Respond. https://csrc.nist.gov/publications/sp1800
While I understand that these types of documents are phenomenally dull to read, this one caught my attention because they provide actual documentation of their lab testing. The National Cybersecurity Center of Excellence (NCCoE) at NIST proposed a project that could help organizations identify and protect their assets from data integrity attacks across multiple industries.
Do you have existing technologies that provide the following capabilities?
- Policy enforcement
- Vulnerability management
- Secure storage
- Integrity monitoring
- Event detection
- Mitigation and containment
Let’s cut to the chase.
Scenario: Ransomware via Web Vector and Self-Propagation
A user mistakenly downloads ransomware from an external web server. When the user executes this malicious software, it generates a cryptographic key (digital lock), which is sent back to the external web server. The malware then utilizes a privilege escalation exploit (the hacker exploits a system flaw and gains access to resources that should be restricted) to propagate across the network. The malicious software encrypts files on the machines it propagated to, and it demands payment in exchange for decrypting these files.
In the NCCoE and NIST lab scenario, the ransomware was thwarted! Why? The lab environment had appropriate solutions installed that together provided a defense-in-depth strategy for this use case.
- The Blacklisting capability is used to prevent the user from reaching the malicious site that hosts the ransomware, preventing the download before it happens.
- The Vulnerability Management capability is used to detect the vulnerability exploited by the ransomware to propagate, allowing resolution before the attack occurs.
- The Network Protection capability is used to prevent the ransomware’s propagation by disallowing network traffic between computers on the network, through a traffic white-list policy.
- The Inventory capability is used to identify the enterprise’s assets for backup and monitoring.
- The Backups capability is used to take backups of potential ransomware targets before the attack hits, nullifying the effects of potential attacks on files.
- The Integrity Monitoring capability, in tandem with the Logging capability, is used to take a baseline of the file system, so that an attack on the file system is detected and the scope can be identified.
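As an added illustration of the baseline-and-compare step in that last bullet (written for this post, not code from the NIST practice guide or its lab), here is a small Python example that hashes a directory tree, re-hashes it later, and reports which files changed and how far the damage spread. The sample files and the "encryption" are constructed in a temporary directory so it runs offline.

```python
"""Baseline-and-compare file integrity check (added example, not from the NIST practice guide)."""
import hashlib
import os
import tempfile
from pathlib import Path


def take_baseline(root: Path) -> dict:
    """Walk `root` and record the SHA-256 of every regular file, keyed by relative path."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify each file as modified, added, or removed relative to the baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def scope(diff: dict) -> dict:
    """Summarise the blast radius: number of changed files and the directories they live in."""
    touched = diff["modified"] + diff["added"] + diff["removed"]
    dirs = sorted({os.path.dirname(p) or "." for p in touched})
    return {"files": len(touched), "directories": dirs}


def demo() -> dict:
    """Constructed scenario: baseline a small share, then simulate one directory being encrypted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "hr").mkdir()
        (root / "finance" / "q1.xlsx").write_bytes(b"quarterly numbers")
        (root / "finance" / "budget.docx").write_bytes(b"budget draft")
        (root / "hr" / "payroll.csv").write_bytes(b"name,salary")
        before = take_baseline(root)
        # Simulated impact (constructed, not real malware): contents overwritten, a note dropped.
        (root / "finance" / "q1.xlsx").write_bytes(b"\x00ciphertext\x00")
        (root / "finance" / "budget.docx").write_bytes(b"\x00ciphertext\x00")
        (root / "finance" / "README_RESTORE.txt").write_bytes(b"pay to decrypt")
        diff = compare(before, take_baseline(root))
        return {"diff": diff, "scope": scope(diff)}


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host (or in the logging platform) so the attacker cannot alter it along with the files.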
How prepared are you? Reach out to Peters & Associates at firstname.lastname@example.org to discuss appropriate products and mitigation strategies for your environment. We are happy to help!