NIST recommends complementary solutions, much like a team of security superheroes
To succeed in protecting your company’s data against ransomware, you need to proceed as if you’re assembling a team of superheroes. Each team member has a singular power that individually appears limited. But together, they can conquer evil.
As the number of cyberattacks continues to soar, and attackers’ tactics become more sophisticated and innovative, companies are understandably feeling outmatched in this battle. Every week, more examples of security breaches make global headlines, turning brands like SolarWinds into household names—for the wrong reasons.
The financial toll of these breaches is staggering. The Ponemon Institute reports that one out of every four organizations will experience a data breach in the next year and that the average cost of these breaches is $3.92M—each. In addition, it takes 206 days on average to identify a breach and 73 days to contain it.
The onslaught of cyberattack reports is daunting, but resources are available to help companies systematically address threats.
About NIST’s Data Integrity Practice Guides SP 1800-25 and SP 1800-26
A set of practice guides released from the National Institute of Standards and Technology (NIST) highlights the effectiveness of using complementary technologies to address threats—in other words, using a team of superheroes to help you fight the enemy. These guides address identifying and protecting assets against ransomware and detecting and responding to cyberattacks:
To demonstrate an example solution that would help companies protect their business-critical data assets from ransomware—only one form of potential data integrity attacks—NIST assembled capabilities from a handful of security vendors, including Cisco, Symantec, and Semperis.
Here are a few examples of how the NIST project brings together vendor expertise to address different aspects of detecting and responding to ransomware threats (one of the two practice guide focus areas). Tripwire and Semperis provide integrity monitoring. Cisco, Glasswall, and Semperis contribute event detection, including the ability to monitor for user anomalies, scan email attachments for file deviations, and either statically or dynamically detect malicious software. Micro Focus and Tripwire contribute logging capabilities. Cisco, Symantec, and Micro Focus provide forensics and analytics on—for example—the effects of malware, network traffic, and anomalies in enterprise activity.
In other words, bringing these vendors together is like assembling the Avengers.
Super-powers in hand, NIST embarked on an ambitious mission to guide organizations in practical methods of protecting data integrity from ransomware.
NIST example use case: Malicious email attachments
To illustrate how NIST brought relevant solutions together to address ransomware, let’s delve into an example from one of the practice guides: detecting and responding to ransomware. One scenario NIST identifies is “backdoor creation via email vector.” In this scenario a user opens a malicious attachment to an email (not uncommon), and the attachment then fetches files from an external web server. These files then create accounts on the authentication server. The resolution to this problem as defined in the NIST practice guide includes a combination of activities:
- Logging and reporting (so the security team can take action on alerts)
- Event detection at two points in time—before the attachment reaches the user’s inbox and after it downloads to the system
- Mitigation and containment
- Forensics and analytics, defined in this use case as the ability to view network traffic as the attachment is fetching malicious files from the web server
For this use case, several vendors (including Semperis) had roles in integrity monitoring, including providing file hashes and integrity checks for files and software, integrity monitoring for data, and integrity monitoring for Active Directory.
NIST warns: beware the “sensitive nature of AD”
In describing the resolution to this use case, the guide points out the importance of tracking Active Directory changes as part of integrity monitoring—and not in a way that relies on a single source of information, but multiple aspects of AD.
Citing the “sensitive nature of AD,” the NIST guide recommends tracking both the malicious download and the changes it made to the account structure. This multi-faceted approach captures any change to permissions or privileged credentials, as well as any change that hackers try to hide by circumventing security auditing.
The NIST example solution provides, according to the report, “several layers of defense” against various use cases of ransomware.
Key take-away from the NIST project: You need a collection of approaches and solutions that each address a different aspect of the security shield. No single product excels at delivering every piece of the security puzzle. But with a full understanding of how these pieces fit together, you can help guard your company’s data from malicious attacks.
Testing your security shield
Much as Loki constantly tests the collective Avengers, you need to test your defense against ransomware attacks to your organization’s data integrity.
But many companies fail to follow through on testing plans. In a Semperis survey of IT security pros, IAM leaders, and C-level executives, many respondents said that “they have an AD cyber disaster recovery plan but have never tested it.”
Don’t let that happen to you. The NIST example solution gives practical guidance about common scenarios and the capabilities you need to address ransomware threat. You can use the how-to pieces of the NIST guide to replicate the practice solution and test it in your own environment.
And while NIST doesn’t explicitly endorse the products used in the build, the guide does show how the researchers pulled the solutions together to form a cohesive defense against the example ransomware use cases. The NIST researchers recommend using the guide as a launchpad for formulating a plan that works for your environment, assembled from a suite of products that meet your organization’s needs.
Have you been putting off conducting a thorough test of your ransomware defenses? That lack of preparedness is not going to get you through the kind of epic battle faced by the companies that have been the victims of ransomware.
Like Thor, you need to assemble a team of superheroes to save your company from the onslaught of cyber-criminals.