The National Cybersecurity Center of Excellence at NIST (NCCoE) has released two draft cybersecurity practice guides on ransomware and other destructive events. The first guide concerns identifying and protecting assets (SP 1800-25) and the second concerns detection and response to cyberattacks that compromise data integrity (SP 1800-26).
Each guide consists of three volumes: an executive summary; approach, architecture, and security characteristics; and how-to guides. They are intended for executives, chief information security officers, system administrators, and anyone else with a stake in protecting their organization's data, privacy, and overall operational security.
The first guide concerns the first two core functions of the NIST Cybersecurity Framework: Identify and Protect. Organizations need to take steps to protect their assets from ransomware, destructive malware, malicious insiders, and accidental data loss. In order to protect assets, organizations must first identify where they are located. Only then can the necessary steps be taken to secure those assets and protect against a destructive data event.
To develop the first guide, NCCoE explored different methods that can be used to identify and protect assets from different types of data integrity attacks in a range of environments. An example solution was built in the NCCoE lab from commercially available products to mitigate attacks before they occur. The example solution uses products that provide secure storage; create backups of data, VMs, and file systems; generate event logs; assist with asset inventory; and provide integrity checking mechanisms.
By using the guide, organizations can identify their assets, assess vulnerabilities, and baseline the integrity and activity of their systems before an attack. Backups can then be created and protected to preserve data integrity. The guide also helps organizations manage system health by assessing machine posture.
The second guide concerns the Detect and Respond core functions of the NIST Cybersecurity Framework. It details how organizations can monitor data integrity and respond to a security incident in real time. Fast action is necessary to contain a data integrity incident: it limits the damage caused and helps to ensure a quick recovery.
The guide covers event detection, vulnerability management, reporting capabilities, mitigation and containment, and provides detailed information on methods, tool sets to use, and strategies to adopt to aid the security team’s response to a data integrity event. The example solution consists of multiple systems working together to detect and respond to data corruption events in standard enterprise components such as mail servers, databases, endpoints, VMs, and file share servers.
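The two capabilities the guides describe in the abstract, baselining the integrity of a file tree before an attack (SP 1800-25) and detecting a data corruption event against that baseline afterwards (SP 1800-26), can be illustrated with a small integrity checker. The following is an added example written for this article, not code from NIST or the NCCoE lab build; the sample files, the simulated ransomware event, and the 50% mass-change alert threshold are all assumptions chosen for the demonstration.

```python
"""File-integrity baseline and drift detection (added illustration, not NCCoE code).

Identify/Protect: hash every file under a root and store the manifest somewhere the
host cannot alter it. Detect/Respond: rehash, diff against the manifest, and flag a
mass-change event. The mass-change threshold (50% by default) is an assumption
chosen for this example, not a value taken from SP 1800-25 or SP 1800-26.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash and size."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": p.stat().st_size,
            }
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Compare the live tree to a stored baseline: modified, deleted and added files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current
                           and current[k]["sha256"] != baseline[k]["sha256"]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def assess(diff: dict, baseline_count: int, threshold: float = 0.5) -> dict:
    """Mass-change heuristic: ransomware and wiper events rewrite or remove most of a
    tree in one window, whereas normal work touches a few files at a time."""
    changed = len(diff["modified"]) + len(diff["deleted"])
    ratio = changed / baseline_count if baseline_count else 0.0
    return {"changed_ratio": round(ratio, 3), "alert": ratio >= threshold}


def _seed(root: Path) -> None:
    # constructed sample data for the demonstration
    (root / "reports").mkdir()
    (root / "reports" / "q1.txt").write_text("Q1 revenue report")
    (root / "reports" / "q2.txt").write_text("Q2 revenue report")
    (root / "notes.txt").write_text("meeting notes")


def demo() -> dict:
    """Run a benign edit and a simulated destructive event against the same baseline."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _seed(root)
        # the stored manifest; in practice keep it read-only, signed, or off-host
        stored = json.dumps(build_baseline(root), sort_keys=True)
        count = len(json.loads(stored))

        # case 1: a user legitimately edits one document (should not alert)
        (root / "notes.txt").write_text("meeting notes, updated")
        diff = diff_baseline(root, json.loads(stored))
        results["benign"] = {"diff": diff, "verdict": assess(diff, count)}

        # case 2: simulated ransomware: contents overwritten, a file removed, a note dropped
        (root / "reports" / "q1.txt").write_bytes(os.urandom(64))
        (root / "reports" / "q2.txt").write_bytes(os.urandom(64))
        (root / "notes.txt").unlink()
        (root / "README_DECRYPT.txt").write_text("your files are encrypted")
        diff = diff_baseline(root, json.loads(stored))
        results["attack"] = {"diff": diff, "verdict": assess(diff, count)}
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: if the manifest sits writable on the same host, the attacker that corrupts the data can regenerate it, which is why the guides pair integrity checking with protected backups and off-host logging rather than treating the checker alone as a control.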
NCCoE is seeking feedback from industry stakeholders on the new publications until February 26, 2020.