NIST’s Ransomware Guidelines Look A Lot Like Cyber Resilience
When the Institute for Security & Technology’s Ransomware Task Force published its report on combatting ransomware this spring, the Colonial Pipeline, JBS meatpacking and Kaseya VSA attacks were still around the corner.
Nevertheless, the report took the danger presented by ransomware to both businesses and global security for granted. Already in 2020, according to the report:
- 2,4000 governmental agencies, healthcare facilities and schools had been hit with ransomware
- $350 million had been paid out ransomware actors, a 311% increase over 2019
- It was taking 287 days on average for a business to fully recover from a ransomware attack
Even given what we now know – that 2021 would feature some momentous ransomware attacks against physical and IT infrastructure – the report’s expert authors recognized the threat was dire. That led to them devising a “comprehensive framework for action, ”policy recommendations, in other words, for tackling the threat.
“The immediate physical and business risks posed by ransomware are compounded by the broader societal impact of the billions of dollars steered into criminal enterprises, funds that may be used for the proliferation of weapons of mass destruction, human trafficking, and other virulent global criminal activity.”
-Ransomware Task Force, IST
While many of these would fall to law enforcement, U.S. and international governments to enact, the report makes for fascinating reading for anyone interested in ransomware. It also provides a number of helpful tips businesses of all sizes can enact to protect themselves against ransomware.
A key recommendation throughout is that business’ anti-ransomware policies “should be consistent with existing cybersecurity frameworks,” like those released by NIST, “but specific to ransomware.”
Luckily, it wouldn’t be long before NIST would publish its ransomware-specific recommendations for businesses. It just so happens, their recommendations look a lot like our cyber resilience framework.
Meeting NIST Benchmarks
Earlier this summer, NIST released updated tips and tactics for dealing with ransomware.
The recommendations are split between actions users can take avoid infection and those businesses can take to quickly recover in case their compromised. This dual-focus approach to prevention and recovery aligns neatly with cyber resilience best practices (and similar thinking influenced our product roadmap).
On the preventative side, NIST advises:
- Using antivirus software at all times
- Keeping computers fully patched with security updates
- Using security products or services that block access to known ransomware sites on the internet
- Configuring operating systems or using software allowing only authorized applications to run
- Restricting or prohibiting the use of personal devices for work
It’s worth noting that blocking access to known ransomware sites is a recommendation that can be accomplished with network-level security. When paired with the strong recommendation to use antivirus software at all times, NIST’s recommended prevention measures already cover two key areas of focus in a cyber resilience strategy: endpoint security and network protection.
On the recovery side, NIST urges the following:
- Develop and implement an incident recovery plan with defined roles and strategies
- Carefully plan, implement and test a data backup and restoration strategy
- Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement
Another core aspect of cyber resilience is the ability to recover data and return to business in the event of an attack. While natural disasters and unplanned outages were once the focus of these contingency plans, ransomware’s current popularity is another reason to ensure backup and recovery are accounted for.
NIST notes the importance of making sure backups are isolated from one another to prevent infections from spreading between them. For more information on configuring backups and meeting NIST’s other backup guidelines, check out our guide to disaster preparation, recovery and remediation.
Don’t Overlook Security Awareness Training
One aspect of ransomware prevention not mentioned by NIST is the importance of security awareness training. The RTF report cites a lack of understanding among business leaders as a contributing factor to its success and recommends increasing knowledge of the problem as a recommended objective.
But, perhaps because it’s seen primarily as a phishing-related problem as opposed to a ransomware-related one, NIST’s tips do not mention user education. We recommend this be added as a key component of a comprehensive ransomware protection plan – or any cyber resilience strategy, for that matter.
In a report by insurance firm Hiscox, phishing was by far the number one method of infiltration in ransomware attacks. Our data show that regular, ongoing training can help cut phishing by up to 72%. To tackle the root cause of ransomware infections, security awareness training should be considered an essential element of a cyber resilience strategy.