The National Institute of Standards and Technology is seeking input on three draft guidance documents published in the past week. Two of the drafts address ransomware attacks, and the third addresses protecting against cyber-attacks in the supply chain.

On Jan. 27, NIST’s National Cybersecurity Center of Excellence (NCCoE) released Special Publication 1800-25, which addresses “Identifying and Protecting Assets Against Ransomware and Other Destructive Events,” and Special Publication 1800-26, which addresses “Detecting and Responding to Ransomware and Other Destructive Events.”

The NCCoE said the draft guides are intended to “benefit executives, chief information security officers, system administrators, or those who have a stake in protecting their organizations’ data, privacy, and overall operational security.” Both guides consist of three sections: an executive summary; a section on approach, architecture, and security characteristics; and how-to guides. They also both closely align with NIST Cybersecurity Framework version 1.1, published in April 2018.

The NCCoE said the goals of Special Publication 1800-25 are to help organizations:

  • Identify systems, users, data, applications, and entities on the network;
  • Identify vulnerabilities in enterprise components and clients;
  • Baseline the integrity and activity of enterprise systems, in preparation for an attack;
  • Create backups of enterprise data in advance of an attack;
  • Protect these backups and other potentially important data against alteration; and
  • Manage enterprise health by assessing machine posture.

Comparatively, the goals of Special Publication 1800-26 are to help organizations:

  • Detect malicious and suspicious activity generated on the network, by users, or from applications that could indicate a data integrity event;
  • Mitigate and contain the effects of events that can cause a loss of data integrity;
  • Monitor the integrity of the enterprise for detection of events and after-the-fact analysis;
  • Utilize logging and reporting features to speed response time to data integrity events;
  • Analyze data integrity events for the scope of their impact on the network, enterprise devices, and enterprise data; and
  • Analyze data integrity events to inform and improve the enterprise’s defenses against future attack.

“The new NIST ransomware framework is very valuable in providing an emphasis to organizations on the need for establishing and following basic and comprehensive security best practices across the enterprise,” says Stephen Boyce, principal consultant at The Crypsis Group. “Unfortunately, these best practices and defense-in-depth strategies are too often still not being followed.”

Boyce says one area not addressed by the ransomware guides is user awareness training. “Ransomware actors are dedicated to the success of their malicious activity: If one vector is unsuccessful, they will try another, and unfortunately, the human factor is often the Achilles’ Heel of the enterprise,” he says. “Users must be educated on phishing, spear-phishing, and social engineering tactics. If enterprises follow the entirety of the NIST CSF 1.1, plus the ransomware recommendations, it is a solid overall set of guidelines, but we recommend enterprises ensure ample focus on user education.”

The comment period for Special Publication 1800-25 and Special Publication 1800-26 closes Feb. 26, with final guidance to follow later this year.

Cyber Supply Chain Risk Management

A third draft guidance document, issued by NIST on Feb. 4, addresses how to reduce cyber-security risk in global supply chains. The draft guide, “Key Practices in Cyber Supply Chain Risk Management,” cross-references NIST’s 2018 Cybersecurity Framework so that organizations can use both documents together, said NIST’s Jon Boyens, co-author of the draft report.

NIST authors based the guide on an analysis of interviews with companies in 2015 and 2019. It includes a high-level summary of the following key practices deemed by subject-matter experts to be foundational to any effective cyber supply-chain risk management program:

  • Establish a formal program;
  • Know and manage your critical suppliers;
  • Understand your supply chain;
  • Closely collaborate with your key suppliers to improve their cyber-security practices;
  • Include key suppliers in your resilience and improvement activities;
  • Assess and monitor throughout the supplier relationship; and
  • Plan for the full lifecycle.

Each practice further includes several recommendations on how to implement it from a people, process, and technology standpoint. Acknowledging that companies in different economic sectors might manage supply-chain risk differently, the authors have additionally developed a set of 24 case studies in risk management that feature a variety of industries, ranging from aerospace and IT manufacturers to consumer goods companies.

“Many companies share the same suppliers, but their overall supply chains are still very different,” Boyens said. “To supplement our report, you can look for the case studies that are relevant to your industry.”

The draft Cyber Supply Chain Risk Management guide comes at an especially important time. According to Symantec’s 2019 Internet Security Threat Report, supply chain attacks increased by 78 percent in 2018.

NIST is seeking public comment on the guide until March 4.