Applying the NIST Framework to Ransomware Risk Management

Top Takeaways for Preparing for and Managing a Ransomware Attack with NISTIR 8374

By Gil Kirkpatrick, Microsoft MVP and Chief Architect, Semperis

Your organization likely adheres to at least some National Institute of Standards and Technology (NIST) standards. Unfortunately, that approach alone isn’t enough to protect you against ransomware.

To that end, NIST has released a framework, NISTIR 8374, that specifically covers the process of preparing for and managing a ransomware attack. I recently co-hosted a presentation on the framework with my colleague Asad Ali, Director of Technology at Thales. Here are our top takeaways.

1. Protecting against ransomware shouldn’t be complicated

Arguably, the most interesting thing about NISTIR 8374 is that none of the advice it provides is particularly groundbreaking. It’s stuff everybody should know how to do. It’s stuff everybody should be doing—but that many aren’t doing well.

These baselines include the following elements:

• Endpoint protection. Every ransomware attack involves your organization’s endpoints to one degree or another. NIST has some good recommendations on the systems and tools you should use.
• Ransomware attacks actively exploited hundreds of vulnerabilities in 2021. Every one had patches available. Patch systems regularly—and often. (More on this point in a moment.)
• Network segmentation. It’s incredibly easy for a threat actor to move laterally within a flat network. Network segmentation creates barriers to that movement, making it more difficult for an attacker who controls one compromised endpoint to compromise others.
• Device management. Perhaps one of NIST’s more controversial recommendations is to restrict the use of personal devices on the network. If you can’t, at the very least enforce some form of device management or containerization.
• Application controls. Either limit access to unsecure or unapproved applications or prevent the use of applications that IT has not approved. Again, in a workplace defined by consumerization, this is easier said than done.
• Employee training. Ransomware attacks overwhelmingly begin with phishing or spear-phishing emails. Educating your employees doesn’t guarantee that they will spot such tactics, but it does reduce the likelihood that they will fall for these tricks.

2. Keep your systems patched

Especially in large IT organizations, patching often involves multiple review and testing cycles. In some cases, these cycles could mean a patch isn’t applied until months after release.

We strongly advise organizations to develop a framework that enables you to acquire, test, and apply patches straight away, particularly security-sensitive patches. As Ali notes, automation represents one possible solution. By automating testing and installation, your organization can considerably reduce the lag between release and deployment.

3. Balance security and convenience

Several years ago, I worked with agencies in the public sector. Their networks were heavily segmented—to the point that you needed to jump through hoops just to get from one segment to another. I won’t deny that it was an effective means of partitioning sensitive resources from attackers, but it’s also an absolute nightmare from a usability standpoint.

Focus on usability when you apply measures such as device management, application management, authentication, and network segmentation. As Ali notes, “If you burden people too much, they’ll move away and find an alternative. There’s a quote I always go back to from the first Jurassic Park by the mathematician Doctor Ian Malcolm: Life finds a way. Regardless of the model you follow, if you don’t make things easy for the users, they will find a way around your security controls.”

4. Make your cybersecurity education engaging

Educate your employees and you increase your organization’s resistance to ransomware attacks. The mistake I see in many organizations is that they simply drop a stack of training materials in front of their staff and call it a day. For training to be effective, make it interesting and create mechanisms by which to test its effectiveness, such as red team simulations.

“Security awareness training has to be repeated every six months or so to prevent complacency,” says Ali. “But you also need more than conference rooms or zoom calls—let them experiment to see where they falter, and measure to see where your training may be lacking.”

5. Ransomware requires a different incident response plan than other disruptive events

Most organizations have an incident response and recovery plan. Unfortunately, these plans are often ill suited to dealing with ransomware.

Ransomware attacks can spread through an entire distributed network in seconds. With ransomware, you don’t have the luxury of relying on some working systems: You’re starting from scratch. That leads to a question that many organizations fail to consider: How do you recover your IT environment in a network that’s been completely flattened?

Your response might require multiple stakeholders, pulled from a list of external and internal contacts stored outside your Active Directory environment.

“There are numerous moving pieces, including legal, technical, [human resources], and [public relations],” says Ali. “They must come together almost concurrently or simultaneously for the system to be up and running again. On the backup and restoration front, you need to make sure your backups are regularly tested, unless you want to find out they don’t work when you need to restore from one.”

6. Always account for Active Directory

Active Directory is the brass ring for cyber-attackers. It’s easy to see why. The extreme level of complexity in Active Directory makes it easy to configure Active Directory in an insecure manner. At the same time, Active Directory serves as a repository for all the information about your organization—it is the primary resource attackers use to reconnoiter your network and to identify critical systems and privileged accounts.

Continuously monitoring your Active Directory environment and all related services for indicators of exposure and compromise is imperative. Otherwise, features such as Group Policy and Sysvol can be turned into built-in exploitation tools. Also, be aware of the most common weak points in Active Directory: account security and Kerberos configuration.

“There are so many things an administrator has to do, problems can very easily creep into the environment,” says Ali. “Accounts with no passwords, weak passwords, information stored in plain text, misconfigured legacy systems. . . . [T]aken in the context of security and ransomware, even a minor mistake can lead to huge consequences.”

The most important guidance of all

Ultimately, NISTIR 8374 provides a useful framework by which your organization can prepare for, prevent, and mitigate ransomware attacks. Most of the guidance is quite basic…but ultimately, that’s the point. Although you’ll likely benefit from implementing a few advanced processes and features, a strong Active Directory security foundation is critical, and a strong, layered, in-depth security posture remains the best defense.

About the Author

Gil Kirkpatrick is the Chief Architect for products at Semperis, a leading provider of cyber preparedness, incident response, and disaster recovery solutions for enterprise directory services on-premises and in the cloud. Gil has been building commercial products for enterprise IT for a very long time, focusing primarily on identity management and security-related products. He has been named a Microsoft MVP for Active Directory and Enterprise Mobility for each of the last 17 years, and is the author of Active Directory Programming, as well as the founder of the Directory Experts Conference. At Semperis Gil builds products to prevent, detect, and recover from cyber-attacks on enterprise hybrid identity environments. Gil speaks on cyber-security, identity, and disaster recovery topics at IT conferences around the world. Gil can be reached online at [email protected], @gkirkpatrick and at https://www.semperis.com/.