Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

Businesses face a near-constant threat of destructive malware, ransomware, malicious insider activities, and even honest mistakes that can alter or destroy critical data. These types of adverse events ultimately impact data integrity (DI). It is imperative for organizations to be able to detect and respond to DI attacks.

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) built a laboratory environment to explore methods to detect and respond to a data corruption event in various information technology (IT) enterprise environments. The example solution outlined in this guide describes the solution built in the NCCoE lab. It encourages detection and mitigation of DI events while facilitating analysis of these events.

The goals of this NIST Cybersecurity Practice Guide are to help organizations confidently:

• detect malicious and suspicious activity generated on the network, by users, or from applications that could indicate a DI event
• mitigate and contain the effects of events that can cause a loss of DI
• monitor the integrity of the enterprise for detection of events and after-the-fact analysis
• utilize logging and reporting features to speed response time to DI events
• analyze DI events for the scope of their impact on the network, enterprise devices, and enterprise data
• analyze DI events to inform and improve the enterprise’s defenses against future attacks

For ease of use, here is a short description of the different sections of this volume.

• Section 1: Summary presents the challenge addressed by the NCCoE project with an in-depth look at our approach, the architecture, and the security characteristics we used; the solution demonstrated to address the challenge; the benefits of the solution; and the technology partners that participated in building, demonstrating, and documenting the solution. Summary also explains how to provide feedback on this guide.
• Section 2: How to Use This Guide explains how readers—business decision-makers, program managers, and IT professionals (e.g., systems administrators)—might use each volume of the guide.
• Section 3: Approach offers a detailed treatment of the scope of the project and describes the assumptions on which the security platform development was based, the risk assessment that informed platform development, and the technologies and components that industry collaborators gave us to enable platform development.
• Section 4: Architecture describes the usage scenarios supported by project security platforms, including Cybersecurity Framework [1] functions supported by each component contributed by our collaborators.
• Section 5: Security Characteristic Analysis provides details about the tools and techniques we used to perform risk assessments.
• Section 6: Future Build Considerations is a brief treatment of other data security implementations that NIST is considering consistent with Cybersecurity Framework Core Functions: Identify, Protect, Detect, Respond, and Recover.

Download the report to find more.