NIST Cybersecurity: Ransomware Protection

Written by: Matthew Burns

Since the beginning of the COVID-19 pandemic there has been a significant spike in ransomware attacks, with malicious actors capitalizing on the uncertainty and panic it created. According to VMware Carbon Black, organizations around the globe have seen a 148% increase in ransomware attacks, leaving institutions either scrambling to remediate breaches or working to put new procedures in place to prevent them.

Recognizing the severe impact data integrity attacks can have on businesses, the National Institute of Standards and Technology (NIST) has issued multiple publications detailing steps businesses can take to protect their organizations before an attack and to respond and recover in the event of a breach. This guidance includes:

  • NIST Cybersecurity Practice Guide Special Publication 1800-26, Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
    • Steps to help an organization during an attack
  • NIST Cybersecurity Practice Guide Special Publication 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events
    • Steps to help organizations recover after an attack has occurred
  • NIST Cybersecurity Practice Guide Special Publication 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
    • Steps, protocols, and procedures to prevent an attack before it happens

From identification and protection, through detection and response, to recovery, these NIST practice guides help organizations strengthen their cybersecurity posture. Below we look at how each publication can help an institution during a real-life attack.

Set the Scene

Let's say Employee X is working from home for Organization Y during the pandemic. They receive an email that appears to be from the Centers for Disease Control and Prevention (CDC). The email says there has been an important update regarding the pandemic in their local area and instructs them to open an attached file to see it. Unbeknownst to the employee, the attachment carries ransomware; if it is opened and its payload runs, the attacker will be able to encrypt a portion of Organization Y's important data and lock the organization out of it.

NIST 1800-26: React & Respond

In an unprotected organization, this could have severe consequences. Luckily, Organization Y follows the guidance in NIST 1800-26: Detecting and Responding to Ransomware and Other Destructive Events. By following this practice guide, Organization Y has implemented a solution that includes:

  • Integrity monitoring
  • Event detection
  • Logging
  • Mitigation and containment
  • Forensics and analytics
  • Reporting

Integrity monitoring watches Organization Y's files and configurations for unauthorized changes, so it picks up the moment the payload from the attachment begins altering data on Employee X's device. Each such change, together with the process that caused it, is logged; these logs feed event detection, which correlates the file changes with the download and execution of the attachment and with any other activity the payload has started (the same records can also be used to tune detection for future events).

Mitigation and containment lets Organization Y quarantine Employee X's device from the network, stopping the ransomware from reaching other systems and giving responders time to remove the malicious code. Forensics and analytics then reconstructs the full sequence of events from the collected logs and looks for other compromised assets, and reporting delivers those findings to the people who need to act on them and to prepare for future events.

Not every attack can be stopped every time, but the solution described here can actively detect and halt a data integrity attack while it is happening.

NIST 1800-11: Recuperate

Let's say Organization Y did not have time to implement a solution based on NIST 1800-26, but did follow NIST 1800-11: Recovering from Ransomware and Other Destructive Events. This practice guide helps Organization Y build a solution that identifies the data affected by an attack and restores it to its last known good state.

NIST 1800-11 helps Organization Y implement a solution with:

  • Secure storage
  • Logging
  • Virtual infrastructure
  • Corruption testing
  • Backup capability

Secure storage holds the organization's data with additional protections against tampering or deletion. Logging gives insight into the activity taking place on all assets. Virtual infrastructure lets entire systems be restored from snapshots or rebuilt quickly. Corruption testing checks whether a file has been altered from its known-good state and reports on the alterations it finds.

In the case of ransomware, this component can detect when files are changed or encrypted and provide context for the changes (timestamps, the user or process responsible, and so on). Combined with logging, this information can be presented to the system administrator and used to determine:

  • Where the files were changed (e.g. Employee X’s device)
  • Which files were changed
  • When the last known good version of each file existed
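The integrity monitoring described under NIST 1800-26 and the corruption testing described here both come down to the same mechanism: record a known-good baseline of the files you care about, then compare the live state against it and report what changed, where, and when. The Python below is an added illustration written for this page; it is not code from the NCCoE reference build or from any NIST publication. The directory layout, file names and the simulated attack are constructed, and the 7.5 bits-per-byte entropy threshold is an assumed heuristic for "this file now looks encrypted", not a NIST-specified value.

```python
"""Illustrative file-integrity baseline and corruption check (not NCCoE code).
Baselines SHA-256/size/mtime per file, then reports modified, missing and added
files, flagging modified files whose contents look encrypted."""
import hashlib
import math
import os
import platform
import tempfile
from collections import Counter
from pathlib import Path

# Assumed heuristic: encrypted or compressed data approaches 8 bits of entropy per
# byte; ordinary documents sit well below this. Not a NIST-specified value.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536  # only the first 64 KiB of a changed file is examined for entropy


def sha256_of(path: Path) -> str:
    """Stream the whole file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(SAMPLE_BYTES), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of 'data' (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root: Path) -> dict:
    """Capture the known-good state: one record per regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_of(p), "size": st.st_size, "mtime": st.st_mtime,
            }
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and return categorized findings."""
    findings = {"host": platform.node(), "modified": [], "missing": [],
                "added": [], "likely_encrypted": []}
    current = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, rec in baseline.items():
        p = current.get(rel)
        if p is None:
            findings["missing"].append(rel)  # deleted, or renamed (e.g. to .locked)
            continue
        if sha256_of(p) != rec["sha256"]:
            findings["modified"].append({
                "path": rel,
                "last_known_good": rec["mtime"],  # when the baseline copy was last written
                "changed_at": p.stat().st_mtime,  # when the tampering occurred
            })
            with p.open("rb") as f:
                if shannon_entropy(f.read(SAMPLE_BYTES)) > ENTROPY_THRESHOLD:
                    findings["likely_encrypted"].append(rel)
    # Files absent from the baseline: ransom notes and renamed ciphertext copies land here.
    findings["added"] = sorted(current.keys() - baseline.keys())
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a small tree, simulate ransomware, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "reports").mkdir()
        (root / "hr" / "payroll.csv").write_text("name,salary\nalice,100\nbob,90\n")
        (root / "reports" / "q3.txt").write_text("Q3 revenue up 4%.\n")
        (root / "notes.md").write_text("# Notes\n- call vendor\n")
        baseline = build_baseline(root)
        # Simulated attack on Employee X's device (constructed, not a real sample):
        (root / "hr" / "payroll.csv").write_bytes(os.urandom(4096))  # encrypted in place
        (root / "reports" / "q3.txt").rename(root / "reports" / "q3.txt.locked")
        (root / "reports" / "q3.txt.locked").write_bytes(os.urandom(4096))
        (root / "README_RESTORE.txt").write_text("Your files are encrypted. Pay to decrypt.\n")
        (root / "notes.md").write_text("# Notes\n- call vendor\n- renew cert\n")  # benign edit
        return check_integrity(root, baseline)


if __name__ == "__main__":
    result = demo()
    for item in result["modified"]:
        tag = " (likely encrypted)" if item["path"] in result["likely_encrypted"] else ""
        print(f"modified on {result['host']}: {item['path']}{tag}")
    print("missing:", result["missing"], "added:", result["added"])
```

The report answers the three questions in the list above: the host field says where, the modified/missing/added lists say which files, and the baseline mtime carried in each modified record says when the last known good version existed. The benign edit to notes.md is still reported as modified (integrity monitoring cannot know intent), but only the high-entropy rewrite of payroll.csv is flagged as likely encrypted; the renamed .locked copy and the ransom note surface as unexpected additions alongside the missing original.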

Finally, backup capabilities keep copies of data and of components that are not virtualized. Organization Y can use its backups to restore Employee X's affected data to its last known good state and return the device to service.

Recovery time depends on how current and intact the backups are and on how well rehearsed the restoration procedures are, but an organization following the guidance in NIST 1800-11 can expect to measure downtime after a ransomware attack in hours rather than days. The practice guide is designed to get a company up and running again after a successful attack.

NIST 1800-25: Ready for Next Time?

Organization Y made it through this ransomware attack because it followed the guidance in NIST 1800-11 and 1800-26. To stop data integrity attacks before they occur, however, it should also adopt the practices outlined in NIST 1800-25: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, which covers how an organization can identify the assets vulnerable to data integrity attacks and protect them.

Much like the other practice guides, NIST 1800-25 describes the National Cybersecurity Center of Excellence's (NCCoE) reference solution, which organizations can implement directly or adapt to their environment. It includes:

  • Inventory of assets
  • Integrity monitoring
  • Vulnerability management
  • Logging
  • Blacklisting
  • Network protection
  • Policy enforcement
  • Backups
  • Secure storage

Let's return to Employee X downloading ransomware. Had Organization Y followed NIST 1800-25, its asset inventory would have flagged Employee X's device as one requiring monitoring because of the important data it held. Integrity monitoring and logging would already be in place, with a baseline recorded for the assets identified in the inventory, so any deviation from that baseline caused by an attack could be detected and responded to as it happened.

The blacklisting component of the solution could block the malicious attachment before it ever reached Employee X's inbox. Even if blacklisting failed, Organization Y's vulnerability management process would already have patched the vulnerability the ransomware relies on to propagate. If that vulnerability were not yet patched, network protections would stop the ransomware from spreading to other devices on the network. And even if the attack succeeded, the organization would have backups of the vulnerable assets ready to restore.

With all the chaos in the world today, it is hard for employees to know what is real and what is fake. An organization can be crippled by a single ransomware attack if it lacks adequate cybersecurity controls, which is why it is crucial to implement solutions such as those presented in NIST 1800-26, 1800-11 and 1800-25.

These guides make it practical for any organization to put protections in place for every stage of a ransomware attack. By following the practices they outline, companies can reduce the impact of a breach or stop it in its tracks.