Key Takeaways From the NIST Ransomware Risk Management Profile

Ransomware groups have generated so much damage that the United States Federal government has made it a top priority to thwart such efforts including, hosting a major international summit on the topic, setting up a ransomware task force and repeatedly urging organizations to improve their cyber resilience. As part of those efforts, the President directed the National Institute of Standards and Technology (NIST) to draft guidance on which controls organizations should focus on in response to ransomware risk.

Building on their existing Cybersecurity Framework (CSF), NIST released its “Cybersecurity Framework Profile for Ransomware Risk Management” in September, identifying specific controls and areas of focus to reduce ransomware risk. The NIST CSF serves as a comprehensive yet accessible collection of controls organizations should deploy as they mature their cyber security program. Since its launch, the CSF has become a widely utilized document that serves as an excellent guide to organizational cyber risk management. The CSF Profile for ransomware risk management is a lens of over 60 NIST CSF sub-controls that organizations should emphasize to help them reduce the likelihood and impact of a ransomware incident.

The sub-controls highlighted by NIST’s Ransomware Profile address many of the most common attack vectors and techniques   Kroll has seen in the last 18 months, across thousands of incidents, and we urge organizations to embrace them. This article takes a look at some of the key controls in the profile and their real-life impact.

Access Control (PR.AC-3) and Multi-Factor Authentication

Organizations are running out of excuses to not have a robust multi-factor authentication structure in place, and NIST dedicates an entire category (Identity Management, Authentication and Access Control) to address identification, authorization and access controls. One of the most common ransomware attack vectors is Remote Desktop Protocol (RDP). This software protocol is used by organizations to support remote access to computers or servers for employees and contractors. If improperly configured, however, RDP can allow attackers to access that same computer or server as well. Kroll identified RDP as the transmission vector in nearly half (47%) of Kroll-supported cases.

The NIST Ransomware Profile identified many of the controls that would assist with properly securing an RDP deployment. Specifically, focusing on the Access Control (PR.AC-3), which restricts how “remote access is managed.” Managing remote access, such as reviewing what accounts have access, how they achieve access, and monitoring access for anomalous activity (such as odd hours or logins from unusual geographies), can help an organization identify a ransomware attack in progress and respond to limit the impact.   RDP is a powerful type of access, and we highly recommend that it not be used externally. There are more secure methods such as setting up a Virtual Private Network (VPN), which offer some of the same benefits but have additional controls.

Awareness Training (PR.AT-1) and Limiting Access to Required Functionality (PR.PT-3)

In addition to Access Control, the review of user accounts is also critically important. Our data indicates 26% of ransomware cases can be traced back to a phishing email. Phishing emails have grown in their sophistication, and attackers regularly utilize social cues (such as an urgent deadline or a need for help) or deceptive tactics (such as using very similar looking fraudulent email addresses) to manipulate users. Well-intentioned users then respond to these attacks by downloading malware disguised as a legitimate attachment or logging into a legitimate-looking site, thereby divulging credentials.

The NIST Ransomware Profile suggests countering these threats through awareness training (PR.AT-1) and limiting access to required functionality (PR.PT-3). These limitations make it difficult for threat actors to leverage user permissions to access specific powerful programs or capabilities and carryout an attack. The combination of these two controls, and careful review to ensure they are appropriately implemented, will greatly diminish the success of email-based ransomware attacks. If fewer users fall for phishing emails, and those that do lack abilities to invoke administrator-level actions on behalf of threat actors, ransomware risks can be meaningfully reduced.

Identify, Document and Scan for Vulnerabilities (ID.RA-1 and DE.CM-8)

The NIST Ransomware Profile also encourages organizations to find vulnerabilities within their environments before malicious actors do. Most organizations use software with vulnerabilities that, if left unpatched, could allow threat actors to deploy ransomware remotely.  Kroll’s data indicates vulnerabilities in software is present in 17% of Kroll-supported cases. The NIST Ransomware Profile highlights the need for the organization to identify, document (ID.RA-1) and regularly scan for (DE.CM-8) these vulnerabilities.  This process ensures organizations understand the IT assets they have in place, have a prioritized plan for securing them.

Ransomware remains a threat to organizations of all sizes, and we salute NIST and others in the federal government for their efforts to combat this threat. In our experience, the best way to mitigate ransomware is to ensure proper controls are deployed prior to an incident. The old saying, "an ounce of prevention is worth a pound of cure”  has never been truer than when it comes to ransomware.

If your organization would like to better understand their risk posture as it relates to ransomware, Kroll’s Ransomware Preparedness Assessment is a great starting point.