As you may or may not be aware, the National Cybersecurity Center of Excellence (NCCoE) at NIST has released a draft version of NIST Cybersecurity Practice Guide SP 1800-25 – Identifying and Protecting Assets Against Ransomware and Other Destructive Events.
As usual with NIST documents of this kind, there is an open comment period during which the public and industry can provide feedback. Because Owl has lately been involved in various ransomware mitigation and prevention projects, I wanted to share our perspective on the topic via the comments I submitted on this new guide.
To the Authors:
First, congratulations on the completion of this important NCCoE work product. The topic is of increasing relevance to businesses of all sizes, here in the US and abroad. I believe your guide will help many entities cope with the threat of ransomware and destructive attacks in the coming years.
Second, I would like to point out an important protection strategy that I believe was overlooked in the document. There is no mention of offline or air-gapped architectures for isolation of critical backups.
Some of the most damaging ransomware attacks have been perpetrated by adversaries that had been living inside the victim’s network for many months. That dwell time lets the adversary accumulate footholds, credentials, and network information, and then launch an attack that targets the backup infrastructure in addition to production files. As a result, backup mechanisms may fail to accomplish their mission, because the adversary is effectively an insider. Malware like SamSam/Samas can also traverse the network and impact any backups that are attached to it.
When a backup set is maintained offline, whether on tape, on removable storage media or in a separate air-gapped network, adversaries cannot damage the backup snapshots over the network; while the media is disconnected, they would need physical access. There are comprehensive solutions on the market (Dell EMC PowerProtect Cyber Recovery is one example) that use physical disconnection and data diodes to maintain an isolated vault network, so that data can flow into the vault but nothing on the production side can reach it, providing higher security and rapid recovery when needed. Any offline approach also helps an entity follow the 3-2-1-1 backup rule (three copies of the data, on at least two different media types, at least one copy offsite and at least one copy offline).
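To make the 3-2-1-1 rule concrete, here is an added example (my own illustration, not part of the submitted comment and not code from Owl, Dell EMC or NIST) that audits a backup inventory against each of the four requirements. The inventories, site names and media types are constructed for the example; "offline" is taken to mean that the copy is not reachable over any network from production, even with backup-server credentials, which is exactly the property an adversary living inside the network cannot defeat.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a backup set.

    offline=True means the copy is not reachable over any network from the
    production environment, even by someone holding backup-server credentials
    (a tape on a shelf, removable media in a safe, or a data-diode vault).
    """
    name: str
    media: str      # e.g. "disk", "tape", "object-storage"
    site: str       # where the copy physically lives
    offline: bool


def audit_3_2_1_1(copies: List[BackupCopy], production_site: str) -> List[str]:
    """Return the list of unmet 3-2-1-1 requirements (empty list = compliant).

    3 copies / 2 media types / 1 offsite / 1 offline, evaluated independently
    so a report shows every gap, not just the first one found.
    """
    findings = []

    if len(copies) < 3:
        findings.append(f"3 copies: only {len(copies)} copies present")

    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(f"2 media types: only {media} in use")

    if not any(c.site != production_site for c in copies):
        findings.append(f"1 offsite: every copy is located at {production_site}")

    # This is the requirement most inventories fail: an offsite replica that is
    # still network-reachable is not offline, and an insider can reach it.
    if not any(c.offline for c in copies):
        findings.append("1 offline: every copy is reachable from the production network")

    return findings


PRODUCTION_SITE = "hq-datacenter"  # assumed name for the example

# Constructed inventory A: a common pre-ransomware posture. Three copies, two
# media types, one offsite, but every copy is online, so an adversary who has
# harvested backup credentials (or SamSam-style lateral movement) can reach all of them.
INVENTORY_A = [
    BackupCopy("primary", "disk", "hq-datacenter", offline=False),
    BackupCopy("nas-replica", "disk", "hq-datacenter", offline=False),
    BackupCopy("cloud-replica", "object-storage", "cloud-region-1", offline=False),
]

# Constructed inventory B: the same copies plus a snapshot held in an isolated
# recovery vault that production can only push to through a one-way link.
INVENTORY_B = INVENTORY_A + [
    BackupCopy("vault-snapshot", "disk", "recovery-vault", offline=True),
]


def report(copies: List[BackupCopy], production_site: str = PRODUCTION_SITE) -> str:
    """Human-readable summary of an audit, for running the example by hand."""
    findings = audit_3_2_1_1(copies, production_site)
    if not findings:
        return "3-2-1-1: compliant"
    return "3-2-1-1 gaps:\n  - " + "\n  - ".join(findings)


if __name__ == "__main__":
    print("Inventory A\n" + report(INVENTORY_A))
    print("Inventory B\n" + report(INVENTORY_B))
```

Inventory A reports a single gap, the missing offline copy, which is the gap the comment argues the guide should address; adding the vault snapshot in inventory B clears it. In a real audit the `offline` flag should reflect the copy's current state (a tape mounted in a library drive is online), not the intended design.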
NIST has already recognized the security benefits of data diodes in other domains. From NIST Special Publication 800-82 Revision 2: Guide to Industrial Control Systems (ICS) Security:
“A data diode (also referred to as a unidirectional gateway, deterministic one-way boundary device or unidirectional network) is a network appliance or device allowing data to travel only in one direction, used in guaranteeing information security or protection of critical digital systems, such as industrial control systems, from inbound cyberattacks. While use of these devices is common in high security environments such as defense, where they serve as connections between two or more networks of differing security classifications, the technology is also being used to enforce one-way communications outbound from critical digital systems to untrusted networks.”
Therefore, I submit that some mention of offline / air-gapped approaches to protecting backup data from ransomware would be consistent with past NIST guidance and helpful to the community.
If you would like to learn more about Owl’s ransomware mitigation and prevention solutions, including cyber recovery data vault architectures that incorporate data diodes, check out this use case. If you’re interested in a potential partnership, through technology or managed services and integrations, I encourage you to contact us through our partnership page.