Presentation on the NIST Cybersecurity Framework and how it can be applied to Ransomware

1. Ransomware & the
NIST Cyber-security
Framework

2. #Whoami?
Jack L. Shaffer, Jr.
Business Transformation Director
https://www.linkedin.com/in/jack-shaffer-jr/
jshaffer@advantage.tech
-Former IT Director
-Former Healthcare CIO
-Former Federal IT Contractor COO
25 years+ Diverse Enterprise IT Experience

3. “The Scary Slides”

4. More Ransomware Headlines:
• October 7th, 2019 - Cherry Hill N.J. School district's computer network
suffers possible ransomware attack
• District employees have been unable to send or receive emails for nearly a week
• October 4th, 2019 - 500+ Schools Have Been Affected by Ransomware in
2019 (Campus Safety Magazine)
• A new report found in the past two weeks, 15 school districts made up of over 100
K-12 schools have been hit by ransomware attacks. Universities are also being
targeted.
• October 1st, 2019 –Ransomware's mounting toll: Delayed surgeries and
school closures (CBS News)
• Ransomware has impacted at least 621 entities this year through September, a new
study finds.
• The targets include hospitals, health care centers, school districts and cities.
• The total cost so far this year could be about $186 million.
• September 20th, 2019 - Ransomware Strikes 49 School Districts & Colleges
in 2019 (Dark Reading)
• The education sector has seen 10 new victims in the past nine days alone,
underscoring a consistent trend throughout 2019.

5. Are you scared yet?

6. Unfortunately, this is
not an effective cyber-
security strategy…..

7. Cyber-security is really
about managing risk
And managing risk
calls for a consistent
and flexible
methodology
People, Process,
Technology

8. The NIST CSF is organized into five core Functions also known as the Framework Core:
• Identify: Develop the organizational understanding to manage cybersecurity risk to systems,
assets, data, and capabilities.
• Protect: Develop and implement the appropriate safeguards to ensure delivery of critical
infrastructure services.
• Detect: Develop and implement the appropriate activities to identify the occurrence of a
security event.
• Respond: Develop and implement the appropriate activities when facing a detected security
event.
• Recover: Develop and implement the appropriate activities for resilience and to restore any
capabilities or services that were impaired due to a security event.
National Institute of Standards and Technology’s (NIST)
Cybersecurity Framework (CSF) was published in
response to Presidential Executive Order 13636,
“Improving Critical Infrastructure Cybersecurity,” which
called for a standardized security framework for critical
infrastructure in the United States.
Cyber-Security is not a “one and done” type of project,
but is instead and ongoing effort. NIST CSF was created
to assist firms in this sometimes large and daunting
process.

9. https://www.nist.gov/cyberframework

10. https://www.nist.gov/cyberframework
So How Can NIST CSF help with
Ransomware?

11. Identify
Roman reconnaissance team views
Hannibal’s army

12. •Good Asset Management
•You can’t protect what you don’t know
about
•Identify critical systems
•Perform a risk assessment
•Know your vulnerabilities
•NESSUS
•KnowBe4 Ransomware simulator
•Third party connections / vendors
•Governance is important
•Senior leadership understanding and
buy-in

13. A word about Risk Assessments
True Risk Assessments
allow for the organization
to properly analyze
threats and put them into
context as to their
likelihood of occurrence
and their impact to the
organization
By performing this analysis an
organization can prioritize security
related spending to focus on those
threats with the highest probability
to occur and the greatest impact to
the organization

14. A word about Risk Assessments

15. • EternalBlue hit center stage last May as it became the common denominator in the global
ransoware attacks in 2017 from WannaCry, Petya and NotPetya to cryptocurrency mining
campaigns. In WannaCry alone, over 300,000 computers in over 200 countries were effected.
• EternalBlue is a vulnerability in Windows SMB 1.0 (SMBv1) servers that, if successfully
exploited, can allow attackers to execute arbitrary code in the targeted systems creating a
wormlike capability. This and other exploits were released by the hacking group Shadow
Brokers.
• As WIRED noted, users were first widely made aware of the EternalBlue flaw in March of
2017. Despite a patch being issued by Microsoft ahead of these more large-scale attacks,
many organizations did not carry out their due diligence when it came to EternalBlue, and
therefore fell victim to the attack. In fact, Microsoft identified this as such a severe threat,
that the tech giant even released a critical update for its Windows XP systems, despite ending
support for the platform in 2014.
• “Risk based vulnerability management is critical to organizations today. The speed at which
disclosed vulnerabilities are weaponized requires CISOs to deploy timely and targeted
patches.” Ed Cabrera, Chief Cybersecurity Officer at Trend Micro.
• Through the lens of the NIST Framework Identify function, the EternalBlue exploit
underscores the criticality of asset management, risk assessments and risk management.
Identify in the real world: Eternal Blue

16. Protect!
Barbarians at the gate!

17. •Good Access Control
•Enforce principle of “least privilege”
•Limit use of administrator credentials
•Security Awareness Training
•Understand critical data and protect
accordingly
•Perform scheduled maintenance
•Multiple layers of protection
technologies and processes

18. Protect in the real world:
• Train employees
• Filter emails
• Scan emails
• Configure firewalls
• Next Generation
Anti-Virus / end-
point protection
• Disable Remote
Desktop Protocol
(RDP)
• Use Whitelisting
(Applocker – only
allow programs to
execute from
specific folders)
• Manage the use of
privileged accounts
• Control access to
network locations
• Disable macros in
emailed Office files
• Use a virtualized
environment
How Do We
• Physical and logical
separation of
networks (vLANs)
• Patch, patch, patch
• Limit Powershell
access
• Block SMB Port
445/UDP 137-139
Protect?

19. Depending on which survey
you read, up to 91 percent of
all cyber attacks begin with a
successful e-mail phishing
attempt.
https://digitalguardian.com/blog/91-percent-cyber-attacks-start-phishing-email-heres-how-protect-against-phishing

20. •Use Active Directory Group Policies to limit
access
•Third Tier:
https://www.thirdtier.net/ransomware-
prevention-kit/
•Special focus on e-mail
•DNS - SPF/DMARC/DKIM
•Banners
•Spam/Anti-virus
•TRAIN YOUR EMPLOYEES!
•Phishing especially

21. Detect!
Trojan horse?

22. Anomalies and events: CISOs and their teams should be able
to detect activity considered anomalous. This activity is or
could be associated with a cybersecurity incident, and should
be detected in a timely manner.
Continuous monitoring: This function also calls for end-to-
end monitoring of IT systems and assets in order to pinpoint
security issues and gauge the ability of safeguards put in place
as part of the Protect function. The network, physical
environments, user and service provider activity should all be
monitored, and vulnerability scans are performed on
protected systems.
Detection processes: Here, CISOs and their stakeholders work
to maintain all processes and procedures related to the
detection of anomalous activity and protections against
cybersecurity events.

23. Detect in the real world:
• NIST defines the Detect function as the development and
implementation of activities “to identify the occurrence of
a cybersecurity event,” with a focus on supporting the
timely discovery of such events.
• Infocyte's Mid-market Threat and Incident Response Report stated that the average
attack dwell time—the time between an attack penetrating a network's defenses and
being discovered—ranged from 43 to 895 days for SMBs. The average dwell time for
confirmed, persistent malware was 798 days. Dwell time for riskware—including
unwanted applications, web trackers, and adware—averaged 869 days.
• Use world-class Anti-virus and Malware detection
technologies with a single, reporting console
• Next generation end-point protection solutions
• Advanced behavior monitoring that can assist in pinpointing
anomalous activity

24. Detect in the real world:
• Managed detection and response
• Security operations center (SOC)
• Either internal or as-a-service (SOC as-a-service)
• Security information and event management (SIEM)
• Splunk / Graylog – log management
• Smoke detectors for your network
• Be vigilant and aware
• Know and understand current threats
• Subscribe to cyber-security RSS feeds
• https://blog.feedspot.com/cyber_security_rss_feeds/

25. Respond!
Vandals sack Rome

26. Response planning: Upon the threat being recognized as part of the Detect function, the
Respond function begins with the execution of previously created response procedures.
These response plans must be carried out in a timely fashion, either while the
cybersecurity event is still taking place, or after, depending upon the timeliness of threat
detection.
Communications: Here, internal and external stakeholders – typically lead by the CISO
and IT admins – coordinate response activities, and may reach out to law enforcement
for support, if needed. During this process, individuals follow response plans and
understand their roles therein, the initial threat event and any other associated events
are reported on, and this data is shared with stakeholders to ensure coordinated
consistency according to response plans. In addition, details about the event can be
voluntarily shared with key stakeholders outside the company.
Analysis: During this process, CISOs and their teams examine and investigate detection
system notifications to analyze the impact of the event, as well as the adequacy of the
enterprise’s response. This is also when forensics are performed.
Mitigation: This critical step includes processes to contain the incident, prevent it from
spreading and mitigate the potential damage of the threat. In addition, any new
vulnerabilities not identified in the past are documented and included as part of the
company’s overall understanding of risks.
Improvements: Finally, CISOs and other stakeholders examine the lessons learned from
responding to the threat, and work to incorporate these findings into future response
strategies.

27. • Have an incident response plan!
• And test them….I.E. Why do we have fire-drills?
• Develop mitigation plans for when a threat happens to occur
• Immediately report Incidents
• Report abuse and other problems
• Immediately report phishing attempts
• Centralized reporting
• Attacks usually comes in “waves”
• Good communication plan in place
• When in “panic mode” not a good time to plan
Response in the real world:

28. • Consider having a retainer with a “quick response”
cyber-security / remediation team
• Immediately report missing devices or theft of
company data
• Change all passwords
• Wipe mobile phones
Response in the real world:

29. Recover
Roman construction rebuilding

30. Recovery planning: The CISO and his or her stakeholders lead
as the recovery plan is carried out. Depending on timing, this
can occur while the event is still taking place, or after the
incident has ended. Again, the key here is timeliness – any
systems or platforms impacted by the incident must
be addressed and support restored.
Improvements: It’s important that lessons learned during the
incident are identified and utilized to update and improve
upon recovery plans.
Communications: The final part of this function includes
coordinating efforts with internal and external stakeholders,
where necessary. The CISO and his or her team should
communicate recovery plans and processes with internal
managers and the executive team.

31. • Backups, Backups, Backups!
• Can limit the damage from a ransomware attack
• Backup your network data – I.E. Barracuda
• Backup your laptop data – I.E. Barracuda, Backblaze, Carbonite
• Regularly test the recoverability of backups
• Keep backups offsite – in the cloud better
• Use asset tracking technologies (more for stolen assets)
• Cybersecurity Insurance
• Root Cause Analysis
Recover in the real world:

32. NIST Cybersecurity
Framework (CSF)
Reference Tool
Electronic tool to help
implement the NIST CSF
The Core presents industry
standards, guidelines, and
practices in a manner that allows
for communication of
cybersecurity activities and
outcomes across the organization
from the executive level to the
implementation/operations level.https://www.nist.gov/cyberframework/csf-reference-tool

33. Using the NIST CSF
can move your
organization along
the CMM curve
This is truly the best
path toward
managing the on-
going ransomware
threat

34. Avoid “The Finger of Blame!”
Start working on security now!

35. Questions?