Consider this increasingly common scenario: an employee visits an apparently legitimate website. Unbeknownst to them, the website is hosted by an organized crime group. By visiting the site, the employee has allowed the group to quietly install ransomware on their organization’s file system. Malicious code begins to encrypt files on the server, before moving laterally to encrypt other servers on the network. The crime group then demands a ransom in exchange for decrypting the files.
The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology (NIST), titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence (NCCoE), with participation by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and several private sector organizations.
The NCCoE project responds to a rapidly growing problem faced by companies: a relentless barrage of attempts to destroy, corrupt, exfiltrate, or hold valuable data for ransom. According to the Ponemon Institute, the average cost of a data breach rose to $3.8 million this year, an increase of 23 percent since 2013. And when operational data is destroyed or manipulated, critical business operations may be paralyzed.
NCCoE seeks to provide businesses with practical methods to detect when their data is tampered with, so that they can reduce the harmful impact of an attack. To do so, NCCoE plans to cooperate with FS-ISAC and other organizations to develop a set of best practices for implementing an automated, secure data integrity solution. When complete, these practices will be outlined in a Cybersecurity Practice Guide to be published by NIST.
In addition to the threat of ransomware, NCCoE highlights two other common scenarios: data destruction and data manipulation. As with ransomware, the former scenario often begins with the installation of malware on an organization’s network. Attackers may use a wide range of vectors, or entry points, to gain access. For example, the attacker might launch a spear-phishing campaign that tricks an employee into clicking on a malicious link, which prompts malware to install itself on the employee’s computer. The malware may be programmed to remain dormant for a predetermined period of time to avoid detection. Once activated, it may encrypt data, write over original unencrypted content, and then delete the encryption key, rendering that data inaccessible.
Data manipulation, by contrast, is a common threat posed by employees or others with legitimate network access. These individuals’ credentials allow them to modify—and sometimes falsify—data stored on an organization’s network. Because these individuals often have the benefit of time, they may modify data in subtle or apparently legitimate ways, allowing their actions to remain undetected until a significant amount of data has been corrupted. Such manipulation may also occur when malicious attackers compromise valid access credentials.
The NCCoE envisions a data integrity solution that combats these threats by several means. For example, when data is regularly backed up using a trusted method, it can be restored to a previous state following an attack. Implementing techniques such as activity logging and versioning allows administrators to track changes within the system and to identify both the onset of an attack and previous “good states.” The NCCoE project seeks to identify ways to effectively automate these processes, so that alert systems will monitor data, notify administrators of abnormal activity, and intervene appropriately.
Although the project remains in its early stages, NCCoE has identified several challenges. Backup software makes exact copies of data, an approach that helps only if the original data has not already been corrupted. Similarly, antivirus software may not be able to detect malware that remains dormant in backed-up data. And even when data is successfully backed up, automated systems generally do not test data to confirm its integrity before restoring it.
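The two preceding paragraphs describe the building blocks of the envisioned solution (versioned backups, change tracking, alerting on abnormal activity) and the gap NCCoE flags (nothing checks a backup's integrity before it is restored). The following is an added example, not code from NIST, NCCoE or the white paper, showing how those pieces fit together in miniature: each backup version carries a per-file hash manifest authenticated with an HMAC key assumed to be held off the protected host; a version diff flags an interval in which most files changed to encryption-like (high-entropy) content or were mass-deleted; and the restore step walks the history back to the newest version that both passes the integrity test and was not the onset of such a change. The file contents, the key and the alert thresholds are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import math
from dataclasses import dataclass

# Constructed: stands in for a key kept on the backup server, never on the protected host.
MANIFEST_KEY = b"constructed-demo-key-keep-off-the-protected-host"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content approaches 8.0, text sits well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Version:
    number: int
    hashes: dict[str, str]   # path -> SHA-256 hex digest (the manifest)
    tag: str                 # HMAC over the manifest; detects tampering with the manifest itself
    data: dict[str, bytes]   # the backed-up content for this version


def _tag(hashes: dict[str, str], key: bytes) -> str:
    return hmac.new(key, json.dumps(hashes, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def take_version(number: int, snapshot: dict[str, bytes], key: bytes = MANIFEST_KEY) -> Version:
    """Record a backup version together with an authenticated per-file hash manifest."""
    hashes = {p: hashlib.sha256(c).hexdigest() for p, c in snapshot.items()}
    return Version(number, hashes, _tag(hashes, key), dict(snapshot))


def verify_version(v: Version, key: bytes = MANIFEST_KEY) -> bool:
    """Integrity test to run before any restore: manifest is authentic and content matches it."""
    if not hmac.compare_digest(v.tag, _tag(v.hashes, key)):
        return False
    if set(v.data) != set(v.hashes):
        return False
    return all(hashlib.sha256(v.data[p]).hexdigest() == h for p, h in v.hashes.items())


def change_report(prev: Version, cur: Version) -> dict:
    """Versioning diff: which files changed or vanished, and which new contents look encrypted."""
    changed = [p for p, h in cur.hashes.items() if prev.hashes.get(p) != h]
    deleted = [p for p in prev.hashes if p not in cur.hashes]
    high_entropy = [p for p in changed if shannon_entropy(cur.data[p]) > 7.0]
    return {"changed": changed, "deleted": deleted, "high_entropy": high_entropy}


def is_abnormal(report: dict, total_files: int, change_ratio: float = 0.5, entropy_ratio: float = 0.5) -> bool:
    """Alert rule (thresholds constructed): a large share of files changed in one interval,
    and either they were deleted outright or most new content has encryption-like entropy."""
    touched = len(report["changed"]) + len(report["deleted"])
    if total_files == 0 or touched / total_files < change_ratio:
        return False
    if not report["changed"]:
        return True  # mass deletion: destruction rather than encryption
    return len(report["high_entropy"]) / len(report["changed"]) >= entropy_ratio


def last_good_version(history: list[Version], key: bytes = MANIFEST_KEY):
    """Newest version that passes the integrity test and is not the onset of an abnormal change."""
    for i in range(len(history) - 1, -1, -1):
        v = history[i]
        if not verify_version(v, key):
            continue
        if i > 0 and is_abnormal(change_report(history[i - 1], v), len(history[i - 1].hashes)):
            continue
        return v
    return None


def demo() -> dict:
    """Constructed walk-through: clean baseline, one routine edit, then an encryption-style hit."""
    baseline = {
        "ledger.csv": b"date,account,amount\n2015-12-01,ops,1200.00\n" * 40,
        "memo.txt": b"Quarterly planning memo, draft one.\n" * 40,
        "policy.doc": b"Acceptable use policy, section 1.\n" * 40,
        "roster.txt": b"name,team\nalice,finance\nbob,legal\n" * 40,
    }
    v1 = take_version(1, baseline)
    edited = dict(baseline, **{"memo.txt": b"Quarterly planning memo, draft two.\n" * 40})
    v2 = take_version(2, edited)
    hit = dict(edited)
    for p in ("ledger.csv", "memo.txt", "policy.doc"):
        # Stand-in for ciphertext: deterministic pseudo-random bytes, not a real cipher.
        hit[p] = hashlib.shake_256(b"constructed:" + p.encode()).digest(4096)
    v3 = take_version(3, hit)
    history = [v1, v2, v3]
    routine, attack = change_report(v1, v2), change_report(v2, v3)
    good = last_good_version(history)
    return {
        "routine_abnormal": is_abnormal(routine, len(v1.hashes)),
        "attack_abnormal": is_abnormal(attack, len(v2.hashes)),
        "attack_high_entropy": len(attack["high_entropy"]),
        "restore_from": good.number if good else None,
        "all_verify": [verify_version(v) for v in history],
    }


if __name__ == "__main__":
    print(demo())
```

In the walk-through, version 2 (one memo edited) is not flagged, version 3 (three of four files replaced by high-entropy content) is, and the restore decision lands on version 2 rather than the newest backup. The HMAC on the manifest matters because an attacker who can rewrite backed-up files can usually rewrite an unauthenticated hash list beside them; the entropy heuristic is deliberately crude and would need tuning for workloads that legitimately store compressed or encrypted files.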
Given the significance and diversity of the threats, NCCoE’s efforts are likely to be a welcome and influential contribution to efforts by organizations of all sizes to safeguard valuable data. NIST invites the public to participate in the project by submitting comments. The deadline for contributions will be January 22, 2016.
Brian Kennedy, an associate in our Washington, D.C. office, contributed to this entry.