Skip to Content

NIST Ransomware Resources

Lately, I’ve been doing quite a bit of work around ransomware recovery and incident response. Many of the NIST documents have been a great starting point, and I’ve come across some real gems during my research.

Here is a list of documents I have found helpful or interesting, and a little bit about each of them. I keep referring to the same stuff over and over I have noticed, so I decided to put this list together.

Guide for Cybersecurity Event Recovery – SP 800-184

Link: NIST Special Publication 800-184

This document is dated December 2016, which made me almost not look at it. While almost 5 years is a very, very long time in the technology industry, this document focuses more on planning for recovery, and even has a scenario example.

If you’re scratching your head and scrambling about where to start, this is a great place, even if it is a bit on the general side.

Cybersecurity Framework Profile for Ransomware Risk Management (Preliminary Draft) NISTIR 8374

Link: Preliminary Draft NISTIR 8374

While this is still in draft status (which makes it a bit of a pain to read because there are line numbers throughout the document) this is huge.

This document focuses specifically on ransomware. Now, while I have mixed feelings on focusing specifically on ransomware, let’s face it, it is a hot topic. If you haven’t been able to get budget to fix things in the past, chances are breaking out the R word will get you at least someplace.

One of the great things about this particular doc is that it has a ton of links to other NIST resources in it.

Our friends Identify, Protect, Detect, Respond and Recover come out to play in this document, and takes a deep dive into the Cybersecurity Framwork with respect to Ransomware.

NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations

Link: SP 800-53 Landing Page

This is a huge one, and can be hugely overwhelming at first. I’ve linked to the landing page since there are so many ways this information is available.

Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files

Link to Guide to Conduct, Maintain, and Test Backup Files

I know this says for managed service providers, but hear me out.

This is a really basic guide, complete with diagrams and clear language on how you can actually protect the various assets in your environment.

This MSP talk easily translates to large infrastructures, and this is another great doc to read if you are trying to get started.

Of course, it mentions automated testing of your backups because remember friends, your backups are worthless unless you can recover from them!

NIST Data Integrity Ransomware Projects

There are three NIST projects dedicated to data integrity when it comes to ransomware, and these are some of the most interesting, most detailed guides I have read.

The Jackpot: Data Integrity – Recovering from Ransomware and Other Destructive Events, NIST Special Publication 1800-11

Link: Recovering from Ransomware – NIST Special Publication 1800-11 Landing Page

This is seriously the jackpot. This is a collection of guides that consists of an architectural summary and a detailed overview of what you need to build to be able to recover.

Personally, I would design things a tiny bit differently, but this is probably the best completely free thing out there if you don’t know where to start.

It consists of three parts:

  • SP 1800-11a: Executive Summary
  • SP 1800-11b: Approach, Architecture, and Security Characteristics
  • SP 1800-11c: How-To Guides

I randomly stumbled across this somehow.

NIST SP 1800-25, Identifying and Protecting Assets Against Ransomware and Other Destructive Events

Link to Landing Page for NIST SP-1800-25

Of course, identifying and protecting your assets are important to be able to recover them. This really puts together the full solution when it comes to getting a handle on what is going on in your environment.

NIST 1800-26: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

Link to Landing Page for NIST SP 1800-26

This is probably one of my favorites. I know at least my tendency is to jump to recovery when it comes to ransomware, but the fact of the matter is there is a lot to be done before you hit the recover button.

I found these guides very interesting, and very helpful when trying to figure out the bigger picture.

Be sure to bookmark this page, because I’ll be adding more resources as I discover them.