Lately, I’ve been doing quite a bit of work around ransomware recovery and incident response. Many of the NIST documents have been a great starting point, and I’ve come across some real gems during my research.
Here is a list of documents I have found helpful or interesting, with a little bit about each of them. I have noticed that I keep referring to the same material over and over, so I decided to put this list together.
NIST Ransomware Guides
You can spend years going through all of the NIST resources, but here are the ones I have found the most helpful in the context of ransomware.
Guide for Cybersecurity Event Recovery – SP 800-184
Link: NIST Special Publication 800-184
This document is dated December 2016, which almost made me skip it. Five years is a very, very long time in the technology industry, but this document focuses on planning for recovery rather than on specific tools, so it has aged well, and it even includes a worked scenario.
If you’re scratching your head and scrambling about where to start, this is a great place, even if it is a bit on the general side.
NISTIR 8374 – Ransomware Risk Management: A Cybersecurity Framework Profile
NISTIR 8374 is new as of February 2022 and one of my favorite documents right now. There is also a quick start guide to help you get started.
Why is this particular document so important? It is a really good basic primer that sets the stage for what we need to understand to build a comprehensive ransomware defense strategy.
I’ve also been saying for quite some time now that we need to look at risk specifically in the context of ransomware, because much of what we assume about risk in the cybersecurity world no longer holds once an attacker can take an entire environment offline at once.
NIST SP 800-53 Rev. 5 Security and Privacy Controls for Information Systems and Organizations
This is a huge document, and it can be overwhelming at first. I’ve linked to the landing page, since the material is available in many forms.
Protecting Data from Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files
Link to Guide to Conduct, Maintain, and Test Backup Files
I know this says for managed service providers, but hear me out.
This is a really basic guide, complete with diagrams and clear language on how you can actually protect the various assets in your environment.
This MSP talk easily translates to large infrastructures, and this is another great doc to read if you are trying to get started.
Of course, it covers automated testing of your backups because, remember friends, your backups are worthless unless you can recover from them!
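As an added example of what an automated backup test can look like in practice (my illustration for this page, not code from the NIST guide; the tar.gz archive format, the JSON manifest layout and the sample files are assumptions chosen for the demo), the script below backs up a small tree, records a SHA-256 manifest, restores the archive into a scratch directory and compares every restored file against the manifest. It then shows two failure modes the check catches: a backup file that has itself been overwritten, and a backup job that ran after the source files were already encrypted and renamed, which produces a perfectly well-formed but useless archive.

```python
"""Restore-test a tar.gz backup against a known-good SHA-256 manifest.

Added example for this page, not code from NIST SP 800-184 or the MSP
backup guide. Archive format, manifest layout and sample files are
assumptions made for the illustration.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path, manifest: Path) -> dict:
    """Archive every file under `source` and record its SHA-256.

    Keep the manifest apart from the archive (offline or immutable storage):
    an attacker who can alter the backup must not be able to "fix" the
    hashes as well."""
    digests = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                digests[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest.write_text(json.dumps(digests, indent=1))
    return digests


def _safe_members(tar: tarfile.TarFile, dest: Path) -> list:
    """Accept only regular files that stay inside `dest`; a restore that
    follows '../' names or links out of the scratch directory is its own
    attack surface."""
    root = str(dest.resolve()) + os.sep
    members = []
    for m in tar.getmembers():
        target = str((dest / m.name).resolve())
        if not m.isfile() or not target.startswith(root):
            raise ValueError(f"refusing unsafe archive member: {m.name}")
        members.append(m)
    return members


def verify_restore(archive: Path, manifest: Path) -> list:
    """Restore `archive` into a scratch directory and compare it with the
    manifest. Returns a list of problems; an empty list means every file
    came back and every byte matched."""
    expected = json.loads(manifest.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(str(dest), members=_safe_members(tar, dest))
        except Exception as exc:  # any failure to restore is a failed backup
            return [f"restore failed: {type(exc).__name__}: {exc}"]
        restored = {p.relative_to(dest).as_posix(): sha256_file(p)
                    for p in dest.rglob("*") if p.is_file()}
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in sorted(restored.keys() - expected.keys()):
        problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> dict:
    """Constructed sample data: a tiny source tree and three backups of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2022-01-01,100\n")
        (src / "readme.txt").write_text("constructed sample file\n")

        good = root / "good.tgz"
        manifest = root / "manifest.json"  # the known-good reference
        make_backup(src, good, manifest)

        # Failure 1: the backup file itself was overwritten, e.g. encrypted
        # in place because the backup share was reachable from the network.
        overwritten = root / "overwritten.tgz"
        overwritten.write_bytes(os.urandom(good.stat().st_size))

        # Failure 2: the backup job ran after the source tree was already
        # encrypted and renamed, so the archive is well-formed but useless.
        ledger = src / "finance" / "ledger.csv"
        ledger.rename(ledger.with_name("ledger.csv.locked")).write_bytes(os.urandom(64))
        after = root / "after-encryption.tgz"
        make_backup(src, after, root / "manifest-after.json")  # deliberately not used

        return {
            "good": verify_restore(good, manifest),
            "overwritten": verify_restore(overwritten, manifest),
            "after_encryption": verify_restore(after, manifest),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

The point of the second failure case is that a backup job reporting "success" proves nothing: only a restore compared against a reference taken when the data was known to be good tells you the backup is usable, which is why the manifest has to live somewhere the ransomware cannot reach.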
NIST Data Integrity Ransomware Projects
There are three NIST projects dedicated to data integrity in the context of ransomware, and they are some of the most interesting and detailed guides I have read. Many people are looking for a ransomware recovery guide from NIST, and these projects are the closest thing to one. The important caveat is that these documents will not help you in the middle of a ransomware attack: they describe what you need to build before you are attacked so that you can recover afterwards, and on that foundation NIST does outline how recovery can happen.
The Jackpot: Data Integrity – Recovering from Ransomware and Other Destructive Events, NIST Special Publication 1800-11
Link: Recovering from Ransomware – NIST Special Publication 1800-11 Landing Page
This is seriously the jackpot. This is a collection of guides that consists of an architectural summary and a detailed overview of what you need to build to be able to recover.
Personally, I would design things a tiny bit differently, but this is probably the best completely free thing out there if you don’t know where to start.
It consists of three parts:
- SP 1800-11a: Executive Summary
- SP 1800-11b: Approach, Architecture, and Security Characteristics
- SP 1800-11c: How-To Guides
I randomly stumbled across this somehow.
NIST SP 1800-25, Identifying and Protecting Assets Against Ransomware and Other Destructive Events
Link to Landing Page for NIST SP 1800-25
Of course, identifying and protecting your assets are important to be able to recover them. This really puts together the full solution when it comes to getting a handle on what is going on in your environment.
NIST SP 1800-26: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
Link to Landing Page for NIST SP 1800-26
This is probably one of my favorites. I know at least my tendency is to jump to recovery when it comes to ransomware, but the fact of the matter is there is a lot to be done before you hit the recover button.
I found these guides very interesting, and very helpful when trying to figure out the bigger picture.
Be sure to bookmark this page, because I’ll be adding more resources as I discover them.
Questions about NIST and Ransomware
Many have questions when it comes to NIST and ransomware. Remember, NIST is best known for the NIST Cybersecurity Framework, which is meant to be a comprehensive guide to “improving critical infrastructure cybersecurity”. This means much of the information is a good starting point for implementing cybersecurity practices in an organization.
Does NIST Have a Ransomware Recovery Guide?
While NIST does not have a single ransomware recovery guide, there are many NIST resources to help you determine your strategy which I have outlined here. The most important thing is that before you can even consider ransomware recovery, there is quite a bit of work that needs to be done so you can recover.
Melissa is an Independent Technology Analyst & Content Creator, focused on IT infrastructure and information security. She is a VMware Certified Design Expert (VCDX-236) and has spent her career focused on the full IT infrastructure stack.