Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

Data breaches, ransomware, destructive malware, insider threats, and even honest mistakes present an ongoing threat to an organization’s infrastructure. Database records, system files, configurations, user files, applications, and customer data are all at risk should an attack occur. Organizations that do not implement detection and response solutions leave themselves at risk for many types of data integrity attacks.

Detailing methods and sample tool sets to help organizations detect, mitigate, and contain data integrity events

The NCCoE Data Security Project Team collaborated with industry experts and technology vendors to develop a reference design using commercially available technologies that details methods and potential tool sets that can detect, mitigate, and contain data integrity events in the components of an enterprise network. It also identifies tools and strategies to aid in a security team’s response to such an event.
Status: Finalized Guidance

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

NIST SP 1800-26: Complete Guide (HTML)Web Version NIST SP 1800-26: Complete Guide (HTML)
NIST SP 1800-26: Complete Guide (PDF)Web Version NIST SP 1800-26: Complete Guide (PDF)
NIST SP 1800-26A: Executive SummaryDocument Version NIST SP 1800-26A: Executive Summary
NIST SP 1800-26B: Approach, Architecture, and Security CharacteristicsDocument Version NIST SP 1800-26B: Approach, Architecture, and Security Characteristics

Project Abstract

The process to mitigate an active attack on an organization’s data integrity requires use of strong, effective tools. Detection of a data integrity attack involves identification of its source, the affected systems, and sufficient data collection to allow for impact analysis. Once detected, swift response to a threat is critical to mitigate the need for recovery action after an event occurs.

The NCCoE is addressing the challenge of detecting and responding to malicious malware and other damaging attacks by collaborating with industry and the information technology (IT) community, including cybersecurity solution vendors.

The NCCoE developed and implemented a solution that incorporates multiple systems working in concert to detect an ongoing data integrity cybersecurity event. Additionally, the solution provides guidance on how to respond to the detected event. Addressing these functions together enables organizations to have the necessary tools to act during a data integrity attack.

Read the project description

Cyber threats are not abating, rather they are increasing and becoming more complex, pervasive, and damaging. Organizations that lack detection and response solutions are highly vulnerable to data integrity events.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.