Data Integrity: Recovering from Ransomware and Other Destructive Events

Constant threats of destructive malware, ransomware, malicious insider activity, and even honest mistakes create the imperative for organizations to be able to quickly recover from an event that alters or destroys data. Businesses must be confident that recovered data is accurate, complete, and free of malware.  

Demonstrating methods for organizations to be able to quickly recover from an event that alters or destroys data

The NCCoE Data Security Project Team collaborated with industry experts and technology vendors to develop and implement a solution that incorporates appropriate actions in response to a detected cybersecurity event. If data integrity is jeopardized, multiple systems work in concert to recover from the event. The solution includes recommendations for commodity components and explores issues relating to auditing and reporting to support recovery and investigations.
Status: Finalized Practice Guide

The NCCoE has released the final version of the NIST Cybersecurity Practice Guide SP 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events. For ease of use, the guide is available in volumes.

Upon review, we recognize that this NIST/NCCoE publication contains potentially biased terminology. As new publications are developed, they will follow NIST’s inclusive language guidance.

Project Abstract

The NCCoE is helping enterprises ensure the integrity of their data through collaborative efforts with industry and the Information Technology (IT) community, including vendors of cybersecurity solutions. 

Multiple systems need to work together to prevent, detect, alert, and recover from events that corrupt data. This project explores methods to effectively recover operating systems, databases, user files, applications, and software/system configurations. It also explores issues with auditing and reporting (user activity monitoring, file system monitoring, database monitoring, and rapid recovery solutions) to support recovery and investigations. To address real-world business challenges related to data integrity, the example solution is composed of open-source and commercially available components. 

Organizations must be able to quickly recover from a data integrity attack and trust that any recovered data is accurate, complete, and free of malware.  

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.