NIST SPECIAL PUBLICATION 1800-26
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)
Jennifer Cawthra
National Cybersecurity Center of Excellence
NIST
Michael Ekstrom
Lauren Lusty
Julian Sexton
John Sweetnam
The MITRE Corporation
McLean, Virginia
FINAL
December 2020
This publication is available free of charge from https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond.
U.S. Department of Commerce
Wilbur Ross, Secretary
National Institute of Standards and Technology
Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director
- 1 Summary
- 2 How to Use This Guide
- 3 Approach
- 4 Architecture
- 5 Security Characteristic Analysis
- 5.1 Assumptions and Limitations
- 5.2 Build Testing
- 5.3 Scenarios and Findings
- 5.3.1 Ransomware via Web Vector and Self-Propagation
- 5.3.2 Destructive Malware via USB Vector
- 5.3.3 Accidental VM Deletion via Maintenance Script
- 5.3.4 Backdoor Creation via Email Vector
- 5.3.5 Database Modification via Malicious Insider
- 5.3.6 File Modification via Malicious Insider
- 5.3.7 Backdoor Creation via Compromised Update Server
- 6 Future Build Considerations
- Appendix A List of Acronyms
- Appendix B Glossary
- Appendix C References
- Appendix D Functional Evaluation
- D.1 Data Integrity Functional Test Plan
- D.2 Data Integrity Use Case Requirements
- D.3 Test Case: Data Integrity DR-1
- D.4 Test Case: Data Integrity DR-2
- D.5 Test Case: Data Integrity DR-3
- D.6 Test Case: Data Integrity DR-4
- D.7 Test Case: Data Integrity DR-5
- D.8 Test Case: Data Integrity DR-6
- D.9 Test Case: Data Integrity DR-7
- 1 Introduction
- 2 Product Installation Guides
- 2.1 Active Directory and Domain Name System Server
- 2.2 Microsoft Exchange Server
- 2.3 Windows Server Hyper-V Role
- 2.4 MS SQL Server
- 2.5 Microsoft IIS Server
- 2.6 Semperis Directory Services Protector
- 2.7 Glasswall FileTrust™ for Email
- 2.8 Micro Focus ArcSight Enterprise Security Manager
- 2.8.1 Install the ArcSight Console
- 2.8.2 Install Individual ArcSight Windows Connectors
- 2.8.3 Install Individual ArcSight Ubuntu Connectors
- 2.8.4 Install a Connector Server for ESM on Windows 2012 R2
- 2.8.5 Install Pre-Configured Filters for ArcSight
- 2.8.6 Apply Filters to a Channel
- 2.8.7 Configure Email Alerts in ArcSight
- 2.9 Tripwire Enterprise
- 2.10 Tripwire Log Center
- 2.11 Cisco Identity Services Engine
- 2.11.1 Initial Setup
- 2.11.2 Inventory: Configure SNMP on Routers/Network Devices
- 2.11.3 Inventory: Configure Device Detection
- 2.11.4 Policy Enforcement: Configure Active Directory Integration
- 2.11.5 Policy Enforcement: Enable Passive Identity with AD
- 2.11.6 Policy Enforcement: Developing Policy Conditions
- 2.11.7 Policy Enforcement: Developing Policy Results
- 2.11.8 Policy Enforcement: Enforcing a Requirement in Policy
- 2.11.9 Policy Enforcement: Configuring a Web Portal
- 2.11.10 Configuring RADIUS with your Network Device
- 2.11.11 Configuring an Authentication Policy
- 2.11.12 Configuring an Authorization Policy
- 2.12 Cisco Advanced Malware Protection
- 2.13 Cisco Stealthwatch
- 2.13.1 Configure Stealthwatch Flow Collector, Stealthwatch Management Console, Stealthwatch UDP Director and Stealthwatch Flow Sensor
- 2.13.2 Change Default Stealthwatch Console Passwords
- 2.13.3 Configure the Stealthwatch Management Console Web Interface
- 2.13.4 Configure the Stealthwatch UDP Director, Stealthwatch Flow Collector and Stealthwatch Flow Sensor Web Interfaces
- 2.14 Symantec Analytics
- 2.15 Symantec Information Centric Analytics
- 2.16 Integration: Cisco Identity Services Engine and Cisco Stealthwatch
- 2.17 Integration: Tripwire Log Center and Tripwire Enterprise
- 2.18 Integration: Symantec ICA and ArcSight ESM
- 2.19 Integration: Micro Focus ArcSight and Tripwire
- 2.20 Integration: Micro Focus ArcSight and Cisco AMP
- 2.21 Integration: Micro Focus ArcSight and Cisco ISE
- 2.22 Integration: Micro Focus ArcSight and Semperis DSP
- 2.23 Integration: Micro Focus ArcSight and Symantec Analytics
- 2.24 Integration: Micro Focus ArcSight and Glasswall FileTrust
- 2.25 Integration: Micro Focus ArcSight and Cisco Stealthwatch
- List of Acronyms