ARCHIVED: Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF)


Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF)
August 30, 2021
This version has been archived.

Notices
Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2021 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents
Introduction 1
NISTIR 8374 ransomware profile 2
Basic preventative steps 2
NIST Practice Guide goals 6
Identify and protect 7
Detect and respond 7
Recover 7
Technical capabilities 8
Backup 8
Corruption testing 9
Denylisting 11
Event detection 16
Forensics and analytics 17
Integrity monitoring 19
Inventory 22
Logging 24
Mitigation and containment 36
Network protection 37
Policy enforcement 44
Reporting 48
Secure storage
Virtual sing
Vulnerability management 56
Conclusion 58
Contributors 58
Further reading 59
Document versions 59

Abstract
Today, many Chief Information Security Officers (CISOs) and cybersecurity practitioners are looking for effective security controls that will provide their organizations with the ability to identify, protect, detect, respond, and recover from ransomware events. The National Institute of Standards and Technology (NIST) has published practice guides and guidance to create a standards-based risk management framework to serve this need. This paper outlines the AWS services you can use to help you achieve the prescribed security controls.

This document is intended for cybersecurity professionals, risk management officers, or other organization-wide decision makers considering the implementation of security controls to manage the risks associated with ransomware and other destructive events using the NIST cybersecurity framework in their organization. For details on how to configure the AWS services identified in this document and in the associated customer workbook (file download), contact your AWS Solutions Architect.

Amazon Web Services
Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF)

Introduction
Organizations have the responsibility to protect the data they hold and safeguard their systems. This can be challenging, as technology changes in size and complexity, and as resources and workforces become more limited. Organizations must remain vigilant, as outside parties may attempt to gain unauthorized access to sensitive data through ransomware.

Ransomware refers to a business model and a wide range of associated technologies that bad actors use to extort money. The bad actors use a range of tactics to gain unauthorized access to their victims' data and systems, including exploiting unpatched vulnerabilities, taking advantage of weak or stolen credentials, and using social engineering. Access to the data and systems is restricted by the bad actors, and a ransom demand is made for the "safe return" of these digital assets.

There are several methods such actors use to restrict or eliminate legitimate access to resources, including encryption and deletion, modified access controls, and network-based denial of service attacks. In some cases, even after data access is restored, bad actors have demanded a "second ransom," promising that its payment guarantees the deletion of victims' sensitive data, instead of selling it or publicly releasing it.

Ransomware attacks are typically opportunistic in nature, targeting end users through emails, embedding malicious code within websites, or gaining access through unpatched systems. Ransomware can cost organizations a significant amount of resources in response and recovery, as well as impact their ability to operate.

To help entities establish a holistic defense, the National Institute of Standards and Technology (NIST) developed the Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework, or CSF). See NIST Cybersecurity Framework (CSF): Aligning to the NIST CSF in the AWS Cloud for additional information. NIST subsequently published additional draft guidance and practice guides specific to ransomware. NIST's National Cybersecurity Center of Excellence (NCCoE) has published Practice Guides to demonstrate how organizations can develop and implement security controls to combat the data integrity challenges posed by ransomware and other destructive events. These are described in:

- NIST Special Publication (SP) 1800-11, Data Integrity: Recovering from Ransomware and Other Destructive Events
- SP 1800-25, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
- SP 1800-26, Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

In addition, the draft NISTIR 8374, Cybersecurity Framework Profile for Ransomware Risk Management, provides guidance on how to defend against the threat, what to do during an incident, and how to recover from it. This framework can be used by organizations to improve their risk posture. It can also help organizations seeking to implement a risk management framework that deals with ransomware threats.

This whitepaper outlines the security controls recommended by NIST related to ransomware risk management, and maps those technical capabilities to AWS services and implementation guidance. While this whitepaper is primarily focused on managing the risks associated with ransomware, the security controls and AWS services outlined are consistent with general security best practices.

NISTIR 8374 ransomware profile
NISTIR 8374: Cybersecurity Framework Profile for Ransomware Risk Management maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 to security capabilities and measures that support preventing, responding to, and recovering from ransomware events.

Basic preventative steps
The security capabilities and measures outlined in the Profile provide a detailed approach to preventing and mitigating ransomware events. The Profile recommends that organizations take basic preventative steps against the ransomware threat. The following table illustrates these steps, and includes a mapping to AWS services that, when implemented, enable an entity to improve their security. Note that this is a non-exhaustive list: there are additional tools and services, not listed here, with comparable capabilities and benefits.

Table 1 — Preventative steps and the associated AWS services

Preventative step: Use antivirus software at all times. Set your software to automatically scan emails and storage devices.
AWS service: AWS Marketplace
AWS service description: AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors that makes it easy to find, test, buy, and deploy software that runs on AWS.

Preventative step: Keep computers fully patched. Run scheduled checks to keep everything up-to-date.
AWS service: AWS Systems Manager Patch Manager
AWS service description: AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon Elastic Compute Cloud (Amazon EC2) or on-premises instances. Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected. You can also schedule maintenance windows for your patches so that they are only applied during preset times. Systems Manager helps ensure that your software is up-to-date and meets your compliance policies.

Preventative step: Block access to ransomware sites. Use security products or services that block access to known ransomware sites.
AWS service: Amazon Route 53 Resolver DNS Firewall
AWS service description: Help protect your recursive DNS queries within the Route 53 Resolver. Create domain lists and build firewall rules that filter outbound DNS traffic against these rules.

Preventative step: Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
AWS service: AWS Network Firewall
AWS service description: AWS Network Firewall is a high availability, managed network firewall service for your virtual private cloud (VPC). It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to help protect your virtual networks on AWS. Network Firewall automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure.
AWS service: Network Access Control Lists
AWS service description: Similar to a firewall, Network Access Control Lists (NACLs) control traffic in and out of one or more subnets. To add an additional layer of security to your Amazon VPC, you can set up NACLs with rules similar to your security groups.
AWS service: AWS Systems Manager State Manager
AWS service description: AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, antivirus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or Amazon Simple Storage Service (Amazon S3) buckets.

Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.

Preventative step: Restrict personally owned devices on work networks.
AWS service: Customer responsibility
AWS service description: See the AWS Shared Responsibility Model for additional information on customer responsibility.

Preventative step: Use standard user accounts versus accounts with administrative privileges whenever possible.
AWS service: AWS Identity and Access Management (IAM)
AWS service description: AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Preventative step: Avoid using personal apps like email, chat, and social media from work computers.
AWS service: Customer responsibility
AWS service description: See the AWS Shared Responsibility Model for additional information on customer responsibility.

Preventative step: Don't open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
AWS service: Customer responsibility
AWS service description: See the AWS Shared Responsibility Model for additional information on customer responsibility.

Preventative step: Make an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan.
AWS service: AWS Security Incident Response Guide
AWS service description: See the AWS Security Incident Response Guide for an overview of the fundamentals.

Preventative step: Backup and restore. Carefully plan, implement, and test a data backup and restoration strategy, and secure and isolate backups of important data.
AWS service: Amazon EBS snapshots
AWS service description: Amazon EBS provides the ability to create snapshots (backups) of any EBS volume. A snapshot takes a copy of the EBS volume and places it in Amazon S3, where it is stored redundantly in multiple Availability Zones.
AWS service: AWS Backup
AWS service description: AWS Backup enables you to centralize and automate data protection across AWS services. AWS Backup offers a cost-effective, fully managed, policy-based service that further simplifies data protection at scale.
AWS service: CloudEndure Disaster Recovery
AWS service description: CloudEndure Disaster Recovery minimizes downtime and data loss by providing fast, reliable recovery into AWS. The solution continuously replicates applications from physical, virtual, or cloud-based infrastructure to a low-cost staging area that is automatically provisioned in any target AWS Region of your choice.
AWS service: AWS CodeCommit
AWS service description: AWS CodeCommit is a fully-managed source control service that hosts secure GitHub-based repositories.

Preventative step: Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.
AWS service: AWS Security Incident Response Guide
AWS service description: See the AWS Security Incident Response Guide for an overview of the fundamentals.

NIST Practice Guide goals
Each of the NIST 1800-11, 1800-25, and 1800-26 Practice Guides includes a detailed set of goals designed to help organizations establish the ability to identify, protect, detect, respond, and recover from ransomware events.

The goals are to help organizations confidently:

Identify and protect
- Identify systems, users, data, applications, and entities on the network
- Identify vulnerabilities in enterprise components and clients
- Baseline the integrity and activity of enterprise systems in preparation for an attack
- Create backups of enterprise data in advance of an attack
- Protect these backups and other potentially important data against alteration
- Manage enterprise health by assessing machine posture

Detect and respond
- Detect malicious and suspicious activity generated on the network by users, or from applications that could indicate a data integrity event
- Mitigate and contain the effects of events that can cause a loss of data integrity
- Monitor the integrity of the enterprise for detection of events and after-the-fact analysis
- Utilize logging and reporting features to speed response time for data integrity events
- Analyze data integrity events for the scope of their impact on the network, enterprise devices, and enterprise data
- Analyze data integrity events to inform and improve the enterprise's defenses against future attacks

Recover
- Restore data to its last known good configuration
- Identify the correct backup version (free of malicious code and data) for restoration
- Identify altered data as well as the date and time of alteration
- Determine the identity/identities of those who altered data

- Identify other events that coincide with data alteration
- Determine any impact of the data alteration

Technical capabilities
To achieve the above goals, the Practice Guides outline a set of technical capabilities that should be established and provide a mapping between the generic application term and the security control(s) that the capability provides.

AWS services can be mapped to these technical capabilities. Performing this mapping helps identify which services, features, and functionality can help organizations identify, protect, detect, respond, and recover from ransomware events.

Following is a brief description of each technical capability, the associated NIST CSF control(s), and a mapping of the relevant AWS service(s).

Backup
The backup capability component establishes the ability to back up and restore each component within the enterprise. The configuration of this component needs to align with the organization's recovery time objective (RTO) and recovery point objectives (RPO) for a given application or system.

Table 2 — Backup capability and the associated AWS services

Capability and CSF mapping: Backup (… PR.IP-10)
AWS service: Amazon EBS Snapshots
AWS service description: Amazon Elastic Block Store (Amazon EBS) provides the ability to create snapshots (backups) of any EBS volume. A snapshot takes a copy of the EBS volume and places it in S3, where it is stored redundantly in multiple Availability Zones.
Function: Provides backup and restoration capabilities for systems and provides immutable storage.
AWS GovCloud (US) available?: Yes

AWS service: AWS Backup
AWS service description: AWS Backup enables you to centralize and automate data protection across AWS services. AWS Backup offers a cost-effective, fully managed, policy-based service that further simplifies data protection at scale.
Function: Provides backup and restoration capabilities for systems, performs periodic backups of information, and provides immutable storage.
AWS GovCloud (US) available?: Yes

AWS service: CloudEndure Disaster Recovery
AWS service description: CloudEndure Disaster Recovery minimizes downtime and data loss by providing fast, reliable recovery into AWS. The solution continuously replicates applications from physical, virtual, or cloud-based infrastructure to a low-cost staging area that is automatically provisioned in any target AWS Region of your choice.
Function: Provides backup and restoration capabilities for systems, performs periodic backups of information, and provides immutable storage.
AWS GovCloud (US) available?: Yes

AWS service: AWS CodeCommit
AWS service description: AWS CodeCommit is a fully-managed source control service that hosts secure GitHub-based repositories.
Function: Provides backup and restore capabilities for configuration files.
AWS GovCloud (US) available?: Yes

Corruption testing
The Corruption Testing component establishes the ability to identify, evaluate, and measure the impact of a security event to files and components within the enterprise. This testing is essential to identify the last known good data for the data integrity recovery process.
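The Backup table above treats snapshots as the restore points that must satisfy the RPO, and the Corruption Testing paragraph says the purpose of testing is to find the last known good data. The following added example (not code from the whitepaper or from AWS) shows both checks over records shaped like an EC2 DescribeSnapshots response: it reports each volume as COMPLIANT or NON_COMPLIANT against an assumed RPO in the form an AWS Config custom rule would return, and it selects the newest completed snapshot that predates an assumed integrity event, with a safety margin for the gap between alteration and detection. The snapshot and volume identifiers, NOW, RPO, CORRUPTION_DETECTED_AT and SAFETY_MARGIN are all constructed assumptions.

```python
"""Backup RPO check and last-known-good snapshot selection (added example, not
code from the AWS whitepaper or from AWS).

The records below mirror the fields of an EC2 DescribeSnapshots response
(SnapshotId, VolumeId, State, StartTime); the values are constructed for this
demonstration, not real snapshots. Loading real data would be one boto3
describe_snapshots call, left out so the example runs offline.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2021, 8, 30, 12, 0, tzinfo=UTC)                     # assumed evaluation time
RPO = timedelta(hours=24)                                          # assumed recovery point objective
CORRUPTION_DETECTED_AT = datetime(2021, 8, 30, 6, 0, tzinfo=UTC)   # assumed integrity event
SAFETY_MARGIN = timedelta(hours=12)   # assume alteration may predate its detection by this much

SAMPLE_VOLUMES = ["vol-app", "vol-db", "vol-scratch"]   # vol-scratch has never been backed up
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a1", "VolumeId": "vol-app", "State": "completed",
     "StartTime": datetime(2021, 8, 29, 1, 0, tzinfo=UTC)},
    {"SnapshotId": "snap-0a2", "VolumeId": "vol-app", "State": "completed",
     "StartTime": datetime(2021, 8, 30, 1, 0, tzinfo=UTC)},
    {"SnapshotId": "snap-0a3", "VolumeId": "vol-app", "State": "pending",   # not restorable yet
     "StartTime": datetime(2021, 8, 30, 11, 0, tzinfo=UTC)},
    {"SnapshotId": "snap-0b1", "VolumeId": "vol-db", "State": "completed",
     "StartTime": datetime(2021, 8, 25, 1, 0, tzinfo=UTC)},
]


def completed_snapshots(snapshots, volume_id):
    """Completed snapshots of one volume, newest first; pending or errored ones cannot be restored."""
    return sorted(
        (s for s in snapshots if s["VolumeId"] == volume_id and s["State"] == "completed"),
        key=lambda s: s["StartTime"], reverse=True,
    )


def volumes_out_of_rpo(volumes, snapshots, rpo, now):
    """Map each volume whose newest completed snapshot is older than the RPO to a reason string."""
    findings = {}
    for vol in volumes:
        done = completed_snapshots(snapshots, vol)
        if not done:
            findings[vol] = "no completed snapshot"
        elif now - done[0]["StartTime"] > rpo:
            age = now - done[0]["StartTime"]
            findings[vol] = f"newest completed snapshot {done[0]['SnapshotId']} is {age} old"
    return findings


def last_known_good_snapshot(snapshots, volume_id, detected_at, margin=timedelta(0)):
    """Newest completed snapshot taken at or before (detected_at - margin), or None if none is that old.

    None means every snapshot post-dates the event window, so nothing is safe to restore from."""
    cutoff = detected_at - margin
    for s in completed_snapshots(snapshots, volume_id):
        if s["StartTime"] <= cutoff:
            return s["SnapshotId"]
    return None


def config_rule_evaluations(volumes, snapshots, rpo, now):
    """Express the RPO findings in the shape AWS Config custom rules report, one evaluation per resource."""
    out = volumes_out_of_rpo(volumes, snapshots, rpo, now)
    return [
        {"ComplianceResourceType": "AWS::EC2::Volume",
         "ComplianceResourceId": vol,
         "ComplianceType": "NON_COMPLIANT" if vol in out else "COMPLIANT",
         "Annotation": out.get(vol, "within RPO"),
         "OrderingTimestamp": now}
        for vol in volumes
    ]


if __name__ == "__main__":
    for ev in config_rule_evaluations(SAMPLE_VOLUMES, SAMPLE_SNAPSHOTS, RPO, NOW):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], ev["Annotation"])
    print("restore vol-app from:",
          last_known_good_snapshot(SAMPLE_SNAPSHOTS, "vol-app", CORRUPTION_DETECTED_AT, SAFETY_MARGIN))
```

In a real Config rule the evaluation list would be passed to put_evaluations; the pending snapshot is deliberately excluded from both checks, since a backup that has not completed neither satisfies the RPO nor can be restored from.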

Table 3 — Corruption testing capability and the associated AWS services

Capability and CSF mapping: Corruption Testing
AWS service: AWS Config rules
AWS service description: AWS Config rules are a configurable and extensible set of AWS Lambda functions (for which source code is available) that trigger when an environment configuration change is registered by the AWS Config service. If AWS Config rules deem a configuration change to be undesirable, customers can act to remediate it.
Function: Provides notifications for changes to configuration; provides logs, detection, and reporting in the event of changes to data on a system.
AWS GovCloud (US) available?: Yes

AWS service: AWS Systems Manager State Manager
AWS service description: AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, antivirus definitions, firewall settings, and more. You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or S3 buckets.
Function: Provides notifications for changes to configuration; provides logs, detection, and reporting in the event of changes to data on a system.
AWS GovCloud (US) available?: Yes

Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.

Denylisting
The Denylisting component enables control of allowed communications and applications within an enterprise.

Table 4 — Denylisting capability and the associated AWS services

Capability and CSF mapping: Denylisting (PR.PT-4)
AWS service: Amazon EC2 security groups
AWS service description: A security group acts as a virtual firewall that controls inbound and outbound traffic to your network resources and Amazon EC2 instances. AWS provides security groups as one of the tools for securing your instances, and you need to configure them to meet your security needs.
Function: Provides capability to restrict communication to allowed IP addresses.
AWS GovCloud (US) available?: Yes

AWS service: Amazon Route 53 Resolver DNS Firewall
AWS service description: Help protect your recursive DNS queries within the Route 53 Resolver. Create domain lists and build firewall rules that filter outbound DNS traffic against these rules.
Function: Provides capability to restrict communication to allowed destinations.
AWS GovCloud (US) available?: Yes

AWS service: AWS Network Firewall
AWS service description: AWS Network Firewall is a high availability, managed network firewall service for your VPC. It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to help protect your virtual networks on AWS. Network Firewall automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure.
Function: This control detects reconnaissance activity using signature-based detection.
AWS GovCloud (US) available?: Yes

AWS service: AWS VPC endpoints
AWS service description: A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink.
Function: Restrict access to specific resources.
AWS GovCloud (US) available?: Yes
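The security-group row of Table 4 leaves it to the customer to configure groups so that only allowed sources can reach an instance. The following added example (not code from the whitepaper or from AWS) audits records shaped like an EC2 DescribeSecurityGroups response for the two gaps a reviewer looks for first: ingress open to the whole internet on anything other than an approved public port, and remote-administration ports reachable from outside a trusted address range. The group identifiers, the approved public ports (80, 443) and the trusted range (10.0.0.0/8) are constructed assumptions.

```python
"""Audit EC2 security-group ingress rules for denylisting gaps (added example,
not code from the AWS whitepaper or from AWS).

The input mirrors the IpPermissions structure of an EC2 DescribeSecurityGroups
response; the groups below are constructed for the demonstration. The allowed
public ports and trusted administrative ranges are assumptions to replace with
your own policy.
"""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}                      # assumed: only web ports may face the internet
MGMT_PORTS = {22: "SSH", 3389: "RDP"}            # remote-administration ports to keep off untrusted sources
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate address space

SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]


def port_range(perm):
    """Port span a permission covers; protocol -1 means all traffic and carries no port fields."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def sources(perm):
    """Every IPv4 and IPv6 CIDR a permission accepts traffic from."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def is_trusted(cidr, trusted_nets):
    """True when the whole CIDR sits inside one of the trusted networks of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)


def audit_security_groups(groups, public_ok=PUBLIC_OK_PORTS, trusted_nets=TRUSTED_ADMIN_NETS):
    """Return (group_id, source_cidr, reason) for each ingress rule wider than the policy allows."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            lo, hi = port_range(perm)
            for cidr in sources(perm):
                if cidr in WORLD:
                    if perm["IpProtocol"] == "-1":
                        findings.append((group["GroupId"], cidr, "all protocols and ports open to the internet"))
                    elif not (lo == hi and lo in public_ok):
                        findings.append((group["GroupId"], cidr, f"ports {lo}-{hi} open to the internet"))
                    continue
                if is_trusted(cidr, trusted_nets):
                    continue
                exposed = [name for port, name in MGMT_PORTS.items() if lo <= port <= hi]
                if exposed:
                    findings.append((group["GroupId"], cidr,
                                     f"{'/'.join(exposed)} allowed from outside trusted networks"))
    return findings


if __name__ == "__main__":
    for gid, cidr, reason in audit_security_groups(SAMPLE_GROUPS):
        print(f"{gid}: {cidr}: {reason}")
```

Run against live data, the same function takes the SecurityGroups list from describe_security_groups unchanged; an empty findings list is the compliant state, and each tuple names the group and source CIDR to tighten.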

AWS service: AWS WAF
AWS service description: AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. For more information, see AWS WAF Security Automations.
Function: Malicious sources scan and probe internet-facing web applications for vulnerabilities. They send a series of requests that generate HTTP 4xx error codes. You can use this history to help identify and block malicious source IP addresses.
AWS GovCloud (US) available?: Yes

AWS service: AWS WAF Security Automations
AWS service description: Configuring AWS WAF rules can be challenging, especially for organizations that do not have dedicated security teams. To simplify this process, AWS offers the AWS WAF Security Automations solution, which automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules that filter common web-based attacks.
Function: This control is a solution that leverages automation
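The AWS WAF row above describes the detection idea (a run of HTTP 4xx responses from one source marks a scanner, and that history feeds a block list), and the Security Automations row says the solution turns that into rules without hand-written configuration. The following added example (not code from the whitepaper, from AWS, or from the AWS WAF Security Automations solution) shows the core of that logic: it parses a constructed, simplified access-log format, counts 4xx responses per client in a sliding time window, and renders the offenders as the host CIDRs an AWS WAF IP set takes. The log lines, the threshold of 5 and the 5-minute window are all assumptions; real ALB or WAF logs carry the same fields in a different layout, so only parse_log would change.

```python
"""Flag scanning sources from HTTP 4xx history (added example, not code from the
AWS whitepaper, from AWS, or from the AWS WAF Security Automations solution).

SAMPLE_LOG is a constructed, simplified access log: timestamp client_ip method
path status. Threshold and window values are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ONE_HOUR = timedelta(hours=1)

SAMPLE_LOG = """\
2021-08-30T10:00:01Z 203.0.113.7 GET /probe-1 404
2021-08-30T10:00:02Z 203.0.113.7 GET /probe-2 404
2021-08-30T10:00:02Z 192.0.2.4 GET /index.html 200
2021-08-30T10:00:03Z 203.0.113.7 GET /probe-3 404
2021-08-30T10:00:04Z 203.0.113.7 GET /admin/ 403
2021-08-30T10:00:05Z 203.0.113.7 GET /probe-4 404
2021-08-30T10:00:06Z 203.0.113.7 GET /probe-5 404
2021-08-30T10:00:07Z 192.0.2.4 GET /missing.png 404
2021-08-30T10:00:00Z 198.51.100.9 GET /old-1 404
2021-08-30T10:08:00Z 198.51.100.9 GET /old-2 404
2021-08-30T10:16:00Z 198.51.100.9 GET /old-3 404
2021-08-30T10:24:00Z 198.51.100.9 GET /old-4 404
2021-08-30T10:32:00Z 198.51.100.9 GET /old-5 404
"""


def parse_log(text):
    """Parse the constructed format into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, method, path, status = parts
        try:
            events.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                "ip": ip, "method": method, "path": path, "status": int(status)})
        except ValueError:
            continue
    return events


def scanning_ips(events, threshold=5, window=timedelta(minutes=5)):
    """Clients with at least `threshold` 4xx responses inside some sliding window of length `window`.

    Returns {ip: peak 4xx count seen in one window}. The same number of errors spread over a
    longer period (the 198.51.100.9 sample) stays under the threshold, which is what the window is for."""
    per_ip = defaultdict(list)
    for e in events:
        if 400 <= e["status"] < 500:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # two-pointer sweep over the sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def ip_set_entries(ips):
    """Host CIDRs in the form an AWS WAF IP set accepts (/32 for IPv4, /128 for IPv6)."""
    return sorted(f"{ip}/{32 if ipaddress.ip_address(ip).version == 4 else 128}" for ip in ips)


if __name__ == "__main__":
    hits = scanning_ips(parse_log(SAMPLE_LOG))
    print(hits)
    print(ip_set_entries(hits))
```

The single 403 from 203.0.113.7 counts alongside its 404s because any 4xx is a failed probe from the server's point of view; whether a 5-minute window and a threshold of 5 fit a given application is a tuning decision, since an aggressive bot and a misconfigured client can look alike at the edge.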
