NISTIR 8374 ransomware profile - Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF)

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

NISTIR 8374 ransomware profile

NISTIR 8374: Cybersecurity Framework Profile for Ransomware Risk Management maps security objectives from the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 to security capabilities and measures that support preventing, responding to, and recovering from ransomware events.

Basic preventative steps

The security capabilities and measures outlined in the Profile provide a detailed approach to preventing and mitigating ransomware events. The Profile recommends that organizations take basic preventative steps to protect against the ransomware threat. The following table lists these steps and maps each one to AWS services that, when implemented, enable an organization to improve its security. Note that this list is not exhaustive; additional AWS tools and services with relevant capabilities and benefits are not listed here.

Table 1 — Preventative steps and the associated AWS services

Preventative step: Use antivirus software at all times. Set your software to automatically scan emails and storage devices.
AWS service: AWS Marketplace
Description: AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors that makes it easy to find, test, buy, and deploy software that runs on AWS.

Preventative step: Keep computers fully patched. Run scheduled checks to keep everything up-to-date.
AWS service: AWS Systems Manager Patch Manager
Description: AWS Systems Manager helps you select and deploy operating system and software patches automatically across large groups of Amazon Elastic Compute Cloud (Amazon EC2) or on-premises instances.
Through patch baselines, you can set rules to auto-approve select categories of patches to be installed, such as operating system or high severity patches, and you can specify a list of patches that override these rules and are automatically approved or rejected.
You can also schedule maintenance windows for your patches so that they are only applied during preset times. Systems Manager helps ensure that your software is up-to-date and meets your compliance policies.

Preventative step: Block access to ransomware sites. Use security products or services that block access to known ransomware sites.
AWS service: Amazon Route 53 Resolver DNS Firewall
Description: Helps protect your recursive DNS queries within the Route 53 Resolver. Create domain lists and build firewall rules that filter outbound DNS traffic against these rules.
AWS service: AWS Network Firewall
Description: AWS Network Firewall is a high availability, managed network firewall service for your virtual private cloud (VPC). It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to help protect your virtual networks on AWS. Network Firewall automatically scales with your traffic, ensuring high availability with no additional customer investment in security infrastructure.
AWS service: Network Access Control Lists
Description: Similar to a firewall, Network Access Control Lists (NACLs) control traffic in and out of one or more subnets. To add an additional layer of security to your Amazon VPC, you can set up NACLs with rules similar to your security groups.

Preventative step: Allow only authorized apps. Configure operating systems or use third-party software to allow only authorized applications on computers.
AWS service: AWS Systems Manager State Manager
Description: AWS Systems Manager provides configuration management, which helps you maintain consistent configuration of your Amazon EC2 or on-premises instances. With Systems Manager, you can control configuration details such as server configurations, antivirus definitions, firewall settings, and more.
You can define configuration policies for your servers through the AWS Management Console or use existing scripts, PowerShell modules, or Ansible playbooks directly from GitHub or Amazon Simple Storage Service (Amazon S3) buckets.
Systems Manager automatically applies your configurations across your instances at a time and frequency that you define. You can query Systems Manager at any time to view the status of your instance configurations, giving you on-demand visibility into your compliance status.

Preventative step: Restrict personally owned devices on work networks.
AWS service: Customer responsibility
Description: See the AWS Shared Responsibility Model for additional information on customer responsibility.

Preventative step: Use standard users versus accounts with administrative privileges whenever possible.
AWS service: AWS Identity and Access Management (IAM)
Description: AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Preventative step: Avoid using personal apps like email, chat, and social media from work computers.
AWS service: Customer responsibility
Description: See the AWS Shared Responsibility Model for additional information on customer responsibility.

Preventative step: Don't open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
AWS service: Customer responsibility
Description: See the AWS Shared Responsibility Model for additional information on customer responsibility.

Preventative step: Make an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan.
AWS service: AWS Security Incident Response Guide
Description: See the AWS Security Incident Response Guide for an overview of the fundamentals.

Preventative step: Backup and restore. Carefully plan, implement, and test a data backup and restoration strategy, and secure and isolate backups of important data.
AWS service: Amazon EBS snapshots
Description: Amazon EBS provides the ability to create snapshots (backups) of any EBS volume. A snapshot takes a copy of the EBS volume and places it in Amazon S3, where it is stored redundantly in multiple Availability Zones.
AWS service: AWS Backup
Description: AWS Backup enables you to centralize and automate data protection across AWS services. AWS Backup offers a cost-effective, fully managed, policy-based service that further simplifies data protection at scale.
AWS service: CloudEndure Disaster Recovery
Description: CloudEndure Disaster Recovery minimizes downtime and data loss by providing fast, reliable recovery into AWS. The solution continuously replicates applications from physical, virtual, or cloud-based infrastructure to a low-cost staging area that is automatically provisioned in any target AWS Region of your choice.
AWS service: AWS CodeCommit
Description: AWS CodeCommit is a fully managed source control service that hosts secure Git-based repositories.

Preventative step: Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.
AWS service: AWS Security Incident Response Guide
Description: See the AWS Security Incident Response Guide for an overview of the fundamentals.
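The Patch Manager row above describes three controls: a patch baseline that auto-approves a category of patches, explicit approved/rejected lists that override that rule, and a maintenance window that confines patching to preset times. The following added example (not from the whitepaper or AWS) expresses those three controls as Systems Manager API calls; the baseline name, patch group, cron schedule and patch identifiers are hypothetical, and the FakeSSM stand-in only records calls so the flow runs offline (pass boto3.client("ssm") instead to apply it to a real account).

```python
# Added example (not from the whitepaper or AWS): the Patch Manager row's three
# controls as Systems Manager API calls. Names, the cron schedule and patch
# identifiers are hypothetical; pass boto3.client("ssm") to apply them for real.

def build_baseline_request(name, os_name, approved=(), rejected=()):
    """Auto-approve Security patches rated Critical/Important on release day,
    then override that rule with explicit approve and reject lists."""
    return {
        "Name": name,
        "OperatingSystem": os_name,
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "CLASSIFICATION", "Values": ["Security"]},
                {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
            ]},
            "ApproveAfterDays": 0,
            "ComplianceLevel": "CRITICAL",
        }]},
        "ApprovedPatches": list(approved),  # installed even if no rule matches
        "RejectedPatches": list(rejected),  # never installed, even if a rule matches
        "RejectedPatchesAction": "BLOCK",
    }

def apply_patch_policy(ssm, patch_group, baseline_req, schedule):
    """Create the baseline, bind it to a patch group, and open a maintenance
    window so patching only runs on the cron schedule. Returns both ids."""
    baseline_id = ssm.create_patch_baseline(**baseline_req)["BaselineId"]
    ssm.register_patch_baseline_for_patch_group(
        BaselineId=baseline_id, PatchGroup=patch_group)
    window_id = ssm.create_maintenance_window(
        Name=f"{patch_group}-patching", Schedule=schedule,
        Duration=3, Cutoff=1, AllowUnassociatedTargets=False)["WindowId"]
    return baseline_id, window_id

class FakeSSM:
    """Constructed stand-in that records calls so the flow runs offline."""
    def __init__(self):
        self.calls = []
    def create_patch_baseline(self, **kw):
        self.calls.append(("create_patch_baseline", kw))
        return {"BaselineId": "pb-placeholder"}
    def register_patch_baseline_for_patch_group(self, **kw):
        self.calls.append(("register_patch_baseline_for_patch_group", kw))
        return {}
    def create_maintenance_window(self, **kw):
        self.calls.append(("create_maintenance_window", kw))
        return {"WindowId": "mw-placeholder"}
```

Instances tagged with the "Patch Group" key matching the patch group name pick up this baseline; the maintenance window still needs targets and a patch task registered against it before anything runs.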