I was on a call yesterday, where consultants from Accenture were reviewing the cybersecurity implications of the war in Ukraine. During the conversation one of the consultants brought up the NIST cybersecurity framework as a good starting point for implementing security. If, like me, you see the word “framework” and mentally translate that to “then a bunch of hard work happens” this article might help.
I will cover the NIST (National Institute of Standards and Technology) cybersecurity framework and suggest some activities to fill out each of its components. Bear in mind, though, that the best time to implement any cybersecurity framework is not when the attackers are headed toward the front door. So, I will also zero in on some “do now” ideas before I finish.
What is the NIST Cybersecurity Framework?
Let me start by describing the NIST cybersecurity framework. It is organized around five functions, whose names are plain English: Identify, Protect, Detect, Respond and Recover. (That is the framework as it stood in version 1.1; version 2.0, published in 2024, adds a sixth function, Govern, but the five described below are unchanged.)
Within each of these functions, we can “drill down” to specific activities we may want to undertake.
Identify
In this stage of the NIST cybersecurity framework, you want to understand your starting point. What information or assets are potentially at risk? Start with an inventory: which systems, applications and data are necessary for the organization to function, where they live, and who owns them. As with all cybersecurity frameworks, you will be making choices and tradeoffs regarding what to protect and how well to protect it. The elements the business cannot function without are the ones most in need of protection.
Protect
With this stage of the NIST cybersecurity framework your focus is on protecting what is most important. Protection can take many forms. Here are some examples for you to consider.
- Encryption. Protect your data in transit (TLS) and at rest. See my post from last week about encryption considerations.
- Back up your data (and confirm that the restore function works!). Tested backup and restore continues to be the primary mitigation for ransomware, so keep at least one copy offline or otherwise out of reach of an attacker holding your admin credentials; a backup the attacker can encrypt or delete along with everything else is no backup. Remember that the NotPetya attack was aimed at Ukraine (déjà vu) but spilled over into the rest of the cyber universe.
- Manage endpoints. Especially with work from home continuing, it is critical to make sure that endpoints are protected: kept patched, running endpoint detection and response, and with their disks encrypted.
- Control access. I have said before that identity and access management is one of the first steps you want to take to improve your cybersecurity posture. Limit who can see and manipulate what data or apps, and for how long, and require multi-factor authentication for remote access and administrative accounts.
- Train your users. This is so important!
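To make the “confirm that the restore function works” point concrete, here is an added example (my code, not part of the original post or of any NIST material). It backs up a directory, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares what came back against the manifest, reporting anything missing, altered, extra or unreadable. The sample files, the truncated-archive failure case and all function names are constructed for this illustration.

```python
"""Back up a directory, then prove the backup restores by comparing file hashes.

The manifest taken at backup time is the ground truth; a restore that yields
anything else (missing, extra or altered files, or an archive that will not
open) is reported as a problem instead of being trusted.
"""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def create_backup(source, archive):
    """Write a gzip tarball of source and return the manifest recorded at backup time."""
    manifest = hash_tree(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:  # add files explicitly so archive and manifest agree
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive, manifest):
    """Restore into a scratch directory and return a list of problems (empty means good)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python 3.12 (and patched 3.8+) can refuse path-traversal members.
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(dest, **extra)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = hash_tree(dest)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    for rel in restored.keys() - manifest.keys():
        problems.append(f"unexpected file in restore: {rel}")
    return problems


def _make_sample_tree(root):
    """Constructed sample data standing in for the systems that must come back."""
    src = root / "data"
    (src / "db").mkdir(parents=True)
    (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
    (src / "notes.txt").write_text("constructed sample file\n")
    return src


def demo_good_backup():
    """Back up and verify an intact archive; returns [] when the restore is faithful."""
    with tempfile.TemporaryDirectory() as work:
        src = _make_sample_tree(Path(work))
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        return verify_restore(archive, manifest)


def demo_damaged_backup():
    """Truncate the archive (a failed copy to offsite storage) and show the check catches it."""
    with tempfile.TemporaryDirectory() as work:
        src = _make_sample_tree(Path(work))
        archive = Path(work) / "backup.tar.gz"
        manifest = create_backup(src, archive)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("intact archive:", demo_good_backup() or "restore verified")
    print("damaged archive:", demo_damaged_backup())
```

The point of the scratch-directory restore is that the check exercises the same code path a real recovery would, rather than trusting the archive because the backup job exited zero; run it on a schedule against the copy that actually lives offsite, not the one on the backup server.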
Detect
Detection is the trickiest of all the NIST cybersecurity framework elements. Until recently, detection meant digging through log files, looking for anomalies. This is not anyone’s idea of a fun time. Early detection tools tended to focus on pattern matching (do I see a file with the words “ransom” and “bitcoin”?) and were not comprehensive. Since then, newer tools have applied machine learning to correlate actions and events across many inputs. Microsoft’s Threat Intelligence Center (granted, not your typical security organization) detected and published a response to Russia’s wiper malware within a few hours of its appearance in the wild.
Turn on logging, and ship copies of the logs to a separate system before they are overwritten or an intruder clears them. Define some scenarios that you do not expect to see, such as successful logins to your Remote Desktop Protocol servers after business hours, or a burst of failed logins from one address. The Cybersecurity & Infrastructure Security Agency (CISA) publishes and regularly updates a list of the attacks and threats they have seen during the Russian invasion of Ukraine; check whether any of those indicators show up in your network, and whether any of your own “should never happen” scenarios are actually happening. If they are…
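The after-hours RDP scenario above, as an added example (my code, not from the post or from CISA): a small Python detector run over Windows Security logon events. Event IDs 4624 (successful logon) and 4625 (failed logon) and logon type 10 (RemoteInteractive, which is what an RDP session produces) are the real Windows values; the business-hours window, the five-failures-in-a-minute threshold, the JSON field names and the sample events are assumptions constructed for this illustration. It goes one step beyond the text by also flagging a failure burst that is followed by a success from the same address, the shape a password-guessing attack takes when it works.

```python
"""Flag after-hours RDP logons and logon-failure bursts in Windows Security events.

Event ID 4624 is a successful logon, 4625 a failed one, and logon type 10
(RemoteInteractive) is what an RDP session produces. Business hours, the
burst threshold, the field names and the sample events are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, time, timedelta

# Assumed business hours (local time, Monday to Friday).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)

# Constructed sample events, one JSON object per line, in the shape a log
# forwarder might emit. Not real data: 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = """\
{"TimeCreated": "2022-03-07T09:15:02", "EventID": 4624, "LogonType": 10, "TargetUserName": "alice", "IpAddress": "10.0.5.23"}
{"TimeCreated": "2022-03-07T23:41:10", "EventID": 4624, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "198.51.100.77"}
{"TimeCreated": "2022-03-07T23:39:58", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.77"}
{"TimeCreated": "2022-03-07T23:40:03", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "198.51.100.77"}
{"TimeCreated": "2022-03-07T23:40:09", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "198.51.100.77"}
{"TimeCreated": "2022-03-07T23:40:15", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "198.51.100.77"}
{"TimeCreated": "2022-03-07T23:40:22", "EventID": 4625, "LogonType": 10, "TargetUserName": "svc-backup", "IpAddress": "198.51.100.77"}
{"TimeCreated": "2022-03-05T14:02:45", "EventID": 4624, "LogonType": 10, "TargetUserName": "bob", "IpAddress": "10.0.5.40"}
{"TimeCreated": "2022-03-07T19:30:00", "EventID": 4624, "LogonType": 3, "TargetUserName": "fileshare-user", "IpAddress": "10.0.7.9"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime TimeCreated, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    return sorted(events, key=lambda e: e["TimeCreated"])


def is_after_hours(when):
    """True on weekends (Saturday=5, Sunday=6) or outside the assumed business hours."""
    return when.weekday() >= 5 or not (BUSINESS_START <= when.time() < BUSINESS_END)


def after_hours_rdp(events):
    """Successful RDP logons (4624, type 10) that happen when nobody should be working."""
    return [
        {"rule": "after_hours_rdp", "time": e["TimeCreated"].isoformat(),
         "user": e["TargetUserName"], "ip": e["IpAddress"]}
        for e in events
        if e["EventID"] == 4624 and e["LogonType"] == 10 and is_after_hours(e["TimeCreated"])
    ]


def logon_failure_bursts(events, threshold=5, window=timedelta(seconds=60),
                         followup=timedelta(minutes=5)):
    """At least `threshold` failed logons (4625) from one source IP inside `window`.

    A burst followed by a success from the same IP within `followup` is the
    pattern of a password guess that worked, so the alert records that too.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:  # events are sorted, so the per-IP lists stay in order
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e["TimeCreated"])
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(e["TimeCreated"])

    alerts = []
    for ip, times in failures.items():
        for i in range(len(times) - threshold + 1):
            first, last = times[i], times[i + threshold - 1]
            if last - first <= window:
                success_after = any(first < s <= last + followup for s in successes[ip])
                alerts.append({"rule": "logon_failure_burst", "ip": ip,
                               "first": first.isoformat(), "last": last.isoformat(),
                               "success_after": success_after})
                break  # one alert per source IP is enough to act on
    return alerts


def detect(events):
    """Run every rule and return the combined alert list."""
    return after_hours_rdp(events) + logon_failure_bursts(events)


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the sample data this yields two after-hours RDP alerts (a weekday 23:41 logon and a Saturday one) and one failure burst from 198.51.100.77 with a success two minutes later, which is exactly the sequence you would want a human to look at first. Tune the hours and threshold to your own environment before trusting the output, and feed it logs that were forwarded off the host, since an intruder with admin rights can clear the local Security log.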
Respond
Here is where you launch your incident response plan. Take the technical steps necessary to respond. Isolate affected hosts or network segments (disconnect them rather than powering them off where you can, so that evidence in memory survives for the investigation). Lock all admin accounts. Reset passwords, service account credentials included. You know the drill.
Equally important, tell people what is happening and what you are doing about it. Get your Communications and HR people involved. Let staff, Board members and stakeholders know what is going on. Be brave and let your peers know what is happening. Trade the embarrassment for knowing that you might be helping a peer avoid the problem you are seeing right now.
Recover
In this last stage of the NIST cybersecurity framework, you can focus on restoring systems, data, and applications. Be sure you have eliminated any malware, ransomware and the attacker’s own access before you do this; restoring onto a network the intruder still controls just hands them the data a second time.
Follow up with the groups you have been communicating with, to let them know that you are restoring service (with some idea of when that might occur). When you have caught your breath, gather some of the players and ask if there are any lessons to be learned, procedures to be changed and the like.
Thank everyone for their help and support. Remind them that you all could be going through this drill again.
Three Steps to Take Now
“This all sounds great,” you say, “but what do I do right now?”
I like that the NIST cybersecurity framework is easy to understand. But the time to create a cybersecurity plan is not when you are under attack. If you do not have a cybersecurity framework fully implemented, here are three steps you can take right now to protect the organization.
- Train your users. Run a phishing test. Create some training that ties to the cyber war happening between Russia and Ukraine. Remind folks about good browsing and security practices. If you have users who habitually fail your phishing tests, consider temporarily reducing their access rights. If that is not feasible, at least pay attention to their activity logs.
- Create an incident response plan. Not the shiny, perfect plan. Create the plan that presumes your organization will be attacked tomorrow. Who does what? How? Who has the authority to take a system offline, and how do you reach each other if e-mail is down?
- Patch, and patch again. Patch your applications. Run browser updates. Patch your operating systems. Patch every day if you must, starting with internet-facing systems and with anything listed in CISA’s Known Exploited Vulnerabilities catalog.
Preparation Builds Confidence
I hope this current plague of attacks passes quickly, and that your organization is not affected. Get prepared, even if you just do the three things I have described. Knowing you are at least minimally prepared for an attack will help you manage events better.
You got this. Now, get implementing!