Detecting and Responding to Ransomware and Other Destructive Events
“Detecting and Responding to Ransomware and Other Destructive Events” focuses on detailed methods and potential tool sets that can detect, mitigate, and contain data integrity events in the components of an enterprise network. It also identifies tools and strategies to aid in a security team’s response to such an event.
The risks of data integrity attacks can be reduced using capabilities such as integrity monitoring, event detection, vulnerability management, reporting, and mitigation and containment.
Integrity monitoring provides capabilities for comparing current system states against established baselines. The baseline is used for comparison against the system’s state during an attack.
Event detection provides capabilities for detecting ongoing events and can be composed of intrusion detection, malware detection, user anomaly detection, and others, depending on the established threat model of the organization.
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Vulnerability management provides a mechanism for analyzing various system and network components, for a better understanding of resolved and unresolved vulnerabilities in the enterprise.
Reporting provides the capability to report on all activities within the enterprise and within the reference architecture for analysis by a security team.
Mitigation and containment respond to data integrity events by containing and limiting the threat’s ability to affect the system.
Forensics/analytics provide the capability to probe/analyze logs and machines within the enterprise to learn from data integrity events.