Extortionists know that the availability of backups often determines whether they can collect on their ransom demands. Those without sufficient backups are forced to choose between paying the ransom or suffering the loss of data. For this reason, business continuity, specifically backup systems, are prime targets for attackers wishing to inflict maximum damage and increase the likelihood of a payout.
Preventative controls that are implemented must be augmented with an effective recovery framework. These frameworks should address a fluid, rapidly-changing threat landscape through flexibility, integration, and agility of their own. When considering a cyber-resilient strategy, it should include three key components: isolation, orchestration, and rapid recovery.
Isolation: Physically separate your back-up data
The last decade has seen the decline of tape as a primary backup medium while disk and cloud-based replication systems supplanted the technology. Traditional tape systems suffered from relatively slow restore capability, especially for non-sequential data, but they had one attribute that is sometimes missing from disk and cloud backup replication, namely isolation. Replication without isolation often results in encryption of both primary and replica data-sets when ransomware strikes.
Isolation can be performed through air gaps or through logical mechanisms designed to protect backup sets from being overwritten. The air gaps approach physically and logically separates data from the rest of the network. One simple example of air gaps is to back up to a removable hard disk and then store the disk in a safe. More complicated scenarios are often used in the business world, and air gaps has been a standard procedure in many government installations. However, air gaps often relies upon a human element. In the hard drive example, someone must disconnect the drive when the backup completes and move it to a safe location. A backup set mistakenly left attached to systems would lack the protections afforded by air gaps. We humans are all too frequently proven unreliable at performing such tasks consistently without robust processes and accountability. This presents a potential point of failure in the system.
The second method of isolation relies on software to implement protections for the backup sets. Such systems prevent altering of backup sets once they are written according to system policy and the policy is highly restricted, audited, and controlled to prevent unauthorized changes. This form of isolation would prevent an administrator from removing or changing a previous backup set prior to backup retention period expiration.
Orchestration: Automate your quarantine controls to reduce the scope of impact
Ransomware and other destructive malware are designed to rapidly propagate and then swiftly encrypt valuable data. The speed of such attacks requires that companies implement monitoring and analytics across systems to quickly identify malicious behavior.
The speed of malware far exceeds that of human response, yet the initial response to such threats is often well understood. This makes automation the ideal method to address threats in real time. Incident response orchestration uses triggers from monitoring systems to automate the execution of predetermined workflows to quarantine the threat and reduce the scope of impact. For example, Dell EMC Cyber Recovery can be leveraged to analyze data to detect activity such as ransomware. As ransomware begins to encrypt a network share, monitoring and analytics would detect the encryption and kick off workflows to attempt to stop the ransomware and isolate the system for investigation. This prevents the ransomware from impacting other systems and does so without the need to wait for human intervention.
Rapid recovery: Invest in protective measures that will prevent future loss
Rapid recovery is the third key component of cyber resiliency. As mentioned earlier, IT systems are critical to business success, but in some cases, downtime of IT systems could result in loss of life, such as in healthcare and critical infrastructure. Every organization will suffer a downtime at some point and systems should be put in place to restore system or data availability according to the business need in such an event.
A benefit of rapid recovery solutions is that recovery and investigative steps can operate in parallel. In the example above, the system infected with ransomware was isolated from the network, but this prevents users and applications from accessing that data. Rapid recovery solutions may need to mount snapshots of the affected data and then remap resource pointers to the recovery location.
Implementing the framework
Not all data requires this level of protection, so the first step in implementing this level of protection is to identify the mission critical data sets. Investing in management and automation software, like Dell EMC Cyber Recovery, can be implemented on 10-15% of an organization’s disaster recovery scope. Companies then select critical data based on its direct and indirect use, including how the data impacts systems and processes across the enterprise.
Our economy and our lives are increasingly digital. As such, the systems and data that underpin our digital economy are essential to company success. However, cyber resiliency supports the business when other controls fail. Make your company cyber resilient now to prevent future disaster.