Three Key Components of a Cyber Resiliency Framework

Extortionists know that the availability of backups often determines whether they can collect on their ransom demands. Organizations without sufficient backups are forced to choose between paying the ransom and losing their data. For this reason, business continuity systems, and backup systems in particular, are prime targets for attackers who want to inflict maximum damage and increase the likelihood of a payout.

Preventive controls must be augmented with an effective recovery framework, one that meets a fluid, rapidly changing threat landscape with flexibility, integration, and agility of its own. A cyber-resilient strategy should include three key components: isolation, orchestration, and rapid recovery.

Isolation: Physically Separate Your Back-Up Data

The last decade has seen the decline of tape as a primary backup medium as disk and cloud-based replication systems supplanted it. Traditional tape systems restored data relatively slowly, especially non-sequential data, but they had one attribute that disk and cloud replication sometimes lack: isolation. Replication without isolation often means that when ransomware strikes, both the primary and the replica data sets end up encrypted, because the replica faithfully mirrors whatever happens to the primary.

Isolation can be achieved through an air gap or through logical mechanisms designed to keep backup sets from being overwritten. An air gap physically and logically separates the data from the rest of the network. One simple example is backing up to a removable hard disk and then storing the disk in a safe. Businesses often use more elaborate arrangements, and air gaps have long been standard procedure in many government installations. However, an air gap often relies on a human element. In the hard-drive example, someone must disconnect the drive when the backup completes and move it to a safe location; a backup set mistakenly left attached to the system has none of the protection the air gap is meant to provide. People are all too frequently unreliable at performing such tasks consistently without robust processes and accountability, which makes the air gap itself a potential point of failure.

The second method of isolation relies on software to protect the backup sets. Such systems make a backup set immutable once it has been written, for as long as the retention policy requires, and the policy itself is tightly restricted, audited, and controlled so that it cannot be changed without authorization. This form of isolation prevents even an administrator from deleting or altering a previous backup set before its retention period expires, which also means that stolen administrative credentials are not, by themselves, a route to destroying the backups.
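The retention-locked behaviour described above, as an added illustration that is not part of the original article or any Dell EMC product: a small in-memory backup catalog that refuses overwrite and delete inside the retention window regardless of the caller's role, audits every attempt, and recomputes SHA-256 digests so that a copy altered beneath the API is detected. The payload, actor names, and 30-day retention are constructed assumptions.

```python
"""Retention-locked backup catalog: a constructed illustration of logical isolation.

Backup sets are written once and cannot be overwritten or deleted until their
retention period has lapsed, whatever role the caller holds; every attempt is
audited. verify() recomputes each set's SHA-256 so that a copy altered below
the API (for example a replica that was re-encrypted in place) is detected.
"""
import hashlib
from datetime import datetime, timedelta


class RetentionLocked(Exception):
    """Raised when a caller tries to alter a set inside its retention window."""


class BackupCatalog:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._sets = {}   # name -> {"data": bytes, "sha256": str, "expires": datetime}
        self.audit = []   # (when, actor, action, name, outcome); append-only by convention

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def write(self, name: str, data: bytes, actor: str, now: datetime) -> str:
        """Store a new set; overwriting an unexpired set of the same name is refused."""
        current = self._sets.get(name)
        if current is not None and now < current["expires"]:
            self.audit.append((now, actor, "overwrite", name, "refused"))
            raise RetentionLocked(f"{name} is locked until {current['expires']:%Y-%m-%d}")
        digest = self.digest(data)
        self._sets[name] = {"data": data, "sha256": digest, "expires": now + self.retention}
        self.audit.append((now, actor, "write", name, "ok"))
        return digest

    def delete(self, name: str, actor: str, now: datetime) -> None:
        """Honour a delete only after retention has lapsed; the caller's role is irrelevant."""
        entry = self._sets[name]
        if now < entry["expires"]:
            self.audit.append((now, actor, "delete", name, "refused"))
            raise RetentionLocked(f"{name} is locked until {entry['expires']:%Y-%m-%d}")
        del self._sets[name]
        self.audit.append((now, actor, "delete", name, "ok"))

    def verify(self) -> dict:
        """name -> True if the stored bytes still match the digest recorded at write time."""
        return {n: self.digest(e["data"]) == e["sha256"] for n, e in self._sets.items()}


def simulate_ransomware(now: datetime = datetime(2024, 1, 1)) -> dict:
    """Constructed scenario: one payload hits an unprotected replica and the locked catalog."""
    payload = b"payroll-2024-q1.db: constructed sample contents"
    scrambled = bytes(b ^ 0x5A for b in payload)   # stand-in for attacker encryption
    later = now + timedelta(days=1)

    # 1. Plain replication mirrors whatever the primary holds, ciphertext included.
    replica = {"payroll": payload}
    replica["payroll"] = scrambled
    outcome = {"replica_intact": replica["payroll"] == payload}

    # 2. The locked catalog refuses the same overwrite, even from an admin account.
    cat = BackupCatalog(retention=timedelta(days=30))
    cat.write("payroll", payload, actor="backup-svc", now=now)
    try:
        cat.write("payroll", scrambled, actor="admin", now=later)
        outcome["overwrite_refused"] = False
    except RetentionLocked:
        outcome["overwrite_refused"] = True

    # 3. ...and refuses deletion inside the retention window.
    try:
        cat.delete("payroll", actor="admin", now=later)
        outcome["delete_refused_in_window"] = False
    except RetentionLocked:
        outcome["delete_refused_in_window"] = True
    outcome["verify_before_tamper"] = cat.verify()["payroll"]

    # 4. Tampering beneath the API (e.g. at the storage layer) is caught by verify().
    cat._sets["payroll"]["data"] = scrambled
    outcome["tamper_detected"] = not cat.verify()["payroll"]

    # 5. Once retention lapses the same delete is honoured.
    cat.delete("payroll", actor="admin", now=now + timedelta(days=31))
    outcome["delete_after_expiry"] = "payroll" not in cat._sets
    outcome["audit_entries"] = len(cat.audit)
    return outcome
```

The point of step 4 is that immutability at the API layer is not enough on its own: the store still has to be verified against digests recorded at write time, otherwise a replica that was encrypted in place looks like a valid backup until the day it is needed.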

Orchestration: Automate Your Quarantine Controls to Reduce the Scope of Impact

Ransomware and other destructive malware are designed to propagate rapidly and then encrypt valuable data quickly. The speed of such attacks requires companies to implement monitoring and analytics across their systems so that malicious behavior is identified early.

Malware moves far faster than a human can respond, yet the initial response to such threats is usually well understood, which makes automation the ideal way to address them in real time. Incident response orchestration uses triggers from monitoring systems to execute predetermined workflows that quarantine the threat and reduce the scope of impact. For example, Dell EMC Cyber Recovery can analyze data to detect activity such as ransomware. As ransomware begins to encrypt a network share, monitoring and analytics detect the encryption and kick off workflows that attempt to stop the ransomware and isolate the affected system for investigation. This keeps the ransomware from reaching other systems, without waiting for human intervention.
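One way the detect-then-orchestrate loop above can work, as an added example that is not code from the article or from Dell EMC Cyber Recovery: file writes on a share are scored by Shannon entropy (ciphertext sits near 8 bits per byte, ordinary documents well below), a per-host sliding window counts high-entropy writes, and the first host to cross the burst threshold is handed to a fixed quarantine workflow. The events, thresholds, host names and action strings are all constructed assumptions; in production each action string would be a call to the EDR, identity provider or backup system.

```python
"""Entropy-based detection of a mass-encryption burst on a share, wired to a
quarantine workflow. Constructed example; the events, thresholds and action
names are assumptions, not any product's telemetry or API.
"""
import math
import random
from collections import defaultdict, deque

ENTROPY_THRESHOLD = 7.0   # bits per byte; ciphertext and compressed data sit close to 8
BURST_COUNT = 5           # this many high-entropy writes from one host ...
BURST_WINDOW = 60.0       # ... inside this many seconds triggers the workflow


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0 for empty input, 8 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class ShareMonitor:
    """Tracks high-entropy writes per host in a sliding time window."""

    def __init__(self):
        self._recent = defaultdict(deque)   # host -> timestamps of suspicious writes
        self._triggered = set()             # hosts already handed to the workflow

    def observe(self, event: dict):
        """Return a trigger dict the first time a host crosses the burst threshold."""
        host = event["host"]
        if host in self._triggered:
            return None
        if shannon_entropy(event["content"]) < ENTROPY_THRESHOLD:
            return None                      # ordinary document content
        window = self._recent[host]
        window.append(event["t"])
        while window and event["t"] - window[0] > BURST_WINDOW:
            window.popleft()                 # forget writes outside the window
        if len(window) < BURST_COUNT:
            return None                      # a single archive upload stays below this
        self._triggered.add(host)
        return {"host": host, "user": event["user"], "share": event["share"],
                "count": len(window), "t": event["t"]}


def quarantine_workflow(trigger: dict) -> list:
    """Predetermined response; each string stands in for a call to the EDR, IdP or backup API."""
    return [
        f"isolate-host {trigger['host']}",
        f"disable-account {trigger['user']}",
        f"snapshot-share {trigger['share']}",
        f"open-incident host={trigger['host']} files={trigger['count']} t={trigger['t']:.0f}",
    ]


def run_monitor(events: list):
    """Feed events through the monitor in time order; returns (triggers, actions)."""
    monitor = ShareMonitor()
    triggers, actions = [], []
    for ev in sorted(events, key=lambda e: e["t"]):
        trig = monitor.observe(ev)
        if trig:
            triggers.append(trig)
            actions.extend(quarantine_workflow(trig))
    return triggers, actions


def sample_events() -> list:
    """Constructed write events on one share: normal edits, one archive, and an encryption burst."""
    rng = random.Random(7)

    def ciphertext(n=512):
        return bytes(rng.getrandbits(8) for _ in range(n))

    prose = b"Quarterly figures and narrative for the board pack, section " * 20
    share = "//fs01/finance"
    events = [{"t": 10.0 + i, "host": "WS-01", "user": "alice", "share": share,
               "path": f"q{i}.docx", "content": prose} for i in range(3)]
    events.append({"t": 40.0, "host": "WS-03", "user": "bob", "share": share,
                   "path": "export.zip", "content": ciphertext()})       # benign, single file
    events += [{"t": 100.0 + 2.5 * i, "host": "WS-07", "user": "svc-print", "share": share,
                "path": f"inv{i}.pdf", "content": ciphertext()} for i in range(8)]
    return events
```

The burst count and window are what keep a legitimate archive upload (one high-entropy file) from isolating a workstation; tune them against the share's normal write rate before enabling automatic containment, and keep the snapshot step in the workflow so that investigation and recovery can start from a preserved copy.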

Rapid Recovery: Invest in Protective Measures That Will Prevent Future Loss

Rapid recovery is the third key component of cyber resiliency. IT systems are critical to business success, and in some sectors, such as healthcare and critical infrastructure, downtime could cost lives. Every organization will suffer downtime at some point, so systems should be in place to restore system or data availability within the time the business requires.

A benefit of rapid recovery solutions is that recovery and investigation can proceed in parallel. In the example above, the system infected with ransomware was isolated from the network, which also cuts users and applications off from the data it held. A rapid recovery solution may need to mount snapshots of the affected data and then remap resource pointers to the recovery location, so that users regain access while the isolated system is preserved for forensics.
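Selecting the snapshot to mount is the step most often got wrong, so here it is as an added example (not the article's or any vendor's code): a candidate snapshot must predate the first anomalous write, not merely the alert, because the malware may have been encrypting for hours before detection, and its bytes on storage must still match the digest recorded when it was taken. The snapshot ids, timestamps, share names and mount paths are constructed assumptions.

```python
"""Choosing a recovery point while the infected host stays quarantined.

Constructed example. The catalog records when each snapshot was taken and the
SHA-256 of its contents at capture; a snapshot qualifies only if it predates the
first anomalous write (not merely the detection time, since the malware may
have been running unnoticed) and its bytes on storage still match the digest.
"""
import hashlib
from datetime import datetime


class NoCleanSnapshot(Exception):
    """No verified snapshot predates the incident; recovery needs another source."""


def select_recovery_point(snapshots: list, first_bad_write: datetime, storage: dict) -> dict:
    """snapshots: [{"id", "taken", "sha256"}]; storage: snapshot id -> bytes as currently held."""
    candidates = [s for s in snapshots if s["taken"] < first_bad_write]
    for snap in sorted(candidates, key=lambda s: s["taken"], reverse=True):
        if hashlib.sha256(storage[snap["id"]]).hexdigest() == snap["sha256"]:
            return snap
        # digest mismatch: the snapshot itself was altered, keep looking further back
    raise NoCleanSnapshot(f"no verified snapshot before {first_bad_write:%Y-%m-%d %H:%M}")


def remap_share(mounts: dict, share: str, snap: dict) -> dict:
    """Repoint `share` at the mounted snapshot; the old path is kept for the investigators."""
    updated = dict(mounts)
    updated[share] = {"path": f"/mnt/recovery/{snap['id']}",
                      "forensic_copy": mounts[share]["path"]}
    return updated


def demo_recovery() -> dict:
    """Three constructed cases: intact snapshot, tampered snapshot, nothing clean."""
    clean = b"finance share: constructed sample contents"
    encrypted = bytes(b ^ 0x5A for b in clean)       # stand-in for ransomware output

    def sha(b: bytes) -> str:
        return hashlib.sha256(b).hexdigest()

    snaps = [
        {"id": "snap-0200", "taken": datetime(2024, 3, 4, 2, 0), "sha256": sha(clean)},
        {"id": "snap-1400", "taken": datetime(2024, 3, 4, 14, 0), "sha256": sha(clean)},
        {"id": "snap-2000", "taken": datetime(2024, 3, 4, 20, 0), "sha256": sha(encrypted)},  # captured ciphertext
    ]
    first_bad_write = datetime(2024, 3, 4, 18, 30)   # from the share's write log, not the alert time
    storage = {"snap-0200": clean, "snap-1400": clean, "snap-2000": encrypted}
    result = {}

    # A: newest snapshot before the first bad write, and it verifies
    result["intact"] = select_recovery_point(snaps, first_bad_write, storage)["id"]

    # B: the 14:00 snapshot was altered on storage, so fall back to 02:00
    storage_b = {**storage, "snap-1400": encrypted}
    result["tampered"] = select_recovery_point(snaps, first_bad_write, storage_b)["id"]

    # C: malware predates every snapshot; refuse rather than restore ciphertext
    try:
        select_recovery_point(snaps, datetime(2024, 3, 4, 1, 0), storage)
        result["none_clean"] = None
    except NoCleanSnapshot as exc:
        result["none_clean"] = str(exc)

    mounts = {"//fs01/finance": {"path": "/srv/fs01/finance"}}
    result["mounts"] = remap_share(mounts, "//fs01/finance", snaps[1])
    return result
```

Case C is the one to plan for: if the earliest anomalous write predates every retained snapshot, the right answer is to stop and widen the investigation, not to mount the newest snapshot and hope.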

Implementing The Framework

Not all data requires this level of protection, so the first step is to identify the mission-critical data sets. Management and automation software such as Dell EMC Cyber Recovery is typically applied to the 10-15% of an organization’s disaster recovery scope that matters most. Companies select that critical data based on its direct and indirect use, including how the data feeds systems and processes across the enterprise.

Our economy and our lives are increasingly digital, and the systems and data that underpin that economy are essential to company success. Cyber resiliency is what supports the business when other controls fail. Make your company cyber resilient now, before the disaster rather than after it.

Moving Beyond the Perimeter

In this white paper, you’ll find:

  • An overview of the new enterprise architecture
  • Detailed descriptions of new risks
  • How to protect against attacks inside the perimeter
  • What the BeyondCorp model entails

The Theory Behind Google’s BeyondCorp Security Model

The new enterprise architecture is redefining the perimeter: data is stored outside corporate walls, and a more mobile workforce works remotely. This dynamic environment requires a new security model to address insider risk, vulnerable endpoints, policy gaps and more.

Read this primer on Google’s BeyondCorp model, a framework built on “zero trust”: the assumption that no traffic inside an enterprise’s network is any more trustworthy than traffic coming from outside it.

Find out how you can implement a similar security model in your organization with the help of Duo Beyond, which lets you:

  • Identify corporate vs. personal devices
  • Deploy certificates easily
  • Block untrusted endpoints
  • Give users secure access to internal applications
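To make the “zero trust” idea above concrete, here is an added example that is not Google’s BeyondCorp code or anything from Duo: the same four requests are evaluated by a legacy perimeter rule (trust anything on the corporate network) and by a BeyondCorp-style rule that ignores the source address and instead asks for a corporate-issued device certificate, a healthy device, and an MFA strength matched to how sensitive the application is. The address range, application tiers, device-health fields and user names are constructed assumptions.

```python
"""Perimeter-style versus BeyondCorp-style access decisions on the same requests.

Constructed example, not Duo's or Google's code. A request says who is asking,
from which address and device, and for which application. The perimeter policy
trusts anything that originates on the corporate network; the zero-trust policy
ignores the source address and instead checks for a corporate-issued device
certificate, device health, and an MFA strength that matches the app's tier.
The address range, app tiers and health fields are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = ip_network("10.0.0.0/8")                       # assumed corporate address range
APP_TIER = {"wiki": 1, "hr-portal": 2, "prod-admin": 3}   # assumed sensitivity tiers


@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    app: str
    device_cert: bool      # presented a client certificate issued to a managed device
    device_healthy: bool   # disk encrypted, OS patched, screen lock on (agent-reported)
    mfa: str               # "none", "push" or "webauthn"


def perimeter_policy(req: Request) -> bool:
    """Legacy rule: inside the network means trusted."""
    return ip_address(req.src_ip) in CORP_NET


def zero_trust_policy(req: Request) -> tuple:
    """Returns (allowed, reason); the network location never appears in the decision."""
    tier = APP_TIER[req.app]
    if req.mfa == "none":
        return False, "MFA required for every app"
    if tier >= 2 and not req.device_cert:
        return False, "personal or unknown device: no corporate certificate"
    if tier >= 2 and not req.device_healthy:
        return False, "managed device is out of policy"
    if tier == 3 and req.mfa != "webauthn":
        return False, "phishing-resistant MFA required for tier 3"
    return True, "allowed"


def sample_requests() -> list:
    """Four constructed requests that separate the two policies."""
    return [
        # attacker already on the LAN, personal laptop, no second factor
        Request("mallory", "10.20.30.40", "hr-portal", device_cert=False, device_healthy=False, mfa="none"),
        # employee at home on a managed, healthy laptop with a security key
        Request("alice", "203.0.113.7", "hr-portal", device_cert=True, device_healthy=True, mfa="webauthn"),
        # managed laptop on the LAN but push MFA only, asking for the most sensitive app
        Request("bob", "10.1.1.5", "prod-admin", device_cert=True, device_healthy=True, mfa="push"),
        # personal phone reading the wiki with push MFA: acceptable for tier 1
        Request("carol", "198.51.100.9", "wiki", device_cert=False, device_healthy=False, mfa="push"),
    ]


def compare(requests: list) -> list:
    """(user, perimeter_allows, zero_trust_allows, reason) for each request."""
    return [(r.user, perimeter_policy(r), *zero_trust_policy(r)) for r in requests]
```

The first and second requests are the whole argument: the perimeter rule admits the attacker who is already inside and turns away the legitimate employee working from home, while the zero-trust rule gets both right because it never consulted the address.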


The headlines are clear – cyber attacks are imminent

The UK’s National Cyber Security Centre (NCSC), the FBI, and the US Department of Homeland Security have issued a joint alert warning of a global campaign. Ciaran Martin, head of the NCSC, said the issuing of the alert marked a “significant moment”, as the two countries had never before given joint advice on how to deal with attacks.

“Many of the techniques used by Russia exploit basic weaknesses in network systems,” said Martin. “There are millions of machines being globally targeted, trying to seize control over connectivity.”

That total is believed to include tens of thousands of home devices in the UK alone, which could be used “at scale” in wider operations. Security services have admitted they do not know the full extent of the activity by state-sponsored Russian hackers, who compromise the routers connecting homes and offices to the internet in order to spy on the traffic passing through them, harvesting passwords, data and other information that could later be used in an attack.

How can you better prepare yourself?

Change your passwords. Use a new password for each account, never one you have used before and never the same one in two places, and use a password manager so that this is practical. Change a password immediately if you suspect it has been exposed; the NCSC no longer recommends changing passwords on a fixed schedule, since that tends to produce weaker, more predictable choices.

Add multi-factor authentication (MFA). Companies like Google and Microsoft offer MFA as standard on their personal accounts; make sure you turn it on, and strongly consider implementing MFA on your corporate network as well. Where the choice is offered, prefer an authenticator app or a hardware security key over SMS codes. Get in touch or speak to your Account Manager to find out more about the MFA solutions we offer.

Be extra vigilant. Treat any unexpected email or phone call with an extra layer of caution. Do not give out personal or business information to untrusted sources, and if you are unsure, contact the organisation directly through a channel you already know rather than replying to the message or using the contact details it contains.

Raise the cyber-security profile within your organisation. Discuss cyber-security regularly in your team and company meetings, and encourage all employees, especially your senior management team, to keep abreast of the latest industry news and headlines. The more you and your employees know about cyber-security, the better.

To discuss an improved cybersecurity strategy for your business and what options are available to you, get in touch. We will be happy to complete an initial cybersecurity-focused assessment of your current IT infrastructure in order to protect against potential data loss and a rapidly changing threat landscape.