Authored by: Sheena Chin, Managing Director, ASEAN, Cohesity
Over the past few years, one of the most important developments in the cyber-attack landscape has been the evolution of ransomware. In 2017, attackers took ransomware to new heights: the WannaCry cryptoworm spread across the globe, affecting over 200,000 machines in 150 countries, causing billions of dollars of damage and grinding global businesses to a halt. Since then, crypto mining has taken over from ransomware as the go-to moneymaking scheme for cybercriminals, and it too can directly compromise IT infrastructure.
Prior to the pandemic, in late 2018, local healthcare providers' data assets were breached in a number of high-profile cases in which patients' records and private data were exposed and published on public forums.
So when it comes to backups, how can organisations protect their chief business asset and recover from an attack?
As data storage and IT processes become outsourced and siloed, the points of vulnerability for a business increase. Moreover, backups have become a new prime target for cyber-criminals. There is a very good reason for this – any reasonably sophisticated ransomware attack will assume that its intended victim has a proper backup strategy in place and will therefore aim to find and destroy those files to increase the efficacy of the attack. The threat is growing, and for most organisations it is a matter of when, not if.
While IT teams may not be able to make their organisations immune to ransomware attacks, the impact of an attack can be lowered by ensuring that you get your systems back online quickly. This reduces the enterprise impact of major outages, limits brand damage, and ensures employee productivity continues.
Cybersecurity and cyber terrorism are now part of many governments' state digital and security manifestos. Due to the potential detriment to brand and reputation, the topic is no longer solely the domain of the IT team; it has become a boardroom conversation.
What individuals and IT teams are doing to make attackers' lives easy
As it stands, the threat is exacerbated by two things. Firstly, a phenomenon called Mass Data Fragmentation – the proliferation of massive volumes of non-mission-critical data used for backup, testing and development, and analytics, sitting across various locations, infrastructure silos and management systems. This kind of fragmentation is a headache for IT managers, who must ensure that all their backup data is accounted for, compliant with regulations and safe across multiple silos and sites. Secondly, many of the solutions used to protect and back up data were designed more than 10 years ago and have not kept up with today's environment; as such, they typically provide an element of protection, but not all of it.
In the ransomware attacks we have seen on backup data, cybercriminals get through perimeter protections and access backup systems using administrators' passwords. Prevention is better than cure, and organisations should employ backup systems that look at daily change rates on logical data, stored data and historical data to build a baseline and understand patterns, perhaps with a view to using machine learning in the future. That way, deviations are immediately flagged and can be dealt with swiftly before they turn into a full-blown attack, allowing the IT team to focus resources on more pressing matters.
Every C-suite should be challenging the IT management department about their company's backup strategy. If your organisation cannot restore a healthy backup and overcome an issue in under a few hours, ideally a few minutes, it is a real problem. Outdated data management systems are costing enterprises time, money and potential business. Our insights show that businesses have anywhere between 2 and 5 data management applications, requiring a significant headcount to make sense of the systems and provide business leaders with a single view, which is neither particularly agile nor helpful.
A multi-point plan to counter ransomware
There are some best-practice processes that protect data against these situations. Backups must be made frequently; ideally, certain workloads should be backed up hourly and stored in a manner that is not exposed to ransomware.
Businesses can start by doing the basics right. WannaCry and other ransomware attacks would not have affected the organisations had they maintained their patches in a timely fashion. With respect to backup practices, several things would be considered 'the basics'.
Use different credentials to access backups: the account used to access the backup storage should be used exclusively for that purpose.
Regularly analyse backup data for signs of ransomware. Have there been a lot of writes on disk? Has the CPU utilisation exceeded normal levels? And what offline storage options are at your disposal?
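The change-rate monitoring described above (a baseline of normal daily churn, with deviations flagged before an attack completes) can be implemented with plain statistics. The following is an added example written for this article, not code from Cohesity or any backup product; the job records, field names and thresholds are constructed for illustration. It uses a median/MAD baseline over a trailing window so that a few noisy days do not distort the "normal" level, and flags a run when either the changed-byte count or the fraction of modified files jumps out of that baseline, which is the signature a mass-encryption event leaves in backup telemetry.

```python
"""Flag anomalous daily change rates in backup job telemetry (added example).

Constructed scenario: a backup platform records, per job run, how many bytes
were written and how many existing files changed since the previous run. A
ransomware encryption event rewrites most files at once, so both figures spike
far above the organisation's normal daily churn.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Sequence, Tuple

GB = 1024 ** 3


@dataclass(frozen=True)
class JobStats:
    day: str
    changed_bytes: int   # bytes written to the backup since the previous run
    files_modified: int  # existing files whose content changed
    files_total: int     # files in the protected data set


def robust_zscore(value: float, history: Sequence[float]) -> float:
    """Median/MAD z-score: robust to a few outlying days in the baseline.

    1.4826 scales the MAD to a standard deviation for normal data. A flat
    history (MAD of 0) would make any deviation infinite, so fall back to
    10% of the median (at least 1 unit) as the scale instead.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else max(0.1 * med, 1.0)
    return (value - med) / scale


def detect_anomalies(runs: Sequence[JobStats], window: int = 7,
                     threshold: float = 3.5,
                     ratio_limit: float = 0.25) -> List[Tuple[str, List[str]]]:
    """Return (day, reasons) for every run that deviates from its trailing window.

    Only upward deviations are flagged: a quiet day is not a ransomware signal.
    """
    alerts = []
    for i in range(window, len(runs)):
        run = runs[i]
        history = runs[i - window:i]
        reasons = []
        z = robust_zscore(run.changed_bytes,
                          [r.changed_bytes for r in history])
        if z > threshold:
            reasons.append(f"changed bytes z-score {z:.1f} above baseline")
        if run.files_total:
            ratio = run.files_modified / run.files_total
            if ratio > ratio_limit:
                reasons.append(f"{ratio:.0%} of protected files modified")
        if reasons:
            alerts.append((run.day, reasons))
    return alerts


# Constructed sample: a normal working week with a quiet weekend, then a run
# in which almost the whole data set was rewritten (the encryption event).
SAMPLE_RUNS = [
    JobStats("2021-03-01", 42 * GB, 1_200, 500_000),
    JobStats("2021-03-02", 51 * GB, 1_450, 500_000),
    JobStats("2021-03-03", 38 * GB, 1_100, 500_000),
    JobStats("2021-03-04", 47 * GB, 1_300, 500_000),
    JobStats("2021-03-05", 55 * GB, 1_600, 500_000),
    JobStats("2021-03-06", 12 * GB, 300, 500_000),    # weekend
    JobStats("2021-03-07", 10 * GB, 250, 500_000),    # weekend
    JobStats("2021-03-08", 49 * GB, 1_400, 500_000),
    JobStats("2021-03-09", 3_900 * GB, 480_000, 500_000),  # encryption event
]

if __name__ == "__main__":
    for day, reasons in detect_anomalies(SAMPLE_RUNS):
        print(day, "->", "; ".join(reasons))
```

In this sample the Monday after the weekend stays under the threshold (its z-score is about 0.5 against the prior week), while the encryption day trips both rules. In practice the window, threshold and ratio limit would be tuned per workload, and the alert would gate the next snapshot or trigger an investigation rather than simply print.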
One of the best defences against ransomware reaching an organisation's backup storage is to have offline storage. Previously, this meant tape, but different authentication frameworks, storage snapshots of primary storage, replicated virtual machines that are powered off and on different domains, and cloud backups not directly connected to the backup infrastructure are all suitable options today.
The more barriers there are between an infected system and its backups, the harder it will be for ransomware to reach them. For those already doing the basics who are looking for something more to protect their backup data, it is time to accept that legacy backup solutions were not built for today's increasingly complex IT climate.
Ransomware threats are constantly evolving beasts, and any organisation must employ a combination of innovation alongside the above best-practice processes to adequately mitigate the risks.
It is not uncommon to see backup products touted for their ability to 'detect' a ransomware attack. This alone is not enough. Organisations also need to ensure that their solution has an immutable file system, with snapshots that are inaccessible to processes and software. This means that an attacker, at best, can delete a clone of the data – but never the true backup itself. An extra layer of protection is two-factor authentication for the ability to delete backup files – even if that person is the systems administrator or log-in holder.
Defence measures notwithstanding, intelligent monitoring also plays a role in ensuring that infrastructure is built to handle attacks. A solution incorporating integrated analytics will allow a business to find which backups contain malware and prevent it from being restored along with the data. If an attack takes place even with these integrated precautions, real protection requires the power to restore massive amounts of data immediately – in minutes rather than hours of admin time.
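The two controls in the preceding paragraphs, an immutable snapshot that nobody can delete before its retention lock expires and a second factor on deletion even for the administrator, can be seen as a small access-control model. The following is an added example written for this article, not the API of Cohesity or any real product; the vault, its method names and the retention periods are constructed. Clones are freely deletable (so an attacker with admin credentials can, at most, destroy a clone), true snapshots refuse deletion while locked regardless of who asks, and an expired snapshot is released only with a valid TOTP code (RFC 6238, a standard the example implements directly with the standard library).

```python
"""Immutable snapshot vault with a retention lock and TOTP on delete (added example).

Constructed design illustration: snapshots carry a time lock that no caller
can override, clones are unlocked working copies, and deleting an expired
snapshot requires a valid one-time code in addition to the caller's session.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Snapshot:
    snap_id: str
    locked_until: int                 # epoch seconds; 0 means never locked (clones)
    clone_of: Optional[str] = None    # set for writable clones of a true snapshot


class SnapshotLocked(PermissionError):
    """Raised when a true snapshot is still inside its retention period."""


class SecondFactorRequired(PermissionError):
    """Raised when a delete lacks a valid one-time code."""


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the second factor checked on deletion."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class SnapshotVault:
    def __init__(self, delete_secret: bytes, retention_seconds: int):
        self._secret = delete_secret        # shared with the admin's authenticator
        self._retention = retention_seconds
        self._snaps: Dict[str, Snapshot] = {}
        self._counter = 0

    def take_snapshot(self, now: int) -> str:
        """Record a true backup snapshot, locked for the retention period."""
        self._counter += 1
        sid = f"snap-{self._counter}"
        self._snaps[sid] = Snapshot(sid, locked_until=now + self._retention)
        return sid

    def clone(self, snap_id: str) -> str:
        """Writable clone for restores or testing; deletable at any time."""
        src = self._snaps[snap_id]
        self._counter += 1
        cid = f"clone-{self._counter}"
        self._snaps[cid] = Snapshot(cid, locked_until=0, clone_of=src.snap_id)
        return cid

    def delete(self, snap_id: str, now: int,
               otp_code: Optional[str] = None) -> None:
        """Delete a clone freely; a true snapshot only after expiry and with TOTP.

        The caller's role is deliberately absent: an administrator session
        carries no extra rights here, which is the point of the control.
        """
        snap = self._snaps[snap_id]
        if snap.clone_of is not None:
            del self._snaps[snap_id]
            return
        if now < snap.locked_until:
            raise SnapshotLocked(f"{snap_id} is retained until {snap.locked_until}")
        expected = totp(self._secret, now)
        if otp_code is None or not hmac.compare_digest(otp_code, expected):
            raise SecondFactorRequired(f"valid one-time code required to delete {snap_id}")
        del self._snaps[snap_id]

    def exists(self, snap_id: str) -> bool:
        return snap_id in self._snaps
```

A real deployment would keep the lock in the storage layer (so no API path, privileged or not, can shorten it), accept codes from the adjacent time step to absorb clock drift, and log every refused deletion as a detection signal in its own right.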
Once your resiliency for protection has been considered, the next point of work is around recovery. Many businesses use criticality of data or workload to establish a recovery time objective, but you should also factor in the amount of time in which you need to recover a given data set.
Getting your house in order by using some of these backup infrastructure tips will help create a level of resiliency, but businesses must plan to be more vigilant, just as attackers plan to evolve their methods. What works today will not likely be enough in a month's time.
Backups are critical in providing protection from catastrophic consequences and must have the highest standards of data protection assigned. With an integrated approach to backups, enabled by an immutable file system, businesses can rest assured that they can face even the most formidable of attacks.