By Derek Cowan, Director Of System Engineering, APJ at Cohesity.
Malicious actors intent on infiltrating systems to access, exfiltrate, and extort vital company data (usually production data) through ransomware are constantly evolving their approach to counteract the defensive measures organisations take. This creates a major challenge for Information Technology (IT) and Security Operations (SecOps) teams tasked with protecting their company’s IT infrastructure, hybrid environments, and precious data, as they in turn must evolve their own data protection strategies and implement the right technology to counter evolving threats such as ransomware.
According to the Australian Cyber Security Centre (ACSC), in its late 2021 report into the state of cyber security in Australia, “Consistent with global trends, ransomware remains one of the most disruptive threats to Australian organisations”. The ACSC also found that in the period from 1 July 2020 to 30 June 2021, “ransomware cybercrime reports increased by 15 per cent; nearly 500 ransomware cybercrime reports received; and there was an average of more than one ransomware cybercrime report received every day.”
However, ransomware has not only increased in sophistication and frequency; it has also become more potent as attackers grow more inventive and innovative, with the objective of holding more companies to ransom, and at a greater scale. In 2021, Ransomware as a Service (RaaS) became a more frequent and widely seen form of ransomware, as cybercrime organisations looked to improve their division of labour and enable criminals without technical skills to participate in cyber-attacks, and to attack small and medium-sized companies more frequently. This makes sense: a targeted attack on a large organisation may yield a bounty in the millions of dollars, but it requires a high degree of technical execution. Alternatively, an attack aimed at medium-sized companies using RaaS may breach a larger number of companies, and even if each individual ransom is smaller, the overall damage caused may be substantially larger.
Cyber resilience is the ability to continuously deliver business outcomes and operations despite adverse events, a vital capability, or muscle, for organisations to develop in today’s ransomware environment. However, a company can only be cyber resilient if it can recover data from a high-quality backup. Backups are a foundational component of an overall cyber resiliency strategy and are crucial for companies responding to ransomware. Having a secure, clean, immutable copy of your data better equips your business to defend its data and refuse the ransom.
While many companies may already prioritise or regularly back up their data as a countermeasure to ransomware attacks, on its own this is a less reassuring measure than it was in the past. Backups and backup environments are increasingly targeted by attackers because many companies rely on backups that are not created or protected according to best practices or with capability-rich data management and protection technology. This allows attackers not only to encrypt backed-up production data, but to exfiltrate it for double extortion or to expose it for other reasons. As a result, we are seeing an evolution from what could be called Ransomware 1.0 to Ransomware 2.0, which targets and destroys backups first and then encrypts data, and on to Ransomware 3.0, where attackers focus on encrypting or stealing data in order to expose it or extort its owner multiple times.
With ransomware evolving, increasing in potency, and even arriving as a service, companies in Australia face an even harder question than before: what constitutes a high-quality data backup that they should aim to recover from, especially if these very backups are being targeted? Key traits of a high-quality data backup are that it is secure; immutable by design rather than as an afterthought or a layer on top; clean; available as a copy stored under the ‘3-2-1’ rule; taken from a recent or regularly specified point in time; recoverable through a regularly tested process; and made with data management technology that can recover files at the individual level, whether by geographic or data storage location. If data can be recovered from backups made under these best practices and with this technology, companies can be more confident in their state of cyber resiliency.
Here are three recommendations companies should consider to improve their data recoverability and cyber resilience:
1. Non-rewritable Backups Are a Must
Organisations should take steps to prevent their data from being encrypted during an attack. Protecting data with an immutable backup, which makes the written data read-only, and a write-once-read-many (WORM) mechanism, which ensures the written data cannot be erased or changed, is recommended.
Immutable backups and their data cannot be modified, encrypted, or deleted, making them one of the purest ways to tackle ransomware, as they ensure the original backup job is kept inaccessible. This means that while ransomware may be able to delete files in a mounted or read-write backup, those files cannot be mounted on an external system and the immutable snapshot will be unaffected. However, not all data management technology providers build immutability in from the core; some add it at the end of their design process, so organisations must consider this when choosing data management technology.
Companies can be more self-assured if they have also employed security features such as role-based access control (RBAC), multi-factor authentication (MFA), and cryptographic frameworks. It is also advisable to back up from the in-house data center to the public cloud and create an “air gap” that blocks communication between the two.
2. Encryption is Key
Data that is backed up should always be encrypted, whether at rest or in transit over a network, using AES 256-bit encryption to secure it. For example, Cohesity customers benefit from encryption in flight when data is replicated to a Cohesity cluster, and when it is tiered or archived to the cloud from the Cohesity platform. Next-gen data management platforms are beneficial too, as they allow IT teams to see whether the data being ingested has changed, typically in how well it compresses or de-duplicates, as this is often a red flag that a malicious act is occurring. Changes in the entropy, or randomness, of stored data may indicate outside encryption, a typical signature of ransomware. If this occurs, the next-gen data management technology will help detect it and notify all the key stakeholders in the IT and security teams via multi-channel alerts including mobile, email, and UI or API.
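The two signals described above, a jump in entropy and a loss of compressibility between one backup and the next, can be checked directly on the ingested bytes. The following is an added example, not code from the original article or from any Cohesity product: it profiles a backup image in 4 KiB chunks, records what share of them has near-maximal Shannon entropy and how well the whole image compresses with zlib, and raises an alert when the high-entropy share jumps compared with the last known-good image of the same source. The threshold values, the chunk size, and the sample data (a repetitive log file standing in for normal data, and seeded random bytes standing in for the same file after encryption) are all constructed for the demonstration.

```python
import math
import random
import zlib
from collections import Counter

CHUNK_SIZE = 4096        # bytes per sample; small enough to localise a change (assumed value)
HIGH_ENTROPY = 7.5       # bits per byte; text sits far below this, ciphertext near 8.0 (assumed value)
JUMP_THRESHOLD = 0.30    # alert if the share of high-entropy chunks grows by more than 30 points (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; close to 1.0 means the data no longer compresses."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def profile(blob: bytes) -> dict:
    """Summarise one backup image: how many chunks look encrypted, and how well it compresses."""
    chunks = [blob[i:i + CHUNK_SIZE] for i in range(0, len(blob), CHUNK_SIZE)]
    high = sum(1 for c in chunks if shannon_entropy(c) >= HIGH_ENTROPY)
    return {
        "chunks": len(chunks),
        "high_entropy_share": high / len(chunks) if chunks else 0.0,
        "compression_ratio": round(compression_ratio(blob), 3),
    }


def compare_backups(previous: bytes, current: bytes) -> dict:
    """Compare today's ingest with the last known-good image of the same source and decide whether to alert."""
    before, after = profile(previous), profile(current)
    jump = after["high_entropy_share"] - before["high_entropy_share"]
    return {
        "before": before,
        "after": after,
        "entropy_jump": round(jump, 3),
        "alert": jump > JUMP_THRESHOLD,
    }


# Constructed sample data (not real backups): a repetitive log file as the known-good
# image, and seeded random bytes as a stand-in for the same file after encryption.
def make_text_backup(size: int) -> bytes:
    line = b"2022-03-01 10:15:02 INFO order_id=10042 status=shipped region=APJ\n"
    return (line * (size // len(line) + 1))[:size]


def make_encrypted_lookalike(size: int, seed: int = 7) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


if __name__ == "__main__":
    good = make_text_backup(64 * 1024)
    suspicious = make_encrypted_lookalike(64 * 1024)
    print(compare_backups(good, good))          # no alert: nothing changed
    print(compare_backups(good, suspicious))    # alert: every chunk now looks like ciphertext
```

Comparing against the previous image of the same source, rather than against a fixed threshold alone, matters in practice: some sources (already-encrypted databases, compressed media, archives) are legitimately high-entropy, and it is the change between backups, not the absolute value, that points to encryption happening in production.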
3. Invest in Accurate Backup & Early Detection Technology
Make sure data is backed up regularly and cleanly, not from infected backups. If a company is infected, it is important to notice the malicious activity early, which is why the right next-gen data management technology will leverage AI and machine learning capabilities to help detect anomalies, as these are usually indicators of suspicious activity, and then alert the necessary IT and security team members that they must investigate what is occurring. This is vital, as early detection helps reduce the blast radius of an attack, limit the overall attack surface, ensure that future backups do not back up malicious files, and identify a clean point amongst your existing backups.
Companies should be employing the 3-2-1 rule for data backups, whereby they have at least three copies of their data, stored on two types of media, with one backup copy kept offline or offsite; isolated cloud data vaults like Cohesity FortKnox also offer similar capabilities. This simple data backup and recovery approach ensures that organisations will always have an available and usable backup of their data or systems. Offsite and offline backups not only limit the effects of ransomware, but when combined with the right data and infrastructure security solutions and employee awareness training, can help prevent ransomware.
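The 3-2-1 rule above, together with the immutability and recency traits listed earlier in the article, can be turned into an audit that runs over an inventory of backup copies. The following is an added example, not code from the original article or from any Cohesity product: it checks that there are at least three copies, at least two media types, at least one copy that is offsite or offline, at least one immutable copy, and at least one copy younger than a chosen age, and reports every failed check so a team can see exactly which leg of the rule is missing. The `BackupCopy` record, the `audit_backups` function, the 24-hour recency window, and the sample inventory (names, media and locations) are all constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool       # stored outside the primary data centre
    online: bool        # False means offline or air-gapped; an isolated vault counts as offline
    immutable: bool     # WORM or immutable snapshot
    taken_at: datetime  # time the copy was taken (timezone-aware)


def audit_backups(copies, now, max_age=timedelta(hours=24)):
    """Check an inventory against the 3-2-1 rule plus the immutability and recency traits.

    Returns {"compliant": bool, "findings": [str, ...]}; an empty findings list means every check passed.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need at least 3")
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(f"3-2-1: fewer than two media types in use ({', '.join(media) or 'none'})")
    if not any(c.offsite or not c.online for c in copies):
        findings.append("3-2-1: no copy is offsite or offline")
    if not any(c.immutable for c in copies):
        findings.append("immutability: no copy is immutable/WORM")
    if not any(now - c.taken_at <= max_age for c in copies):
        findings.append(f"recency: no copy newer than {max_age}")
    return {"compliant": not findings, "findings": findings}


def sample_inventory(now):
    """Constructed inventory for the demonstration; names, media and locations are made up."""
    return [
        BackupCopy("prod-db-local-snapshot", "disk", offsite=False, online=True,
                   immutable=True, taken_at=now - timedelta(hours=2)),
        BackupCopy("prod-db-cloud-vault", "object-storage", offsite=True, online=False,
                   immutable=True, taken_at=now - timedelta(hours=3)),
        BackupCopy("prod-db-weekly-tape", "tape", offsite=True, online=False,
                   immutable=True, taken_at=now - timedelta(days=5)),
    ]


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(audit_backups(sample_inventory(now), now))   # compliant, no findings
    lonely = [BackupCopy("only-copy", "disk", offsite=False, online=True,
                         immutable=False, taken_at=now - timedelta(days=3))]
    print(audit_backups(lonely, now))                  # every check fails
```

Running such a check on a schedule, and alerting on any non-empty findings list, catches the quiet drift that attackers rely on: a tape rotation that stopped, a vault copy whose retention lapsed, or an "offsite" copy that is in fact reachable read-write from the production network.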
Ransomware poses an incredible technology and security challenge for organisations, especially their CIO, CISO, and their respective teams. It’s no longer enough to focus purely on traditional cyber defences such as network, perimeter, endpoint, and application security. Data protection and recoverability are vital to being able to resume business operations should a ransomware attack or other cyberattack be successful. The best way to build a solid foundation is via data management technology that allows high-quality backups to be created and cyber resilience to be maintained.