By: Jim McGann, Vice President Marketing & Business Development, Index Engines
Intelligence needed for a quick and reliable recovery process
When ransomware started penetrating firewalls and attacking organizations’ data, analysts and hardware providers preached backup as the best way to recover. And many organizations have relied on this for their cyber resiliency strategy.
Now an alarming trend has developed with more sophisticated ransomware attacking and disabling backup to cripple organizations and drive ransom demands higher.
FBI alerts and top tier security publications have noticed.
- In September the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned: Malicious actors have also added tactics, such as encrypting or deleting system backups—making restoration and recovery more difficult or infeasible for impacted organizations. https://us-cert.cisa.gov/ncas/alerts/aa21-243a
- Conti Ransomware Adds Ability to Compromise Backups, according to a report published in September, which details how Conti has honed its backup destruction to a fine art. After all, backups are a major obstacle to encouraging ransomware payment. (https://threatpost.com/conti-ransomware-backups/175114/ )
- FBI Alert on Hive Ransomware from August seeks processes related to backups, anti-virus/anti-spyware, and file copying and terminates them to facilitate file encryption. https://www.ic3.gov/Media/News/2021/210825.pdf
Many organizations have not.
“Organizations are overly confident that their backups have integrity and can be used to recover data when they are hit by a ransomware attack, Index Engines vice President Jim McGann said. “Cyber criminals do not want organizations to easily recover, so they have set their sights on backup; corrupting, encrypting or deleting them, to make a very challenging to execute a reliable and timely recovery. This allows them to ask for more extreme ransoms.”
Backups are not enough, according to experts at Index Engines, the makers behind CyberSense, which detects signs of data corruption and facilitates quick recovery from a ransomware attack. Backups can be compromised, as we are now seeing. Relying on backups to recover from a ransomware attack is no longer a viable strategy and it is important to validate the integrity of data in backups and the backups themselves to have confidence that a quick and reliable recovery process can be executed.
But backups are the right place to start, as long as it addresses the influx of sophisticated attacks that are already being seen and will continue become the “industry standard” for ransomware in the coming quarters.
Backups should provide the isolation needed from cyberattacks, immutability from destructive threats, and, most importantly, the intelligence to know if that data has already been compromised.
- Isolation. Cybercriminals cannot access, steal and corrupt data they do not know exists. Isolating backups of core infrastructure, critical files, and databases with an operational air gap offers an integral first step to keeping data out of reach.
- Immutability. Deploying advanced technology to lock down the protected data and ensure that no bad actors can tamper with it, corrupt it or destroy it is critical to ensuring reliable recovery. There have been many instances of cybercriminals or insider threats destroying backup catalogs and data sets to create an unrecoverable environment. Immutability will provide confidence that data is secure and protected from harm.
- Intelligence. It is off the network and tamper-proof. But, is the data good? Sophisticated attacks, attacks that hide deep inside the content, are becoming more commonplace and circumventing detection tools. Adding machine learning and full-content analytics to this secured data offers insight into how the data has changed and can alert to signs of corruption. Early detection provides the ability to recover quickly with confidence that data is clean. Leveraging intelligence can limit data loss to hours and specific files, not days, weeks and complete backups.
Companies need to get their business operational quickly, but this leaves organizations with few options, many of which aren’t ideal for business operations. Paying a ransom and getting encryption keys is a common path they seek, putting them on a list for another attack and putting their faith in cyber criminals the encryption keys will work. Or they spend days searching for good backups so they can restore clean data resulting in a major delay to return to a steady state.
This is where intelligence comes in. Being able to know what was compromised and when, allows for an intelligent return to business operation quickly.
Jim McGann, Vice President Marketing & Business Development, Index Engines
Jim McGann has extensive experience with the eDiscovery and Information Management in the Fortune 2000 sector. Before joining Index Engines in 2004, he worked for leading software firms, including Information Builders and the French based engineering software provider Dassault Systemes. He is a frequent writer and speaker on the topics of big data, backup tape remediation, electronic discovery and records management.