Malicious actors who want to infiltrate systems and access vital company data constantly evolve their approach to counteract defensive measures taken by organisations.
This creates a major challenge for information technology (IT) and security operations (SecOps) teams tasked with protecting their company’s IT infrastructure, hybrid environments and precious data.
They, in turn, must evolve their own data protection strategies and implement the right technology to counter such threats as ransomware.
According to the Australian Cyber Security Centre (ACSC) in its late 2021 report, “Consistent with global trends, ransomware remains one of the most disruptive threats to Australian organisations.”
The ACSC also found that in the 2020-21 financial year, “ransomware cybercrime reports increased by 15 per cent; nearly 500 ransomware cybercrime reports received; and there was an average of more than one ransomware cybercrime report received every day”.
However, ransomware has not only increased in sophistication and frequency, it has also become more potent. Attackers strive for greater inventiveness and innovation with the objective of holding more companies to ransom, and at a greater scale.
In 2021, Ransomware as a Service (RaaS) became a more frequent and widely seen form of ransomware, as cyber-crime organisations looked to improve the division of labour and empower cyber criminals without technical skills to participate in cyber attacks.
Even small and medium-sized companies were attacked more frequently. This makes sense: a targeted attack on a large organisation may yield a ransom in the millions of dollars, but it requires a high degree of technical skill, whereas RaaS lets affiliates breach a large number of mid-sized companies, and even if each individual ransom is smaller, the aggregate damage may be substantially larger.
Cyber resilience is the concept of being able to continuously deliver business outcomes and operations despite adverse events, and it is a vital capability for organisations to develop. A company can only be cyber resilient if it can recover data from a high-quality backup. Such backups are a foundational component in an overall cyber-resiliency strategy and are crucial for companies in responding to ransomware. Having a secure, clean, immutable copy of your data better equips your business to defend your data and refuse the ransom.
While many companies regularly back up their data as a countermeasure to ransomware attacks, this is becoming a less reassuring measure. Backups and backup environments are being increasingly targeted by attackers because many companies fail to adopt best practice or capability-rich data management and protection technology. This allows attackers to not only encrypt backed up production data, but exfiltrate data for double extortion attempts or to expose it for other reasons. This is an evolution from ransomware that aims to destroy backups first and then encrypt data, to one where attackers are focused on encrypting or stealing data to extort its owner multiple times.
With ransomware evolving and increasing in potency, companies face a harder question than ever about what constitutes a high-quality backup. Key traits include:
- secure, with access to the backup platform itself controlled;
- immutable by design, not as an afterthought or a layer bolted on top;
- clean, that is, not taken from an already infected or encrypted source;
- held as a copy stored under the 3-2-1 rule;
- taken from a recent point in time on a defined schedule;
- recoverable through a regularly tested restore process; and
- granular, so that individual files can be recovered regardless of their geographic or storage location.
If data can be recovered from backups made under these practices and with this kind of technology, then companies can be more confident in their state of cyber resiliency.
Here are three recommendations for improving data recoverability and cyber resilience:
- Non-rewritable backups – a must
Organisations should take steps to prevent their backup data from being encrypted during an attack by protecting it with an immutable backup: once written, the data is read-only, and a write-once-read-many (WORM) mechanism prevents it from being altered or erased until its retention period expires.
Because immutable backups and their data cannot be modified, encrypted or deleted, they are one of the most direct ways to blunt ransomware. Ransomware that reaches a mounted, read-write copy of a backup may delete or encrypt the files in that copy, but the underlying immutable snapshot cannot be mounted read-write on an external system and remains unaffected, so it can still be restored from. Some data management vendors build immutability into the core of their storage design; others add it late, as a layer on top. Organisations should establish which it is when choosing data management technology, and confirm that immutability cannot simply be switched off by an administrator account an attacker may have compromised.
Companies can be more confident if the backup platform also enforces role-based access control (RBAC), multifactor authentication (MFA) for administrative actions, and strong cryptography for data at rest and in transit. It is also advisable to replicate backups from the in-house data centre to the public cloud and isolate that copy so it cannot be reached or altered with the production environment's credentials or from its network: a logical “air gap”. This is not a physical air gap, since a replication path still exists, so that path should be one-way, authenticated and protected by its own credentials.
- Encryption is key
Backed-up data should always be encrypted, both at rest and in transit over the network, for example with AES-256. Next-generation data management platforms add a further signal: because they compress and deduplicate ingested data, they can see when data that used to compress or deduplicate well suddenly stops doing so, which is often a red flag that the source has been encrypted.
A jump in the entropy (randomness) of stored data is the typical signature of ransomware encrypting files at the source. Next-generation data management technology can detect this shift and notify the key stakeholders in the IT and security teams through multichannel alerts.
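The following Python script is an added example of the kind of check described above; it is not Cohesity's code or anything from the original article. It profiles each file in a previous backup by Shannon entropy and zlib compression ratio, then compares the next backup against that baseline and raises an alert when a file's entropy jumps or it stops compressing. The file names, thresholds (a 1.5-bit entropy jump, a 0.95 compression-ratio floor) and the sample contents are all constructed for illustration; a deterministic pseudo-random generator stands in for ciphertext.

```python
import math
import random
import zlib
from collections import Counter

# Constructed sample data, not real backup content.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 100
_rng = random.Random(1234)  # deterministic stand-in for ciphertext / already-compressed data
RANDOM_A = _rng.randbytes(4096)
RANDOM_B = _rng.randbytes(4096)
RANDOM_C = _rng.randbytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size / raw size. Values near (or above) 1.0 mean the data
    does not compress, which is typical of ciphertext and of files that were
    already compressed (zip, jpeg, ...)."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 6)) / len(data)


def profile(files: dict) -> dict:
    """Per-file baseline measurements for a backup (name -> {entropy, ratio})."""
    return {
        name: {"entropy": shannon_entropy(d), "ratio": compression_ratio(d)}
        for name, d in files.items()
    }


def scan_backup(files: dict, baseline: dict, entropy_jump: float = 1.5,
                ratio_floor: float = 0.95) -> list:
    """Compare a new backup against a baseline profile.

    A file is flagged when its entropy rose by at least `entropy_jump` bits
    and/or it went from compressible to incompressible. Files that were
    already high-entropy in the baseline (archives, media) do not trip the
    check, because only the change relative to the baseline is scored.
    Files with no baseline entry are skipped; a real platform would profile
    them and evaluate them on the next run.
    """
    alerts = []
    for name, data in files.items():
        prev = baseline.get(name)
        if prev is None:
            continue
        ent = shannon_entropy(data)
        ratio = compression_ratio(data)
        reasons = []
        if ent - prev["entropy"] >= entropy_jump:
            reasons.append(f"entropy {prev['entropy']:.2f} -> {ent:.2f}")
        if prev["ratio"] < ratio_floor <= ratio:
            reasons.append(f"no longer compressible ({prev['ratio']:.2f} -> {ratio:.2f})")
        if reasons:
            alerts.append((name, reasons))
    return alerts


def demo() -> list:
    """Simulate yesterday's clean backup and today's backup after ransomware
    has encrypted two documents. archive.zip is high-entropy in both runs and
    must not be flagged; notes.txt is new and has no baseline."""
    yesterday = {
        "report.docx": PLAINTEXT,
        "ledger.xlsx": PLAINTEXT[:2000],
        "archive.zip": RANDOM_A,
    }
    today = {
        "report.docx": RANDOM_B,   # encrypted by the attacker
        "ledger.xlsx": RANDOM_C,   # encrypted by the attacker
        "archive.zip": RANDOM_A,   # unchanged, legitimately incompressible
        "notes.txt": PLAINTEXT,    # new file, no baseline yet
    }
    return scan_backup(today, profile(yesterday))


if __name__ == "__main__":
    for name, reasons in demo():
        print(f"ALERT {name}: " + "; ".join(reasons))
```

Scoring the change against a per-file baseline, rather than absolute entropy, is what keeps legitimately random-looking files (archives, images, already-encrypted databases) from generating constant false positives; the trade-off is that a file encrypted before its first backup is never caught by this check alone.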
- Invest in accurate backup and early detection technology
Make sure data is backed up regularly and cleanly, not from infected sources. If a company is infected, it is important to notice the malicious activity early. Next-gen data management technology leverages AI and machine learning to help detect anomalies – these are usually indicators of suspicious activity – and alert IT and security team members.
This is vital: early detection reduces the blast radius of an attack, limits its spread, avoids backing up malicious or already-encrypted files, and helps identify the last clean recovery point among your existing backups.
Companies should be employing the 3-2-1 rule for data backups, whereby they have at least three copies of their data, stored on two types of media, with one backup copy kept offline or off-site.
This simple approach greatly improves the odds that an organisation will always have an available and usable copy of its data. Off-site and offline backups limit what ransomware can destroy and remove the attacker's leverage; combined with the right data and infrastructure security solutions and employee awareness training, they help an organisation both resist an attack and recover from one.
Ransomware poses an incredible technology and security challenge for organisations. It’s no longer enough to focus purely on traditional cyber defences such as network, perimeter, end point and application security. Data protection and recoverability are vital to resuming business operations should a ransomware attack or other cyber attack be successful. The best way to build a solid foundation is via data management technology that allows for high-quality backups to be created and cyber resilience to be maintained.
Derek Cowan is director of system engineering, Asia-Pacific Japan, at Cohesity.