Protecting backups from ransomware [Q&A]
Cybercriminals know that backups are the last line of defense against ransomware, so it’s essential that they are properly protected.
In an ideal world they would be air-gapped, but in the current era of hyperconnectivity that can prove somewhat impractical. We spoke to Bret Piatt, CEO of CyberFortress, about the need to protect backups and the strategies for doing so.
BN: It's well-accepted that backups are the last line of defense against ransomware. What techniques are cybercriminals using to attack the backups?
BP: They've gotten very sophisticated. Once they've penetrated a network, they wait for weeks, sometimes months before they begin to encrypt data. During that time they probe the network, often using AI, to locate backup files. For that reason, it's critical not to keep backups on the same domain or workgroup as the production network.
Additionally, they may use spear phishing attacks on admins to trick them into revealing their access credentials. Using AI, they can gather all the information they need from data sources across the Internet to make emails sound like they possibly come from a boss or some other authority figure within the administration. Plus, this allows them to scale their spear phishing efforts. So, unless the organization is using multi-factor authentication (MFA) -- preferably strong MFA -- they're just one good spear phishing attack away from having all their backups deleted, even if they're stored in a cloud repository.
BN: Does it make sense to create a true, physical air gap between backups and the production network?
BP: Not really. Certainly, organizations can store their backups on tape, which they then keep in a facility somewhere offsite, and that definitely provides maximum protection from ransomware. But unless you can recover quickly, it's almost as bad as having no backups at all. Recovery from tape is slow, especially if you have to truck them from an offsite location, and that's a problem.
A lot of large companies have faced this situation, where ransomware has encrypted all their data, and while they have backups, they hadn't properly prepared for a rapid recovery. They did the math and determined that, assuming the cybercriminals would actually provide the encryption key, it would cost less to pay ransom. Their rationale is that decrypting the data would be far faster than recovery, and the extra downtime would have a catastrophic impact on their business.
Colonial Pipeline is probably the most prominent example. The company almost certainly had backups, but they determined that it would be far more damaging to wait for a full recovery than to pay the multi-million dollar ransom. After that, the Southeastern US experienced a gas panic as a result -- and this became a national security issue.
Of course, paying ransom has additional downsides, even if it’s faster to get data back with the encryption key. Once cybercriminals know that you've paid ransom once, they put you down as a mark who is likely to do so again, and they already know how to penetrate your defenses. In fact, they may have ransomware hiding somewhere else in your network, ready to explode into a second attack. A recent study shows that four out of five businesses hit by ransomware who pay ransom get hit again, often by the same criminal gang that did it the first time.
BN: How can IT emulate a physical air gap to protect backups when they are stored in an offsite, cloud environment?
BP: It can be done. One way is to store backups in a read-only format so they are immutable and can't be encrypted. That has its own technical challenges, of course, not the least of which is storage space, but it's still worth looking into. Another technique is to implement 'soft delete' so that, if the backup files are deleted, a copy is thrown into a recycle bin in another domain.
The most practical means is to store backups in a separate domain and location that can only be accessed using strong MFA. Don't rely on passwords and email or text verification. It's too easy to get around. You really want some form of hardware like a dongle or biometric identification.
BN: What mistakes do organizations make that slow or prevent them from fully recovering following a ransomware attack?
BP: The biggest mistake is to neglect planning for recovery. It's surprising how many organizations think that, so long as they've got backups, they're protected. But that's not the case at all. Downtime is deadly, so it's got to be a top priority to recover fast. IT needs to prioritize the most critical workloads so they go back up first, and they need to have a plan to restore all the resources on which they depend. Getting that CRM application back online won't do much good if Active Directory is still down and no one can get into it.
Also, while it's definitely best practice to encrypt backups to protect the information they contain, the key needs to be stored outside of the primary domain in a safe service. Otherwise, when a ransomware attack encrypts your data, it will also encrypt the key you need to access your backups, leaving you high and dry.
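The recovery-ordering point above (critical workloads first, but never before the resources they depend on) can be turned into a plan mechanically. The following is an added example, not from the interview or CyberFortress; the workload inventory is constructed, and the tiers and dependencies are assumptions.

```python
"""Restore-wave planner: orders workloads so each comes back only after its dependencies."""

# Constructed sample inventory (not a real environment). tier 1 = most critical.
# "dns" is deliberately mis-catalogued as tier 3 even though tier-1 AD needs it.
WORKLOADS = {
    "active_directory": {"tier": 1, "depends_on": ["dns"]},
    "dns":              {"tier": 3, "depends_on": []},
    "database":         {"tier": 2, "depends_on": ["active_directory", "dns"]},
    "crm":              {"tier": 2, "depends_on": ["database", "active_directory"]},
    "intranet_wiki":    {"tier": 3, "depends_on": ["active_directory", "dns"]},
}


def plan_restore_waves(workloads):
    """Return restore waves; every workload appears after all of its dependencies.

    Within a wave, lower (more critical) tiers come first. Raises ValueError on
    an unknown dependency or a cycle, since either means the plan cannot be run.
    """
    for name, spec in workloads.items():
        for dep in spec["depends_on"]:
            if dep not in workloads:
                raise ValueError(f"{name} depends on {dep}, which has no backup entry")
    remaining = dict(workloads)
    restored = set()
    waves = []
    while remaining:
        ready = [n for n, s in remaining.items()
                 if all(d in restored for d in s["depends_on"])]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        ready.sort(key=lambda n: (workloads[n]["tier"], n))
        waves.append(ready)
        restored.update(ready)
        for n in ready:
            del remaining[n]
    return waves


def effective_tier(workloads):
    """Promote each dependency to at least the tier of the most critical workload
    that needs it, so a mis-catalogued DNS is treated as tier 1 when AD needs it."""
    tiers = {n: s["tier"] for n, s in workloads.items()}
    changed = True
    while changed:  # repeat until no dependency is less critical than a dependent
        changed = False
        for name, spec in workloads.items():
            for dep in spec["depends_on"]:
                if tiers[dep] > tiers[name]:
                    tiers[dep] = tiers[name]
                    changed = True
    return tiers
```

Running `plan_restore_waves(WORKLOADS)` yields four waves (dns, then active_directory, then database and intranet_wiki, then crm), and `effective_tier` promotes dns from tier 3 to tier 1.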
BN: How often should organizations test their ability to recover and what form should those tests take?
BP: Ideally you'll do a full simulation at least once a year, with tabletop tests once a quarter. It's critical to test and rehearse regularly. When you're in the midst of recovering from an attack and the C-suite is breathing down your neck to recover everything ASAP, the team will need to know exactly what to do with confidence that systems will respond as expected. You don't want to be doing it for the first time when it really counts.
Image credit: baburkina/depositphotos.com