World Backup Day -- We need to change the name

It remains essential to make copies of the most important data, World Backup Day has rightly been calling for this for years. But today the biggest risk to our data isn’t the traditional business continuity and disaster recovery scenarios for which World Backup Day was originally envisioned to cater for. The biggest threat to data today is destructive cyber attacks in the form of ransomware and wipers.

Tackling these threats by simply making copies and recovering the data after an incident is not enough, instead we need a World Resilience Day, where cyber incidents are investigated, the threats mitigated and systems hardened before being recovered to prevent recurrence and further impact.

The backups in companies no longer keep their promise to deliver the noble goal of World Backup Day, as newspaper reports about successful cyber attacks prove every day. There are several reasons for this. These actors dwell in their victims' networks exploiting vulnerabilities, maintaining persistence, creating malicious accounts, gain administrator privileges and find and exfiltrate the organization’s sensitive data. In these destructive attacks, the adversary’s main aim is to prevent the organization from being able to recover by targeting and destroying the organization’s backups.

The cybersecurity risk in organizations has deteriorated further due to global geopolitical crises. Wiper attacks that aim to cause chaos and destruction to IT infrastructure have long been in the arsenal of nation-state threat actors such as Russia and Iran, and the recent pre-positioning of China’s Vault Typhoon group ahead of potential conflict in Taiwan is a further cause for concern. At the same time, the ransomware industry has scaled exponentially through the launching of Ransomware-as-a-Service platforms that allow “affiliates” who require no technical expertise to launch attacks. These Ransomware-as-a-Service platforms have also made the targeting of vulnerabilities in infrastructure, rather than the traditional mechanism of phishing, economically viable - weaponizing newly discovered holes in software within days of discovery and far faster than organizations can patch their systems. Security researchers fear that with the 1,1 billion US Dollars in sales in 2023, hackers will also buy zero-day vulnerabilities on the market that neither the software providers nor the security industry are aware of.

Their tactics have also improved. Victims of ransomware attacks are increasingly being hacked twice in quick succession. The FBI warns that data from the victim companies will be destroyed or exfiltrated in the follow-up attack, which is another reason recovering the accounts, vulnerabilities, persistence and other artifacts of the attacks is simply kicking the impact can down the road,

We have seen evidence of such tactics in that if the victims are unwilling to pay, they are reported to the authorities. The ransomware group AlphV says it has filed a complaint with the American Securities and Exchange Commission (SEC) because its victim, MeridianLink, did not report the successful attack that resulted in data loss. 

Zero point

Anyone who speaks to IT teams who have experienced a ransomware attack often hears this sentence: “We massively underestimated the consequences of the attack.” Because in the event of a successful cyber attack, all IT systems and everything that depends on them are encrypted and have failed - from the access server for physical access control to the VoIP systems to all IT services and tools. Employees cannot open doors to enter or leave buildings. And they can't call anyone because the VoIP systems are down. It is important for business and IT leaders to understand that this bottom-line scenario is realistic.

Then security tooling may also have been impacted, hampering your Security Operations Team ability to start response. Many security tools, including remote forensic imaging and End-point Detection & Response or “eXtended Detection & Response” (EDR/XDR) also rely on network connectivity to work - and the first thing organizations do in destructive cyber attack incident response is isolate networks and systems. All this time the clock is ticking and the organization can’t deliver its products and services.

And even if the backup files have not yet been corrupted, it is far from enough to simply reinstall them. Attack artifacts such as malicious accounts, persistence mechanisms, the vulnerabilities that were exploited, the gaps in protective and detective controls that allowed the original attack will remain and other artifacts will simply be brought back. Attackers will simply use the same successful attack and take down the newly reinstalled system within minutes. There are practical cases where IT has repeated this process dozens of times with the same result. Weeks have been wasted without making a single step forward. In order to prevent these realistic scenarios, IT managers must think further about the goals of World Backup Day and develop cyber resilience.

Cyber resilience across an isolated playing field

Companies must be able to store the most important data in protected repositories, they need to be able to rapidly create a secure isolated environment to investigate the incident and mitigate the threats without interference from the attacker. This concept is called Clean Room and is like an emergency response kit for cyber crises. It contains all the elementary tools and data sets that a company needs to continue emergency operations, it provides the core services to communicate internally and externally, respond to the incident and conduct response.

The cleanroom is, by definition, an isolated, highly secured area that is separate from the rest of the network. The underlying infrastructure should consist of immutable storage and follow zero trust principles. All data should be encrypted, both in transit and in storage. A data security and management platform delivers all of this and, thanks to its backup and disaster recovery services, constantly generates snapshots of all production data allowing forensics that can time travel across the entire incident timeline.

If a cyber incident causes initial damage in an emergency, the security teams in the cleanroom can work on several copies of the snapshots of affected systems in parallel and specifically search for weaknesses and traces of attack. It is helpful to be able to access external threat intelligence data for these analyses. Cyber Threat Intelligence companies such as Qualys, continually analyze the tools, techniques and procedures that adversaries are using in the attack stages all the way up to the theft, encryption or destruction of data. 

At the end of this analysis you will understand how the attack happened, armed with this knowledge, IT and Security Operations teams can then patch systems, bolster the rules and close the intrusion path from future attack. At the same time, you can remove all attack artifacts from the snapshots of the affected production systems. A production system is essentially hardened before it is transferred to the production environment.

This means that the original goal of World Backup Day has now been achieved, even in this age of modern cyber threats. In fact, as you can see from the above, with destructive cyber attacks backup can actually empower the cybersecurity incident response and add more value beyond traditional backup and recovery.

James Blake is Global Head of Cyber Resiliency GTM Strategy at Cohesity.