A backup is a crucial tool for recovering data after a ransomware attack. As part of a broader data management strategy, it can also help stop the threat before it does more damage.
Among cybercrimes, ransomware is unquestionably the most worrying and most damaging threat, able to hit organizations of every profile, as Essilor, the CHU of Rouen, Bouygues Construction and the Marseille city hall have recently shown. You do not have to be a big name to be attacked; everyone is a potential target. Under these conditions, data protection should be a fundamental element of any cybersecurity strategy, together with a genuine backup policy that allows rapid recovery after an attack. And this is not simply a matter of making backups ...
They know where your data is
Attackers are not stupid. They know that companies back up their data regularly and that most of them consider this the best way to "protect" themselves against malicious encryption. They also know that many organizations now store their backups online, often on public cloud platforms and, just as often, through synchronization services such as Dropbox, OneDrive and Google Drive, which faithfully replicate an encrypted file over the clean copy within minutes. Likewise, many disaster recovery solutions rely on active/active replication to network storage in order to work. Ransomware now systematically targets all of these resources alongside live data, so it is increasingly common for victims to discover, at the moment they need them most, that their backups and recovery data are encrypted and unusable too.
One of the first reflexes to adopt against this threat is to review your backup policy. In France, organizations are encouraged to follow the ANSSI recommendations, which stress in particular the need for regular backups to mitigate the risk. All of this is good, except that, as with much ransomware advice, it assumes that backup is a tool of last resort, used only for recovery after an attack, when it can actually help prevent one.
Prevention is better than cure
In practice, the best approach is to treat backup and malware protection as integral parts of a comprehensive data management strategy from the start, rather than bolting them on afterwards, as is so often the case.
Likewise, it is essential to understand that data management solutions vary in capability, and in some cases this will limit what backup/restore measures can achieve. That is no reason not to try, because the stakes are high, and if your current tools are not up to the task, alternatives exist.
The question is what functionality you need beyond plain backup and restore. There is no magic formula, but three points are worth thinking through:
1. Can you analyze your backups?
Proactive scanning for malware and vulnerabilities is a first line of prevention. But live scanning of production systems and shared assets across a large distributed infrastructure is not simple. Scanning backups is less problematic: it can be done without affecting system availability and, since backups are usually centralized, without having to run scans at many points on the network. The caveat is that a backup scan only sees the state captured at snapshot time, so the value comes from scanning every snapshot as it is taken, not from an occasional audit.
It is important to note, however, that this is not just about finding tools that can scan backups and set aside the corrupted ones. What is needed is a genuine alerting system that triggers preventive measures when malware or potential vulnerabilities are detected. The signals a backup scan can pick up are concrete: a large share of files changing between two snapshots, files whose content has suddenly turned into high-entropy (encrypted-looking) data, files reappearing under a new name with an extra extension, and the appearance of ransom notes.
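The kind of check described above, written as an added example (it is not code from the article or from Cohesity): two consecutive snapshots are compared and an alert is raised when the newer one shows the signature of a ransomware run. The in-memory manifest format, the file-name patterns and the entropy and churn thresholds are assumptions chosen for illustration; a real backup platform would supply the file list and contents through its own catalog or API.

```python
"""Added example (not from the article or Cohesity): compare two backup
snapshots and raise an alert when the newer one looks like the output of
a ransomware run. Manifest format and thresholds are assumptions."""
import math
import re
from collections import Counter

# Assumption: a snapshot is modelled as {path: file content}. Real backup
# platforms expose this through their own catalog/API; the dict is a stand-in.
Snapshot = dict[str, bytes]

# Assumed name patterns: typical ransom-note names and appended extensions.
RANSOM_NOTE = re.compile(r"(readme|recover|restore|decrypt|how.?to).*\.(txt|html?)$", re.I)
SUSPECT_SUFFIX = re.compile(r"\.(locked|encrypted|crypt(ed)?|enc)$", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_snapshot(previous: Snapshot, current: Snapshot,
                  entropy_threshold: float = 7.5,
                  churn_threshold: float = 0.5) -> dict:
    """Return the indicators found when going from `previous` to `current`."""
    changed = 0          # files added or modified
    went_opaque = 0      # changed files whose content turned high-entropy
    ransom_notes = []
    suspicious_names = []

    for path, data in current.items():
        name = path.rsplit("/", 1)[-1]
        if RANSOM_NOTE.search(name):
            ransom_notes.append(path)
        if SUSPECT_SUFFIX.search(name):
            suspicious_names.append(path)
        old = previous.get(path)
        if old == data:
            continue
        changed += 1
        if shannon_entropy(data) >= entropy_threshold and \
                (old is None or shannon_entropy(old) < entropy_threshold):
            went_opaque += 1

    # Files that vanished and reappeared with a suffix appended
    # (q1.xlsx -> q1.xlsx.locked) are the classic rename pattern.
    deleted = [p for p in previous if p not in current]
    renamed = [p for p in deleted if any(c.startswith(p + ".") for c in current)]

    total = max(len(previous), 1)
    alert = (
        bool(ransom_notes)
        or went_opaque / total >= churn_threshold
        or len(renamed) / total >= churn_threshold
    )
    return {
        "alert": alert,
        "changed": changed,
        "went_opaque": went_opaque,
        "churn": changed / total,
        "ransom_notes": ransom_notes,
        "suspicious_names": suspicious_names,
        "renamed": renamed,
    }


# Constructed sample data: a clean snapshot and one taken after an imaginary
# ransomware run that encrypted and renamed most files and dropped a note.
PLAINTEXT = b"Quarterly figures: revenue up 4%, costs flat. See appendix.\n" * 40
CIPHERTEXT = bytes(range(256)) * 8          # uniform bytes: entropy exactly 8.0

CLEAN = {
    "finance/q1.xlsx": PLAINTEXT,
    "finance/q2.xlsx": PLAINTEXT + b"Q2",
    "hr/policy.docx": PLAINTEXT[::-1],
    "it/runbook.md": b"# Runbook\nRestore from the immutable snapshot first.\n",
}
AFTER_ATTACK = {
    "finance/q1.xlsx.locked": CIPHERTEXT,
    "finance/q2.xlsx.locked": CIPHERTEXT[1:] + b"\x00",
    "hr/policy.docx.locked": CIPHERTEXT[::-1],
    "it/runbook.md": CLEAN["it/runbook.md"],
    "finance/HOW_TO_RECOVER.txt": b"Your files are encrypted. Pay to decrypt.\n",
}

if __name__ == "__main__":
    print(scan_snapshot(CLEAN, AFTER_ATTACK))
```

Run against the constructed data, the scan flags the attacked snapshot (three of four files turned opaque and were renamed, plus a ransom note) while an unchanged snapshot, or one with a single ordinary edit, stays quiet. The thresholds are the tuning knobs: compressed archives and media files are legitimately high-entropy, so the entropy test alone would be noisy, which is why the example only alerts when a large fraction of the files changes at once or a note appears.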
2. Can you lock your backups?
Gone are the days when backups were written to tape and stored in off-site vaults. Protecting against ransomware means finding the right balance between security, speed and ease of recovery. So, in addition to offline copies, companies now take snapshots, usually with automated replication tools.
Cybercriminals have refined their methods and now target backups directly, deleting or encrypting them. To counter this, backups must be stored in an immutable (locked) state that cannot be altered or deleted before its retention period expires. Not every backup product supports this, but many do, and it can also be provided by broader data management platforms. The lock is only as strong as the controls around it: if the credentials used by the backup job, or a single administrator account, can shorten the retention period or delete the repository, then an attacker holding those credentials can too, so retention changes should require a separate, strongly authenticated identity.
3. Can you restore easily, quickly and at scale?
Recovery is a long and complex process, especially when an organization relies on a large hybrid infrastructure spanning many datasets on premises and in the cloud. Tools that work across such an infrastructure and address both the recovery point objective (RPO, how much data you can afford to lose) and the recovery time objective (RTO, how long you can afford to be down) are essential and should be prioritized, because without them recovery can take days or longer. Neither objective is proven until a full-scale restore has actually been rehearsed.
Of course, there are many other factors to consider and questions to answer, especially as attacks keep evolving and growing more sophisticated. It has therefore become essential to review your data management strategy regularly. There is no single solution, but whatever the approach, good data management hygiene and a multi-layered defence that isolates backups from production data are indispensable.
You might also consider paying the ransom, but we all know that does not solve the underlying problem; on the contrary, it only encourages threat actors to launch new attacks.
By Frédéric Lemaire, Director France, Cohesity