In today’s world, protecting your organisation’s data from cyber threats is becoming the number one priority, not just at IT level but at board level too.
Companies are looking for ways to improve their data security to guard against the rising number of ransomware attacks, whilst also protecting their data from insider threats, such as malicious acts by disgruntled employees. The financial penalties imposed under the GDPR have emphasised this massively.
A typical ransomware attack consists of five stages:
- Break-In stage – An employee clicks a malicious URL in an email and triggers the ransomware software install.
- Latch-On stage – Ransomware probes the network seeking vulnerable machines.
- Expand (encrypt) stage – Critical servers are infected and encrypted with ransomware.
- Shutdown stage – Your organisation is paralysed, forced to shut down key services and pay the ransom (the longer you wait, the more expensive it gets).
- Restore (decrypt) stage – Criminals provide decryption keys; decryption can take days. In some documented cases, they fail to provide the keys at all.
Protecting your organisation from the Break-In stage is all about education: educating your users about security, phishing, malware and ransomware. You should have a process in place to provide regular security training that empowers your users to become the front-line defence against cyberattacks. Your users should have the knowledge to recognise risks and know how to report potential threats.
A well-designed data protection solution can help you recover quickly from the Expand stage, minimising the impact and cost of the attack to the business, reducing the effect of the Shutdown stage and hopefully avoiding the Restore stage altogether. But for this to work, you must secure your backup data!
Your backup server is a network application and, as such, cannot be completely isolated using an air gap approach; otherwise it would not be able to deliver backup services. What you can do to avoid the Latch-On stage is minimise the network footprint of the backup server. For example, avoid exposing the backup server through network shares or exports wherever possible, and do not advertise the application’s services unless necessary. Another approach is to take the backup server out of the domain, or Active Directory (AD). If AD is attacked and production data compromised, this prevents the backup server’s credentials from being obtained and protects the integrity of your backup data.
To prevent the Expand stage and stop your backup server becoming infected, you need to secure, or harden, the server itself. This can be done by implementing stronger security settings and disabling any services that are not required. Your firewall rules should be configured to allow access to the backup server only on specific ports, also stipulating the permitted direction of network traffic. Wherever possible, backup client-server communication sessions should be configured to use SSL/TLS encryption. Your choice of backup server operating system also affects the potential security of backup data. As the majority of cyber and ransomware attacks tend to target Windows systems, more and more people are moving their backup servers to Linux or UNIX based systems. If using Linux, we would also recommend enabling SELinux to provide additional security functionality.
We mentioned the term “air gap” earlier. In relation to data protection, and in simple terms, an air gap solution provides an isolated copy of your backup data that is not visible on your network. We are seeing an increase in the number of companies starting to investigate how an air gap solution can enhance their existing data protection solution. However, care should be taken to ensure that the air gap will deliver what is required of it, not only from a functional perspective but also on a commercial basis.
Implementing an air gap using dedicated hardware and software can be an expensive venture, so explore how your current technology investments can be better utilised to provide air gap capabilities. Also take the cost of the recovery process into account: how long will the air gap solution take to recover my environment compared with a traditional backup solution?
Tape storage provides the fundamental requirements for an air gap: data is stored on offline media that is not mountable on the network. To access the data, the tape cartridges must be mounted in drives following media requests from a backup application. If electronic vaulting is used to store backup data in a library physically located on a different site, or you create additional tape copies which are sent off-site, then even better. What you must do when you use tape to form an air gap solution is protect your tape volume catalogue, or backup metadata. This data describes which backup data is stored on which tape cartridge and is crucial when it comes to recovering the data.
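One practical way to protect the catalogue copy that sits with the tapes is to sign an exported catalogue with a keyed hash, so that before a restore you can prove the offline copy is the one you wrote and has not been altered or partially overwritten. The script below is an added example, not code from the article or from any backup product; the file names, contents and key are constructed, and in practice the key would be held separately from the export (for instance in a password safe).

```python
"""Added example: HMAC-signed manifest for an exported tape volume catalogue.
Not from the original article or any backup product. File names, contents and
the key below are constructed for the demonstration."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large catalogue exports are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(catalogue_dir: str, key: bytes) -> dict:
    """Hash every file in the export and sign the file list with HMAC-SHA256.
    Because the key is kept away from the export, rewriting the export does not
    let an attacker produce a matching manifest."""
    entries = {}
    for name in sorted(os.listdir(catalogue_dir)):
        p = os.path.join(catalogue_dir, name)
        if os.path.isfile(p):
            entries[name] = sha256_file(p)
    payload = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_manifest(catalogue_dir: str, manifest: dict, key: bytes) -> list[str]:
    """Return a list of problems; an empty list means the offline copy is intact."""
    problems = []
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        # The manifest itself was altered or signed with a different key.
        return ["manifest signature invalid"]
    for name, digest in manifest["files"].items():
        p = os.path.join(catalogue_dir, name)
        if not os.path.isfile(p):
            problems.append(f"missing: {name}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {name}")
    for name in sorted(os.listdir(catalogue_dir)):
        if name not in manifest["files"] and os.path.isfile(os.path.join(catalogue_dir, name)):
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Create a constructed catalogue export, sign it, verify it, then tamper with
    one file and verify again. Returns (clean_result, tampered_result)."""
    key = b"constructed-demo-key-real-keys-live-in-a-password-safe"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "volumes.db"), "wb") as f:
            f.write(b"VOL0001 host=fileserver01 backup=2024-01-02 type=full\n")
        with open(os.path.join(d, "media.txt"), "wb") as f:
            f.write(b"VOL0001 slot=12 library=LIB-A\n")
        manifest = build_manifest(d, key)
        clean = verify_manifest(d, manifest, key)
        with open(os.path.join(d, "volumes.db"), "ab") as f:
            f.write(b"VOL0001 ERASED\n")  # simulate a tampered catalogue entry
        tampered = verify_manifest(d, manifest, key)
    return clean, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("clean copy:", ok or "intact")
    print("tampered copy:", bad)
```

The manifest is tiny and can travel with the tapes or be printed; the check only needs the key, which stays with the people who will run the recovery.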
Object storage is an alternative to tape that can form part of an air gap solution, as ransomware does not currently know how to access backup data that is stored on object-based storage devices.
Another point to consider is how much data your air gap will store. If you store a copy of the last good backup to provide a recovery window of up to 24 or 48 hours, and you are hit by a cyber-attack, you need to understand that when you recover the affected systems you will most likely be restoring the cyber threat as well, because it may have been resident in your network for longer than the air gap coverage period, so re-infection may occur. In this scenario, the air gap can provide you with some breathing space to try to disarm the threat before it runs again.
Your backup software application can also be used as a tool to help detect (not prevent) when you have been infected by a threat such as ransomware. Backup software vendors are now starting to introduce alerting into their products that performs trend analysis on backup data to highlight patterns outside the norm. For example, when ransomware infects a system and encrypts data, an incremental backup of that system will back up the infected files as new data. This will result in an increase in the daily ingest of backup data for that system and also a reduction in the deduplication ratio of the backup data, as encrypted files will not be deduplicated or compressed. Both of these metrics can be used to alert the administrator of a potential issue.
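The two signals described above, an ingest spike and a deduplication collapse on the same day, can be checked against a client's own recent history. The detector below is an added example, not a feature of any named backup product; the daily statistics are constructed, and it also shows why the two metrics are combined: a legitimate bulk copy raises ingest but still deduplicates, so it does not alert.

```python
"""Added example: alert on a backup client whose daily ingest jumps while its
deduplication ratio collapses, the pattern mass encryption leaves in backup
statistics. Not from any backup product; the sample data is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class DailyStat:
    day: str
    ingest_gb: float    # new data written by that day's incremental backup
    dedup_ratio: float  # logical size / physical size after dedup and compression


def assess_client(history: list[DailyStat], baseline_days: int = 7,
                  ingest_sigma: float = 3.0, dedup_drop: float = 0.5) -> list[str]:
    """Compare each day with the preceding `baseline_days` days and raise an
    alert only when ingest exceeds mean + ingest_sigma * stddev AND the dedup
    ratio falls below dedup_drop * baseline mean."""
    alerts = []
    for i in range(baseline_days, len(history)):
        window = history[i - baseline_days:i]
        today = history[i]
        ingest_mean = mean(s.ingest_gb for s in window)
        ingest_sd = pstdev(s.ingest_gb for s in window)
        dedup_mean = mean(s.dedup_ratio for s in window)
        # Floor the stddev at 5% of the mean so a perfectly flat baseline does
        # not turn every small change into a spike.
        spread = max(ingest_sd, 0.05 * ingest_mean)
        ingest_spike = today.ingest_gb > ingest_mean + ingest_sigma * spread
        dedup_collapse = today.dedup_ratio < dedup_drop * dedup_mean
        if ingest_spike and dedup_collapse:
            alerts.append(
                f"{today.day}: ingest {today.ingest_gb:.1f} GB vs baseline "
                f"{ingest_mean:.1f} GB, dedup {today.dedup_ratio:.1f}x vs {dedup_mean:.1f}x"
            )
    return alerts


def sample_history() -> list[DailyStat]:
    """Constructed statistics for one client: a quiet week, a legitimate bulk
    copy on the 9th (more data, still dedupes well) and mass encryption on the 10th."""
    rows = [
        ("2024-03-01", 20.0, 8.0), ("2024-03-02", 22.0, 7.8), ("2024-03-03", 19.5, 8.2),
        ("2024-03-04", 21.0, 8.0), ("2024-03-05", 20.5, 7.9), ("2024-03-06", 23.0, 8.1),
        ("2024-03-07", 19.0, 8.0), ("2024-03-08", 21.5, 8.0),
        ("2024-03-09", 150.0, 9.0),  # bulk copy: ingest up, dedup fine -> no alert
        ("2024-03-10", 480.0, 1.1),  # encrypted data: ingest up, dedup gone -> alert
    ]
    return [DailyStat(*r) for r in rows]


def demo() -> list[str]:
    return assess_client(sample_history())


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)
```

Real products expose these counters per client in their reporting databases; the thresholds here are starting points and should be tuned per client, since file servers and database hosts have very different daily churn.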
A further type of threat we often discuss is the one that comes from within our own organisation. Dealing with these insider threats, or attacks, is a completely different matter. Combating this scenario is not just about technology, but a combination of policies and processes working in conjunction with security software.
In general, the disgruntled or dismissed employee that we mentioned at the start of this article will not normally perform a malicious act while they are still on the premises, as they could easily be apprehended. This type of attack often takes the form of a destructive macro or script scheduled to run at some point after they have left your organisation.
Once again, an air gap solution may not provide the recovery capabilities to restore your systems to the safe, disinfected state they were in prior to the attack, as the malicious code may have been resident in your infrastructure for longer than the period covered by the air gap solution. Therefore, you need to rely on a well-designed data protection solution, backed by security policies and procedures, all working hand in hand with a Security Information & Event Management (SIEM) system.
Managing and monitoring human behaviour is the key. A SIEM will provide you with a huge data repository that can be mined by AI to answer some important behavioural questions: how are people accessing my data? What are people doing with sensitive data? Which users are behaving abnormally, and how?
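The three questions above can be answered, at a basic level, from file-access audit events long before any AI is involved: build each user's own baseline (working hours, shares used, files touched per day) and report departures from it. The script below is an added example, not taken from the article or any SIEM product; the audit events and user names are constructed, and the event format is an assumption.

```python
"""Added example: per-user behavioural baseline from file-access audit events.
Not from any SIEM product. Event lines, users and paths are constructed, and
the "<ISO timestamp> <user> <action> <path>" format is an assumption."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean

# Constructed audit events; the share is the first path component.
EVENTS = """\
2024-05-01T09:12:03 alice READ /finance/q1.xlsx
2024-05-01T10:40:17 alice WRITE /finance/budget.xlsx
2024-05-01T11:05:44 bob READ /engineering/design.pdf
2024-05-02T09:31:09 alice READ /finance/q1.xlsx
2024-05-02T14:20:51 bob READ /engineering/spec.docx
2024-05-02T15:02:10 bob WRITE /engineering/spec.docx
2024-05-03T08:58:36 alice READ /finance/payroll.csv
2024-05-03T13:45:00 bob READ /engineering/design.pdf
2024-05-04T09:05:12 alice READ /finance/budget.xlsx
2024-05-04T10:15:33 bob READ /engineering/roadmap.pptx
2024-05-05T02:14:08 bob READ /finance/payroll.csv
2024-05-05T02:15:21 bob READ /finance/budget.xlsx
2024-05-05T02:16:02 bob READ /finance/q1.xlsx
2024-05-05T02:17:45 bob READ /hr/salaries.xlsx
2024-05-05T02:18:30 bob READ /hr/contracts.zip
2024-05-05T02:19:12 bob READ /engineering/design.pdf
2024-05-05T09:40:00 alice READ /finance/q1.xlsx
"""


def parse_events(text: str) -> list[tuple[datetime, str, str, str, str]]:
    """Return (timestamp, user, action, share, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        share = path.strip("/").split("/", 1)[0]
        events.append((datetime.fromisoformat(ts), user, action, share, path))
    return events


def build_profiles(history: list) -> dict[str, dict]:
    """Per-user baseline: hours seen, shares touched, distinct files per active day."""
    hours, shares = defaultdict(set), defaultdict(set)
    files_per_day = defaultdict(lambda: defaultdict(set))
    for ts, user, _action, share, path in history:
        hours[user].add(ts.hour)
        shares[user].add(share)
        files_per_day[user][ts.date()].add(path)
    return {u: {"hours": hours[u], "shares": shares[u],
                "files_per_day": mean(len(v) for v in files_per_day[u].values())}
            for u in hours}


def analyse(events_text: str, day: date, bulk_factor: float = 3.0) -> dict[str, list[str]]:
    """Compare each user's activity on `day` with their history before it."""
    events = parse_events(events_text)
    profiles = build_profiles([e for e in events if e[0].date() < day])
    by_user = defaultdict(list)
    for e in events:
        if e[0].date() == day:
            by_user[e[1]].append(e)
    findings = defaultdict(list)
    for user, evs in by_user.items():
        prof = profiles.get(user)
        if prof is None:
            findings[user].append("no history: first-ever activity")
            continue
        lo, hi = min(prof["hours"]), max(prof["hours"])
        off = [e for e in evs if not lo - 1 <= e[0].hour <= hi + 1]  # one hour of slack
        if off:
            findings[user].append(f"{len(off)} of {len(evs)} events outside usual hours {lo:02d}:00-{hi:02d}:59")
        distinct = {e[4] for e in evs}
        if len(distinct) > max(bulk_factor * prof["files_per_day"], 3):
            findings[user].append(f"{len(distinct)} distinct files vs usual {prof['files_per_day']:.1f} per day")
        new = sorted({e[3] for e in evs} - prof["shares"])
        if new:
            findings[user].append("first access to shares: " + ", ".join(new))
    return dict(findings)


def demo() -> dict[str, list[str]]:
    return analyse(EVENTS, date(2024, 5, 5))


if __name__ == "__main__":
    for user, notes in demo().items():
        print(user, "->", "; ".join(notes))
```

On the constructed data only bob is reported: a 2 a.m. sweep of finance and HR shares he has never used, touching six files against a usual one per day. alice, whose access is within her normal pattern, produces no findings, which is what keeps this kind of report readable for the people who have to act on it.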
Hopefully, this information will allow you to take action and go on the offensive!
If you’d like assistance with your data protection then feel free to get in touch via Celerity or call us on 01772 542450.