Ransomware is a top agenda item for executives and board of directors with organizations across the globe. Jim McGann presents five questions that every organization, whether a global enterprise or a micro-business, needs to have answers to with regards to this threat.
In the past, ransomware attacks were less common and easier to combat, however, today with the rise of bitcoin and ransomware as a service, attacks are more common than ever.
Additionally, cyber criminals used to rely on simple business email compromise attacks and send out thousands of infected emails hoping someone would innocently click. Today, these bad actors have become far more sophisticated, utilizing machine learning and hidden approaches that easily circumvent existing security applications.
As a result, organizations have realized the inevitable: it’s not if, but when the attack will occur. If your organization is relying on the status quo to continue your IT operations as is, you will soon be faced with a few tough questions from your executives - questions for which you will need to have a confident and intelligent answer.
Question 1: How will you know when you were attacked?
Bad actors are increasing their dwell time, the time from when they have successfully penetrated IT systems to when they are detected (or when they launch an attack) and using this time to inspect the environment to understand what security and data protection solutions are implemented. This allows them to maximize their impact. During this quiet period, they are often difficult to detect. We know that with the recent SolarWinds attack, cyber criminals were in the data center / centre for months before they were detected.
So, when your existing security products fail to detect an attack, how will you know you were attacked? This is where validating the data’s integrity comes in. Using analytics and machine learning to validate the integrity of core infrastructure, files, and databases you will know when corruption begins. When bad actors begin to encrypt your Active Directory, or mass delete important files, or corrupt key production databases, an alert needs to sound! These integrity changes are indicative of a cyber attack. Being able to quickly detect a suspicious change is the last line of defense / defence when all else has failed.
Question 2: Will you know what data attackers have corrupted?
In the past, cyber attacks were random. They did not have specific data in mind, the attacks randomly corrupted any data in its path. Times have changed. Cyber criminals want to cripple your organization, so they seek out critical resources to attack. Additionally, they want to steal sensitive data so they can ask for a larger ransom. Therefore, it is important to understand what specific content has been corrupted.
So, how will you know what files or databases have been corrupted? This is where data integrity becomes a critical component to your cyber resiliency strategy. Continually checking the integrity of data, day after day, will allow you to understand how it changes over time. As the integrity of the data is impacted, with changes that are indicative of a cyber attack, then you will know that suspicious activity has occurred. You need a complete report of all the files and databases that have undergone suspicious activity: what servers, what owners, what type. These are details you will need to diagnose the attack.
Question 3: After an attack how quickly can you recover?
The most significant challenge that organizations face after a cyber attack is getting the business back to a steady state as quickly as possible. Most organizations struggle with this task and can take weeks or months to get fully operational. The impact on the business is significant and costly.
The first thing that an organization does to recover is to look to the backups. Backups are designed to recover from a disaster; however, a cyber attack is far different. There are known ransomware, such as Conti and REvil, that will shut off your backups or corrupt your backup images. So, when you go to recover you may find that your recent backups are not viable.
Beyond corruption of the backup image, what about the content? Restoring the last backup may result in restoring corrupted files and malware. How do you know your backups are good?
Answering the question on how quickly a recovery can occur depends on knowing the last good backups, the backups with the data that has integrity. Again, by continually checking the integrity of data, you will know the last backup that has good data. This will take all the guess work out of finding the good backups and will turn the recovery time into a quick and less painful event.
Question 4: Will we have to pay a ransom to get our data back?
The simple answer here is no. If you know which backups are good, you can easily leverage your existing backup software to recover confidently. This gets your business operational without having to pay a ransom.
Paying a ransom unlocks your corrupted data and makes you a prime target for a second attack. Organizations that pay ransoms typically struggle to find a good version of their networking software, or databases, or key user documents. This is time consuming and complex, and they pay a ransom to avoid this process. Paying a ransom is not necessary if you have backups that have data with integrity.
Question 5: Are we confident that we will be protected in the future?
Cyber criminals continually change their approach. They become more sophisticated and look for advanced methods to hide their tracks. Today they may be corrupting data using simple approaches, such as appending file names with .locky or .encrypted. A simple metadata scan could uncover this corruption. However, will you be prepared if they go deeper and use less obvious forms of corruption?
Most of the approaches implemented by data protection or cyber security vendors just look at metadata. They do not have the capabilities to inspect inside files or databases. When a cyber criminal detects that these tools are utilized, they will hide their corruption inside to make detection more challenging. We know that there is existing malware that will corrupt the internal content of a file or database while keeping the metadata intact.
So, how can you be protected against future more advanced and sophisticated attacks? Using full content-based analytics that inspects inside content to look for hidden attacks will ensure these attacks are detected. Without comprehensive content-based analytics, you will be exposed in the future and your data resiliency strategy will be compromised.
Data Integrity is the Answer
All the questions lead back to one common denominator. The only way to secure a quick detection and reliable recovery from a cyber attack is to ensure that your data has integrity. Deploy a process that checks for signs of corruption deep into the file content and monitors how data changes. This empowers companies to reliably detect and recover from an attack without disrupting the live environment.
Knowing when an attack occurs and being able to quickly restore clean data is why data integrity is key to recovering from any cyber attack. This is critical since downtime and ransoms can easily bankrupt an organization.
By integrating machine learning and forensics into your cyber protection strategy to check for malicious activity, you will have the confidence that when an attack occurs, backups can be restored, operational steady state can be achieved, and cyber criminals’ threats will be thwarted.
Invest in your data’s integrity. And have the answers to avoid the next ransomware attack.
The author
Jim McGann is Vice President Marketing & Business Development, Index Engines. Jim has extensive experience with eDiscovery and information management in the Fortune 2000 sector. Before joining Index Engines in 2004, he worked for leading software firms, including Information Builders and the French based engineering software provider Dassault Systemes. He is a frequent writer and speaker on the topics of big data, backup tape remediation, electronic discovery and records management.
