Analysts and hardware providers are preaching backup as the best way to recover from ransomware, and it is the primary approach many organizations rely on for their cyber resiliency strategy. But backups are being targeted and need their own protective strategies, says Index Engines.
Backups are not enough, according to Index Engines. Backups can be compromised, as we are now seeing. Relying on standard backups to recover from a ransomware attack is no longer a viable strategy. It is important to validate the integrity of both the backups themselves and the data inside them, so that there is confidence a quick and reliable recovery process can be executed.
“Organizations are overly confident that their backups have integrity and can be used to recover data when they are hit by a ransomware attack,” Index Engines vice president Jim McGann said. “Cyber criminals do not want organizations to easily recover, so they have set their sights on backup; corrupting, encrypting, or deleting them, to make it very challenging to execute a reliable and timely recovery. This allows attackers to ask for more extreme ransoms.”
Backups are still the right place to start, as long as strategies address the influx of sophisticated attacks that are already being seen and that will increasingly become the ‘industry standard’ for ransomware in the coming quarters.
Backups should provide the isolation needed from cyber attacks, immutability from destructive threats, and, most importantly, the intelligence to know if that data has already been compromised. This includes:
- Isolation. Cybercriminals cannot access, steal and corrupt data they do not know exists. Isolating backups of core infrastructure, critical files, and databases with an operational air gap offers an integral first step to keeping data out of reach.
- Immutability. Deploying advanced technology to lock down the protected data and ensure that no bad actors can tamper with it, corrupt it or destroy it is critical to ensuring reliable recovery. There have been many instances of cybercriminals or insider threats destroying backup catalogs and data sets to create an unrecoverable environment. Immutability will provide confidence that data is secure and protected from harm.
- Intelligence. The data is off the network and tamper-proof, but is it good? Sophisticated attacks that hide deep inside the content are becoming more commonplace and are circumventing detection tools. Adding machine learning and full-content analytics to this secured data offers insight into how the data has changed and can alert to signs of corruption. Early detection provides the ability to recover quickly with confidence that data is clean. Leveraging intelligence can limit data loss to hours and specific files, not days, weeks, and complete backups.
“Companies need to get their business operational quickly,” McGann explained, “but this leaves organizations with few options, many of which aren’t ideal for business operations. Paying a ransom and getting encryption keys is a common path they seek, putting them on a list for another attack and putting their faith in cyber criminals that the encryption keys will work. Or they spend days searching for good backups so they can restore clean data, resulting in a major delay to return to a steady state.”
“This is where intelligence comes in. Being able to know what was compromised and when allows for an intelligent return to business operation quickly.”