Mitigate Ransomware by Moving from Legacy Backup to Modern Data Protection

September 13, 2023

It's a story repeated all too often. Repeated, in fact, every 11 seconds across the world. The late-night escalation call, the spike in disk IO, the denied logins, and ultimately some form of communication asking for payment. These attacks infiltrate businesses through multiple vectors, from email compromise to adversary-in-the-middle phishing attacks, payroll redirection attacks, and traditional website vulnerabilities. But after the dust settles, these attacks all have one thing in common: the goal is extortion. This attempt to extort enterprises comes in two predominant forms:

While preventing this type of attack is an aspiration of any organization, a plan to respond and recover from an incident should be part of every company's strategy. Any response plan will require some key pieces of information so intelligent decisions can be made.

  1. Where is sensitive data stored? When the attackers infiltrated, did they access sensitive customer information stored in a PowerPoint, or just an employee's cat pictures?
  2. Who can access which data? If any Tom, Dick, or Harry could access everything, how do we know which data the compromised accounts had access to, and how damaging would the release of that data be?
  3. Do we have a safe copy of our data? Are we sure we have a backup that wasn't encrypted? Can we ensure we aren't restoring data that has been infected?
  4. Were our policies being followed so we can be confident in the answers of all these questions?

Here we will focus on 4 pillars of a modern data protection platform:

Authentication and Identity Management

Once upon a time, people needed a different username and password to log in to each system they used or managed, creating a lot of management overhead, and a lot of information for a user to remember. To combat that complexity, people started using the same usernames and passwords on all the different systems that they accessed, at least until they got out of sync due to different expirations or other issues. Then someone came along and said, "Hey, as long as we are using the same usernames and passwords, why not federate them and create Single Sign On capabilities, so we have one point of management and users only need one set of credentials." Perfection was finally achieved! That is, until it was realized that if an account was compromised, the bad actor had access to EVERYTHING, and the risk was exponentially worse if that user was also an administrator. Now, with criminal organizations operating a multi-billion-dollar industry exploiting this weakness, rethinking our approach to the security of authentication and identity management is critical, especially when it comes to protecting an organization's data.

Don't do this.

Zero Trust - This is the first, possibly most important aspect to shore up, and can be summed up simply: Production and Backup environments should not be in the same authentication domain. Production domains with end users are the most likely to be initially compromised, and if an attacker gains access to an account and elevates privilege, they have the keys to the kingdom. If backup is part of that kingdom, the attacker can give themselves access to it with minimal effort, and there is no limit to the damage they can cause. Isolate credentials in backup environments so that they are only used for that environment, particularly for administrative-level users that have policy-altering or data-destruction capabilities. If centralized password databases are kept, take extra precautions to ensure they are only accessible by duly authorized entities, and consider air-gapped storage for the most critical credentials.

Infrastructure Security - Second only to leaving the default passwords on your storage arrays, having the administrative interfaces of your primary and backup infrastructure participate in the production authentication domain is a recipe for disaster if a hostile actor gets in. Many storage platforms do not have robust authentication capabilities, and even those that do can be subject to an array of denial-of-service attacks, such as over-provisioning or changing retention policies by a motivated admin-level user. Perhaps someday all platforms will integrate a "two-man rule" protocol for potentially data-destructive actions, but until then isolating access is the best stopgap. Ensuring the security of administration is critical, but all points of attack, including KVM, CLI, and API calls, need to be thoughtfully secured as well. Bottom line: your data will only be as secure as the platform it resides on.

Infrastructure Dependencies - Ensuring your software, devices, and appliances are secure is important, but there is usually adjacent infrastructure that can be vulnerable to attack and can cause downstream impacts. Obviously, a compromised identity provider is a key vulnerability, so steps should be taken to lock that down. However, something like a time server (NTP) can be another critical vulnerability if retention policies and data aging are tied to an expiration date. Some platforms can defend against NTP poisoning attacks, but others may not, so thought needs to go into both the security of the time service and the policies that may drive automated aging. How might those systems be affected if the time was set forward, say, 20 years?

Multifactor Authentication - MFA/2FA has been around for decades to protect defense, banking, finance, and other critical services. It provides a secondary method of identity validation that will deny access even if a username/password combination is known. This will prevent most casual attacks and generally requires a man-in-the-middle style attack to circumvent, usually targeting SMS or email push notifications. Cyber insurance companies are starting to require MFA, so support for MFA is expanding; therefore all systems that are able should require it to log in.

Role Based Access Control - RBAC is a fancy way of saying give people only what they need based on their requirements. The days of giving everyone more access than they need are behind us. If a user needs restoration capabilities only, they shouldn't have access to create, delete, or modify policies. Only specific admins in locked-down accounts should have such access. Everyone else gets a personal valet key.

Data Security Layer

Protecting backup data properly includes a few generally easy to follow guidelines and revolves around making sure the data that is backed up is not only secured, but that there are multiple copies in multiple locations.

Data Encryption - There are multiple points at which data and data transfers can be, and SHOULD be, encrypted. Protecting data in flight with mechanisms such as SMB packet signing, HTTPS with valid certificate chains, and others can prevent man-in-the-middle attacks and data leaks, which can include information like usernames and passwords that would allow access to important backup data.

Air Gapped Backup Copy - Multiple definitions of air gapping exist, from a physical copy such as tape that is located in a different location than the source of the original data, all the way to a logically segregated network copy with minimal access. This is a terrific way to have a copy of backup data that is not accessible to bad actors in the event services are compromised.

Immutability - Immutability makes sure that any data written cannot be altered or deleted before a set retention date is reached. It is a crucial step in preventing your backup data from being purged or altered in the event of a data breach. There are several ways to achieve it:

  • Immutable backups are supported by most major backup applications. They prevent the written backup data from being altered until the backup application determines that the retention period has been reached, and are great at preventing data purging should the environment be compromised.
  • WORM or Write Once Read Many is another method to achieve immutability via your storage platform. This is great not only to protect from ransomware but is often utilized in user-based storage and can prevent accidental deletion of important data.
  • Immutable snapshots are another form of data protection that takes place on your storage area snapshots. These can often be orchestrated via a data protection platform, but do not have to be. Snapshots natively cannot be altered, but immutable snapshots prevent the deletion of the snapshot until a certain retention period has been reached.
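The retention-lock behaviour described in these bullets, combined with the "time set forward 20 years" question from the Infrastructure Dependencies section, as an added example that is not part of the original post or of any vendor's product. It models a write-once store that refuses overwrites, refuses deletes before the retention date, and refuses to trust a clock reading that jumps implausibly (`MAX_PLAUSIBLE_JUMP`, `utc_day`, `ImmutableStore` and the sample dates are all constructed for the illustration).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

EPOCH = datetime(2023, 9, 13, tzinfo=timezone.utc)   # constructed start of the scenario
MAX_PLAUSIBLE_JUMP = timedelta(days=2)   # a larger forward step is treated as an untrusted clock

def utc_day(offset_days: int) -> datetime:
    """Constructed clock reading: EPOCH plus a number of days (negative = clock set back)."""
    return EPOCH + timedelta(days=offset_days)

@dataclass
class ImmutableStore:
    last_seen_clock: datetime                      # last clock reading the store trusted
    objects: dict = field(default_factory=dict)    # name -> (payload, retain_until)

    def _trusted_now(self, clock_now: datetime) -> datetime:
        # A reading that goes backwards, or leaps ahead by more than MAX_PLAUSIBLE_JUMP
        # (the "set forward 20 years" case), is ignored: retention keeps being evaluated
        # against the last trusted time until the clock advances in plausible steps again.
        step = clock_now - self.last_seen_clock
        if step < timedelta(0) or step > MAX_PLAUSIBLE_JUMP:
            return self.last_seen_clock
        self.last_seen_clock = clock_now
        return clock_now

    def write(self, name: str, payload: bytes, retention_days: int, clock_now: datetime) -> bool:
        """Store a new object under a retention lock; an existing name is never rewritten (WORM)."""
        if name in self.objects:
            return False
        now = self._trusted_now(clock_now)
        self.objects[name] = (payload, now + timedelta(days=retention_days))
        return True

    def is_locked(self, name: str, clock_now: datetime) -> bool:
        return self._trusted_now(clock_now) < self.objects[name][1]

    def delete(self, name: str, clock_now: datetime) -> bool:
        """Delete only once the lock has expired according to trusted time."""
        if self.is_locked(name, clock_now):
            return False
        del self.objects[name]
        return True

def first_unlock_day(store: ImmutableStore, name: str, start_day: int, end_day: int) -> int:
    """Advance the clock one plausible day at a time; return the day the lock lifts, or -1."""
    for day in range(start_day, end_day + 1):
        if not store.is_locked(name, utc_day(day)):
            return day
    return -1
```

A real platform would anchor trusted time to a hardware clock or a signed time source rather than to its own last reading; the point here is that aging must not be driven by whatever the network clock happens to say.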

Recovery Focused Data Protection - Protecting your backup data is a great start, but having the ability to recover that data in the event of a breach is vital to keep your company afloat. Most major backup vendors support a method of live mounting your data to make it immediately accessible and usable should the need arise. Options such as snapshotting your databases can instantly reverse any changes that were made, should that data be compromised by bad actors or accidentally by a privileged user. Ensuring your data is quickly accessible will ensure that if something does happen, administrators can act quickly to restore functionality.

Compliance

The most fundamental role of any data protection solution is to protect corporate data and important system and application configurations. Let's take a look at how modern data protection solutions can put data protection on autopilot, give us flexible visibility tailored to engineers, auditors, and C-level, and allow us to track changes in our data protection environment to ensure configuration changes don't compromise the security of our data.

  1. Auto Discovery and Protection: The modern pattern for many organizations is to run workloads and store critical data across many different environments: on-premises data centers, public clouds, and SaaS services like M365. Run workloads and store data where it makes sense and move those workloads as conditions change; true hybrid cloud. To achieve this level of flexibility, organizations need a modern data protection solution that is equally flexible without having to stitch together multiple products or solutions. Data protection solutions must be able to auto-discover when new workloads are brought online, automatically assign them to policies, and start protecting those workloads without user intervention to ensure policy compliance, whether those workloads are mailboxes or OneDrive folders in M365, databases, PVCs running in the public cloud, or VMs on-prem.
  2. Protection Compliance Reporting: Data protection engineers have a difficult job: ensuring that hundreds, if not thousands, of workloads such as databases, application servers, file sets, and SaaS applications are protected and meeting corporate policies on a daily basis. Understanding the data protection status of workloads can be difficult when data protection is fragmented across multiple technologies. Modern data protection solutions that can manage workloads across hybrid clouds provide a second, equally important capability: centralized visibility. Reporting should be flexible and tunable to the intended audience, giving individuals quick access to the information they are interested in, in an easily consumable format. Options like graphical dashboards for executives, customizable audit reports for compliance officers, and exception reporting for IT engineers provide customized views that cater to what people care about. They also ensure that IT engineers who don't want to spend their day paging through backup reports just to find the jobs that failed are able to quickly determine whether SLAs are being met.
  3. User Activity Monitoring: Understanding what users are doing in your environment is important to any security strategy. As the last line of defense, understanding what users are doing in your data protection environment is critical. All user actions must be logged and easily audited, and alerts should be generated when abnormal activity occurs, especially for important actions such as modifying backup policies and adding or removing data sources. Users should only be able to see and act upon objects pertinent to their job role. Operations that are destructive in nature, like changing retention or deleting, must be blocked unless multiple approvals have been obtained.
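The user activity monitoring rules in item 3 (log everything, alert on policy and data-source changes, block destructive operations that lack multiple approvals, flag abnormal bursts), as an added example that is not from the original post or any real backup platform. The audit-line format, the action names, the approval threshold and the sample log lines are all constructed for the illustration.

```python
import re
from collections import Counter

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)"
                    r"(?: approvals=(?P<approvals>\d+))?$")   # constructed audit-line format

ALERT_ACTIONS = {"policy.modify", "retention.change", "backup.delete", "source.add", "source.remove"}
DESTRUCTIVE_ACTIONS = {"retention.change", "backup.delete", "source.remove"}
REQUIRED_APPROVALS = 2      # destructive operations need sign-off from two distinct approvers
BURST_THRESHOLD = 3         # this many sensitive actions by one user in a batch is abnormal

SAMPLE_AUDIT = [            # constructed log lines
    "2023-09-13T02:14:05Z user=jsmith action=restore.start object=fileserver01",
    "2023-09-13T02:14:40Z user=jsmith action=policy.modify object=Gold-Tier",
    "2023-09-13T02:15:02Z user=jsmith action=retention.change object=Gold-Tier approvals=1",
    "2023-09-13T02:15:30Z user=jsmith action=backup.delete object=db-full-001 approvals=0",
    "2023-09-13T02:15:31Z user=jsmith action=backup.delete object=db-full-002 approvals=0",
    "2023-09-13T09:30:00Z user=backupadmin action=backup.delete object=legacy-2015 approvals=2",
    "this line is not an audit event",
]

def parse_event(line: str):
    """Return the event fields as a dict, or None if the line is not a valid audit record."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["approvals"] = int(ev["approvals"] or 0)
    return ev

def evaluate(lines):
    """Block under-approved destructive actions, alert on sensitive ones, flag bursts."""
    blocked, alerts, sensitive_per_user = [], [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:                       # tampered or truncated log lines are themselves alerts
            alerts.append(f"unparseable audit line: {line!r}")
            continue
        if ev["action"] in ALERT_ACTIONS:
            sensitive_per_user[ev["user"]] += 1
        if ev["action"] in DESTRUCTIVE_ACTIONS and ev["approvals"] < REQUIRED_APPROVALS:
            blocked.append((ev["user"], ev["action"], ev["obj"]))
            alerts.append(f"BLOCKED {ev['user']} {ev['action']} {ev['obj']} "
                          f"({ev['approvals']}/{REQUIRED_APPROVALS} approvals)")
        elif ev["action"] in ALERT_ACTIONS:
            alerts.append(f"{ev['ts']} {ev['user']} {ev['action']} {ev['obj']}")
    burst_users = [u for u, n in sensitive_per_user.items() if n >= BURST_THRESHOLD]
    alerts.extend(f"burst of {sensitive_per_user[u]} sensitive actions by {u}" for u in burst_users)
    return {"blocked": blocked, "alerts": alerts, "burst_users": burst_users}
```

Note that the restore-only user's restore action generates nothing, while the same user modifying policy and then attempting deletions without approvals is both blocked and flagged as a burst.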

Data Intelligence

Recovering from a ransomware attack isn't just about getting applications back online quickly. In the heat of the moment, this is probably the first thing that crosses an administrator's or IT leader's mind. However, understanding how and what data was impacted can be just as critical to the recovery effort and to the reporting requirements that result from a data breach. Here are three data intelligence features every organization should have:

  1. Sensitive Data Discovery: The lack of visibility of sensitive data across an organization can lead to inadvertent data exposure and a rise in incident response costs. Proactively monitoring where sensitive data resides and who has access to it is a step toward reducing the risk of exfiltration from an internal or external threat.
  2. Anomaly Detection: Quickly determining when a data breach has occurred, and the blast radius of an event, is key to understanding what has been compromised. A solution that utilizes machine learning to identify anomalies or unusual behavior can provide organizations with intel to reduce the time to identify and report affected files and applications.
  3. Threat Hunting: The typical iterative recovery process to find the last known good recovery point could take hours, days, or even weeks and could pose a real threat of data re-encryption. Discovering indicators of compromise and automatically quarantining bad recovery points by utilizing patterns, hashes, and rules can drastically reduce recovery time and re-infection risk.
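The threat hunting step in item 3 (scan recovery points for indicators of compromise using hashes, name patterns and rules, quarantine the bad ones, and pick the last known good point), as an added example that is not from the original post or any vendor's product. The recovery points, the "bad" hash (derived from a constructed payload), the filename patterns and the ratio rule are all constructed for the illustration.

```python
import fnmatch
import hashlib
from dataclasses import dataclass

@dataclass
class RecoveryPoint:
    point_id: str
    taken_at: str     # ISO-8601 timestamp, so lexical order is chronological order
    files: dict       # path -> content bytes; constructed here, a real scan would stream from the backup

BAD_HASHES = {hashlib.sha256(b"constructed dropper payload").hexdigest()}   # constructed indicator
BAD_NAME_PATTERNS = ["*.locked", "*/HOW_TO_RESTORE_FILES.txt"]            # constructed patterns
MAX_ENCRYPTED_RATIO = 0.2   # rule: more than 20% of files with a locked extension is itself an indicator
SAMPLE_POINTS = [
    RecoveryPoint("rp-001", "2023-09-10T01:00:00Z",
                  {"docs/q3.xlsx": b"quarterly numbers", "docs/plan.docx": b"plan"}),
    RecoveryPoint("rp-002", "2023-09-11T01:00:00Z",      # dropper staged, data not yet encrypted
                  {"docs/q3.xlsx": b"quarterly numbers", "docs/plan.docx": b"plan",
                   "tmp/update.exe": b"constructed dropper payload"}),
    RecoveryPoint("rp-003", "2023-09-12T01:00:00Z",      # after encryption
                  {"docs/q3.xlsx.locked": b"\x9f\x11\x07", "docs/plan.docx.locked": b"\x4a\xc2",
                   "docs/HOW_TO_RESTORE_FILES.txt": b"pay us", "tmp/update.exe": b"constructed dropper payload"}),
]

def find_indicators(point: RecoveryPoint) -> list:
    """Apply hash, name-pattern and ratio rules; return the list of indicator hits."""
    hits = []
    for path, content in point.files.items():
        if hashlib.sha256(content).hexdigest() in BAD_HASHES:
            hits.append(f"hash:{path}")
        if any(fnmatch.fnmatch(path, pat) for pat in BAD_NAME_PATTERNS):
            hits.append(f"name:{path}")
    locked = sum(fnmatch.fnmatch(path, "*.locked") for path in point.files)
    ratio = locked / len(point.files) if point.files else 0.0
    if ratio > MAX_ENCRYPTED_RATIO:
        hits.append(f"rule:encrypted_ratio={ratio:.2f}")
    return hits

def quarantine(points) -> dict:
    """Map point_id -> indicators for every recovery point that must not be restored."""
    return {p.point_id: hits for p in points if (hits := find_indicators(p))}

def last_known_good(points):
    """Most recent recovery point with no indicators, or None if every point is quarantined."""
    bad = quarantine(points)
    clean = [p for p in points if p.point_id not in bad]
    return max(clean, key=lambda p: p.taken_at).point_id if clean else None
```

The middle point shows why hash indicators matter: its data is still readable, so an iterative "restore the newest unencrypted copy" process would bring the staged dropper back with it.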

Implementing, maintaining, and continuously improving upon your data protection platform is a journey. Like all great journeys your chances of success are greatly improved with a seasoned guide walking with you step by step as you modernize your data protection. Call your AE Business Solutions team today and get ready to embark!

*AE Business Solutions makes no warranties, explicit or implied, as to the ability of any employees to pull off a tooth-lined outback hat or to wrestle crocodiles*
