Why traditional data protection tools are insufficient in 2023 and what to do about it.

Effective cyber resiliency requires taking a fresh approach to data protection. It's no longer safe to assume that your backups, once written, will remain untouched and ready to restore at a moment's notice.

Ransomware and other similar threats now prioritise secondary systems and backup data as a way of crippling an organisation's ability to respond to attacks. Only when these protection systems have been compromised will the intruders start attacking live business systems. 

Attackers know that an organisation will likely pay up once their incident response plan is in tatters and their backups are useless. 67% of organisations aren't confident that they could recover all business-critical data in the event of a destructive cyber attack [1]. How secure are you?

Let's begin by looking at why traditional data protection tools are insufficient in the current climate.

Challenges posed by the cyber threat

  1. The evolution of ransomware

When discussing data protection, we traditionally speak about business requirements like RPO and RTO (recovery point objective and recovery time objective). These requirements have almost always been formulated based on assumptions around particular types of disasters (floods, fire, etc.) and certainty regarding data integrity. However, these assumptions only work because the threat isn't actively trying to destroy your data (although we understand that our fellow Australian system admins may believe otherwise after the last few years). 

In these “traditional" disaster scenarios, your RPO is achievable because your backup data is intact. Your RTO is also realistic because the data and environment are trusted (as trustworthy as they can be).

Consider the ransomware scenario: your backup data is compromised (or might be compromised), and your environment is no longer trusted. This raises several problems. How do you meet your RPO/RTO targets if you don't know what to restore? How do you recover your backup sets within an acceptable timeframe if you still need to determine whether they're intact and valid? What impact could a forensic examination or criminal investigation process have on your restoration strategy?

  2. The growing threat of dwell time

Once an attacker gains privileged access to your environment, what is their next step? In simple terms, dwell time refers to the length of time an attacker spends in your network undetected. 

How they spend that time depends on both the attacker and the target. In general, most attackers will prepare the organisation to be easily attacked. They will identify key accounts to compromise, map out business-critical data for later encryption, and, most importantly, search for your secondary systems and backup data. 

Once they find what they're looking for, they'll work silently, deleting, crippling, and corrupting your data protection system. All of these actions will be carried out before the attacker encrypts a single byte of production data.

  3. The need for speed is more apparent than ever

Another factor to consider is your response speed. How quickly can you detect an attack? Once you've identified the threat, how effectively can you respond? It's important to acknowledge that there can be a significant discrepancy between these two metrics. 

Setting an incident response plan in motion can take time, and it's only possible to do so once you've determined whether a response is actually necessary. False positive alerts only exacerbate the problem and create uncertainty and doubt. Even in ideal circumstances, a rapid response may not be enough.

Ask yourself honestly: could your organisation effectively respond to a ransomware attack in under 15 minutes? If, like many others, you have your doubts, it's vital to acknowledge two things. First, detection is only part of the solution. Second, you need to plan for the time when prevention and detection aren't enough. As the saying goes: hope for the best; plan for the worst.

If those two statements weren't illuminating enough, let's look at how some existing backup solutions match up against the challenge of ransomware. As we progress, it's vital to remember that when it comes to your organisation's critical data, nearly isn't good enough, and the solution you choose needs to work flawlessly. 

In an ideal world, we would stop ransomware at the perimeter by blocking it with anti-virus or another prevention technique. Restoring your data from a backup should be your last resort. However, if you find yourself with no other choice, you want to have total confidence that your recovery system will work.

Common solutions to the cyber threat and their pitfalls

Now that we understand some of the new challenges posed by the cyber threat, let's look at some traditional backup solutions and call out any issues that are likely to arise. To keep things brief, we'll primarily consider the following:

  • Plain old backups
  • Immutable backups
  • Intrusion detection systems (IDS)

  1. Plain old backups are only good for plain old threats

The basic backup system typically combines a source system backup agent, a backup server handling orchestration and data management, and one or more backup targets, generally equipped with a data copy or replication process to enable off-site protection. Most organisations will have this kind of solution in place, and those that don't probably should.

A simple backup system is cost-effective and does a great job protecting against basic threats like natural disasters, equipment failures, and accidental deletion. For best-practice adherence, apply the 3-2-1 rule: maintain at least three copies of your production data, on at least two different media types, with at least one copy maintained off-site. 

For many years the plain old backup served as the beginning and end of an organisation's backup strategy. It was a great solution for its time, but times have changed. Let's look at ways in which the basic backup solution falls short.

When responding to a ransomware attack with a straightforward backup solution, the obvious first step is to recover the affected data from the backup. Easy, right? Well, probably not. Attackers know that organisations immediately turn to their backups to restore encrypted data. Before they attack your production applications, they will try and eliminate your backups. 

They could delete backup sets from online media, corrupt your backup index database, or encrypt your backup server. Thorough hackers will likely do all three. If there's an opportunity to prevent you from restoring your data, you can be guaranteed they'll take it.

Even if you get lucky and the attackers cannot kill off your backups, your basic backup system doesn't offer any assurance that your backup data is clean, nor does it do anything to protect that data from a determined attacker. To keep your organisation completely protected, you need something more.

  2. Immutable backups are a complement, not a solution

Immutable backups are data sets that can't be (easily) altered or deleted. Liken immutability to carving your data in stone. Short of someone pulverising the stone, your data is there for good. This is an important analogy – it tells us that the stone can be destroyed, no matter how resilient. The same can be said for immutable backups. No matter how permanent the solution may seem, there is always some way to erase it. As with any risk management strategy, it's just a matter of finding the solution that offers enough protection against the risk you're facing.

Immutable backups, or immutable storage, are a good solution to prevent data from being altered or deleted. However, immutable storage typically works not as a standalone solution but as a replacement or additional backup target used in conjunction with a straightforward backup system. While there are other situations in which immutable backups can be used, for the purpose of this article we'll consider them as a backup target. So, will combining your plain old backup with an immutable storage data set finally give you the ransomware protection your organisation needs? In short, no. 

  3. Intrusion detection systems (IDS) – a critical piece in the puzzle

We know what you're thinking: detection isn't a backup solution, so why is it included here? Well, many organisations are turning to intrusion detection technology to help them identify network attackers. This is done in an attempt to prevent, or at least contain and isolate, ransomware attacks. 

The techniques vary but usually involve log analytics and network traffic monitoring to spot unusual or malicious behaviour. (Note: While calling this solution IDS, understand that we use the term to cover all automated malicious activity monitoring).

IDS, as a concept, solution, and product set, has been around for a long time, but with the concerning rise of cybercrime, recent investment in technology has led to impressive new developments. Today IDS forms a critical piece of the cyber-security puzzle. 

All organisations need an IDS/IPS solution as a part of their backup strategy. With that said, is IDS the panacea for cyber resilience? Again, no, and let's talk about why.

While IDS solutions are very good at detecting malicious activity, they're not foolproof. As IDS detection capabilities improve, so do the attackers' evasion techniques. IDS tend to work in real time, monitoring the state of network traffic as it happens and tracking the rate of change of data over short periods. 

Some advanced systems can 'learn' what normal user activity looks like, but it's still challenging for these systems to differentiate between legitimate and malicious behaviour. Many rely on threshold metrics and metadata analysis, and it's this area that attackers are now exploiting. Low and slow attacks, using partial file encryption and 'metadata-invisible' changes to production data sets, are designed to avoid detection by remaining below alert thresholds. Only an in-depth analysis of the data itself would reveal the attack. Unfortunately, this is typically only performed in a post-attack scenario.

There is one other, more fundamental issue with IDS. As an operational system, an IDS solution is just as vulnerable to attack as anything else on the network. Air-gapping these systems doesn't make sense, as they need to be available to sysadmins and ITSec teams to be valuable to the organisation. If it's on the network, you must also assume that attackers can find it. It's also vital to remember that IDS isn't a backup solution, and it will not help you get your data back; it will just tell you that you've been attacked. 

So, what IS the solution?

If you've made it this far, thanks for sticking with us. Now we're going to suggest what’s, in our experience, the best option for cyber security in 2023. 

To have the best chance of protecting your business from attackers, you must combine all three of the above solutions while adding extra adhesive to make everything gel.

To get started, take your plain old backup sets, replicate them to a logically or physically air-gapped environment with immutable storage, and add deep data analysis on top of that backup data. That's it, and that's your vault. It sounds simple enough, but as always, when it comes to data protection, the little details count.
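As an added example of the "deep data analysis on top of that backup data" step, and of why the threshold-based monitoring described in the IDS section misses low-and-slow attacks, the following Python script compares two backup snapshots by their content rather than by size and modification time. It measures the byte entropy of each block and flags files in which blocks have turned ciphertext-like while the metadata stayed the same. This is illustrative code written for this article, not Infront's or Dell's software; the file names, timestamps, and the CHUNK, HIGH_ENTROPY and JUMP_THRESHOLD values are constructed assumptions, and the sample snapshots are built inline so the script runs offline.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

CHUNK = 1024           # analysis block size in bytes (assumption)
HIGH_ENTROPY = 7.0     # bits per byte; ciphertext sits near 8.0, text near 4.0 (assumption)
JUMP_THRESHOLD = 0.25  # fraction of blocks that must turn high-entropy to alert (assumption)


@dataclass(frozen=True)
class Entry:
    """One file as a backup index records it: size, mtime and the stored bytes."""
    size: int
    mtime: int
    data: bytes


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte of `block` (0.0 for pure repetition, ~8.0 for ciphertext)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_ratio(data: bytes) -> float:
    """Fraction of CHUNK-sized blocks whose entropy is at or above HIGH_ENTROPY."""
    blocks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if not blocks:
        return 0.0
    return sum(1 for b in blocks if shannon_entropy(b) >= HIGH_ENTROPY) / len(blocks)


def compare_snapshots(baseline: dict, current: dict) -> list:
    """Diff two snapshots by content, not metadata, and return a list of findings."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append({"path": path, "finding": "missing_from_current"})
            continue
        if hashlib.sha256(old.data).digest() == hashlib.sha256(new.data).digest():
            continue  # byte-identical, nothing to report
        metadata_same = (old.size, old.mtime) == (new.size, new.mtime)
        jump = high_entropy_ratio(new.data) - high_entropy_ratio(old.data)
        if jump >= JUMP_THRESHOLD:
            kind = "partial_encryption_suspected"   # content turned ciphertext-like
        elif metadata_same:
            kind = "content_changed_metadata_unchanged"  # invisible to mtime/size checks
        else:
            kind = "content_changed"                # ordinary edit
        findings.append({"path": path, "finding": kind,
                         "metadata_unchanged": metadata_same,
                         "entropy_jump": round(jump, 3)})
    return findings


def _keystream(length: int, seed: bytes = b"constructed-demo") -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def build_demo_snapshots():
    """Two constructed snapshots of the same files, taken one day apart."""
    rows = "".join(f"2023-03-{d:02d},INV-{d * 7:05d},{d * 113.25:.2f},paid\n"
                   for d in range(1, 32))
    ledger = (rows * 10)[:6 * CHUNK].encode()      # six blocks of ordinary CSV text
    # Same length as the original, but the two middle blocks are now ciphertext-like.
    tampered = ledger[:2 * CHUNK] + _keystream(2 * CHUNK) + ledger[4 * CHUNK:]
    runbook_v1 = b"step 1: call the on-call lead\n"
    runbook_v2 = runbook_v1 + b"step 2: isolate the host\n"
    day1, day2 = 1677628800, 1677715200            # constructed epoch timestamps
    baseline = {
        "finance/ledger.csv": Entry(len(ledger), day1, ledger),
        "ops/runbook.txt": Entry(len(runbook_v1), day1, runbook_v1),
        "backup/catalog.db": Entry(110, day1, b"CATALOG v1\n" * 10),
    }
    current = {
        # size and mtime untouched, content partially replaced: a metadata-invisible change
        "finance/ledger.csv": Entry(len(tampered), day1, tampered),
        # a legitimate edit: content, size and mtime all move together
        "ops/runbook.txt": Entry(len(runbook_v2), day2, runbook_v2),
        # the backup catalogue is simply gone from the second snapshot
    }
    return baseline, current


if __name__ == "__main__":
    for finding in compare_snapshots(*build_demo_snapshots()):
        print(finding)
```

Run against the constructed snapshots, the ledger is reported as suspected partial encryption even though its size and mtime are identical, the runbook edit is reported as an ordinary change, and the missing catalogue is reported as absent. The per-block entropy comparison is the point: a size or change-rate threshold would see nothing in the first case, which is exactly the gap the vault's content analysis is meant to close.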

There are some important things to consider when implementing this kind of solution. When it comes to maintaining the security of your vault, the people and process elements are just as important as the technology. Ideally, your operational staff would have no access to the vault, but this will depend on your organisation's size and risk tolerance. Understanding the resources and capacity required in your vault is also vital.

With its secure, vault-based analytics and full-content analysis features, our team typically recommends Dell Technologies Cyber Recovery solutions, the market leader in Data Protection Appliances and Software. 

From an implementation point of view, maintaining your existing backup solution may seem like the perfect choice. If it's working for you and fit for purpose, it can be challenging to see why it could be time for a change. But remember, it's better to plan now than regret it later.

An isolated vault can be a pain to maintain, but that's nothing compared to the pain of recovering your organisation without access to your data. 

If you'd like to discuss cyber resilience in more depth or your options for implementing a turn-key Dell Technologies solution, get in touch here!

Ben McCulloch and the Infront team 

[1] Data Protection Risk Landscape, Vanson Bourne, 2021
