Cyber attacks require the right backup and disaster recovery strategy


Enterprises face a constant threat of cyber attacks. Undiscovered security gaps and new types of attack constantly open up attack vectors that undermine an organization's IT security. Breaches are only a matter of time and nearly impossible to prevent in the long run. Ransomware attacks stand out for their damage potential and can cripple entire supply chains in addition to individual organizations. Companies need to anticipate this and put policies and procedures in place ahead of time to ensure timely restoration of IT operations. With proactive backup and disaster recovery strategies, the necessary tools can be put in place to minimize damage.

The constant threat of cyber attacks is already causing considerable damage to the German economy. In a survey conducted by Bitkom, 9 out of 10 companies stated that they had already fallen victim to cyber attacks. Bitkom estimates the damage caused to the German economy at over 220 billion euros for 2021 – more than twice as much as in the previous years 2018/2019 [1].

Ransomware attacks have proven to be particularly lucrative for criminals. The BKA states in its Bundeslagebericht Cybersecurity that this type of attack has the greatest damage potential. The attack pattern has also established itself as a business area in its own right: criminals can obtain ransomware-as-a-service as a cloud-style offering on the darknet [2].

Ransomware attacks are on the rise and constantly evolving. In its status report on IT security in Germany, the BSI expresses concern about this trend and observes a significant increase in extortion [3]. In surveys conducted independently by Bitkom and Hornetsecurity, one in five companies said they had already been the victim of a ransomware attack [4]. It can be assumed that this percentage will increase significantly in the future. The damage caused by ransomware is varied, ranging from reputational harm to loss of revenue to a complete shutdown of operations, and it can extend beyond the boundaries of the affected organization. This damage potential is exactly what attackers rely on to put themselves in a strong position for extortion. In order to minimize the risk of extortion, it is extremely important to be well prepared for such attacks.

Why backup alone won’t protect against ransomware

Regular backups are one of the basic building blocks for recovering compromised IT. However, they are not enough if attackers can capture sensitive data or even compromise the backup itself. In connection with ransomware, ENISA has observed a clear trend towards double extortion and even multiple extortion: hush-money demands made in combination with ransomware [5].

In double extortion, criminals aim to obtain hush-money payments by threatening to publish captured data. In this way attackers generate additional revenue beyond the ransom itself and can also put pressure on companies that have at least partially protected themselves with backups [6].

Mediamarkt-Saturn was recently the victim of a ransomware attack. Despite detection and the initiation of mitigation and recovery measures, the attackers had already siphoned off potentially sensitive data. According to media reports, they threatened to make this data public and demanded hush money of $240 million [7].

CheckPoint has identified the extension of extortion to the victim's customers and partners as the next evolutionary stage (triple extortion) [8]. Attacks on business partners can thus have direct consequences for one's own company. For example, the supermarket chain Coop and other customers became indirect victims of a ransomware attack because their common supplier of remote maintenance solutions, Kaseya, was crippled by attackers [9]. Similar incidents have recently been reported in the healthcare industry [10].

These examples illustrate that backups alone do not protect against ransomware – with potentially fatal consequences. Accordingly, organizations need to prepare for this and establish infrastructure recovery strategies in the event of a disaster.

The right backup strategy

There is no need to reinvent the wheel to protect against ransomware attacks. Several well-known concepts and procedures have proven to be helpful in protecting against ransomware attacks.

The proven 3-2-1 rule

The 3-2-1 rule is considered best practice in data protection. The rule states that three copies must be kept at all times, on at least two different media, with at least one of them at a different location. The three copies should be stored independently on three different systems such as NAS, SAN, tape or the cloud. To prevent corruption from propagating, the copies should not be continuously synchronized with each other but written and read independently of one another.

The use of different types of media creates additional hurdles for ransomware attacks. Real protection is provided by WORM devices such as tape libraries, which write backups to tapes and store them offline. But audit-proof storage systems, VTLs (virtual tape libraries) or object storage in the cloud can nowadays also be easily integrated into modern backup solutions.

Keeping data at an additional location is also an important measure. This is made clear by the case of the French cloud service provider OVH, whose customers lost all their data in a fire involving several data centers at one location [11]. The BSI recommends a minimum distance of 200 kilometers between geo-redundant data centers to limit the impact of local events [12].

If implemented correctly, this rule proves to be extremely effective, including for recovery from ransomware attacks. Accordingly, various leading backup software vendors promote it [13]. In practice, however, the rule is often dismissed as an ideal, and its full implementation as a Rolls-Royce solution. This assessment can have fatal consequences, so a differentiated view is definitely necessary.
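The following is an added example, not code from the original article: a small Python checker that evaluates a backup inventory against the 3-2-1 rule together with the two conditions discussed above (copies must not merely mirror each other, and at least one copy should be offline or immutable). The inventory model, field names and the two sample inventories are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass

# Inventory model for the check (assumed field names). The live production
# copy counts as copy number one, as the 3-2-1 rule intends.
@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str        # e.g. "san", "nas", "tape", "object-storage"
    location: str      # site identifier
    offline: bool      # detached or WORM/immutable: not writable by a compromised host
    synced_from: str = ""  # name of a copy this one continuously mirrors, if any


def check_321(copies):
    """Evaluate the 3-2-1 rule plus the independence and offline conditions.
    Returns one boolean per condition so the report shows what is missing."""
    names = {c.name for c in copies}
    # A copy that only mirrors another copy is not independent: corruption or
    # ransomware encryption on the source propagates through the synchronisation.
    independent = [c for c in copies if c.synced_from not in names]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.medium for c in copies}) >= 2,
        "one_offsite": len({c.location for c in copies}) >= 2,
        "independent_copies": len(independent) >= 3,
        "offline_or_immutable_copy": any(c.offline for c in copies),
    }


def is_compliant(copies):
    return all(check_321(copies).values())


# Constructed inventories for demonstration.
GOOD = [
    BackupCopy("prod-san", "san", "site-a", offline=False),
    BackupCopy("tape-weekly", "tape", "site-a", offline=True),
    BackupCopy("cloud-objlock", "object-storage", "cloud-region-1", offline=True),
]
# Three copies on two sites, but the mirror is synchronised from the NAS and
# nothing is offline: one compromised account can destroy all of them.
BAD = [
    BackupCopy("prod-san", "san", "site-a", offline=False),
    BackupCopy("nas-daily", "nas", "site-a", offline=False),
    BackupCopy("nas-mirror", "nas", "site-b", offline=False, synced_from="nas-daily"),
]

if __name__ == "__main__":
    for label, inventory in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_321(inventory))
```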

Targeted separation of responsibilities

User accounts with extensive privileges have enormous damage potential if compromised. Concepts for separating and limiting authorizations, i.e. restricting what a compromised or rogue user is able to do, have proven effective in practice.

Responsibility for backups should be separated from production as much as possible. Different media should be managed by different groups of people, or at least with different access credentials, so that one user ID cannot compromise several or all media at the same time. One example is individual CHAP credentials for each exported iSCSI volume on a storage system.

Effective authorization management

As a rule, personalized accounts should be used for individuals and the assignment of authorizations should be logged. It should be traceable at all times who holds and exercises which authorizations. Directory services, such as Active Directory, can be used to centrally manage accounts, groups and policies and disable them in case of emergency. This can make it more difficult for hackers to gain access to critical permissions.

Critical authorizations that go beyond regular activities should be protected with additional procedures. Separate administrator accounts or privilege management systems can be used to secure permissions through additional factors.

When dedicated backup software is used, individuals should only have indirect access to the backup file systems. Modern solutions can use dedicated technical user IDs to read and write backups in the background while users perform their operations on the front end.

Securing root accounts

Non-personalized root accounts should only be used in exceptional cases and should be specially secured. Every use should be linked to a documented reason, and logins should be monitored. In cloud environments, it has long been best practice not to use the root account operationally after the initial creation of the enterprise account and to secure it with MFA, alarms and other precautions. This makes unauthorized access more difficult and easier to detect from the outset.

Passwords should only be known to selected groups of people and should be rotated regularly, especially when responsibilities change. For this purpose, passwords can be stored in encrypted form and managed for teams in centralized password management systems. Offline copies on paper or USB media can also be useful: they remain available if the digital originals are lost and can be stored securely in a safe.

Encapsulation of the backup infrastructure

To avoid uncontrolled access, companies can use common concepts to encapsulate the backup infrastructure. A first starting point is dedicated physical systems for backup: servers, storage, switches or even cabling. Cloud services managed via separate accounts can also serve this purpose.

Another starting point is to logically separate the backup infrastructure by using separate network segments, such as separate V(x)LANs, IP subnets and DNS zones. Access to these segments can be secured with MFA procedures. In addition, firewalls can be used to filter network traffic to meet the. Modern firewalls offer a variety of options for this, such as identity-based or group-based filters or classic filter rules specifying sources, destinations, ports and protocols. Appropriate encapsulation procedures should also be used to isolate the different storage media from each other.

The right disaster recovery plan

The backup strategy alone is not sufficient to effectively and efficiently counter a broad ransomware attack. Due to the damage potential and the associated scope, it is an overarching organizational task to recognize attacks and initiate measures in an organized manner. Accordingly, it is recommended to include ransomware attacks as additional potential loss events in the overall business continuity management and to provide specific disaster recovery plans.

Establishing a disaster recovery plan is a proven approach to improving an organization's ability to respond to emergency situations that may arise. Its aim is to restore a company's IT as quickly as possible after an "emergency" such as a ransomware attack has occurred. For this purpose, targets are specified, procedures defined and disaster scenarios rehearsed.

Specification of targets

By specifying metrics such as the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO), binding targets can be established and the performance of a plan made measurable. These specifications should be based on the business requirements of the organization in order to minimize potential damage to business operations.

The RTO specifies the timeframe acceptable to the organization within which data and systems must be recovered. Short RTOs, ranging from minutes to a few hours, are often chosen for critical systems. For test and development systems, RTOs usually range from several hours to days.

The RPO specifies the data loss acceptable to the organization, i.e. the period between a damage event and the last usable backup. For critical transactional databases where data sets change frequently, RPOs can be as short as a few minutes. For data that rarely changes, RPO targets often range from several hours to months.

In addition, it is common to derive the number of retained backup points from the RPO, so that multiple restore points are available and recovery can go back further in time. Especially when damage is detected late, it can be essential to have older data sets that have not yet been manipulated by ransomware.

Demanding RTOs and RPOs have a direct impact on the required backup infrastructure and can be very costly. Costs and benefits must be weighed accordingly.
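As an added example (not part of the original article), the following Python code works through the RPO considerations above: it finds gaps in a backup catalog that exceed the RPO, selects the newest restore point that predates the start of a compromise rather than the newest backup overall, reports the resulting data-loss window, and derives how many restore points must be retained to cover a given detection delay. The catalog, the RPO and the compromise and detection timestamps are constructed values.

```python
from datetime import datetime, timedelta
from math import ceil

# Constructed catalog: completion times of successful backups of a
# transactional database with an assumed 6-hour RPO, oldest first.
CATALOG = [datetime(2022, 3, 1, h) for h in (0, 6, 12, 18)] + \
          [datetime(2022, 3, 2, h) for h in (0, 6, 12)]
RPO = timedelta(hours=6)
COMPROMISED = datetime(2022, 3, 2, 3, 30)   # assumed from the forensic timeline
DETECTED = datetime(2022, 3, 2, 14, 0)      # assumed time the ransomware was noticed


def rpo_violations(catalog, rpo):
    """Gaps between consecutive backups that exceed the RPO. A loss event in
    such a window would exceed the accepted data loss."""
    ordered = sorted(catalog)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > rpo]


def select_restore_point(catalog, compromise_start):
    """Newest backup completed before the earliest sign of manipulation.
    Later backups may already contain encrypted or tampered data, so they
    are not candidates even though they are 'fresher'."""
    clean = [t for t in catalog if t < compromise_start]
    return max(clean) if clean else None


def data_loss_window(catalog, compromise_start, detection_time):
    """Effective loss: everything written between the clean restore point
    and detection is encrypted or untrustworthy and must be re-entered."""
    rp = select_restore_point(catalog, compromise_start)
    return None if rp is None else detection_time - rp


def restore_points_needed(rpo, max_detection_delay):
    """Number of backup points to retain so that a manipulation detected up
    to max_detection_delay after it began still has a clean predecessor."""
    return ceil(max_detection_delay / rpo) + 1


if __name__ == "__main__":
    print("RPO gaps:", rpo_violations(CATALOG, RPO))
    print("clean restore point:", select_restore_point(CATALOG, COMPROMISED))
    print("data-loss window:", data_loss_window(CATALOG, COMPROMISED, DETECTED))
    print("points to retain for a 3-day detection delay:",
          restore_points_needed(RPO, RPO * 12))
```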

Definition of flowcharts

When a disaster occurs, such as a ransomware attack, it is critical to initiate countermeasures as effectively and efficiently as possible. Every step must be carried out in the right order. Delays can lead to higher damage from the attack itself or to additional effort in the recovery process.

For this purpose, flowcharts are useful that show who performs which action and when. They can take the form of spreadsheets, diagrams or even posted notices. It is crucial that a potential stand-in is able to understand and carry out the instructions without ambiguity. Especially in the case of ransomware attacks, it makes sense to have such plans literally ready in the drawer.

Automating these procedures can be particularly useful here. Interpreting written or pictorial instructions becomes unnecessary, so the susceptibility to error decreases. At the same time, procedures can be expedited and executed consistently, even across multiple runs. Corresponding products are available for on-premises deployments as well as cloud services.

Regular training

To ensure that the specified RTOs and RPOs can be achieved and that the flowcharts actually work, drills should take place. The employees responsible in the event of an emergency should be trained repeatedly at regular intervals. This allows companies to ensure that their employees know the current procedures and where the plans are kept.

There should also be regular disaster recovery simulations, where real-life disasters are recreated and managed. This allows the quality of defined plans to be checked in terms of meeting targets and – if necessary – readjusted. At the same time, routines can be rehearsed and trust can be established with executing employees as well as managers or other stakeholders.

Have all the tools at hand

Cyber attacks, especially ransomware, are on the rise. The next attack is only a matter of time, and companies need to have all the necessary tools in place today to avoid jumping from the frying pan into the fire when an emergency occurs. Well-known concepts and approaches can provide assistance and help to minimize the damage following an attack. Companies must not hope to be spared, but must set the right course now for their future security.
