Organizations need to better manage backup data to ensure effective ransomware incident response
- Published: Friday, 01 October 2021 08:34
Government agencies such as the US Federal Bureau of Investigation (FBI), the United Kingdom’s National Cyber Security Centre (NCSC), and US Cybersecurity and Infrastructure Security Agency (CISA) continue to issue warnings on ransomware as attacks increase.
Whatever vulnerability an attacker exploits, addressing data backup systems is fundamental to reducing the risk of downtime due to ransomware and other cyber attacks, according to experts at Index Engines.
Regular, comprehensive, verified backups are not only key to rapid and reliable recovery; they are also key to identifying that an attack has occurred and knowing its impact. Real-time security software is no longer adequate, says Index Engines: modern ransomware is sophisticated and can circumvent basic scans and integrity checks. Highly destructive Ragnar Locker and WastedLocker, to name two, both encrypt data, while others, including Conti, can shut down backup software entirely.
“Perpetrators of attacks are no longer individual cybercriminals or disgruntled employees, they’ve become high-tech organizations offering Cyberattack-as-a-Service (CAaaS), complete with big budgets and help desks,” said Jim McGann, vice president of Index Engines. “Sadly many enterprises are not prepared to go into battle because the very systems that are supposed to keep them safe, backed up and secure, are not as effective as they need to be.”
To provide a proper defence, data backup and protection products need to perform the following added functions:
- Scan: search backup content (unstructured files, databases and core infrastructure) for signs of attack or compromised data, such as encryption, ransomware, mass deletion and slow corruption.
- Alert: immediately notify administrators when signs indicate an attack may have occurred.
- Diagnose: understand the who, what, where and when of the attack to support recovery.
- Identify the last good backup: find the last known uncorrupted version so operations return to normal with minimal downtime.
Index Engines further advises organizations that the following tools and practices may be insufficient in the current era of cyber attack, in which criminals know how to cover their tracks:
- Metadata analysis: as ransomware has become far more advanced, examining file metadata alone for signs of attack is no longer reliable and can be circumvented.
- Trusting backups without first validating their integrity: slow attacks corrupt data gradually, so companies end up restoring data that still contains ransomware.
- Trusting security software alone: attacks can hide inside virtual machines and cached copies of data, among other methods, to circumvent traditional security tools.
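The scan, alert and last-good-backup functions listed above, and the weakness of metadata-only checks, can be shown on a chain of backup snapshots. The following script is an added example written for this page, not Index Engines' product or code. It assumes each snapshot is a mapping from path to file content (constructed in-memory data stands in for a real backup image), treats the first snapshot as a trusted baseline, and uses byte entropy as the content signal: text sits around 4 to 5 bits per byte, ciphertext near 8. A size-and-name comparison (the metadata-only check) misses files that were encrypted in place, while the content scan flags them and the mass deletion that follows.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

Snapshot = Dict[str, bytes]          # path -> file contents (constructed stand-in for a backup image)

ENTROPY_THRESHOLD = 7.0              # bits per byte; plain text ~4-5, ciphertext ~8 (assumed cut-off)
MASS_DELETE_FRACTION = 0.5           # alert if more than half of the previous snapshot's files vanish


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def metadata_only_check(prev: Snapshot, curr: Snapshot) -> List[str]:
    """Name-and-size comparison only: the kind of check the article calls no longer reliable."""
    findings = [f"missing: {p}" for p in prev if p not in curr]
    for path, data in curr.items():
        if path in prev and len(data) != len(prev[path]):
            findings.append(f"size changed: {path}")
    return findings


def scan_snapshot(prev: Snapshot, curr: Snapshot) -> List[str]:
    """Content scan of one snapshot against its predecessor: in-place encryption and mass deletion."""
    findings = []
    deleted = [p for p in prev if p not in curr]
    if prev and len(deleted) / len(prev) > MASS_DELETE_FRACTION:
        findings.append(f"mass deletion: {len(deleted)}/{len(prev)} files removed")
    for path, data in curr.items():
        # a file that was readable text before and is near-random now was encrypted in place,
        # regardless of whether its name or size changed
        if path in prev and shannon_entropy(prev[path]) < ENTROPY_THRESHOLD <= shannon_entropy(data):
            findings.append(f"encrypted in place: {path}")
    return findings


def identify_last_good(snapshots: List[Tuple[str, Snapshot]]) -> Tuple[str, Dict[str, List[str]]]:
    """Walk the chain in order; return the last snapshot before the first finding plus a per-snapshot report.
    The first snapshot is assumed to be a trusted baseline."""
    report: Dict[str, List[str]] = {}
    last_good = snapshots[0][0]
    compromised = False
    for (_, prev), (name, curr) in zip(snapshots, snapshots[1:]):
        findings = scan_snapshot(prev, curr)
        report[name] = findings
        compromised = compromised or bool(findings)
        if not compromised:
            last_good = name
    return last_good, report


def fake_ciphertext(n: int) -> bytes:
    """Constructed stand-in for ciphertext: every byte value equally frequent, so entropy is ~8 bits/byte."""
    return (bytes(range(256)) * (n // 256 + 1))[:n]


# Constructed snapshot chain: ordinary edit, then slow in-place encryption, then mass deletion.
PLAIN = b"quarterly revenue figures, see attached spreadsheet\n" * 40
BASE = {"finance/q3.txt": PLAIN, "hr/policy.txt": PLAIN, "eng/design.txt": PLAIN, "ops/runbook.txt": PLAIN}
DAY1 = dict(BASE)
DAY2 = dict(BASE, **{"eng/design.txt": PLAIN + b"appendix\n"})          # ordinary edit
DAY3 = dict(DAY2, **{"finance/q3.txt": fake_ciphertext(len(PLAIN))})    # encrypted in place, same name and size
DAY4 = dict(DAY3, **{"hr/policy.txt": fake_ciphertext(len(PLAIN))})     # slow corruption: one more file
DAY5 = {"ops/runbook.txt": DAY4["ops/runbook.txt"]}                     # mass deletion
SNAPSHOTS = [("backup-01", DAY1), ("backup-02", DAY2), ("backup-03", DAY3),
             ("backup-04", DAY4), ("backup-05", DAY5)]

if __name__ == "__main__":
    print("metadata-only view of backup-03:", metadata_only_check(DAY2, DAY3))
    last_good, report = identify_last_good(SNAPSHOTS)
    for name, findings in report.items():
        for finding in findings:
            print(f"ALERT {name}: {finding}")    # alert delivery (mail, ticket, SIEM) is left to the operator
    print("last good backup:", last_good)
```

Run against the constructed chain, the metadata-only check reports nothing for backup-03 because the encrypted file kept its name and size, whereas the content scan raises an alert for that snapshot and for the deletion in backup-05, and the last good backup resolves to backup-02. On real backup images the entropy cut-off needs tuning, since compressed and already-encrypted formats are legitimately near 8 bits per byte.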
“Rising ransomware is putting pressure on enterprises to have a true cyber recovery plan and not depend on their disaster recovery plan,” said McGann. “This includes full analytics, forensic reporting and diagnostics, validating the integrity of the data. Backup needs to be as sophisticated as the cyber criminals and the attack vectors.”