Until recently the standard advice was to turn to your backups to initiate a response to a ransomware attack. However, as attackers have adapted their techniques to target backups, is this approach still feasible? Peter Groucutt describes three ways of protecting backups to ensure that they can be used effectively after a ransomware attack.
It’s often said that there are only two ways to recover from a ransomware attack: pay the ransom or recover data from backups. For an attack to be profitable, cybercriminals therefore need to compromise the victim’s backups as well, leaving no alternative but to pay.
There are however a number of ways to protect backups and stop them from being encrypted along with production data.
Immutable storage
Immutable storage is the simplest way to protect backup data. Data is written in a Write Once Read Many (WORM) state and can be neither modified nor deleted until a pre-specified retention period has elapsed. The policy is set in the backup software or at the storage layer, and it means that a backup, once written, cannot be changed or encrypted. The distinction matters: a retention policy that the backup application (or an attacker holding backup administrator credentials) can shorten or switch off is not truly immutable, so the lock should be enforced by the storage platform itself.
The downside is cost. Nothing can be removed before its retention period expires, so the volume of stored data grows, and once the period is set the organization is committed to it; being able to shorten it later would defeat the purpose.
One criticism of immutable storage is that it is slow. It is not the immutability itself that makes the storage slower; it is how it tends to be used in practice. Because immutability increases how much data is retained, immutable backups are often pushed onto the slower, cheaper archive tiers of storage.
For example, with S3 versus Glacier on AWS, or Hot versus Archive Blob storage on Microsoft Azure, the issue is not just that the storage performs worse: archive storage is effectively ‘offline’. Objects have to be rehydrated before they can be read, which can mean waiting up to 12 hours just to gain access to the archived data before a recovery can begin.
The answer is to find the right balance between cost, performance and risk. Ransomware is driving organizations to take recovery points more frequently (to shorten the recovery point objective, RPO) and to retain them for longer, so that a clean copy from before the infection still exists when the attack is discovered; both increase backup storage. It is wise to keep recent backups on higher-performance storage and to use archive tiers only for older backups retained for governance, risk and compliance purposes.
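Whether a bucket’s immutability actually holds up is something you can check rather than assume. The following script is an added example, not the author’s or any vendor’s code: it lints the structure that the AWS API returns for GetObjectLockConfiguration (as boto3’s s3.get_object_lock_configuration() surfaces it). The bucket configurations it examines are constructed for illustration, and the 30-day minimum is an assumed threshold; it should cover the attacker dwell time you expect plus the time needed to notice and respond. Azure’s equivalent (time-based retention policies on Blob storage) is not covered here.

```python
"""Audit an S3 Object Lock configuration for backup immutability.

Added example: a lint over the JSON structure that the AWS API returns for
GetObjectLockConfiguration (the shape boto3's s3.get_object_lock_configuration()
returns). The configurations below are constructed for illustration, not read
from a real bucket.
"""

# Minimum default retention (days) we expect a backup bucket to enforce.
# Assumption for this example: retention must cover the longest plausible
# attacker dwell time plus the time needed to notice and respond.
MIN_RETENTION_DAYS = 30


def _retention_days(rule):
    """Normalise a DefaultRetention block to days (either Days or Years may be set)."""
    retention = rule.get("DefaultRetention", {})
    if "Days" in retention:
        return int(retention["Days"])
    if "Years" in retention:
        return int(retention["Years"]) * 365
    return 0


def audit_object_lock(config, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: backups can be deleted or overwritten")
        return findings  # nothing else applies
    rule = lock.get("Rule")
    if not rule or "DefaultRetention" not in rule:
        findings.append("no default retention rule: new objects are written without a lock")
        return findings
    mode = rule["DefaultRetention"].get("Mode")
    if mode == "GOVERNANCE":
        findings.append(
            "GOVERNANCE mode: any principal with s3:BypassGovernanceRetention "
            "(for example a compromised admin) can shorten or remove the lock"
        )
    elif mode != "COMPLIANCE":
        findings.append(f"unknown retention mode {mode!r}")
    days = _retention_days(rule)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the {min_days}-day minimum")
    return findings


# Constructed configurations for illustration. A bucket that never had Object
# Lock enabled makes the API return an error; it is represented here as {}.
WEAK_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}
STRONG_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}},
    }
}
UNLOCKED_BUCKET = {}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_BUCKET), ("strong", STRONG_BUCKET), ("unlocked", UNLOCKED_BUCKET)]:
        print(name, audit_object_lock(cfg) or ["ok"])
```

The GOVERNANCE finding is the one most often missed: governance mode looks immutable in the console, but an identity that can assume a role with s3:BypassGovernanceRetention can still delete the objects, which is exactly the identity a ransomware operator goes after. Compliance mode cannot be shortened by any AWS account principal, including root, which is why it is the right setting for the backup copy you intend to recover from.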
Utilising an ‘air-gap’
Another method of protection is the ‘air-gap’. Adding an ‘air-gap’ means separating backups from production data so that there is no path along which an attack can spread from one to the other.
Traditionally, that means keeping a copy of data physically separate, often on tape. If an organization doesn’t want to keep its backups on tape (as many don’t), it’s also possible to create a logical ‘air-gap’, and there are several ways to do that.
For example, the backup environment should sit outside the directory domain (typically Active Directory) of the organization it protects. This means that an attacker who has taken over the production domain does not automatically hold credentials that work against the backups.
You can also keep backup storage accounts separate from production ones, in a different subscription or tenant. Using a backup service provider improves security and increases that separation further.
Using third parties changes your risk profile. Every additional supplier introduces an increased chance of supply-chain attack, but it also adds diversity and separation.
Restricting access
To protect backups, it’s important to prevent unauthorised access to backup software. Restricting access, strong passwords, and MFA all reduce the chance of attackers accessing backups.
In a successful ransomware attack, the production environment will already have been compromised. It is therefore possible that keyloggers or other credential theft have been used to obtain access to other systems, including backup accounts. Enforcing multi-factor authentication (MFA) on Backup Administrator accounts, and keeping those accounts separate from everyday administrative accounts, helps keep them ring-fenced at all times.
It also helps to protect against a subtle technique attackers use on backups. Rather than deleting backups or doing something else that might alert an organization to their presence, attackers simply change backup policies. For example, where an organization originally kept 30 recovery points of its data, an attacker reduces retention to just one. These changes are much harder to notice than a deletion; the attacker then simply waits for the older backups to expire before launching the encryption. Alerting on policy changes, and enforcing retention with storage-level immutability that the backup software itself cannot override, closes this gap.
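The policy-tampering technique described above leaves a trail in the backup server’s configuration, so it can be caught by diffing that configuration over time. The script below is an added example, not a feature of any backup product: it compares two snapshots of job policies and raises an alert whenever retention is reduced, a job is disabled or deleted, or a schedule changes. The snapshot format (job name mapping to retention_points, enabled and schedule) and the job names are assumptions for the example; the snapshots themselves are constructed, and in practice they would be exported from the backup server’s API or audit log and stored somewhere the backup administrator account cannot edit.

```python
"""Detect silent weakening of backup job policies between two snapshots.

Added example, not vendor code. Snapshots are plain dicts keyed by job name,
with a 'retention_points' count, an 'enabled' flag and a 'schedule' string.
Assumption: they are exported from the backup server on a schedule and kept
outside the backup domain, so the comparison cannot be tampered with.
"""


def policy_drift(before, after):
    """Compare two policy snapshots; return a list of (severity, job, message)."""
    alerts = []
    for job, old in before.items():
        new = after.get(job)
        if new is None:
            alerts.append(("high", job, "backup job deleted"))
            continue
        if old["enabled"] and not new["enabled"]:
            alerts.append(("high", job, "backup job disabled"))
        if new["retention_points"] < old["retention_points"]:
            # The quiet pre-attack move: shrink retention and wait for old copies to expire.
            alerts.append((
                "high", job,
                f"retention reduced from {old['retention_points']} to "
                f"{new['retention_points']} recovery points; older copies will expire",
            ))
        if new["schedule"] != old["schedule"]:
            alerts.append(("medium", job,
                           f"schedule changed from {old['schedule']!r} to {new['schedule']!r}"))
    for job in after.keys() - before.keys():
        alerts.append(("low", job, "new backup job appeared"))
    return alerts


# Constructed snapshots: the attacker has cut retention on the file server job
# from 30 copies to 1 and left everything else untouched.
SNAPSHOT_MONDAY = {
    "fileserver-daily": {"retention_points": 30, "enabled": True, "schedule": "daily 01:00"},
    "sql-hourly": {"retention_points": 48, "enabled": True, "schedule": "hourly"},
}
SNAPSHOT_TUESDAY = {
    "fileserver-daily": {"retention_points": 1, "enabled": True, "schedule": "daily 01:00"},
    "sql-hourly": {"retention_points": 48, "enabled": True, "schedule": "hourly"},
}

if __name__ == "__main__":
    for severity, job, msg in policy_drift(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY):
        print(f"[{severity}] {job}: {msg}")
```

Any reduction in retention is treated as high severity because there is rarely a legitimate reason for it that was not planned and documented in advance; the alert should go to someone other than the backup administrators, since theirs are the credentials an attacker is most likely holding.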
Using backups to detect attacks
Backup vendors are now adding innovative features to detect and help prevent attacks.
The first way this is done is by monitoring the backups themselves. Daily incremental backups are usually consistent in size. A sudden, very large incremental backup indicates that a great deal of data has changed and should be investigated as a potential ransomware attack. The limitation of this kind of alert is that it fires only after the data has already been encrypted.
On the other hand, the benefit of these alerts is that they pinpoint when the encryption started, which helps to quickly identify the most recent clean backup from before the infection to recover from.
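The size check above is easy to automate. The following script is an added example, not a product feature: it scores each day’s incremental backup against the median and median absolute deviation (MAD) of the preceding seven days, flags days that sit far above the baseline, and returns the last backup taken before the first flagged day as the recovery candidate. The job history is constructed for illustration (sizes in GB, dates arbitrary); the seven-day window and the threshold of six MAD units are assumed tuning values. A median/MAD baseline is used rather than a mean and standard deviation so that the first huge day does not immediately inflate the baseline and mask the second.

```python
"""Flag abnormally large incremental backups and locate the last clean recovery point.

Added example. Sizes are daily incremental backup sizes in GB, constructed for
illustration; a real deployment would pull them from the backup server's job
history. Each day is scored against the median and median absolute deviation
(MAD) of the preceding WINDOW days, which keeps one huge day from distorting
the baseline used for the next.
"""
from statistics import median

WINDOW = 7       # days of history used as the baseline for each point (assumed)
THRESHOLD = 6.0  # robust z-score above which a day is treated as anomalous (assumed)


def robust_score(value, baseline):
    """One-sided robust z-score: how far value sits above the baseline median, in MAD units."""
    centre = median(baseline)
    mad = median(abs(x - centre) for x in baseline)
    if mad == 0:                      # all baseline days identical: avoid divide-by-zero
        mad = max(0.01 * centre, 1e-9)
    return 0.6745 * (value - centre) / mad   # 0.6745 rescales MAD to sigma for normal data


def find_anomalies(history, window=WINDOW, threshold=THRESHOLD):
    """Return [(date, size_gb, score)] for days whose incremental size is anomalously large."""
    anomalies = []
    for i in range(window, len(history)):
        baseline = [size for _, size in history[i - window:i]]
        date, size = history[i]
        score = robust_score(size, baseline)
        if score > threshold:
            anomalies.append((date, size, round(score, 1)))
    return anomalies


def last_clean_point(history, window=WINDOW, threshold=THRESHOLD):
    """Date of the most recent backup taken before the first anomalous day, or None."""
    anomalies = find_anomalies(history, window, threshold)
    if not anomalies:
        return None
    first_bad = anomalies[0][0]
    dates = [date for date, _ in history]
    idx = dates.index(first_bad)
    return dates[idx - 1] if idx > 0 else None


# Constructed job history: steady ~12 GB/day, then encryption rewrites almost everything.
HISTORY = [
    ("2024-03-01", 12.1), ("2024-03-02", 11.8), ("2024-03-03", 12.4), ("2024-03-04", 13.0),
    ("2024-03-05", 11.9), ("2024-03-06", 12.2), ("2024-03-07", 12.6), ("2024-03-08", 11.7),
    ("2024-03-09", 12.3), ("2024-03-10", 12.0), ("2024-03-11", 348.0), ("2024-03-12", 355.0),
]

if __name__ == "__main__":
    for date, size, score in find_anomalies(HISTORY):
        print(f"{date}: {size} GB incremental, score {score}")
    print("restore from:", last_clean_point(HISTORY))
```

Note that the backup dated 2024-03-11 is not necessarily the first one containing encrypted data in a real incident, only the first one large enough to notice; if the attacker encrypted slowly, the clean point may be earlier, which is one more reason to retain more recovery points than the alert alone suggests.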
It’s also important to monitor production storage, because that detects encryption much earlier than the backup size does. One method is to plant honeypot (canary) files that no legitimate process should ever touch, monitor them closely, and alert as soon as ransomware modifies or encrypts them.
Another method is to monitor the entire storage environment for spikes in I/O activity, since these indicate major changes to data. While this is more resource-intensive, it means that infections can be detected more quickly. In the event of an attack, faster detection and identification translate into reduced damage and accelerated recovery.
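A honeypot file check of the kind described above needs two signals: whether the file changed at all, and whether what replaced it looks encrypted. The script below is an added example, not any vendor’s implementation: it plants decoy files, records their SHA-256 hashes in a manifest (which should be kept off the monitored host), and on each check reports missing files, modified files and, by measuring byte entropy, files whose contents now look encrypted. The decoy names and contents are constructed, the 7.0 bits-per-byte threshold is an assumed value (encrypted or compressed data sits near 8.0, plain office documents well below it), and demo() simulates the ransomware by overwriting one canary with random bytes so that the whole cycle runs in a temporary directory.

```python
"""Plant honeypot (canary) files and detect when something rewrites or encrypts them.

Added example, not a product feature. Canaries are ordinary files that no
legitimate process should touch: a hash mismatch means something wrote to
them, and a jump in byte entropy is the signature of encryption rather than
an ordinary edit. demo() runs the whole cycle in a temporary directory.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Constructed content for the decoys: plausible-looking but low-entropy text.
CANARY_TEXT = ("Q1 payroll summary, internal use only.\n" * 100).encode()
ENTROPY_ALERT = 7.0  # bits per byte (assumed); encrypted/compressed data sits near 8.0


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def plant_canaries(directory, names):
    """Write decoy files and return a manifest {path: sha256} to be stored off-box."""
    manifest = {}
    for name in names:
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(CANARY_TEXT)
        manifest[path] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return manifest


def check_canaries(manifest):
    """Compare each canary to its manifest hash; return [(path, reason, entropy)]."""
    alerts = []
    for path, expected in manifest.items():
        if not os.path.exists(path):
            alerts.append((path, "missing", 0.0))   # deleted or renamed (e.g. to .locked)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != expected:
            entropy = shannon_entropy(data)
            reason = "encrypted" if entropy >= ENTROPY_ALERT else "modified"
            alerts.append((path, reason, round(entropy, 2)))
    return alerts


def demo():
    """Plant canaries, simulate ransomware on one, and return (before, after) alert lists."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = plant_canaries(tmp, ["payroll_2024.xlsx", "board_minutes.docx"])
        before = check_canaries(manifest)
        victim = os.path.join(tmp, "payroll_2024.xlsx")
        with open(victim, "wb") as fh:          # simulated encryption: random bytes
            fh.write(os.urandom(len(CANARY_TEXT)))
        after = check_canaries(manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

In production the check would run on a short interval from a separate monitoring host, with the decoys scattered among real data on file servers so that an encryptor walking the tree reaches them early, and the manifest stored where the file server’s own credentials cannot reach it.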
The author
Peter Groucutt is Managing Director at Databarracks.