While cyber incidents continue to grow in numbers, perhaps even more distressing is that these incidents are growing in sophistication.
The latest report from the Australian Cyber Security Centre (ACSC) points out that an average of 164 cybercrime incidents are received per day. Cyber adversaries have realised that to carry out a successful ransomware campaign, they must target and eliminate all data copies in an organisation’s IT environment.
The ACSC highlights this growing concern: “The ACSC has observed sophisticated cybercriminals conducting significant victim research on networks they have compromised prior to deploying ransomware. Cybercriminals will locate and target backups which have not been isolated from the network or internet, maximising the impact of their ransomware, and increasing the likelihood of victims paying ransoms to them.”
For many organisations, this means their regular backup strategy may not be effective in recovering from a cyber-attack. To address the heightened level of sophistication, backup strategies must evolve to ensure they can fulfil their intended role even when they become the target of the cyber-attack.
Unfortunately, the data shows many organisations are simply not prepared and remain vulnerable. In a Dell Technologies study, 69 per cent of organisations globally expressed that they lacked confidence in terms of reliably recovering all business-critical data in the event of a cyber-attack.
To build a cyber-resilient backup strategy, organisations must focus on two overarching essentials – fortifying backup environments against cyber-attacks and leveraging technologies that focus on speed of recovery.
Dell Technologies has spent decades perfecting our backup solutions to recover from the myriad of data loss incidents that plague our customers’ environments. We’ve learnt a few simple and effective steps that businesses can adopt to better protect themselves from regular incidents and cyber-attacks. The list below outlines eleven essential steps organisations can implement to fortify backup environments while delivering speed of recovery in this age of cyber-attacks.
If you have not moved away from tape backups, now is the time
Tape backup systems were originally designed to address disaster recovery scenarios using offsite media. The probability of encountering a disaster has always been very low. This being the case, very little attention is ever paid to speed of recovery when it comes to tape.
Unfortunately, times have changed, and most organisations may experience a cyber-attack well before they experience a disaster. Therefore, speed of recovery should not be ignored. Many organisations have turned to disk-based backup solutions. These were introduced over a decade ago to overcome tape’s many limitations. If you haven’t already done so, now is the time to switch from tape to disk-based solutions. These will provide faster recovery and greater recovery assurances.
Back up everything you need to recover the business to independently managed systems
Back up all application data supporting important business processes, including management services and data stored in the public cloud. This data should be backed up to separate environments that are independent of the source systems and cloud environment under protection. Furthermore, the backup environment should be managed by a separate team to enforce clear separation of duties between primary and backup systems.
Data retention can defend against latent cyber-attacks
Keep backup copies for at least 60 days or longer to ensure there is scope to recover from latent cyber-attacks. The aim of a latent attack is to wait for clean backup copies to expire before executing the final phase of the attack. By retaining copies for longer, we force the adversaries to increase their dwell time, which makes it harder for them to remain in the network without being noticed.
Be smart about where and how your passwords are stored
Maintain proper password management hygiene. Don’t store the passwords of backup systems in the same password vault as the systems they protect. Even better, don’t store passwords of backup systems online. Similarly, when it comes to rotating passwords, the frequency by which they are rotated should be shorter than the shortest backup retention. Adopting this policy can help thwart the final phase of an adversary’s latent attack.
Augment passwords with multi-step or multi-factor authentication
Implement multi-step and/or multi-factor authentication for administrative functions in the backup environment. This will prevent insiders from overriding policy and wiping backup systems. Access to privileged destructive commands should require an additional security officer role that prevents a single individual from executing mass data destruction commands.
Principle of least privilege is your friend
It goes without saying, always follow the principle of least privilege when it comes to securing the backup environment. This will make it harder for adversaries to compromise the control software and systems.
Audit and analyse to catch them in the act
Ensure all actions carried out on the backup systems are auditable and that logs are sent to a central Security Information and Event Management (SIEM) system. The SIEM should provide inspection, correlation and anomalous behaviour detection on access attempts, backup operations and configuration changes, to help identify unusual behaviour that does not resemble normal day-to-day or seasonal activities.
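As an added illustration, not code from the article or from any Dell product, the Python below sketches the three kinds of correlation rule the paragraph asks a SIEM to apply to a backup system’s audit feed: repeated failed access attempts, a burst of copy deletions, and a configuration change that pulls retention below the 60-day floor. The log format, account names, copy names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_RETENTION_DAYS = 60                  # floor taken from the retention guidance above
DELETE_BURST, DELETE_WINDOW = 5, timedelta(minutes=5)
FAILED_LOGIN_LIMIT = 3

# Constructed sample audit feed in a hypothetical "timestamp user action target" format.
SAMPLE_LOG = """\
2024-03-01T02:10:05 svc_backup BACKUP_OK fileserver01
2024-03-01T03:16:11 admin_jane RETENTION_CHANGE policy_default:60d->3d
2024-03-01T03:17:02 admin_jane DELETE_COPY fileserver01/2024-02-01
2024-03-01T03:17:03 admin_jane DELETE_COPY fileserver01/2024-02-08
2024-03-01T03:17:04 admin_jane DELETE_COPY mailstore/2024-02-01
2024-03-01T03:17:05 admin_jane DELETE_COPY mailstore/2024-02-08
2024-03-01T03:17:06 admin_jane DELETE_COPY erp/2024-02-01
2024-03-01T03:40:00 admin_bob LOGIN_FAIL console
2024-03-01T03:40:09 admin_bob LOGIN_FAIL console
2024-03-01T03:40:20 admin_bob LOGIN_FAIL console
"""

def detect(log_text):
    """Return (rule, user, detail) alerts for access attempts, operations and config changes."""
    alerts, deletes, failures = [], defaultdict(list), defaultdict(int)
    for line in log_text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                                   # skip malformed lines
        ts, user, action, target = datetime.fromisoformat(parts[0]), *parts[1:]
        if action == "RETENTION_CHANGE":
            # configuration change: new retention (e.g. "60d->3d") below the agreed floor
            new_days = int(target.split("->")[-1].rstrip("d"))
            if new_days < MIN_RETENTION_DAYS:
                alerts.append(("retention_shortened", user, target))
        elif action == "DELETE_COPY":
            # backup operation: burst of copy deletions by one account inside a sliding window
            window = deletes[user]
            window.append(ts)
            while ts - window[0] > DELETE_WINDOW:
                window.pop(0)
            if len(window) == DELETE_BURST:
                alerts.append(("mass_deletion", user, target))
        elif action == "LOGIN_FAIL":
            # access attempt: repeated failures against the backup console
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_LIMIT:
                alerts.append(("repeated_login_failure", user, target))
    return alerts
```

In a real deployment the thresholds would be tuned against the organisation’s own baseline, and the seasonal patterns the paragraph mentions would need a longer history than a single day of events.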
What was old is new again – Immutable data
If the backup system can enforce immutability of backup copies, turn this feature on. Immutable backups ensure the data cannot be deleted before it is due to expire, as defined by retention policies. Different systems support different levels of immutability. Consider using a system that supports the highest level of immutability in compliance mode, which prevents even the administrators from reversing a setting or deleting data before it expires.
Verify immutability features cannot be easily circumvented
Ensure the backup system’s immutability feature cannot be circumvented by changing the system clock. Sophisticated attackers can exploit NTP servers to bring clocks forward. This can overcome a backup system’s immutability feature. Backup systems should provide defences that prevent the system clock from drifting too far too soon.
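As an added example covering both the compliance-mode immutability described above and this clock-drift caveat, and not code from the article or any Dell product, the Python below models a toy retention-locked store: no role can delete a copy or shorten its retention before expiry, and the store refuses any forward clock move larger than an assumed 24-hour drift bound. The copy names, dates and bound are constructed assumptions.

```python
from datetime import datetime, timedelta
MAX_CLOCK_JUMP = timedelta(hours=24)   # assumed drift bound a backup system might enforce

class ImmutableStore:
    """Toy retention-locked store in compliance mode: no role can delete or shorten early."""
    def __init__(self, now):
        self.now = now          # the store's own trusted clock
        self.copies = {}        # copy name -> retention expiry

    def write(self, name, retention):
        self.copies[name] = self.now + retention

    def set_retention(self, name, new_expiry, role):
        # retention may only be extended; shortening is refused regardless of role
        if new_expiry < self.copies[name]:
            raise PermissionError(f"{role} may not shorten retention on {name}")
        self.copies[name] = new_expiry

    def delete(self, name, role):
        if self.copies[name] > self.now:
            raise PermissionError(f"{name} locked until {self.copies[name]}; {role} cannot override")
        del self.copies[name]

    def set_clock(self, new_time):
        # clock-drift defence: refuse a forward jump larger than the bound
        if new_time - self.now > MAX_CLOCK_JUMP:
            raise ValueError("clock jump exceeds drift bound; rejected")
        self.now = new_time

def simulate():
    store, name = ImmutableStore(datetime(2024, 3, 1)), "fileserver01/2024-03-01"
    store.write(name, timedelta(days=60))
    results = {}
    for label, action in [
        ("early_delete", lambda: store.delete(name, role="admin")),
        ("shorten_retention", lambda: store.set_retention(name, datetime(2024, 3, 2), "admin")),
        ("clock_jump", lambda: store.set_clock(datetime(2024, 5, 15))),
    ]:
        try:
            action()
            results[label] = "allowed"
        except (PermissionError, ValueError):
            results[label] = "blocked"
    # legitimate day-by-day drift stays inside the bound; once expiry passes, deletion works
    for day in range(1, 61):
        store.set_clock(datetime(2024, 3, 1) + timedelta(days=day))
    store.delete(name, role="admin")
    results["expired_delete"] = "allowed"
    return results
```

A product that enforces the same properties in hardware or firmware, rather than in a software check an administrator could reconfigure, is what the compliance-mode recommendation above is asking for.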
Just because you have a backup doesn’t mean it’s any good
The presence of a backup does not assure recovery. Backups may be incomplete or have been compromised since creation. Test and validate backup data frequently, using a systematic approach. If ransomware infiltrates an environment, it is very likely that encrypted data has been backed up and is now in the backup system. By testing regularly and proactively, issues can be identified and resolved ahead of time. What we want to avoid is finding out our backups are no good during an incident. This is yet another reason why tape backup is never a good choice. The human cost associated with restore and validation testing from tape simply doesn’t scale and provides a false sense of recoverability.
Put some air between your production and backup data with an air-gapped cyber vault
Implement a cyber recovery vault for the organisation’s most business-critical data. This may only represent a fraction of the data and provides the last line of defence with additional controls and inspection, to further counter the threat of cyber-attacks. A cyber recovery vault supports the creation of independent, isolated, immutable, and verifiable copies of the backup copies (aka backup of the backup). Metaphorically speaking, surrounding the vault is a moat that makes it extremely difficult for adversaries to recognise the vault even exists. Controls that implement an air-gap ensure the vault remains disconnected from prying eyes most of the time. The vault leverages software and automated processes that positively verify the validity of the vaulted copies, so they can be used to recover from an attack, without fear of re-infection, or waiting for data to be cleaned post-attack. This process is performed proactively to ensure an organisation’s posture is always in a ready-to-recover state. Importantly, the vault does not replace the backup environment. The vault provides an added layer of protection so as not to disrupt regular backup operations and recovery scenarios.
Cyber resilience is not about taking piecemeal measures to detect and hopefully prevent cyber-attacks, ransomware, and other intrusions. It is about having a comprehensive strategy and robust processes in place to ensure the data and applications are secure, which ultimately will lead to increased confidence in their ability to cope with any eventuality. The eleven steps outlined in this article can help organisations achieve a cyber-resilient backup strategy that allows them to rely on backups to fulfil their intended purpose, including in the face of sophisticated cyber-attacks.