Ransomware will be the most likely Disaster Recovery event

Why are these attacks happening? Who are the people or organizations behind it? Has the COVID pandemic played a part? And how can you be prepared fo recovery? Now notice I did not mention ransomware prevention. That is a completely different can of worms. Ransomware prevention includes a different discussion around technology and social engineering, and perhaps we’ll address that at a later date. So, let’s begin.

Why ransomware? Ransomware will be the most likely Disaster Recovery event your business will be exposed to in 2020. Due to the current geopolitical rhetoric and the COVID pandemic, a frightening trend quickly emerging around ransomware. Not only has there been a tremendous uptick in ransomware attacks, the threat actors are getting really sophisticated and savvy in how they are breaching your network and locking down your data. So, who are these people? Ransomware attacks have become the next criminal enterprise, and it’s not only some kid in their basement. While it could be the young kid with a new toolkit trying to hack into your system, more often than not it’s actually a business. Think rogue nation states with hundreds of threat actors looking for any vulnerability they can find. A new business model for organized crime, or rogue governments and corporations taking out the competition. And they are not just encrypting your data. They get in and patiently wait while they find your most sensitive data, lock it up and destroy your backups, leaving you with little option but to pay an untraceable crypto based ransom to an unknown entity.

And if you don’t have a crypto account, that takes days to set up, or you have to engage your insurance company, you have cyber insurance, right? This sets off an entire series of events with attorneys and forensics getting involved. So that leads us to the why. Money. The cost of cyber insurance is on the rise due to ransomware and the attackers know it. They know how much money they can extract and paralyze your business to ensure their demands are met. Now, though money is a driving force, ransomware attacks also occur to eliminate competition and at an even higher level, play out as digital warfare.

And how has COVID played a part? The workforce became distributed, dispersed, and we now have tens of thousands of new VPN sources. Employees are forced to use the unprotected home computer, therefore creating hundreds of vulnerabilities in a business network. There are steps that you can take to both help prevent an attack and recover your data when it is breached and or encrypted. So, next I’ll be discussing with our CTO, Brian Rice, the challenges, tactics, and safeguards to be put in place, both on-prem and in the Cloud to ensure business livelihood.

So, Brian, what’s really changed in ransomware? What are hackers doing today that maybe we haven’t seen in the past to enable or to ensure their demands are being met?

Brian Rice: The sophistication around the community has grown tremendously. So, given the information you provided earlier around who the actors are and how they’re playing out as the complexity has come in, from the sophistication of tool sets, the actors that are involved, the financial backing that they’re getting to custom develop these tool sets. And that’s creating an environment where they’re being more sophisticated in their actions in terms of how their vulnerabilities are being delivered. So, they are going after well-defined applications, well known attributes that are out there that are announced daily, and they’re using those to build the holes and the attack vectors for them to get in and lie and wait. So, in the process of lying and waiting, they’re monitoring systems, they’re monitoring credentials, they’re looking for the pieces that they want that make the targets easier and more expansive in terms of their attacks. So, they can get it and lock the core systems, lock the core applications and close down as much avenue for recovery as possible.

Kate Bissenger: How long are they lying in wait? Would somebody be aware if somebody’s in there for a few minutes, hours or a week? What’s that timeframe sometimes?

Brian: It could be any of those. Without sophisticated tool sets that analyze your protection mechanisms that would’ve been able to analyze that and notice those variations, you may never know. They could be days, they can certainly be months, depending on their environments.

Kate: Can you give us a scenario where a customer of ours was attacked by a ransomware? What did they do to recover their data? Or what was in their DR plan that allowed them to recover their data?

Brian: Sure. Part of that was the dramatic expansion of the workforce going from on-premise in a corporate setting to their home settings. So, as part of that, the attack vectors have grown by the tens of thousands as we alluded to as part of your introduction. So, that vector is enormous and the businesses weren’t ready for that, the corporations weren’t ready for that. So, when mom went home and dad went home to log in and to get into the company, they didn’t have a computer typically. So, they’re using whatever they had. So, you set up a VPN on that and all of a sudden, if that’s a lie and wait scenario where there was a Trojan piece of ransomware sitting in that machine, all of a sudden it’s introduced to the entire environment and they have a new vector to access. So, there was no plan to handle that large influx of home PC’s in the environment.

So, the attack surfaces were astronomically larger for corporations to try to monitor, nearly impossible. So, as part of that, that goes back to the original thing of those Trojans and the people there were lying in wait, so they had a new opportunity, exposed a new hole and they took advantage of that as part of the process, part of the COVID pandemic, it was part of that. In doing that, they could have easily gotten access to admin credentials, if you had an admin at home that was using a PC that they didn’t know necessarily was exposed. So, all of a sudden you have admin credentials, once you have those credentials, now all of a sudden you are looking at locking core systems. The ability to lock core systems, they had the ability to destroy backups locally, backups in any DR plan that they had, they were just deleting the information. In some cases that led to cloud services, if they had, just on premise, protection with no Cloud components to that, then they were exposed of the fact that they just had everything from print and they exposed all of that in one shot.

Kate: So, when we approach a customer, what’s the main thing that we talk about when we’re helping them set their DR plan? Or what should businesses talk to their cloud providers about setting up their DR plan for any type of recovery, especially in this instance, ransomware recovery? Is there one main thing you discuss first?

Brian: Typically, you’re looking at the ability to control your credentials. Like I alluded to before, if somebody exposes an admin level credential, that credential could typically be used multiple places, and then they’re going to look for all of those places to where that credential will work. So, if they find one place and they can expand that throughout the environment, they’re going to do that, they’re going to lock up everything that can get to those credentials. Those credentials could be on-prem systems, they could be off-prem, they could be all 365 environments, whatever it may be, those credentials are exposed. So, the key around that is to make sure you have variation in credentials, you have complex, long credentials. We recommend pass-phrases versus passwords nowadays, just to have sentences that you remember, to keep those credentials variable. And then we use additional tools sets around that as well.

Kate: I know different passwords are meant for different systems, how do admins, or how should people manage all of that? I’m sure there’s a way to do that.

Brian: Typically, you have password management systems which, typically, take a set of passwords, it will encrypt those, and you can share those among your admins levels in the environment. So, that comes from a common system. It’s a common SharePoint. You can have people come and go and you can change passwords all dynamically on the fly. Your admins can use different passwords that they may not even know for access to different systems.

Kate: With managing the credentials, obviously there’s going to be more to somebody’s DR plan, what would be the next steps? It sounds like we want it to be robust.

Brian: Absolutely, absolutely. A number of options come to mind, but probably the first and foremost, it’s a newer capability in a lot of systems, is immutable data protection.

Kate: What is immutable data protection?

Brian: That literally is the capability to lock your backups, your DR protected systems, things like that from being able to be deleted by anyone, including admins and potentially even the vendor couldn’t delete those backups.

Kate: With managing the credentials, obviously there’s going to be more to a DR plan than that, sounds like we want it to be robust. What would be the next thing you would discuss or next steps you would talk with the customer for a DR plan?

Brian: Typically, it’s all about immutable data. So, there’s new protection systems and a number of environments where you can lock your data. You can set your images to be locked and non-expirable for a period of time. So, the immutable storage is, or the immutable protection, is just that, is that nobody can delete those prior to the expiration.

Kate: Can you expand a little bit more? I’ve never heard of immutable storage, maybe tell us a little bit more about how they’re utilized or what admins or people do with them?

Brian: The key around those are really just setting what your expiration timeframe looks like, and you do have to be reasonable with those because once you lock them, typically, nobody can delete them. So, not even a vendor of the products, typically, they try to even eliminate themselves from that loop. So, you want to be careful about your time lengths that you’re looking at for immutability. But they also protect you and all of your data from any other hacker, because if nobody can delete it, then nobody, typically, can delete it. So, there’s that basic premise around there. Again, so you do want to be careful of your time lengths. The other good part about immutability is that you can use it on-prem as well as you can reach to the Cloud. So, you can take that same steps both locally as well as cloud-based.

Kate: And do people use that as a backup? Can people backup that data when it is in immutable storage, or is it there and always will be there and you can’t recover from it?

Brian: You can always recover from it. The key is that the data cannot be deleted. So, that data is there no matter what. So, if you need recoverability, you can absolutely do that.

Kate: Okay. So, we’re taking these steps with our customers, we’re getting them a more robust DR plan. As a cloud provider, what does Net3 do? How do we design SLA’s for our customers?

Brian: We utilize Actifio on one of those key benefit factors there that they provide. We can build the SLA’s around any customer requirements, whether it’s on-prem services or through our cloud delivery service. And we have the ability to literally just say yes, in a single box that says, yes, we want this data to be protected and immutable. And we can do that in any number of steps within the process. The application in the system provides that capability. So, we can do that on premise, we can do that in the Cloud, we can do that in S3 storage, for example, and they’re on vault environment, and we can control that SLA throughout the entire environment.

Kate: Is it pretty easy to do?

Brian: Very easy, very easy. It’s literally checking a box.

Kate: So, once we’ve satisfied immutable storage, SLA’s, what do we look for next? Or what do we do next?

Brian: It’s really just best security practices. And they’re all about the ability to minimize that attack surface as much as you can. The COVID pandemic and a lot of corporations had large exposures there and they’ve done a huge amount of work to minimize those surfaces going forward. Areas around white listing, IP white listing, as well as geo-fencing your environments are important.

Kate: What’s geo-fencing?

Brian: Geo-fencing is the ability to take and control the actual sources of IP addresses on the internet. So, you can set up an environment and minimize what countries, what areas, what locations those IPS can come from, and who’s allowed to talk to you.

Kate: And what other areas do you recommend other than the white listing and geo-fencing or best practices?
Is there anything else that you recommend people do?

Brian: Absolutely. Probably one of the biggest, most important things that a lot of people are missing today are true full DR testing, the cradle to grave, understanding the process, understanding what all happens, and setting your scale in terms of high priority DR to low priority DR. And the key around that is doing that test, having complete, accurate runbooks to execute those tests and to even have those on paper, document them on paper, because if you have them in digital form and you’re attacked and all of that, it’s locked, you can’t get to it.

Kate: How many tests should people be running? I’m sure being in technology, things are changing at a rapid
pace. What do you recommend as far as timeframe? How many times people should test per year?

Brian: I would typically say two times per year. And that’s given that things are all standard and not a lot changes typically, but it’s still two times a year. And enough things change in those time windows that something will have to be updated in your runbook. The other piece would really be, if you have a major change, structural change to your business environment, a new system or an outdated system, retired system, whatever that may be, that’s another time to really reevaluate your DR.

Kate: And obviously, if you’re making a change to your plan, if you’re working with a cloud provider, you need to notify them of that change, and perhaps they’re helping you make that change. So, everybody is aware of what that change is or what that current DR plan looks like.

Brian: Absolutely, absolutely. These are very difficult things to do in a vacuum. So, you do want to notify and have your providers, all your providers, as part of the team.

Kate: So, if we’re talking about runbooks and DR plans, is there any other layer of protection that customers need?

Brian: I think you hit right on the point, really it is a layering of protection. How do you effectively layer that protection from both your on-premise services and an arm’s length to the Cloud? So, the key is really having a simple tool, being able to control all those environments and being able to set SLA’s that meet across all of those environments, meets the criteria for those environments. Yet if your components have great pieces, you can do all of the same processes on-prem that you can do in the Cloud, and you can even change technologies. So, with the on vault, you can go to S3 style storage in a completely different environment with a similar SLA’s, and control that cradle to grave to the process.

Kate: So what should customers look for in a backup disaster recovery software from the vendor that maybe sets it apart from somebody else?

Brian: It really is just that ease of use, it’s that cohesive environment that you can use on-prem, you can use in the Cloud, you can use any multiple sets of targets that you can control. There’s also integrations that certain vendors have, and Actifio does great in terms of that separation of credentials. So, if you target your on-prem systems, anything ever happened to that and you target a remote system in that same fashion back to the Cloud, is they use secure key credential exchanges, which isn’t a username password, it’s a certificate. It is a complex AES encrypted code that works between only their systems. So, it’s very difficult to breach that next layer of protection.

Kate: So, in looking at everything that we have discussed, from credentials to security key exchanges, we really want customers to have a very thorough and robust recovery plan. Is there anything additional that you would like to add, tidbits, helpful hints, to help people out there from a ransomware attack?

Brian: Absolutely. And it’s really just to follow your best security plans. Have a plan, execute it, know that it works, know that you have options in terms of pushing data off-prem. If they lock all your data on-prem and they somehow even access your low level storage environment, they could lock everything that you have. The services and the actors are getting more sophisticated, the tool sets will be better every day. So, it’s going to be a constant battle, but having those layers of protection, having that separation of duty, separation of credentials, all of those types of things protect you in the longterm.

Kate: Thank you.

Brian: Great. Thank you.

Kate Bissenger is the marketing director of Net3 Technology. Net3 is a cloud services firm out of Greenville, South Carolina that provides backup, disaster recovery, business continuity and production services across the United States.


Webinar: How to Protect & Recover your Critical Data from Ransomware Attacks

Recent Posts