Protecting Your Backups: The First Step to Recovering from Ransomware
by: Lari Huttunen
In cybersecurity, much of our effort focuses on helping organizations fend off ransomware by reducing their external attack surface. But what happens when, despite all the best defenses, attackers still break through and unleash havoc? In this write-up, I dive into that very scenario – when layered defenses fail, and ransomware operators succeed in doing their worst.
When I say doing their worst, I mean that ransomware operator playbook 101 states that once they gain initial access, they have two main objectives:
- Go after your IAM to be able to move laterally, persist and eventually cause as much primary damage as possible through file encryption.
- Go after your backups to ensure that you cannot recover from the ransomware attack, so that you will be more likely to pay up once they hold your crown jewels for ransom.
Compliance Isn’t Just a Checkbox: The Practical Benefits of Getting it Right #
Everyone who knows me knows that I’m not a huge fan of compliance-based security. To me, the most important reason for doing something needs to come out of a need to address an actual issue. If you’re doing something just to comply and gain a certification, then you’re most likely off the mark a bit.
If we take a moment to examine one of the main information security management systems, ISMS ISO 27001, and its guidance on ensuring continuity and the ability to recover data when disaster strikes, we learn the following:
- You will need to have a policy to ensure that critical data and systems are backed up sufficiently.
- You will need to test restoring data from the backups, to see that they actually work and can be used to rebuild a system or a service even from scratch.
- You will need to retain the backups for a well-defined period of time to meet your business needs.
- You will need to protect your backups from unauthorized access, corruption, loss or physical damage.
Too often, I see organizations focusing on just the first constraint and pinning their disaster recovery on the hope that backing up data is enough.
Once, ages ago, I was asked to help a fairly large organization recover data after a physical calamity had hit their main file server. It turned out that they had paid a nice sum of money for a tape robot which had been inserting the cleaning tape every day into the drive instead of actually backing up anything.
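The second ISO 27001 point above, actually restoring from a backup and checking the result, is what would have caught the cleaning-tape robot. The following is an added example, not code from the original post: a minimal restore drill in Python that builds a small backup set with a SHA-256 manifest, restores it to a fresh directory and verifies every file against the manifest. The file names, contents and the 90-day figure are constructed for the example; the `run_drill` helper is hypothetical and exists only to exercise the drill end to end.

```python
"""
Added example (not from the original post): a minimal restore drill.
It builds a constructed backup set with a SHA-256 manifest, "restores" it
to a fresh directory and verifies every file against the manifest, so a
backup that silently wrote nothing is caught before you need it.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup objects do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source: Path) -> Dict[str, str]:
    """Record the hash of every file at backup time, keyed by relative path.

    The manifest is written after hashing, so it never lists itself.
    """
    manifest = {
        str(p.relative_to(source)): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }
    (source / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup: Path, target: Path) -> None:
    """Copy the backup set into the target directory (the 'restore' step)."""
    shutil.copytree(backup, target, dirs_exist_ok=True)


def verify_restore(target: Path) -> List[str]:
    """Compare every manifest entry with the restored file; return the problems found."""
    manifest = json.loads((target / "MANIFEST.json").read_text())
    problems: List[str] = []
    for rel, expected in manifest.items():
        restored = target / rel
        if not restored.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(restored) != expected:
            problems.append(f"corrupt: {rel}")
    return problems


def run_drill(corrupt_one: bool = False) -> List[str]:
    """Build a constructed backup set, restore it and return the problems found.

    With corrupt_one=True the drill simulates a backup that was silently
    truncated after the manifest was written, which the verification must flag.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample data standing in for a real backup set.
        (backup / "db" / "customers.sql").write_text(
            "INSERT INTO customers VALUES (1, 'Acme');\n"
        )
        (backup / "config.yaml").write_text("retention_days: 90\n")
        write_manifest(backup)
        if corrupt_one:
            (backup / "db" / "customers.sql").write_bytes(b"")
        target = Path(tmp) / "restored"
        restore(backup, target)
        return verify_restore(target)


if __name__ == "__main__":
    print("clean drill:", run_drill() or ["OK"])
    print("truncated backup:", run_drill(corrupt_one=True))
```

In a real drill the `restore` step is whatever your backup tool's restore command is, and the manifest is produced on the source system at backup time and stored alongside the data; the point is that the check compares what came back against what was supposed to go in, rather than trusting the backup job's exit code.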
If we step into the realm of business continuity management, another management system, BCMS ISO 22301, focuses more on the business continuity aspect of ensuring that data is protected and recoverable during and after disruptions. The main emphasis is on ensuring that critical data can be restored to support ongoing operations and minimize downtime in the event of a large-scale incident. While both standards address the continuity aspect of data recovery, I like ISO 22301's focus on ensuring that data is recoverable even if you get hit by ransomware.
Ensuring Data Recovery in the Face of Ransomware #
Even if you have followed the first three steps of ISO 27001 above and ensured you can restore data even if ransomware hits all your active file systems and databases, how prepared are you to recover if the attackers target your backups?
Traditionally, tape backup strategies prepare you for an all-out emergency through periodic offsite backups. This, however, has one major flaw related to time. Unless you have a really lax business need related to your MAO (Maximum Acceptable Outage), you will most likely end up going back in time quite a bit if the only thing you have left to recover from is your quarterly offsite backup.
Even a month may be too long, should you be able to get that kind of an offsite backup policy through your bean counters.
How then, can you protect your backups?
I might be a bit old-fashioned in saying this, but I still believe that true backups exist only on tape. However, what I want to focus on here is how to ensure your data backups remain immutable, even if an adversary manages to get hold of your backup encryption and access keys.
Immutable Object Storage to the Rescue #
One modern way of ensuring that your backed-up data is immutable is to use Immutable Object Storage as the primary backup medium and create offsite tape backups out of those if your business requirements dictate that you must be able to recover even if you lose access to your primary backup medium.
The cool thing about these blob storages is that they deduplicate your data and make it possible to enforce a WORM (Write Once, Read Many) policy on them. This means that even if an attacker were able to corrupt the backups going forward, they could neither tamper with the past versions of that data nor delete the objects themselves.
Getting the storage policies correct and protecting the storage accounts are of course crucial in this game and do not remove the need to have offsite backups independent of your (offsite) immutable object storage. They do, however, raise the bar for the attacker quite a bit.
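"Getting the storage policies correct" is where most of the risk sits in practice. As an added example that is not part of the original post, the Python below models the WORM policy on AWS, where S3 Object Lock is the mechanism that gives a bucket the behaviour described above, and audits the two settings that decide whether stolen backup credentials can undo it: the retention mode and the retention period. The 90-day retention floor, the bucket name and the `apply_object_lock` helper are assumptions for the example; only `apply_object_lock` talks to AWS (through boto3), and the audit functions run offline against the same dictionary shape that boto3's `get_object_lock_configuration` returns under `ObjectLockConfiguration`.

```python
"""
Added example (not from the original post): build and audit an S3 Object
Lock configuration for an immutable backup bucket.

COMPLIANCE mode: no principal, not even the account root user, can shorten
the retention period or delete a locked object version before it expires.
GOVERNANCE mode: anyone holding s3:BypassGovernanceRetention can remove
the lock, so stolen administrative credentials defeat it.
"""
from typing import Any, Dict, List

# Retention floor you choose to match your retention policy (ISO 27001's
# "well-defined period"). 90 days is an assumed figure for this example.
REQUIRED_RETENTION_DAYS = 90


def build_object_lock_config(days: int, mode: str = "COMPLIANCE") -> Dict[str, Any]:
    """Return the ObjectLockConfiguration structure boto3's
    put_object_lock_configuration expects, defaulting to COMPLIANCE mode."""
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError(f"unknown retention mode: {mode}")
    if days < 1:
        raise ValueError("retention must be at least one day")
    return {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}},
    }


def retention_days(retention: Dict[str, Any]) -> int:
    """Normalise a DefaultRetention block (Days or Years) to a number of days."""
    if "Days" in retention:
        return int(retention["Days"])
    if "Years" in retention:
        return int(retention["Years"]) * 365
    return 0


def audit_object_lock(
    config: Dict[str, Any], required_days: int = REQUIRED_RETENTION_DAYS
) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes."""
    findings: List[str] = []
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append(
            "Object Lock is not enabled; objects can be deleted or overwritten at will"
        )
        return findings
    retention = config.get("Rule", {}).get("DefaultRetention")
    if not retention:
        findings.append(
            "no default retention rule: new backup objects are not locked "
            "unless each upload sets retention explicitly"
        )
        return findings
    if retention.get("Mode") != "COMPLIANCE":
        findings.append(
            f"retention mode is {retention.get('Mode')}; GOVERNANCE can be "
            "bypassed with s3:BypassGovernanceRetention"
        )
    days = retention_days(retention)
    if days < required_days:
        findings.append(
            f"default retention of {days} days is shorter than the required "
            f"{required_days} days"
        )
    return findings


def apply_object_lock(bucket: str, config: Dict[str, Any]) -> None:
    """Apply the configuration to a real bucket (needs AWS credentials and a
    bucket with versioning enabled, which Object Lock requires)."""
    import boto3  # imported lazily so the audit logic runs without AWS

    s3 = boto3.client("s3")
    s3.put_object_lock_configuration(Bucket=bucket, ObjectLockConfiguration=config)


if __name__ == "__main__":
    weak = build_object_lock_config(days=7, mode="GOVERNANCE")
    hardened = build_object_lock_config(days=REQUIRED_RETENTION_DAYS)
    for label, cfg in (("weak", weak), ("hardened", hardened)):
        print(label, audit_object_lock(cfg) or ["OK"])
```

The audit deliberately treats GOVERNANCE mode as a finding: it is the setting that looks immutable in the console but still yields to an account that has been fully compromised, which is exactly the scenario this write-up assumes. Whatever provider you use, the equivalent question to ask is whether the retention can be shortened or the lock removed by any credential the attacker could plausibly hold.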
All major Cloud Providers have their own version of an immutable blob storage for archival purposes:
- Amazon has a service called Amazon S3 Glacier.
- Google has Google Cloud Storage Archive Class.
- Microsoft Azure has the Azure Blob Storage Archive Tier.
So in a sense, even if I’m promoting the idea of a real tape backup, the above services can tick all the recovery boxes at significantly lower cost and with far better accessibility. In fact, these kinds of solutions play a crucial role in minimizing your disaster recovery plan’s Recovery Point Objective (RPO) and Recovery Time Objective (RTO), even in the event of an all-out ransomware attack.
Safeguarding Your Data from the Inside Out #
Let’s face it, nowadays creating classic offsite tape backups often enough is simply not feasible. It’s not the fault of the backup medium; rather:
- the threat has evolved
- and data volumes have increased significantly.
The premise of this write-up was that adversaries have completely compromised your confidentiality, integrity, and availability, gaining full access to your data, holding it for ransom, or even publishing it online.
What’s exposed may never be fully erased from the internet, but the key is that you can still get back to business – because you have secured your ability to restore and recover.