Securing backups: defending your defence
Over the past year, ransomware attacks have continued to hurt society, disrupting organisations, governments and individuals.
In May 2021, the Colonial Pipeline ransomware attack, which began with an exploited password, halted the largest US gasoline pipeline for several days. In November, millions of Australians came within minutes of losing power to their homes because of a ransomware attack on a Queensland power station.
Meanwhile, ransomware attacks on Australian organisations increased 15% in the past financial year, contributing to a significant portion of the 67,500 cybercrime reports received by the ACSC.
Ultimately, ransomware isn’t slowing down. Attacks are becoming more complex and prevalent. They are getting smarter, with a wider variety of specialised, targeted threats emerging.
Two-pronged ransomware attacks are an increasingly popular approach among hackers. In this approach, first observed in 2018, attackers go after an organisation’s backups before encrypting systems, so a business’s last line of defence is stripped away before the attack’s presence is even known.
This strategy is becoming more common and highlights the need for businesses to update and reconsider their business continuity and disaster recovery (BCDR) plans. Companies should take a multistep approach to account for the risks of backup software, given that it requires a high level of access to files, systems, virtual machines, databases and other aspects of a computing environment.
The first priority is to minimise the risk of hackers gaining access to backup systems, both on premises and in the cloud. Multifactor authentication (MFA) should be mandatory, not only for access to the backup portal, but also for activity that could potentially see backup data manipulated or deleted.
Connect the pieces of the puzzle to cover all endpoints
There’s a variety of interconnected factors to consider when securing backups. It is vital for businesses to assess every endpoint and application’s vulnerability, as any one of them can provide a passageway for hackers to exploit a business’s most valuable data.
Organisations need to ensure connections cannot be directly linked to a backup appliance. They should heavily restrict remote access to the local backup appliance on the LAN and implement layers of protection to prevent malicious access. Remote monitoring and management (RMM) solutions used to manage backups are potentially vulnerable, so they require tightened security. Also, appliances should be separated from backups stored in the cloud with independent authentication mechanisms. The cloud and local browser can be accessed in seconds, so admin credentials for the appliance should never be stored in those locations.
File extensions such as .bak make backup files easy targets because they are easily located. To ensure backups remain safe, they should remain in a read-only state. If encrypting, follow the best practice of storing the encryption key on a separate and physically secured device. In addition, businesses should proactively scan backups for ransomware or vulnerabilities.
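As an added example (not part of the original article), the Python sketch below audits a backup directory for the weaknesses described above: backup files that are still writable, predictable extensions such as .bak, and key files stored beside the backups. The function names, the key-file extensions and the sample files are assumptions made for illustration, and POSIX permission bits stand in for "read-only" here.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumptions for this example (not from the article):
PREDICTABLE_EXTS = {".bak"}        # extension the article names as easy to locate
KEY_EXTS = {".key", ".pem"}        # hypothetical key-file extensions
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def audit_backup_tree(root):
    """Return a sorted list of (finding, relative_path) for files under root."""
    findings = []
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in KEY_EXTS:
            # Keys belong on a separate, physically secured device.
            findings.append(("key-stored-with-backups", rel))
            continue
        if path.stat().st_mode & WRITE_BITS:
            findings.append(("writable-backup", rel))
        if ext in PREDICTABLE_EXTS:
            findings.append(("predictable-extension", rel))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: three files, two of them with problems."""
    root = Path(root)
    (root / "daily").mkdir()
    samples = {
        "daily/db.bak": 0o644,        # writable and predictable extension
        "daily/vm-image.dat": 0o444,  # read-only, neutral name: no finding
        "backup.key": 0o400,          # key kept beside the backups
    }
    for name, mode in samples.items():
        p = root / name
        p.write_bytes(b"constructed sample")
        os.chmod(p, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding, rel in audit_backup_tree(tmp):
            print(f"{finding:26} {rel}")
```

Permission bits only show whether the file system would allow a change; a delayed-delete window or storage-level immutability still has to be confirmed in the backup product itself.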
Eat. Sleep. Back up. Repeat.
Businesses should create multiple copies of backups in separate secure locations, and limit the ability to modify the data or its storage. This is crucial for situations in which a threat actor has managed to encrypt your data. Transitioning from cyber protection to cyber resilience requires businesses to take an assumed-breach approach to cybersecurity and be ready for anything.
Current backup solutions provide several point-in-time recovery points, as well as the ability to replicate backups to the cloud. In addition, backups can be protected from intentional or accidental deletion by a delayed delete time window. Testing should include a full restoration and should occur regularly. Businesses should also perform bare metal restorations as they would occur in a real disaster situation. Finally, businesses should confirm that network connectivity can be re-established, that key services (eg, Active Directory) are working properly and that applications can communicate with each other, and document everything in a recovery plan.
Organisations need to ensure their backup systems are regularly updated and tested to avoid danger and corruption. Businesses should adopt an assumed-breach model, bring themselves into line with the Essential Eight framework, and work towards a cybersecurity posture that looks past protection and to resilience.