GUEST COLUMN

Forward thinking about cybersecurity and ransomware starts with backup

The ins and outs of the recovery process

Cybercrime has reached unprecedented levels over the years with attacks on industry and infrastructure making headlines.
Government agencies such as the U.S. Federal Bureau of Investigation (FBI), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) continue to issue cybersecurity warnings almost daily. Yet, even as risks and awareness increase, data backup practices are stuck in 2005.

In a sense, this is fine. Regular, comprehensive, verified backups are a gold standard in data protection. If it’s reliable, trusted, and proven — if it’s worked well all these years — why change?

Well, the answer is simple: Ransomware and other cyberattacks are putting added scrutiny on backup systems. Backup practices are not only key to recovery, they’re also key to identifying when an attack has occurred, assessing the impact, and mitigating downtime — or, at least, they should be.

Many organizations aren’t looking at their backups as their first line of defense — instead, they put their faith in real-time security software that scans for and identifies malware, viruses, and other threats. But modern ransomware is sophisticated and can circumvent basic scans and integrity checks. Keep in mind that attackers are no longer individual cybercriminals or disgruntled employees — they’ve become high-tech organizations with big budgets and help desks offering cyberattack-as-a-service (CAaaS). Backup needs to be as sophisticated as the cybercriminals and their attack vectors.

Image by Pete Linforth from Pixabay

So let’s take a look at backup and recovery in a time of cybercrime.

Strategic approaches include validating data integrity, forensic reporting and diagnostics, and full analytics. The following functions are essential.

Scan — Cyber protection requires that backups be searched for signs of attack and compromised data, including content (both unstructured files and databases) and core infrastructure. Signs include encrypted data and ransomware as well as mass deletion and slow corruption.

Alert — Administrators should be immediately notified when signs indicate an attack, suspicious behavior, or cyber corruption.

Diagnose — Administrators need to understand the who, what, where, and when of the attack. Post-attack reports and diagnostic details will assist recovery.

Identify the last good backup — The system must find the last known uncorrupted version, so operations return to normal with minimal downtime. Modern data analytics can validate the integrity of all files and databases on the initial scan.

Regardless of the vulnerabilities, the rise in ransomware is putting pressure on enterprises to have a real cyber recovery plan and not depend on their disaster recovery systems. Here are a few outdated practices that are woefully insufficient in the current era of cyberattacks.

Metadata analysis — As ransomware has become far more advanced, solely examining file metadata for signs of attack is no longer reliable. Metadata scanning and analysis can be easily circumvented, not to mention that sophisticated corruption also hides inside the contents of files and databases.

Two-part scans — Some security products do an initial scan and then send flagged content to the cloud for further analysis. However, sensitive information should not be transmitted to the cloud.

Trusting backups — Always validate backup integrity first. Some strains, like Conti, can shut down backup software entirely. Slow attacks can corrupt data over a long period of time, resulting in companies restoring data that still contains ransomware. Use machine learning analysis to compare data changes over time.

Trusting security — Attacks can circumvent security software by hiding inside virtual machines and cached copies of data, among other methods. The highly destructive Ragnar Locker and WastedLocker evaded traditional security products that scanned disks.
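To make the four essential functions above (scan, alert, diagnose, identify the last good backup) and the "metadata analysis" and "trusting backups" caveats concrete, here is an added Python example; it is not code from the column or from Index Engines. It compares consecutive backup snapshots, raises an alert when an indicator crosses a threshold, reports the when/what/where, and selects the last snapshot taken before the first alert. Run with a content-aware scan (byte entropy of each file) it flags the day files were encrypted in place; run with a metadata-only scan over the same snapshots it misses that day and nominates a backup that already contains ciphertext. The snapshot layout, file paths, thresholds and file contents are all constructed assumptions.

```python
"""Backup-side ransomware indicators over a series of backup snapshots:
scan (content-aware), alert, diagnose, and identify the last good backup.

Added example; not code from the column or from Index Engines. The snapshot
layout (timestamp plus a dict of path -> file bytes), the file paths, the
thresholds and all file contents are constructed for illustration.
"""
import hashlib
import math
from collections import Counter

# Assumed thresholds; a real deployment tunes these against its own data.
ENTROPY_THRESHOLD = 7.0   # bits/byte: plain documents sit near 4-5, ciphertext near 8
ENCRYPTED_SHARE = 0.25    # share of carried-over files whose entropy jumped
DELETED_SHARE = 0.25      # share of previous files missing from the new snapshot
SUSPICIOUS_SUFFIXES = (".locked", ".encrypted", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def metadata_only_scan(prev: dict, cur: dict) -> list:
    """The outdated approach: look only at names, extensions and file counts."""
    findings = [("suspicious_extension", p) for p in sorted(cur)
                if p.endswith(SUSPICIOUS_SUFFIXES)]
    missing = sorted(set(prev) - set(cur))
    if prev and len(missing) / len(prev) >= DELETED_SHARE:
        findings.append(("mass_deletion", missing))
    return findings


def content_scan(prev: dict, cur: dict) -> list:
    """Metadata checks plus an entropy jump on files that kept their name,
    which is how in-place encryption shows up while metadata looks normal."""
    findings = metadata_only_scan(prev, cur)
    carried = sorted(p for p in cur if p in prev)
    jumped = [p for p in carried
              if shannon_entropy(prev[p]) < ENTROPY_THRESHOLD <= shannon_entropy(cur[p])]
    if carried and len(jumped) / len(carried) >= ENCRYPTED_SHARE:
        findings.append(("entropy_jump", jumped))
    return findings


def should_alert(findings: list) -> bool:
    """Alert: any indicator from a scan warrants an immediate notification."""
    return bool(findings)


def diagnose(snapshots: list, scan=content_scan) -> list:
    """Diagnose: compare each snapshot with its predecessor and report the
    when (timestamp), what (indicator) and where (paths) for each."""
    reports = []
    for earlier, later in zip(snapshots, snapshots[1:]):
        findings = scan(earlier["files"], later["files"])
        reports.append({"when": later["when"],
                        "alert": should_alert(findings),
                        "findings": findings})
    return reports


def last_good_snapshot(snapshots: list, scan=content_scan) -> str:
    """Identify the last good backup: the timestamp of the most recent
    snapshot taken before the first one that raises an alert."""
    for snap, report in zip(snapshots, diagnose(snapshots, scan)):
        if report["alert"]:
            return snap["when"]
    return snapshots[-1]["when"]


# --- constructed snapshot series (stand-in for a real backup catalogue) ---
def fake_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest()
                    for i in range(size // 32))

SAMPLE_DOC = b"Quarterly figures and notes for the finance team. " * 20
PATH_PATTERN = "/share/finance/report{}.docx"   # constructed path pattern

SNAPSHOTS = [
    {"when": "2024-03-01T02:00", "files": {PATH_PATTERN.format(i): SAMPLE_DOC for i in range(8)}},
    {"when": "2024-03-02T02:00", "files": {PATH_PATTERN.format(i): SAMPLE_DOC + b"revised" for i in range(8)}},
    # Day 3: four files encrypted in place; names and file count unchanged.
    {"when": "2024-03-03T02:00", "files": {
        **{PATH_PATTERN.format(i): fake_ciphertext(f"r{i}") for i in range(4)},
        **{PATH_PATTERN.format(i): SAMPLE_DOC + b"revised" for i in range(4, 8)}}},
    # Day 4: the encrypted files are renamed with a ransom extension.
    {"when": "2024-03-04T02:00", "files": {
        **{PATH_PATTERN.format(i) + ".locked": fake_ciphertext(f"r{i}") for i in range(4)},
        **{PATH_PATTERN.format(i): SAMPLE_DOC + b"revised" for i in range(4, 8)}}},
]

if __name__ == "__main__":
    for report in diagnose(SNAPSHOTS):
        print(report["when"], "ALERT" if report["alert"] else "ok",
              [kind for kind, _ in report["findings"]])
    print("last good (metadata only):", last_good_snapshot(SNAPSHOTS, metadata_only_scan))
    print("last good (content-aware):", last_good_snapshot(SNAPSHOTS))
```

With the constructed data the metadata-only scan stays quiet until the ransom extension appears on day 4 and therefore nominates the day 3 snapshot, whose four encrypted files would be restored as-is; the content-aware scan alerts on day 3 and nominates day 2. The comparison across successive snapshots is also what catches the slow-corruption case the column describes, since a file's entropy is judged against its own earlier copy rather than an absolute cut-off alone.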

Sadly, many enterprises are not prepared to go into battle because the very systems that are supposed to keep them safe, backed up, and secure are not as effective as they need to be. Surviving a cyberattack today with backup practices from the past is unlikely. Following these suggestions can speed up recovery time and decrease downtime.

Jim McGann

Jim McGann is vice president of Index Engines, a provider of data search, reporting, disposition, and preservation for enterprise needs, including IT, legal, and security. He is a frequent writer and speaker on the topics of big data, backup tape remediation, electronic discovery, and records management.
