Managing a Breach Blog – March 2020

Managing a breach | Let’s talk about recovery

When the National Cyber Security Centre advises on combatting the increasing cyber threat, they are saying that organisations should focus on When, Not If [a cyber breach] occurs [1]. This is a call to plan for recovery.

A breach, or cyber attack as it is more commonly known in the press, often reveals itself in one of a number of ways, typically:

  1. An attempt at invoice fraud, typically through a Business Email Compromise.
  2. The theft of critical data.
  3. An evolved ransomware infection, encrypting files across your network, your public cloud networks (such as Microsoft Azure) and your supply chain. Denying your users access to the data they need to perform their day-to-day work is a key part of the process for the attackers.

With cyber insurance claims related to ransomware up 37% in the latter period of 2019 [2], and compromised IT support providers being responsible for 24% of this increase [2], I would like to provide some guidance on what you can do to minimise your downtime and improve your Organisational Resilience ahead of an evolved ransomware attack.

Ransomware is a generic term for a family of malware that infects files, typically Windows files but more recently Office 365 files as well, and encrypts them so the information they contain cannot be accessed. In around 90% of cases ransomware gets onto a network through an unsuspecting user clicking on a link in a phishing email. Once the data has been encrypted, a ransom message appears asking for payment in Bitcoin for the release of the decryption keys.

In the early days of ransomware, this threat could be combatted by restoring the previous day’s backup, and the unencrypted files would reappear on the network. Since 2017 ransomware has become much more sophisticated, as hackers realised that if the data cannot be recovered, it is much more likely the ransom will be paid. This is evolved ransomware.

The first instances of evolved ransomware loaded their malware onto a network and then discovered where on the network the company’s backup files were being stored. They then deleted these backup files just prior to encrypting the user data. With over 40 different backup file types listed and targeted by evolved ransomware, this remains a problem today for many backup software vendors and service providers, as their daily backup files remain vulnerable to deletion by ransomware. Backup providers then advised customers to store copies offsite and air-gapped, either in the cloud or at a different physical location.

Hackers responded and developed new strains that, rather than detonating and encrypting immediately, start infecting files throughout the network without the users being able to detect the infection. Over time, as files become infected and each daily backup runs, the older, clean backups are cycled out, and all of the company’s backups become infected, irrespective of where they are stored.

According to Ponemon Institute and IBM Security [3], the average time between a cyber breach and the company becoming aware they have a breach is 191 days. During this time ransomware will have infected over six months of backups. For many companies their backup retention cycle is shorter.

When this form of ransomware is detonated, usually just prior to a bank holiday, the user files become encrypted. To get back up and running, the backups are restored and encrypted data is pushed back into the network creating an Attack Loop of ransomware that re-encrypts clean files.
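The retention problem above can be made concrete by walking a rotation schedule back against the dwell time. The following is an added example, not part of the original post or Data2Vault’s tooling: it assumes a grandfather-father-son schedule (14 daily copies, 8 weekly copies taken on Sundays, 12 monthly copies taken on the 1st), which is an illustrative assumption rather than any vendor’s default, and it uses the 191-day dwell figure quoted from the Ponemon/IBM study. It reports which restore points predate the infection, which is the only data you can safely restore without re-entering the Attack Loop.

```python
from datetime import date, timedelta

# Dwell time quoted in the post (Ponemon Institute / IBM Security figure).
DWELL_DAYS = 191


def restore_points(today, daily=14, weekly=8, monthly=12):
    """Return the set of backup dates a GFS rotation still holds on `today`.

    daily:   keep the last N daily backups
    weekly:  keep one backup per week (taken on Sundays) for N weeks
    monthly: keep one backup per month (taken on the 1st) for N months
    The schedule itself is an assumption for illustration.
    """
    kept = set()
    for d in range(daily):
        kept.add(today - timedelta(days=d))

    # Walk back day by day, keeping Sundays until N weekly copies are found.
    day, count = today, 0
    while count < weekly:
        if day.weekday() == 6:          # Monday == 0 ... Sunday == 6
            kept.add(day)
            count += 1
        day -= timedelta(days=1)

    # Same for the 1st of each month.
    day, count = today, 0
    while count < monthly:
        if day.day == 1:
            kept.add(day)
            count += 1
        day -= timedelta(days=1)
    return kept


def clean_restore_points(today, dwell_days, **schedule):
    """Restore points taken before the silent infection began, oldest first.

    Anything on or after `today - dwell_days` must be assumed to contain
    infected files and is exactly what the post calls the Attack Loop.
    """
    infected_since = today - timedelta(days=dwell_days)
    return sorted(p for p in restore_points(today, **schedule) if p < infected_since)


if __name__ == "__main__":
    # Constructed date for the walkthrough: the month this post was published.
    today = date(2020, 3, 31)
    clean = clean_restore_points(today, DWELL_DAYS)
    print(f"GFS 14/8/12: {len(clean)} clean restore points, oldest {clean[0] if clean else None}")
    daily_only = clean_restore_points(today, DWELL_DAYS, daily=30, weekly=0, monthly=0)
    print(f"30 daily copies only: {len(daily_only)} clean restore points")
```

With the 191-day dwell, every daily and weekly copy postdates the infection; only the monthly copies taken up to 1 September 2019 are clean, and a 30-day daily-only policy leaves nothing at all. The recoverable data is therefore up to six months old, which is why the Recovery Point Objective in the plan below matters as much as the Recovery Time Objective.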

So what can you do to minimise the impact and optimise the recovery?

  1. Create a simple Business Impact Analysis. Identify your critical data, where it is stored on the network, and define the Recovery Time Objective (how long you can operate without this data) and the Recovery Point Objective (how far back you can go and still have the data be useful) for each set of critical data.
  2. Differentiate between recovering complete systems (operating systems and applications) and recovering the data. Your data is unique and irreplaceable. Everything else can be reinstalled from scratch if really necessary, and doing so is often faster than being in an Attack Loop of restoring infected virtual machine images.
  3. Adopt a data backup plan that creates local and offsite backup copies, uses a different infrastructure to the operational systems in use, and provides integrated measures against the evolved ransomware threat.
  4. To successfully combat evolved ransomware your backup service must:
    a. Scan data as it is backed up, and as it is restored, alerting you while quarantining and cleaning data as needed.
    b. Completely obscure the backup files so ransomware cannot identify, locate and delete the backup files during an attack.
    c. Prevent the mass deletion of all backup files, locally and offsite, by an automated source or program such as evolved ransomware.
  5. Enable the creation of an IT Disaster Recovery Plan that includes the regular testing of data restores.
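The three capabilities in 4a-4c are easier to evaluate in a vendor conversation once you have seen what each one means in code. The block below is an added illustration, not Data2Vault’s or any backup vendor’s implementation: the `BackupVault` class, its in-memory stores and the sample documents are all constructed for the example. It scans on backup and on restore (4a) using a byte-entropy heuristic with quarantine and alerting, names stored objects by a keyed HMAC of the logical path so the store exposes nothing a ransomware file-type list could match (4b), and refuses deletions once an automated caller exceeds a rate within a time window (4c). The restore-time scan is what breaks the Attack Loop described earlier: a copy taken before detection rules existed is not pushed back into the network.

```python
import hashlib
import hmac
import math
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0. Ciphertext sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class BackupVault:
    """Toy backup store modelling capabilities 4a, 4b and 4c (constructed example)."""

    def __init__(self, vault_key: bytes, entropy_threshold: float = 7.5,
                 max_deletes_per_window: int = 5, window_seconds: int = 3600):
        self._key = vault_key
        self.entropy_threshold = entropy_threshold
        self.max_deletes = max_deletes_per_window
        self.window = window_seconds
        self.objects = {}          # opaque object id -> bytes (what sits on disk/cloud)
        self.catalogue = {}        # logical path -> opaque object id (kept apart from the data)
        self.quarantine = {}       # logical path -> bytes held back for review
        self.alerts = []
        self._recent_deletes = deque()

    # 4b: stored names are keyed HMACs of the path, so anything that reaches the
    # store sees only hex blobs and cannot pick out "*.bak" or "*.vbk" to delete.
    def _object_id(self, path: str) -> str:
        return hmac.new(self._key, path.encode(), hashlib.sha256).hexdigest()

    # 4a: entropy is a heuristic. Archives, images and legitimately encrypted
    # files are also dense, so a production scanner pairs this with file-type
    # checks and known ransomware markers; the threshold here is an assumption.
    def _suspicious(self, data: bytes) -> bool:
        return shannon_entropy(data) >= self.entropy_threshold

    def backup(self, path: str, data: bytes) -> bool:
        """Ingest one file; returns False (and quarantines) if it looks encrypted."""
        if self._suspicious(data):
            self.quarantine[path] = data
            self.alerts.append(f"backup: quarantined {path} (entropy {shannon_entropy(data):.2f})")
            return False
        oid = self._object_id(path)
        self.objects[oid] = data
        self.catalogue[path] = oid
        return True

    def restore(self, path: str):
        """Return the stored bytes, or None if the stored copy now fails the scan."""
        oid = self.catalogue[path]
        data = self.objects[oid]
        if self._suspicious(data):          # scan on the way out as well (Attack Loop)
            self.quarantine[path] = data
            self.alerts.append(f"restore: blocked {path}, stored copy looks encrypted")
            return None
        return data

    # 4c: rate-limit deletions; `now` is injected so the behaviour is testable.
    def delete(self, path: str, now: float) -> bool:
        while self._recent_deletes and now - self._recent_deletes[0] > self.window:
            self._recent_deletes.popleft()
        if len(self._recent_deletes) >= self.max_deletes:
            self.alerts.append(f"delete: refused {path}, {self.max_deletes} deletes within {self.window}s")
            return False
        oid = self.catalogue.pop(path, None)
        if oid is None:
            return False
        del self.objects[oid]
        self._recent_deletes.append(now)
        return True


# Constructed sample inputs. CLEAN_DOC is ordinary text; ENCRYPTED_DOC is a
# deterministic pseudo-random stream (SHA-256 of a counter) standing in for a
# ransomware-encrypted file, so the example runs offline and reproducibly.
CLEAN_DOC = b"Quarterly invoice run: customer 0042, GBP 1,250.00, due in 30 days.\n" * 64
ENCRYPTED_DOC = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))


def demo():
    vault = BackupVault(vault_key=b"example-vault-key")   # constructed key, not a real secret
    accepted = vault.backup("finance/invoices.xlsx", CLEAN_DOC)
    rejected = vault.backup("finance/invoices.xlsx.locked", ENCRYPTED_DOC)
    for i in range(8):
        vault.backup(f"archive/day-{i}.bak", CLEAN_DOC)
    deletes = [vault.delete(f"archive/day-{i}.bak", now=1000.0 + i) for i in range(8)]
    return accepted, rejected, deletes, vault.alerts


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

In the demo the clean workbook is accepted, the encrypted one is quarantined with an alert, and a burst of eight deletions is cut off after five, which is the signal a monitoring team would want to see from a backup platform rather than discovering at restore time that the copies are gone.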

Any backup service or software solution that does not provide the three key capabilities in points 4a-4c is exposing your organisation to an ever more sophisticated cyber vulnerability, one which shows no signs of slowing its charge any time soon.

One final note of caution: if your recovery plan is to pay the ransom, the hackers only send the decryption keys over in around 30% of cases after a payment is made. Once the data is decrypted, there will almost certainly be hacking code remaining on your network, which is a vulnerability that can be exploited at a future date.

[1] https://www.theguardian.com/technology/2018/jan/22/cyber-attack-on-uk-matter-of-when-not-if-says-security-chief-ciaran-martin

[2] Beazley Breach Insights Report 2019

[3] https://www.ibm.com/downloads/cas/AEJYBPWA


For more information please contact:

Mark Saville

Data2Vault

0333 344 2380


Mark Saville, MD and founder of the company. Led the MBO of Asigra MSP Smartways along with Catapult Venture Capital. Has worked with Asigra technology since September 2007, and through the due diligence work carried out with the MBO VCs gained a strong commercial insight into the MSP side of an Asigra business.

Has held senior executive positions within start-ups and high growth businesses; including Business Union Distribution (email and file archiving), Peapod Distribution (information security and data protection including Legato) and The Wollongong Group (multi-platform IP). Extensive experience of developing channels, enterprise sales, business management and vendor relationships. Spent two years as Sales & Marketing Director at Smartways, growing the Asigra capacity from 6 to 22Tb by developing Reseller channels and building a direct marketing approach for lead generation.