Ransomware & zero-day threats: Backup evolving

ransomware and zero-day threats, digital hygiene

Jeremy Wyatt, Operations Director at FCS, explains how backup is evolving to aid recovery from ransomware and zero-day threats

Backup is evolving to aid recovery from ransomware and zero-day threats. Companies are turning to a new method of assuming that there are already breaches, rather than merely reacting to attacks after they are found. Backup solutions have evolved to ensure companies can restore a clean version of their data.

There have been several recent examples of huge wide-ranging exploits leading to potential hacks, as well as the ongoing and evolving threat from ransomware:

SolarWinds Hackers launched a broad and indiscriminate effort to compromise the network management software used by both government and the private sector. 9 federal agencies and about 100 private sector companies were compromised. Roughly 18,000 entities downloaded the malicious update. So, the scale of potential access far exceeded the number of known compromises.

Log4j is another example of where systems have vulnerabilities that companies were simply unaware of. Log4j didn’t necessarily mean a company was hacked, but it allowed hackers to easily exploit this widely used logging component.

Polkit vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009. The polkit vulnerability was a memory corruption vulnerability that allows an unprivileged logged-in user to gain full root access on a Linux system in its default configuration.

Ransomware has continued to evolve. The latest ransomware versions do not detonate right away. They first spread to as many systems as they can by utilising the permissions of the compromised systems, including backup repositories. Then they wait a week, a month or longer before they detonate. Backup systems see ransomware as just another file to be protected, unwittingly backing it up with legitimate data during the timeframe the ransomware is sitting idle before detonating. When the ransomware finally detonates, the backup administrator goes to their most recent backup and recovers the data. But wait. As soon as it has been recovered, it detonates again. They then go to an older backup, repeat the recovery, and ransomware detonates again. This is known as a ransomware attack-loop.

Software companies quickly release patches for exploits, but what about attack-loops. Companies are investing further in cyber security solutions trying to detect these exploits before being compromised and building more effective defences. The rise in MFA has helped add a layer of security to users, but what defences are there for the zero-day attack and attack-loops?

Backup evolved

Secure data backup & data recovery

To ensure that you never restore malware back into your cleansed, patched or new environment, backup solutions have evolved to scan the data during the backup and restore process. Integrating with leading anti-malware solutions to deliver an automated recovery process to check and clean infected backup data, ensuring that backup data recovered into production is free of cyberthreats. This helps eliminate re-infections, nullifying the attack-loop and providing additional confidence that a threat has been properly neutralised and no longer exists within your environment.

This powerful capability is useful for:

  • Detecting “sleeping” malware in backup data and invoking anti-virus remediation to disinfect data before it lands back into the production environment.
  • Verifying backups from locations with less IT control, such as remote and branch offices (ROBO), before restoring them into the primary data.
  • Scanning backup data with additional anti-virus solutions to better detect rare or zero-day malware.

Resilient backups: Air-Gapped and immutable

Cybercriminals now routinely attempt to encrypt or delete an organisation’s backups as part of any attack. Success for the adversary is critical here because without backups, the victim must pay handsomely to recover their data.

Resilient backups are simply backups that cannot be destroyed by an adversary — even one who has acquired administrative credentials. At the simplest level, robust resiliency can be achieved by backup to removable drives or to tapes which are then removed from the tape library. Having offline, air-gapped backups is step one.

Immutability is just the start

Some seek to implement immutability via a double or triple immutability approach.

This can include leveraging the Backup Hardened Repositories for on-premises, first-level backups, then leveraging the immutability capability in S3 Object Lock for cloud or on-premises object storage, and/or automatically writing backups to WORM (write one, read many) physical tape media.

While immutability, whether implemented as a single, double or triple immutable approach is very helpful in remediating cyberthreats, it is only the beginning of a comprehensive protection practice.

Encryption end-to-end is needed to fend off data exfiltration

Today, one of the fastest rising cyberthreats is data leakage and data exfiltration, whereby a ransom must be paid to avoid sensitive data from being shared on the dark web.

Proper authentication and ‘digital hygiene’ regarding least privilege access, are needed to remediate against data injection. Data also needs to be protected against being altered such that records and entries that appear valid have not been maliciously changed to be invalid.

Other digital hygiene best practices include:

  • Unique passwords for every login source. This way, you can ensure that if one password or machine gets breached, the stolen password won’t give hackers access to other accounts.
  • A password manager. A robust password manager can help manage all your login information, making it easier to create and use strong, unique passwords.
  • Multi-Factor Authentication (MFA). You can configure MFA for additional security of your accounts, which will require continual secondary validation at every login.
  • Remove unused devices, applications and non-essential programmes and utilities from all servers.
  • Patch management — make sure all software, hardware and firmware in use are running up-to-date software levels that have shored up any known vulnerabilities.

Offline copies of data are needed to combat insider threats, including the destruction of data. Insider threats are a rising concern, with some analyst firms stating that most cyberthreats over the next three years could come from employees of the business.

Comprehensive ransomware remediation: Implement a complete ransomware remediation strategy to help you fulfil all ransomware remediation functions identify, protect, detect, respond and recover.

FCS offer services from consultation, managed service, third line support to license only. Please feel free to get in touch for a no-obligation chat.

*Please note: This is a commercial profile

© 2019. This work is licensed under CC-BY-NC-ND.

Contributor Profile

Operations Director
Phone: 0333 666 9991
Website: Visit Website


Please enter your comment!
Please enter your name here