[BreachExchange] Three ransomware backup best practices to implement

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 22 20:02:26 EST 2017


http://searchdatabackup.techtarget.com/tip/Threeransomware-backup-best-practices-to-implement

Data backups are not immune to threats, and ransomware is no exception
to that rule. Backups may help to reverse the damage done by an attack, but
that's not their only use.

Backups are often thought of as being a defense mechanism against
ransomware. If not properly implemented, the backups themselves can become
infected, thereby rendering your backups useless. To prevent this from
happening, it's vital to have a ransomware backup strategy in place.

Most organizations today use backups that are based on changed block
tracking: if a storage block is modified, that block is backed up. If a
ransomware infection occurs, the encryption performed by the ransomware is
indistinguishable from a routine file modification, so the newly encrypted
file is backed up just like any other change.

By following a few best practices guidelines, you can help to keep
ransomware out of your backups.

Backups aren't your first line of defense

The cardinal ransomware backup rule is that you should never treat your
backups as a first line of defense. While it is true that your backups can
help you to reverse the damage that has been caused by ransomware, it is
far better to take measures to prevent ransomware infections from occurring
in the first place rather than counting on your backups after an infection
has already occurred.

At the very least, this means running antimalware software throughout your
organization and keeping that software updated. Even antimalware software,
however, is not perfect. There have been numerous cases over the years of
infections occurring even though the system was being protected by
antimalware software. That being the case, you might consider using process
whitelisting, which forbids any unauthorized process from running on
protected systems.

Review your version retention policies

A review of your version retention policies is another important aspect of
a ransomware backup strategy. After all, your backups are going to be
largely ineffective against ransomware if you do not have a way of
reverting files back to their unencrypted state.

On the surface, making sure that multiple file versions are being retained
probably sounds ridiculous. After all, pretty much any modern backup
product will enable you to restore an older version of a file. Even so, it
is worth considering the number of file versions retained and the length of
time for which those versions are retained. The reason for this is that you
may not know right away that an infection has occurred.

Suppose, for a moment, that a user accidentally triggers a ransomware
infection while working from a corporate desktop. Depending on how the
ransomware is designed, the infection will probably start out by encrypting
files residing directly on the infected device, but will probably then
begin encrypting files within mapped network drives. Depending on the
volume of data that a user has access to, the encryption process could take
a while to complete.

The interesting thing about this situation is that the user may not know
right away that the infection has occurred. Think about it from a malware
author's standpoint: If the ransomware were to tell the user about the
infection before or during the encryption process, then the user may be
able to take some sort of action to limit the impact of the infection. If,
on the other hand, the ransomware does not tell the user about the
infection until after it encrypts everything, then the damage is already
done.

It is also possible that even more time could elapse before the IT
department finds out about the infection. Imagine what might happen, for
instance, if the user tried to cover up the fact that they infected the
system. IT might not realize that an infection occurred until others
started reporting problems.

The point is that you may not always know about ransomware infections right
away, so backup retention policies that only save previous file versions
for a matter of hours or days may be ineffective. Ideally, a ransomware
backup strategy should include as many recovery points as possible in order
to maximize the chances of being able to recover from an infection.

Be sure to use a stopgap

If you are performing disk-based backups and ransomware somehow manages to
encrypt your entire backup target, then you will lose your ability to
recover from the ransomware attack. One way of defending against such a
situation is to put in place a stopgap mechanism. In other words, you need
a backup that the ransomware cannot touch. The only 100% reliable way of
achieving this is to have a backup that remains completely disconnected
from the system.

Tape-based backups can be an excellent stopgap against ransomware attacks
because ransomware cannot infect a tape that is not inserted into a tape
drive. Obviously, tape-based backups do not offer the advantages of a
disk-based backup, but there is no reason why you have to abandon
disk-based backups in favor of tape. Instead, you can implement a
disk-to-disk-to-tape backup architecture that will periodically copy the
contents of your disk-based backup target to a tape that can be safely
stored offline.

When an attack occurs, the ransomware could potentially encrypt the
contents of your backup storage array. Even if that doesn't happen, you
will almost certainly end up backing up infected files. As such, it is
critically important to keep ransomware off of your systems, and to have a
ransomware backup plan in place to recover your data if an attack does
occur.