Thursday, June 3, 2021

Survive Ransomware Attack using backups

 

A 3-2-1 backup strategy for business-critical data that can survive a ransomware attack:

 

Keep three (3) copies of the data (the production copy plus two reasonably current backups), stored on two (2) different storage media or locations, with one (1) copy held off-site, for example encrypted and stored with a cloud storage provider.

 

If one backup copy is encrypted by ransomware, we can recover from another copy, provided the copies are genuinely independent: kept in different locations and not all reachable from the compromised system.

 

Ransomware targets any backup it can reach over the network, including local shadow copies (which many ransomware families delete outright) and network-attached storage; as a result, every network resource a compromised user can write to will be encrypted. To prevent this we should follow strict air-gap policies, such as:

·         taking backup media offline as soon as the backup job completes, by physically disconnecting it

·         keeping malware detection tools up to date

·         patching systems promptly

 

Using air-gapped, off-site media is best practice. Where media cannot be taken offline, use immutable storage: write once, read many (WORM) media such as optical disks, flash storage or tape configured as WORM. AWS (S3 Object Lock), Azure (immutable blob storage) and a few other cloud providers offer WORM-style cloud storage in which objects cannot be overwritten or deleted until a retention period expires. We also need to be prepared for:

·         the time it takes to restore systems (recovery time objective)

·         which systems to restore first

·         a clean, isolated network to restore into, so recovered systems are not re-infected

·         the frequency of backups (recovery point objective), which also matters:

o   How often does the data change?

o   How much does it impact the business if the restored data is not current?
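A worked example of two points made above (recover from a different copy, and trust only a copy that provably has not been touched), added here and not taken from the original post or from any vendor's backup tool. It is a small Python simulation on constructed data: three copies of a backup are made, a stand-in for an encryptor wipes the live data and the online NAS copy, a second copy suffers a quiet single-file change, and the restore routine takes the first copy whose files still match a SHA-256 manifest recorded in an out-of-band catalog. The directory names (nas, offsite, cloud_worm), the manifest file name and the catalog layout are assumptions made for the example; real WORM storage enforces the immutability that the cloud_worm directory here only stands in for.

```python
"""3-2-1 restore with manifest verification (added example, not from the post)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.json"   # assumed name; written inside every backup copy


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> str:
    """Copy src to dst, write a manifest of per-file hashes into dst and return
    the manifest's own hash. That hash is the 'catalog' entry: it is assumed to
    be kept somewhere the backup client (and ransomware on it) cannot write."""
    shutil.copytree(src, dst)
    manifest = {str(p.relative_to(dst)): sha256_file(p)
                for p in sorted(dst.rglob("*")) if p.is_file()}
    data = json.dumps(manifest, sort_keys=True).encode()
    (dst / MANIFEST).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify_backup(copy: Path, catalog_hash: str) -> list[str]:
    """Return a list of problems; an empty list means the copy is trustworthy."""
    mpath = copy / MANIFEST
    if not mpath.is_file():
        return ["manifest missing"]                  # renamed/encrypted with the data
    data = mpath.read_bytes()
    if hashlib.sha256(data).hexdigest() != catalog_hash:
        return ["manifest does not match catalog"]   # manifest itself rewritten
    problems = []
    for rel, digest in json.loads(data).items():
        p = copy / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return problems


def simulate_ransomware(directory: Path) -> None:
    """Constructed stand-in for an encryptor: every reachable file, manifest
    included, is overwritten with junk and renamed with a .locked extension."""
    for p in [q for q in directory.rglob("*") if q.is_file()]:
        p.write_bytes(hashlib.sha256(p.read_bytes()).digest() * 2)
        p.rename(p.with_name(p.name + ".locked"))


def restore(copies: list[Path], catalog_hash: str, dst: Path) -> Path | None:
    """Restore from the first copy that verifies cleanly; None if none does."""
    for copy in copies:
        if not verify_backup(copy, catalog_hash):
            shutil.copytree(copy, dst, ignore=shutil.ignore_patterns(MANIFEST))
            return copy
    return None


def demo() -> dict:
    root = Path(tempfile.mkdtemp(prefix="321-"))
    live = root / "live"
    live.mkdir()
    (live / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed sample data
    (live / "notes.txt").write_text("quarterly close\n")

    # Three copies: online NAS, off-site disk, and a WORM cloud bucket (all
    # plain directories here; the names are assumptions for the example).
    copies = [root / "nas", root / "offsite", root / "cloud_worm"]
    catalog = make_backup(live, copies[0])
    for c in copies[1:]:
        shutil.copytree(copies[0], c)

    # The workstation and every share it can write to get encrypted ...
    simulate_ransomware(live)
    simulate_ransomware(copies[0])
    # ... and the off-site copy has one file quietly altered: the manifest
    # still matches the catalog, so only the per-file hash check catches it.
    (copies[1] / "ledger.csv").write_text("id,amount\n1,999\n")

    status = {c.name: verify_backup(c, catalog) for c in copies}
    used = restore(copies, catalog, root / "restored")
    return {"status": status,
            "restored_from": used.name if used else None,
            "ledger": (root / "restored" / "ledger.csv").read_text()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() reports the NAS copy as "manifest missing", the off-site copy as "modified: ledger.csv", and restores from cloud_worm. The design point is that the catalog hash, not the manifest sitting next to the data, is the root of trust: anything stored with the backup can be encrypted along with it, so the restore decision must depend on something the compromised client could not write. In practice the restore itself would run on the clean network mentioned above, not on the machine that was just hit.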

 

And finally, securing the endpoint:

·         network policies and protection using antivirus, antispyware/antimalware, a host firewall, etc.

·         limit execution of unapproved programs on workstations (application allowlisting)

·         limit the write permissions of end users so that, even if they download and run ransomware, it can only encrypt the files that user can write to, not every share on the network

·         file reputation scoring systems (for example Symantec's)