“Backups” will not save you from a Ransomware Incident

“What do you mean the backups don’t work? I thought you said backups would save us from a Ransomware incident?”

Good backups are the #1 recommendation you will see in all “Ransomware Defence” guides. We have a problem in the industry. Many of these “ransomware guides” are written by people who have never lived through a major ransomware recovery operation. Many think they know how to perform a complete database restoration but have never done it under pressure. They have not experienced a miscreant running “write erase” on every router and switch. Yet their posts lead the “ransomware preparation” advice blogosphere and push organizations to buy new “backup solutions.” This is a problem. It leads organizations to put their effort on the wrong wall.

Don’t get stuck building a “ransomware backup defense” solution only to find you put the ladder on the wrong wall, wasted money, and that the system did not work under crisis.

Focus Your Ransomware “Backup” Preparation on the Right Wall

Today’s “backup” advice for ransomware preparation is misleading. “Good backups” is a recommendation that leads organizations into a false sense of “security.” What should be recommended instead?

  • Restoration and recovery processes for every device in the system. Your “valuable data” is not the only thing under threat; device configurations and the network itself are targets too.
  • Testing the restoration/recovery regularly. Backups are useless unless there is a validated, tested, and functional restoration and recovery process that works under duress.
  • Mapping the interdependencies within the organization and how they affect restoring the business. Do not assume everything is working as expected during a crisis. If the data restoration requires elements E & F to function, and they are not, then you have a problem. Know all these interlinked system dependencies as part of the larger restoration & recovery process.

Note: “Backups” are part of the restoration and recovery process. Backups alone will not save you if ransomware miscreants lock up your systems. The system needs to be restored and recovered with all the other elements recovered and functional. Building a restoration and recovery plan goes beyond the objective of “is my data recoverable?” to the more critical “can my business operations recover from a ransomware incident?”

Let us look at a classic example. A network team uses new tools to store the configurations for all their routers and switches “in the cloud.” It is “backed up” and assumed safe. Then there is an attack. The ransomware miscreants have gone through every network device, uploaded malicious software, then triggered a write erase and reboot. How will that network organization pull down their “backups” when the network is down and the Internet is not reachable?

With this in mind, here are some guidelines that would help build out a functional restoration, recovery, and backup architecture for your organization:

Think Full System Recovery – Not just “backing up the data.” Full system recovery and restoration require both data and configuration. While today’s ransomware miscreants are encrypting data, future crimes could lock other critical elements in your business.

Set up the Backup & Recovery Automation – then Monitor for Variations. Yes, automated backup software has been targeted for attacks. Yes, the backed-up data has been attacked. Don’t let that stop you from leveraging backup automation. The reality is that automation is the only way organizations can scale: systems are too complicated and dynamic, and the number of configurations and data sets that need to be backed up requires it. Monitor the automated runs for variations (unexpected changes in size, content, or coverage) so that a tampered or poisoned backup run is noticed rather than silently trusted.

Build a “Backup and Recovery Defence Plan.” Expect the miscreants to go after your backup, restoration, and recovery system. Build a threat model on how they would violate and compromise those systems. Remember the principles from 7 Habits of Highly Effective Cyber-Criminals. Forcing the miscreants to work harder often pushes them on to easier targets (although if they are already in your network targeting your backup systems, your ‘problem’ will remain).

Use Zero Trust Throughout the Restoration, Recovery, and Backup Architectures. Zero Trust is an Authentication, Authorization, & Accounting (AAA) security architecture based on a strict identity verification process. The framework dictates that only authenticated and authorized users and devices can access applications and data. At the same time, strict zero-trust authentication protects those applications and users from advanced threats on the Internet. The principles behind zero trust go all the way back to the 1980s Rainbow Series. The Rainbow Series (sometimes known as the Rainbow Books) is a series of computer security standards and guidelines published by the United States government in the 1980s and 1990s. They were originally published by the U.S. Department of Defense Computer Security Center, and then by the National Computer Security Center. Many “new” security techniques are a resuscitation of principles crafted decades in the past, with new terms and new “marketecture.” One of the key AAA resiliency principles from the Rainbow Books is layered access. If AAA method #1 does not work (i.e. Zero Trust), then you fall back to AAA method #2, and if that fails then you move to the “emergency AAA” that is locked up in a safe in a sealed envelope. Plan for the identity system itself being one of the systems you are restoring: the break-glass credentials must be stored and usable independently of it.

Two Backup Paths – Don’t Depend on One Backup, Restoration, and Recovery Path. Ransomware miscreants will get creative in the chaos they impose to “incentivize payment.” It is logical for them to seek out the “backups” and target them along with the devices, data, or solution they are holding hostage. Having two types of backups makes life more difficult for these miscreants. There is an additional expense, so it is logical to have two-path backups on selected systems. The 3-2-1 approach is ideal, but not feasible for some systems in your network (the 3-2-1 backup principle keeps at least three copies of data on two different storage types with at least one offsite). Some systems are easy. For example, a personal computer can have the company backup, the operating system backup (like Apple iCloud), and a local hard drive at home that gets disconnected from the network.

Establish a “Rhythm of Resiliency Action” for Everyone in the Company. Once a quarter, rotate through all employees to participate in the great backup. Back up their phones, their computers, their home computers, and any other devices they work with. At the same time, have them check and update their software and endpoint protection/anti-malware software. While they do this, ask for employee feedback on systems around them that they may not be able to back up. This quarterly “habit” would be seen in the same light as quarterly fire drills. It pulls everyone in the company into “Business Continuity” that includes Ransomware Resiliency.

Use the 3-2-1 backup rule. The 3-2-1 backup principle keeps at least three copies of data on two different storage types with at least one offsite. The approach is to have versions of configuration and data to allow a fallback during restoration and recovery. Keeping three versions is a core practice used a lot during upgrades. Many times testing will not uncover unforeseen interdependencies until the system goes live. The “three versions” allow an organization to quickly fall back to the last working configuration or software. So, note that preparing for a ransomware attack is core to operational resiliency.

Determine which Configurations and Data require the immutability flag. An immutable backup operates like any data backup but includes the option to lock the backup against any change or deletion for a set retention period. Immutable flags are part of many cloud backup services and backup software. It is the ideal protection against data corruption, whether malicious or accidental. Pair immutability with validation of what gets locked: whole networks have gone down because a configuration backup included a stray carriage return that then locked up the configuration during a recovery, and an immutable copy of a bad configuration is still a bad configuration.
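The 3-2-1, two-path, and immutability points above are easy to state and easy to lose track of across hundreds of systems. The script below is an added example (not code from the original post) that audits a backup inventory against those rules plus the one the router-config story illustrates: at least one copy you can read with the network down. The inventory format, field names, and the three sample systems are assumptions constructed for illustration; swap in whatever your backup tooling can export.

```python
"""Audit a backup inventory against the rules in this post: 3-2-1, an
immutable copy where it matters, and a copy you can reach with the
network down.

Added example, not from the original post. The inventory format, field
names and the sample systems are assumptions constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Copy:
    media: str              # "object-storage", "tape", "local-disk", ...
    offsite: bool           # held at a separate site or provider
    immutable: bool         # locked against change/deletion for its retention period
    offline_readable: bool  # restorable with the LAN/WAN and Internet down


@dataclass
class SystemBackup:
    name: str
    copies: List[Copy]
    needs_immutable: bool = False  # configs/data where silent corruption would wedge recovery


def audit(system: SystemBackup) -> List[str]:
    """Return the list of rules this system's backups break (empty = compliant)."""
    c = system.copies
    findings = []
    if len(c) < 3:
        findings.append(f"only {len(c)} copies; 3-2-1 calls for at least 3")
    if len({x.media for x in c}) < 2:
        findings.append("all copies on one media type; 3-2-1 calls for 2")
    if not any(x.offsite for x in c):
        findings.append("no offsite copy")
    if system.needs_immutable and not any(x.immutable for x in c):
        findings.append("no immutable copy of data that requires one")
    if not any(x.offline_readable for x in c):
        findings.append("no copy reachable with the network down (the router-config trap)")
    return findings


def audit_all(systems: List[SystemBackup]) -> Dict[str, List[str]]:
    """Findings keyed by system name."""
    return {s.name: audit(s) for s in systems}


# Constructed inventory; the first entry is the cloud-only router config store
# from the example earlier in the post.
INVENTORY = [
    SystemBackup("router-configs", needs_immutable=True, copies=[
        Copy("object-storage", offsite=True, immutable=False, offline_readable=False),
    ]),
    SystemBackup("file-server", copies=[
        Copy("local-disk", offsite=False, immutable=False, offline_readable=True),
        Copy("object-storage", offsite=True, immutable=True, offline_readable=False),
        Copy("tape", offsite=True, immutable=True, offline_readable=True),
    ]),
    SystemBackup("hr-database", copies=[
        Copy("object-storage", offsite=True, immutable=False, offline_readable=False),
        Copy("object-storage", offsite=True, immutable=False, offline_readable=False),
        Copy("object-storage", offsite=False, immutable=False, offline_readable=False),
    ]),
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is, the file server passes, the HR database fails on media diversity and offline reachability (three copies, all in the same object store), and the router-config store fails four of the five checks despite being “backed up in the cloud.” The `offline_readable` flag is the one most inventories do not track; it is the difference between a backup and a backup you can actually restore from while the network is down.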

Include a “Regain Trust in my Backups” step during/after a Ransomware Incident. Remember, the “ransom” threat is the “monetization” used by miscreants after they have already been inside your network for some time. Their intrusion, persistence, lateral movement, and miscreant nonsense are now being backed up into your live backups. A restore from last night’s backup can bring the attacker’s foothold back along with the data. Include “regain trust” as part of the overall ransomware recovery: work out when the intrusion started, and treat every backup taken after that point as suspect until it has been checked.
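Two of the points above, “monitor the automation for variations” and “regain trust in my backups,” come down to the same data: a manifest of what each backup run captured. The added example below (not code from the original post) compares consecutive manifests to flag the variations a mass-encryption run produces, and then walks back through the snapshots to find the newest one that does not yet contain a known indicator of the intrusion. The three constructed snapshots are made up; the persistence path used as the indicator is a stand-in for whatever incident response actually finds.

```python
"""Monitor automated backup runs for variations and find the last
snapshot that does not yet contain attacker artefacts.

Added example, not code from the original post. The manifests below are a
constructed stand-in for whatever your backup tool can export (path ->
SHA-256, size); the file contents and indicator path are made up."""
from __future__ import annotations
from hashlib import sha256
from typing import Dict, List, Optional, Set, Tuple

Manifest = Dict[str, Tuple[str, int]]


def manifest(files: Dict[str, bytes]) -> Manifest:
    """Summarise one snapshot as {path: (sha256 hex, size in bytes)}."""
    return {path: (sha256(data).hexdigest(), len(data)) for path, data in files.items()}


def diff_manifests(prev: Manifest, curr: Manifest):
    """Paths added, removed and changed between two consecutive runs."""
    added = sorted(set(curr) - set(prev))
    removed = sorted(set(prev) - set(curr))
    changed = sorted(p for p in prev.keys() & curr.keys() if prev[p] != curr[p])
    return added, removed, changed


def flag_variations(prev: Manifest, curr: Manifest, max_change_ratio: float = 0.2,
                    ransom_suffixes: Tuple[str, ...] = (".locked", ".enc", ".crypt")) -> List[str]:
    """Alerts for the kind of variation a tampered or encrypted source produces.
    The threshold and suffix list are illustrative; tune them to your own churn."""
    added, removed, changed = diff_manifests(prev, curr)
    alerts = []
    ratio = (len(changed) + len(removed)) / max(len(prev), 1)
    if ratio > max_change_ratio:
        alerts.append(f"{ratio:.0%} of previously backed-up files changed or vanished in one run")
    suspicious = [p for p in added if p.endswith(ransom_suffixes)]
    if suspicious:
        alerts.append(f"{len(suspicious)} new files with ransomware-style suffixes, e.g. {suspicious[0]}")
    prev_size = sum(size for _, size in prev.values())
    curr_size = sum(size for _, size in curr.values())
    if prev_size and curr_size < prev_size / 2:
        alerts.append("backup shrank by more than half")
    return alerts


def last_clean_snapshot(snapshots: List[Manifest], indicator_paths: Set[str]) -> Optional[int]:
    """Index of the newest snapshot containing none of the known indicator paths.
    Only as good as the indicators: a clean-looking snapshot can still postdate
    the intrusion, so keep looking back as more IOCs turn up."""
    for i in range(len(snapshots) - 1, -1, -1):
        if not indicator_paths & set(snapshots[i]):
            return i
    return None


# Constructed snapshots of one file server over three nightly runs.
DAY0 = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/srv/cfg/router1.cfg": b"hostname r1\n",
    "/srv/data/a.doc": b"quarterly report\n",
    "/srv/data/b.doc": b"customer list\n",
    "/srv/data/c.doc": b"payroll\n",
}
# Day 1: the intruder drops a persistence hook; nothing else changes.
DAY1 = {**DAY0, "/etc/cron.d/persist": b"* * * * * root /tmp/.x\n"}
# Day 2: the documents are replaced by encrypted blobs.
DAY2 = {k: v for k, v in DAY1.items() if not k.startswith("/srv/data/")}
DAY2.update({f"/srv/data/{n}.doc.locked": b"\x00" * 32 for n in "abc"})

SNAPSHOTS = [manifest(DAY0), manifest(DAY1), manifest(DAY2)]
INDICATORS = {"/etc/cron.d/persist"}  # learned during incident response

if __name__ == "__main__":
    for day in (1, 2):
        print(f"day {day}:", flag_variations(SNAPSHOTS[day - 1], SNAPSHOTS[day]) or "no variation flagged")
    print("last snapshot free of known indicators:", last_clean_snapshot(SNAPSHOTS, INDICATORS))
```

Note what the two checks catch and miss. Variation monitoring fires on day 2 (half the files vanish, three `.locked` files appear) but is silent on day 1, when a single new cron file is well within normal churn. That day-1 snapshot is exactly the one a “just restore from last night” recovery would bring back, persistence included. Only the indicator search, fed by what incident response finds, identifies day 0 as the last snapshot to trust, which is why “regain trust” has to be a deliberate step and not an assumption.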

Backups do NOT Protect from Data Exfiltration. Think about it: if a criminal is going to encrypt and threaten with a ransom, it makes sense for them to “test the encryption.” That means they exfiltrate the data to their systems for those tests. Always assume the ransom includes exfiltrated data. That exfiltrated data would then be traded, sold, or leaked.

Expect DDoS During the Restoration and Recovery. Causing chaos, anxiety, and stress to entice the ransom payment is to be expected. Expect a DDoS Attack in the middle of the ransomware incident. The DDoS can be used to cause more chaos or used as an additional threat. The key is to have “restoration and recovery while under a DDoS attack” as part of your restoration and recovery plan. Use the core principles/techniques from the DDoS Attack Preparation Workbook to prepare and minimize the impact of DDoS while you are in restoration and recovery mode.

Segment your Restoration & Recovery Operations. Triaging recovery to what is most critical is a 101 principle during a recovery operation. There is no point in recovering operations on the factory floor when the operations, safety, and security parts are still down. Listen to the team. Do a tabletop exercise where everything is down from a natural disaster or security incident. Then think “A must be restored before B will work.” “B must happen before C & D can start their recovery.” Continue this until you have an outline of a segmented recovery and restoration plan. Then add a security element to the plan: “As we recover D, we find that the E and F parts of the system have suspected malware as part of the ransomware.” “We’ll isolate and work around E & F to get other parts of the system working.”
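The “A before B, B before C & D” outline from the tabletop, and the earlier point about knowing your interdependencies before a crisis, is a dependency graph, and the isolation twist (“E & F have suspected malware”) is a change to that graph mid-recovery. The added example below (not code from the original post) turns such a map into a restore order that puts the most critical ready system first, then re-plans when a system is quarantined, reporting what that quarantine blocks so the team can decide on a workaround. The systems, dependencies, and priorities are a constructed illustration of the factory example.

```python
"""Turn “A must be restored before B” dependencies into a segmented
recovery order, and re-plan when parts of the system turn out to be
compromised and must be isolated.

Added example, not from the original post; the systems, dependencies and
priorities are a constructed illustration of the factory example above."""
from __future__ import annotations
import heapq
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Deps = Dict[str, Set[str]]  # system -> systems that must be up before it can be restored


def recovery_order(deps: Deps, priority: Optional[Dict[str, int]] = None,
                   quarantined: FrozenSet[str] = frozenset()) -> Tuple[List[str], List[str]]:
    """Return (restore order, systems blocked by the quarantine).

    Quarantined systems are left out entirely; anything that needs one of them,
    directly or transitively, is reported as blocked so the team can decide on a
    workaround. Among systems whose prerequisites are met, the lowest priority
    number goes first (Kahn's topological sort driven by a priority queue).
    Raises ValueError if the dependencies contain a cycle."""
    priority = priority or {}
    nodes: Set[str] = set(deps)
    for prereqs in deps.values():
        nodes |= prereqs
    blocked = set(quarantined)
    grew = True
    while grew:  # propagate: a system is blocked if any prerequisite is blocked
        grew = False
        for n in nodes - blocked:
            if deps.get(n, set()) & blocked:
                blocked.add(n)
                grew = True
    remaining = nodes - blocked
    indegree = {n: len(deps.get(n, set()) & remaining) for n in remaining}
    dependents: Dict[str, Set[str]] = {n: set() for n in remaining}
    for n in remaining:
        for p in deps.get(n, set()) & remaining:
            dependents[p].add(n)
    ready = [(priority.get(n, 99), n) for n in remaining if indegree[n] == 0]
    heapq.heapify(ready)
    order: List[str] = []
    while ready:
        _, n = heapq.heappop(ready)
        order.append(n)
        for m in dependents[n]:
            indegree[m] -= 1
            if indegree[m] == 0:
                heapq.heappush(ready, (priority.get(m, 99), m))
    if len(order) != len(remaining):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining - set(order))))
    return order, sorted(blocked - set(quarantined))


# Constructed dependency map for the factory example: network first, then identity
# and DNS, then safety systems, then the historian and PLCs, back office last.
DEPS: Deps = {
    "network": set(),
    "identity": {"network"},
    "dns": {"network"},
    "safety": {"network", "identity"},
    "historian": {"safety", "dns", "identity"},
    "plc": {"safety", "historian"},
    "erp": {"identity", "dns"},
    "email": {"identity", "dns"},
}
PRIORITY = {"network": 0, "safety": 0, "identity": 1, "dns": 1,
            "historian": 2, "plc": 3, "erp": 5, "email": 5}

if __name__ == "__main__":
    print("clean recovery:", recovery_order(DEPS, PRIORITY))
    # Tabletop twist: the historian is found to carry the ransomware and is isolated.
    print("historian quarantined:", recovery_order(DEPS, PRIORITY, frozenset({"historian"})))
```

With nothing quarantined the order is network, dns, identity, safety, historian, plc, email, erp: safety comes before the back-office systems because of its priority, not because e-mail happens to be ready first. Quarantining the historian drops it from the plan and reports the PLCs as blocked, which is the prompt for the “isolate and work around E & F” conversation rather than a silent gap in the runbook. The cycle check matters in practice too: a circular dependency such as “AAA needs the network, the network needs AAA” is precisely the kind of thing that only surfaces when everything is down, which is what the emergency AAA envelope is for.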

How do we justify the Cost?

Sit back and think of the “actualized restoration and recovery” requirements for everything in the network. That same body of work will be needed if there is a natural disaster (more likely with global climate chaos). The same restoration/recovery playbook will be required when things break in normal operations, letting the teams get systems back online when elements fail. In essence, what is necessary for Ransomware Resiliency is a core element of systems resiliency and business continuity.

This is too much! Where do we start?

Start simple. Start with what you have today. A fully functional restoration and recovery solution for your organization will need to meet your business continuity requirements. There is no “cookie-cutter” approach. But, start doing something. Don’t wait for some consultant or vendor to deliver a solution. Pull your existing team together, trust that team, and craft everything that can be done today. Then have that same team list out their wish list and priority list for what needs to be better.

Those two lists – “what can be done today” & “what the team thinks needs to be done next” – establish the foundation. You then go have “meaningful backup, restoration, and recovery” conversations with all your vendors. Use the approach from Meaningful Security Conversations with your Vendors as a conversation road map.


Are you looking for more practical, low-cost security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. The materials and guides posted on www.senki.org here are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.