- Nick Cavalancia, Techvangelism
The increase in cyberattacks over the last couple of years is staggering. Given how frequent attacks have become and how high the cost of prevention and remediation runs, a cyberattack is now a far more probable cause of an outage that takes down your organization than any natural disaster. It is therefore imperative to secure your data and to protect backups from ransomware and other security risks.
Most enterprises focus on putting protection and detection products in place. But even prominent security vendors will tell you they don't stop everything, so you should assume a percentage of attacks will be successful. It's why we still see cyberattacks in the news every single week.
It's important to look at the tactics used by cybercriminals to determine what you can do to stop or respond to attacks in the fastest and most cost-effective manner. We need to add one more role to the list of concerned IT and security pros: the backup administrator.
If that's you, you may be asking, "Why?" Perhaps the better question is, "What do backups have to do with cybersecurity?"
Backups are the one surefire way to return an organization to a known good state. They can counteract file encryption, data deletion, data manipulation, directory services changes, permissions changes and more. Your backup and security strategies need to be aligned to ensure you can protect backups from ransomware and other security risks and quickly recover.
Attackers want to keep control of the situation, whether by operating in stealth or by seizing control of systems, and they do not want you to recover any part of the environment in a way that takes that control away. This means your backups, now more than ever, have become a target.
Backups at risk?
Backups are quickly becoming a prime target. Take away an organization's ability to recover, and the attackers retain control of their attack. We have seen this in a wide range of breaches over the last few years, including ransomware, lateral movement and data destruction attacks.
Cybercriminals are well aware that backups are one of your organization's primary responses to a ransomware attack. Malware has been developed to specifically include the ability to search for backup storage, identify backup files and delete any means by which an organization could recover. These scripts and executables are programmed to find specific file types, take advantage of backup application APIs and to use any other means to access backups and delete them.
Cyberattacks involving lateral movement -- jumping from machine to machine using compromised credentials -- aim to establish persistence on compromised endpoints and within directory services. Endpoint persistence ensures that the malware used to infiltrate the endpoint survives, or returns, even after the initial infection has been cleaned up.
Attackers seek persistence within your network by creating multiple fake accounts that are granted membership to groups with access to servers, file shares, databases, applications and even the directory itself. The only way to revert these kinds of changes is to either manually undo every logged change, or use backups to return every manipulated part of the environment to a preattack state.
In attacks focused on data destruction, like that of the obliteration of the VFEmail platform, backups must be included as one of the intended targets by cybercriminals to be effective. Otherwise, the attack becomes little more than a nuisance.
How backups are deleted
Understanding how malware deletes backups may help you implement countermeasures to protect backups from ransomware. These three ransomware examples demonstrate the efforts put into place by malefactors to ensure your backups can't recover from an attack.
Zenis disables the Volume Shadow Copy service, deletes shadow volume copies, disables startup repair and terminates the Windows Backup process.
SamSam looks for more than 40 specific file types -- e.g., Acronis TIB and Windows Backup BKF files -- after enumerating all the drives the victim computer is connected to, and then deletes any files matching the criteria.
CryptoWall deletes Hyper-V virtual machine restore points using API calls.
Hackers have developed code to automatically use accounts with elevated directory access to create numerous user accounts they can access in the future. These same hackers see the value deleting backups brings to ransomware attacks. So it's not a stretch of the imagination for hackers to come to the realization that bringing these two threat actions together to ensure persistence on your network -- even after initial detection -- will only help their efforts.
So what steps should you take to protect backups from ransomware and other threats and also make the most of your backups as a response tool should attacks succeed?
Six ways to reduce the backup threat surface
The overarching goals of the following recommendations revolve around having the right backups to recover from and ensuring they are available regardless of how sophisticated the attack. The first four recommendations involve backups, backup strategy and backup software. The last two address those parts of the environment that attackers use to add backups to the deletion menu.
You should address all six to implement a viable barrier around your backup infrastructure.
1. Protect what the attacker seeks. Cybercriminals are ultimately after a few parts of the network -- valuable data, the directory and endpoints -- so protecting those is key. The list of data sets you should back up is much longer, but when you boil down what matters most for recovery, it is these three.
2. Have backups on and off site. Since backups are becoming an even greater target, it makes sense to obey the "3-2-1 backup rule": keep three copies of your data, on two different media, with one copy off site. Today, the off-site component most often means cloud-based storage. Having copies off site means that, even if local copies are deleted, there is still a means by which the organization can recover itself to a known good state. The caveat is that an off-site copy only helps if it cannot be deleted with the same credentials the attacker already holds on site, so keep it offline, immutable or under separate credentials.
3. Secure your backup software. The bad guys are reverse engineering instances of major backup software looking for ways to hack it to delete backups, regardless of where they reside. Backup software is itself susceptible to attack and may not be 100% free of vulnerabilities. Logically isolating the system that hosts the backup software so that it cannot be reached via remote desktop protocols, APIs, file shares and so on greatly reduces the chance of malware gaining control of your backups.
4. Detect malware in backups. There are a number of backup products that scan for unauthorized executables and detect if ransomware has encrypted mass amounts of data on an endpoint or server. Taking advantage of these features to protect backups from ransomware adds another layer to your security strategy, but it may add some latency to the backup and recovery process. Ask your vendor and backup admin about the impact these kinds of add-on scans may have on your backup and restore windows.
5. Implement least privilege. For a ransomware attack to take your backups away, the attacker needs permission to access and delete them. The kill chain that leads to an account with those permissions typically begins with local admin access on the initially infected endpoint. Separating privileged accounts -- such as the local administrator -- from regular user accounts is a reasonable starting point to protect backups from ransomware. You should also implement network segmentation, privileged access management and least privilege across the board to make it difficult for attackers to gain control over an endpoint and access to elevated credentials.
6. Use behavior analysis. At the end of the day, malefactors need to perform a malicious action on a given system to succeed. In many cases, they "live off the land," using native tools like PowerShell, vssadmin and wmic to accomplish their evil deeds. But by having some form of endpoint protection in place to monitor process behavior -- e.g., PowerShell disabling the Volume Shadow Copy Service, or vssadmin deleting shadow copies -- you're more apt to spot malicious activity before real damage can be done.
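The 3-2-1 rule in recommendation 2 is easy to satisfy on paper and still lose to an attacker who holds one privileged credential. The following is an added example, not code from the article: it checks a constructed backup inventory against the literal 3-2-1 rule and then asks the question the rule does not, namely whether at least one copy survives if an assumed-compromised identity (here CORP\Domain Admins) can delete everything it can reach. The inventory, dataset names, identities and the "deleters" model are all this example's assumptions.

```python
"""3-2-1 check plus a credential blast-radius test (added example, not from the article)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    location: str
    medium: str                 # "disk", "tape", "object-storage", ...
    offsite: bool
    # Identities that can delete or overwrite this copy over the network.
    # An empty set means nothing reachable remotely can destroy it (offline
    # tape, or object lock with delete granted to no domain identity).
    deleters: frozenset = field(default_factory=frozenset)


# Constructed inventory (assumption). CORP\Domain Admins is the credential we
# assume the attacker ends up holding after lateral movement in the directory.
INVENTORY = [
    BackupCopy("finance-share", "FS01 local backup-to-disk volume", "disk", False,
               frozenset({"CORP\\Domain Admins", "CORP\\svc_backup"})),
    BackupCopy("finance-share", "off-site tape vault", "tape", True, frozenset()),
    BackupCopy("finance-share", "cloud bucket (credentials synced from AD)",
               "object-storage", True, frozenset({"CORP\\Domain Admins"})),
    BackupCopy("ad-system-state", "DC01 D:\\WindowsImageBackup", "disk", False,
               frozenset({"CORP\\Domain Admins"})),
    BackupCopy("ad-system-state", "FS01 local backup-to-disk volume", "disk", False,
               frozenset({"CORP\\Domain Admins", "CORP\\svc_backup"})),
]


def check_dataset(copies, dataset, compromised=frozenset({"CORP\\Domain Admins"})):
    """Return a list of findings for one dataset; an empty list means it passes.

    The first three checks are the literal 3-2-1 rule. The fourth models the
    attacker: if every identity in `compromised` is under their control,
    does at least one copy remain that they cannot delete?
    """
    mine = [c for c in copies if c.dataset == dataset]
    findings = []
    if len(mine) < 3:
        findings.append(f"{len(mine)} copies, need at least 3")
    media = {c.medium for c in mine}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in mine):
        findings.append("no off-site copy")
    survivors = [c.location for c in mine if not (c.deleters & compromised)]
    if not survivors:
        findings.append("every copy is deletable by " + ", ".join(sorted(compromised)))
    return findings


def report(copies):
    """Findings per dataset, e.g. {'finance-share': [], 'ad-system-state': [...]}."""
    return {ds: check_dataset(copies, ds) for ds in sorted({c.dataset for c in copies})}


if __name__ == "__main__":
    for dataset, findings in report(INVENTORY).items():
        print(dataset, "OK" if not findings else "; ".join(findings))
```

In the constructed inventory the finance share passes only because of the tape copy: the cloud copy is off site but shares the domain credential, so it would vanish along with the local copy. The directory system-state backup fails every check, which is exactly the data set the article singles out for restoring manipulated accounts and group memberships.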
These recommendations enable organizations to protect backups from ransomware and other threats: they give you clean backups to respond to a cyberattack, preserve copies even when on-premises backups have been deleted, and minimize the chance that backups are affected in the first place.
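The behaviors listed under "How backups are deleted" (shadow copies purged, the Volume Shadow Copy service disabled, startup repair turned off, the Windows Backup process killed) and the behavior analysis in recommendation 6 come together in detection logic like the following. This is an added example, not code from the article or from any vendor product: it runs a small set of command-line rules over constructed process-creation events of the kind Sysmon or EDR agents record, decodes a PowerShell -EncodedCommand payload so living-off-the-land tricks do not slip past, and escalates to "critical" when a single host shows two or more distinct backup-destruction techniques. The specific commands matched (vssadmin, wmic, bcdedit, wbadmin, taskkill) are this example's assumptions about common tradecraft, not a description of the samples named above.

```python
"""Backup-destruction detection over process-creation events (added example, not from the article)."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Rules run over the lower-cased, whitespace-collapsed command line (plus any
# decoded -EncodedCommand body). Command patterns are assumptions, see lead-in.
RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*remove-(?:wmi|cim)"),
    # Shrinking the diff area below what existing copies need silently purges them.
    "shadow_storage_resize": re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage"),
    "vss_service_disable": re.compile(
        r"sc(?:\.exe)?\s+config\s+vss\s+start=\s*disabled"
        r"|stop-service\b.*\bvss\b"
        r"|net(?:\.exe)?\s+stop\s+vss\b"),
    "startup_repair_disable": re.compile(
        r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "backup_catalog_delete": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"),
    "backup_process_kill": re.compile(
        r"(?:taskkill(?:\.exe)?|stop-process)\b.*\b(?:wbengine|vssvc)(?:\.exe)?\b"),
}

# PowerShell accepts unambiguous prefixes of -EncodedCommand; the common spellings.
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def normalize(cmdline: str) -> str:
    """Lower-case and collapse whitespace; append any decoded -EncodedCommand text."""
    text = " ".join(cmdline.split()).lower()
    m = ENCODED.search(cmdline)  # search the raw string: base64 is case-sensitive
    if m:
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
            text += " " + " ".join(payload.split()).lower()
        except ValueError:
            pass  # not valid base64; match on the raw command line only
    return text


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    technique: str
    image: str
    cmdline: str


def match_event(event: dict) -> list:
    """All techniques a single process-creation event exhibits."""
    text = normalize(event["cmdline"])
    return [Alert(event["host"], event["user"], name, event["image"], event["cmdline"])
            for name, rx in RULES.items() if rx.search(text)]


def scan(events: list) -> list:
    return [a for e in events for a in match_event(e)]


def severity_by_host(alerts: list) -> dict:
    """One technique on a host is 'high'; two or more distinct techniques (shadow
    copies gone *and* recovery disabled, say) is 'critical'. Ransomware does the
    combination; routine admin work almost never does."""
    techs = defaultdict(set)
    for a in alerts:
        techs[a.host].add(a.technique)
    return {h: ("critical" if len(t) >= 2 else "high") for h, t in techs.items()}


# Constructed sample telemetry (assumption): Sysmon-style process creation events.
ENCODED_PAYLOAD = base64.b64encode(
    "Get-WmiObject Win32_ShadowCopy | Remove-WmiObject".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    # benign: a backup admin listing shadow copies
    {"host": "FS01", "user": "CORP\\backupadm", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    # pre-encryption sequence on a workstation
    {"host": "WS17", "user": "CORP\\jdoe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS17", "user": "CORP\\jdoe", "image": "bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS17", "user": "CORP\\jdoe", "image": "wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # living off the land: the same deletion hidden in an encoded PowerShell command
    {"host": "SRV03", "user": "CORP\\svc_app", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + ENCODED_PAYLOAD},
]

if __name__ == "__main__":
    alerts = scan(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a.host:6} {a.user:18} {a.technique:24} {a.cmdline[:60]}")
    print(severity_by_host(alerts))
```

The benign `vssadmin list shadows` on FS01 produces nothing, WS17 trips three different rules and is rated critical, and SRV03 is caught only because the encoded PowerShell body is decoded before matching. In production the same rules belong in the EDR or SIEM, keyed to the backup server and domain controllers first, with the "critical" tier wired to an automatic isolation action rather than a ticket.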
Eliminate the backup security risk
As part of any attack, assume cybercriminals want to do two things: make changes to your environment and limit your ability to do anything about it. In many cases, they achieve the latter by simply deleting backups. But it's important to expand your thinking about backups to include any and all forms of malware, as backups can be used to roll back the environment to a known good state regardless of the form an attack takes.
As the good guys develop ways to better use backups -- as in the case of scanning backups for malware before backup and recovery -- the bad guys will continue to come up with creative countermeasures to take backups out of the picture. By doing so, they increase their chances of success, so you'll have no recourse but to pay a ransom or rebuild the affected parts of your network from scratch.
Regardless of the type of cyberattack, it's imperative to include your backup strategy in your overall security conversation. Attackers are coming for your backups. Take action now to better protect backups from ransomware and other cyberattacks before they succeed.