December 19, 2022

Article
3 min

Are Your Backup Files as Reliable as You Think They Are?

Recovering from ransomware or an insider attack can be slower and more complicated than many organizations realize.

Michael Stempf

Cyberattacks are inevitable; it’s not a matter of if, but when. With this understanding, organizations should prioritize secure, high-quality backup and recovery processes. What we often see instead, however, is that organizations focus most of their efforts on prevention. When they look at recovery, it’s usually with an emphasis on disaster recovery, not cyber recovery.

The problem is that failing to establish reliable secured backups runs the risk of having no backups to recover from at all. That’s the last thing anyone wants during a recovery attempt. The average “dwell time” that an attacker spends undetected on a target network is 207 days, according to IBM’s Cost of a Data Breach Report 2022. That gives cybercriminals plenty of time to infiltrate and compromise the backup resources that organizations are counting on for recovery.

In working with many organizations in the wake of cyberattacks, CDW has seen some myths that tend to hamper recovery efforts, and we’ve identified best practices that dramatically improve the security and integrity of backup files.

Understand the Vulnerabilities of Immutable Storage

One of the biggest misconceptions is that immutable storage is sufficient to enable a full recovery after an attack. Some IT professionals believe that no one can hack this type of storage, and no one can modify it. That’s partially true: Today, immutability means that data can’t be modified outside of the data protection solution that wrote it. However, it is still susceptible to deletion from the data protection solution. 

Time jumping — the act of spoofing the time source for a data protection solution, causing the data protection solution to prematurely delete its backup data — has become one of the primary ways that attackers hack a backup product. The next most common form of attack is gaining access to Active Directory and getting a “golden ticket”: the ability to log on to anything in a target environment. With this level of access, an attacker can log in to an organization’s backup product and change the retention rules, delete backups or even restrict backups from being accessed, to list a few examples. Immutable storage doesn’t prevent that from happening, so all that data could be lost.

We recommend the use of indelible storage, which ensures that data cannot be changed from the inside. We also recommend the use of authenticated Network Time Protocol (NTP) or a monotonic clock, which defends against time jumps by verifying a server's authenticity before any changes are made locally. 

Monitor Changes to Active Directory Files

Another common myth is that organizations should use Active Directory as a data protection solution. But if a cybercriminal has been hacking an organization’s Active Directory for 207 days, that’s plenty of time to create user accounts with elevated passwords. If you restore Active Directory from a backup, all of that elevated access is still there because there’s no way to differentiate legitimate accounts from unauthorized ones. 

One defense against this tactic is Active Directory anomaly detection, which looks for changes and flags them in real time. This can alert an organization to an attack months before ransomware is activated. It also shortens recovery time by identifying potential issues in Active Directory.

Make It as Difficult as Possible to Compromise Backups

Proper backup strategies can significantly improve recovery capabilities, but many organizations are not yet using them. On average, companies that paid the ransom in 2021 recovered 61 percent of their data, and only 4 percent got all of their data back, according to the Sophos The State of Ransomware 2022 report. Additionally, 68 percent of companies that paid the ransom were attacked again within a month, and the attackers demanded a higher ransom, according to “Ransomware: The True Cost to Business,” a report by Cybereason.

Air gapping, whether logical or physical, can be a critical approach to protecting data. This tactic maintains a copy of an organization’s data that cannot be accessed via its network, keeping it away from cybercriminals who may gain unauthorized access to the network. If the network is breached and data is compromised, the organization can use this copy of its data to recover.

Multifactor authentication also is essential, not because it is infallible on its own, but because it adds one more layer to discourage attackers. The more obstacles cybercriminals have to get past, the more likely it is that they will look for an easier target. 

We also recommend using local accounts for privileged access, role-based security and command approval, which requires secondary approval for significant changes, even when an administrator requests them.

The bottom line is that data protection needs to be treated as a Tier 0 application for any organization. Many security procedures recommended today are adequate to keep out the junior varsity cybercriminals, but they aren’t enough to stop state-sponsored cyberattackers or insiders who want to cause damage. When an attack happens, the only way to move forward effectively is to have the capability to recover, with confidence that backup files are safe and trustworthy.

Story by Michael Stempf