The Verizon Data Breach Incident Report (VDBIR) indicates that a lack of ransomware protection across all sizes of enterprise is increasing the damage from these type of attacks. But while many frameworks exist to provide organisations with procedures for dealing with a ransomware breach, what can organisations do to protect themselves from attacks or improve their cyber resilience to such attacks?
Stopping an Attack
The best way to respond to a ransomware attack is to avoid making yourself vulnerable to one in the first place. This is the Stop phase.
Most ransomware attacks begin with a user within the targeted organisation interacting with a compromised communication that has a downloader hidden within its structure (attachment or link) containing malware. The user is an unwilling contributor to the attack, so everything the organisation can do to remove this dependency is vital to the Stop phase. This can be achieved by taking what Omnisperience calls a User Isolation Protection (UIP) approach. (see Omnisperience Green Paper User Isolation Protection)
A UIP approach advocates enabling seamless digital engagement while proactively and unobtrusively securing the user and their data from cyber abuse. So how does such an approach help stop ransomware attacks?
Companies should first apply a UIP approach to the Access Layer – transforming it into an Access Isolation Layer that foils attacks before they can begin by protecting the user throughout their day-to-day activities.
Unlike traditional password and PIN identity and authentication solutions, utilising more advanced multi-factor and non-invasive solutions not only secures the user at the entry point (ie the device, system or application) but also throughout the flow of their daily tasks.
But cyber-criminals don’t give up easily and have multiple tactics in their kit bag. If they are prevented from directly stealing user credentials or downloading malware via a user’s initial engagement, they will move to targeting the digital platforms themselves. Users therefore need to be assured that the platforms they intend to engage upon are legitimate, and enable them to complete their tasks securely because they are free from malware that will misappropriate their data, redirect them to compromised websites or use access credentials to subsequently steal data or even money.
This is what we term the Execute Isolation Layer. The technologies used to deliver this include: secure browsing and realtime bot mitigation. Secure browsing provides users with a guaranteed safe engagement by transforming the required web pages and content into a unique format. Bot mitigation helps companies understand bot behaviours (what they are doing) and enables them to remove bots from website content.
Restarting your business
The ‘Access’ and ‘Execute’ isolation layers help prevent any new ransomware attacks. But what if you discover you have already been breached? Equally important is restoring your operations following or during an attack. This is the Start phase.
As soon as you discover criminals have locked access to your systems and data, you need to start initiating your procedures to get yourself out of this predicament and maintain business operations.
Much business value is held within a business’s data, which is why cyber-criminals target your data to cripple your business. So the first question to consider is: what could you have done during normal operations to secure and enable faster recovery of the data in the event of a ransomware attack?
To provide resilience against a ransomware attack, the performance of your data storage technology is critical. It needs to be able to operate at the same (if not higher) performance as your operational systems. This means that not only does the physical architecture need to be fast, but the interfaces that move the recoverable data to the system access location need to be highly elastic. Tape backups or HDD won’t cut it. You need to review whether ‘all-flash’ or SSD storage systems meet the recovery time objectives (RTO) you need.
Inevitably, the backups or copies of your data – even if they’re stored in near realtime – may be missing some of the latest data. This means that an appreciation of the recovery point objective (RPO) will need to be factored into any data recovery operation. Your operational data storage architecture also needs to have the capability to perform realtime synchronous or asynchronous snapshots or copies of the data and its metadata.
A key functional priority within these snapshots is the ability to create immutable/read-only versions of the data. These types of snapshots mitigate the attack’s initial capability to encrypt the data to stop the organisation from accessing it. They also stop the criminal from using a ‘Jigsaw’ threat during the attack – whereby the cybercriminal starts deleting files systematically and intermittently until the ransom is paid.
Cybercriminals utilise a range of tactics including short-term attacks that are targeted at immediate gain, to those playing the long-game and deploying malware weeks or months before an attack. This requires organisations to utilise threat-hunting technology to pinpoint any dormant malware before it can be woken up. In addition, storage analysts should evaluate how often they create snapshots and how long they retain these so they can decide upon the most efficient RPO for their organisation.
Omnisperience continues to identify the critical elements that organisations should audit to ensure they mitigate as many known cyber-attacks as possible. Ransomware attacks are not the most common cyberthreat organisations face today – coming a long way behind phishing, credential hacking, data loss and DDoS – but they can be devastating when they do occur. As more criminals become motivated by financial gain, the risk from ransomware will continue to rise. Organisations would therefore be well advised to audit their ability to stop ransomware attacks before they take hold, utilise a UIP approach, and analyse their ability to restart normal operations if their business is targeted.