In part one of this series, I outlined some harsh truths of cybersecurity in 2022 and the first three of the top six steps you should take to ensure resiliency against today’s most pervasive threat—ransomware. Here, I’ll cover the remaining three:
But first, let’s take a quick step back.
It used to be that ransomware would get into a system, start encrypting and downloading as much as it could, and then escape before it was detected. But ransomware and the cybercriminals behind it have now evolved.
Mimicking the art of “casing the joint,” they get in, do cyber-reconnaissance, lurk until the optimal time to inflict maximum impact, and then they strike. This practice of remaining undetected for a period of time is often referred to as dormant ransomware, and it is now a regular occurrence.
Bad actors are highly motivated to cause as much destruction as possible to make more money and maximize their efforts — just as with any business, it’s all about ROI. Some reports suggest that ransomware sometimes lays dormant for up to 18 months. The bad actors know that optimal destruction depends on multiple factors, such as timing and scope. They want you to have no other choice but to pay the ransom.
In short, the old days of a breach and attack happening at the same time are long gone. This added complexity means that cybercriminals often know your systems better than even you do. Therefore, the chance that they launch a series of events designed to disrupt and disable critical systems to net larger payouts is rising drastically.
So, what should you do today to combat this new dormant ransomware and cyber-recon strategy? In the first part of this series, I discussed:
- Get Full Infrastructure Awareness
- Automate Alerts for Anomalous Behavior
- Limit Access & Reduce Your Attack Surface
Without further ado, here are the remaining three of the top six steps to ensure ransomware resiliency.
Make Resiliency & Rapid Recovery Your Goal
With the mindset that bad actors are already in your system, resiliency and rapid recovery should become the ultimate goal. We are talking about so much more than just a restore point, a single backup copy or making multiple copies. You must architect an optimized and simplified recovery experience that will help you get back up and running quickly, even at scale.
Truly optimizing for the recovery experience requires careful planning, orchestration, recovery options, cross-functional alignment and training, storage deduplication efficiencies, and global visibility and oversight. Having solutions that provide recovery from anywhere to anywhere, and flexibility and choice in the event of an attack or disaster, is critical.
Why? Well, cyberattacks are never one size fits all. Sometimes everything is impacted and you may need to recover an entire data center in the cloud and on demand. On the other hand, maybe not all your environment is impacted, just a portion; having solutions in place that allow you to grab individual databases and files to recover back quickly into production can be vital. In the case where entire servers become encrypted, you may need to quickly recover those entire servers elsewhere. Or maybe you just need to recover a large amount of virtual machines back to production.
Important reminder: Not all tools provide this level of flexibility. It is important to think through all of the scenarios and choose the right solution. And remember, multiple disparate backup solutions create a complicated recovery experience, especially when multiple systems are compromised. Simplify and streamline by reducing the number and variety of point products and vendors across your organization.
Use Immutable & Indelible Storage to Keep Backups Safe
I recommend the 3-2-1+1 methodology of data backup. That means at least three copies of your data on at least two distinct mediums with at least one offsite or segregated — and, have at least one of those copies on immutable and indelible storage.You can implement technology to help you easily and automatically execute a 3-2-1+1 methodology that ensures no single point of failure, by configuring lifecycle policies that send data over to a secondary or even tertiary domain. Look for technology that can send your data unidirectionally to a secure second location that can have different credentials configured and limited network capabilities, ensuring proper segmentation of your data protection environment. Even better are tools that can also send a copy of de-duplicated immutably stored data to the cloud.
Important reminder: Immutable and indelible storage helps ensure that your data cannot be changed, encrypted or deleted for a determined length of time, or at all. At first, make immutable storage your second copy, but once you get comfortable with your retention policies, make it your primary copy.
Rehearse Your Recovery
Cybercriminals hope that your organization is like most — not optimized for recovery. They want maximum damage and downtime to ensure they get paid. If you are ready and have rehearsed your recovery, you are a huge step ahead.
To get to rapid recovery, you must have a cybersecurity response plan for your entire environment that includes testing early and often. Yes, regular rehearsals of your recovery help to limit downtime and disruptions and reduce the impact of an attack. Look for technology that makes it easy and efficient to execute non-disruptive tests leveraging non-production resources such as fenced networks and sandbox environments.
Also, rehearse recovering everything, and not just a subset of your applications, including things like your domain, authentication, system time and other infrastructure services, as you will likely be recovering most or all of your production environment in the event of an actual attack.
Important reminder: Regular rehearsal and validation are vital for success because when you are in crisis mode, things just need to work.
In closing, one final harsh truth: It will get worse. Cybercriminals are sophisticated, well-funded and here to stay. Ransomware-as-a-service vendors exist in large numbers and have successfully transitioned to a highly profitable business model with the charter of successfully crippling organizations at their most vulnerable times to maximize ransoms. These businesses provide turnkey code, have advanced support networks with helplines, and provide tools for encryption, communicating with victims and facilitating ransom collection.
In addition to the dormant ransomware trend, we have already seen a vast influx of zero-day attacks in 2022. Along with patching and updating software regularly, it is also important to prioritize educating your employees across your entire organization. Zero-day attacks often capitalize on human error.
The good news is that you can be one step ahead of cybercriminals with the proactive steps outlined in this two-part series, diligence and some creative thinking.
Sonya Duffin is a ransomware and data protection expert at Veritas Technologies.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.