Ransomware gangs target an organization's data to encrypt it, rendering it unavailable, and then demand payment to restore it. The threat is evolving, and recent tactics include theft of an organization's data accompanied by threats to release it to competitors or the public, raising the stakes to force a company to comply with the blackmail. Attacks are increasing in number and in cost per incident. According to IBM, a single successful ransomware attack can cost up to $60 Million [1], and demands are frequently in the tens of millions of dollars [2]. Trends have shifted toward attacks against large corporations that can afford substantial settlements. Still, attention may shift back to smaller victims if the large corporations manage to tighten their cyber-security en masse. No matter the size of your organization, now is the time to develop a strong threat response.
A thorough approach to Ransomware prevention, detection, and response includes preventing initial access, having strong access controls on network endpoints, developing early detection capabilities for identifying active malware, and mitigating the worst-case scenario by developing and maintaining effective backup strategies. First, let us briefly examine the stages of a ransomware attack and then focus on the last line of defense to prevent the worst-case scenario - adequate backups.
The initial steps of launching a Ransomware cyber-attack are identical to those of other types of Malware attack; the attack distinguishes itself in the latter stages. The critical steps of a successful Ransomware attack pattern go something like this:
Because the initial steps of launching a Ransomware cyber-attack are identical to those of other types of cyber-attack, strong best practices for reducing the attack surface should be applied to all endpoints. Some industry-leading organizations, including NIST and CISA, have published detailed advisories for preventing initial access and enabling early detection of Ransomware attacks [2][3][4]. However, the latter stages of a Ransomware attack are distinct from other types of cyber-attack and deserve special attention. Restoring from backups is a last line of defense that can determine whether a Ransomware attack ultimately succeeds in forcing an organization to pay to regain access.
Having reliable push-button recovery from stored backups can enable recovery of critical systems and files and potentially avoid millions of dollars of ransom payout. Industry advisories specifically aimed at Ransomware backup strategy are numerous and provide a mountain of information regarding backup best practices, planning, implementation, and technical options [5][6][7][8][9]. At the same time, additional industry best-practice advisories should also be consulted when building a robust backup strategy [10][11][12][13]. Therefore, let us envision backups as a last line of defense by extracting the most critical elements from those industry advisories.
Data comes in many shapes and sizes, embodying a variety of business continuity risks. Identifying and labeling data allows risk management to be prioritized and applied. Carefully documenting and labeling all types of data according to their sensitivity level and operational criticality must happen before making decisions about particular technical solutions. Some of the most critical data include authentication passwords and keys, email correspondence, customer data, financial records, system event logs, sensitive business documents such as R&D project data, user documents, custom applications, and many other types of data depending on the individual organization.
Backup options themselves also come in several types.
Planning a backup solution using a combination of these backup types should primarily focus on the desired Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO sets the maximum amount of data loss that is acceptable. For example, with an RPO of one week, a worst-case scenario would cause you to lose one week of data, while an RPO of one day would limit the data lost to 24 hours. RTO sets the desired speed of recovery and defines the goal for complete restoration. RPO and RTO interplay such that a lower RTO and RPO require backing up more often, which increases storage costs. These RPO and RTO goals can be set individually for each data type identified and labeled in the previous step.
The 3-2-1 backup strategy model advises keeping three copies of data on at least two types of media, with one last-resort backup in the cloud or otherwise stored offsite. However, a rethink of the time-honored 3-2-1 strategy has been proposed, advising variations in line with specific organizational risk appetite [14]. An example of a variation of the traditional 3-2-1 would be 3-2-2, which may include one copy stored in the cloud and one copy air-gapped and held off-site.
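The RPO targets and the 3-2-1 / 3-2-2 copy rules from the two preceding paragraphs can be checked mechanically against a backup inventory. The following is an added example, not code from the original article: the data classes, copy records, timestamps and policy numbers are constructed for illustration. It goes slightly beyond the text in measuring RPO against the newest isolated (offsite or air-gapped) copy, since an always-connected onsite copy may be encrypted together with production data.

```python
"""Check a backup inventory against RPO targets and 3-2-1 style copy rules.

Added example for illustration; it is not from the original article. The data
classes, copy records, timestamps and policy numbers below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    data_class: str        # label assigned during data classification
    media: str             # "disk", "tape", "object-storage", ...
    location: str          # "onsite" or "offsite"
    air_gapped: bool       # physically disconnected between backup runs
    completed_at: datetime

    @property
    def isolated(self) -> bool:
        # A copy that is offsite or air-gapped is out of reach of malware on the
        # production network, so it is the one a worst-case restore relies on.
        return self.location == "offsite" or self.air_gapped


@dataclass(frozen=True)
class Policy:
    rpo: timedelta          # maximum tolerated data loss for this data class
    copies: int = 3         # total copies (the "3" in 3-2-1)
    media_types: int = 2    # distinct media types (the "2")
    offsite: int = 1        # offsite copies (the "1")
    air_gapped: int = 0     # air-gapped copies (1 for the 3-2-2 variant)


def evaluate(copies, policies, now):
    """Return {data_class: [findings]}; an empty list means the class is compliant."""
    report = {}
    for name, policy in policies.items():
        mine = [c for c in copies if c.data_class == name]
        issues = []
        if len(mine) < policy.copies:
            issues.append(f"only {len(mine)} of {policy.copies} copies")
        media = {c.media for c in mine}
        if len(media) < policy.media_types:
            issues.append(f"only {len(media)} of {policy.media_types} media types")
        offsite = sum(c.location == "offsite" for c in mine)
        if offsite < policy.offsite:
            issues.append(f"only {offsite} of {policy.offsite} offsite copies")
        gapped = sum(c.air_gapped for c in mine)
        if gapped < policy.air_gapped:
            issues.append(f"only {gapped} of {policy.air_gapped} air-gapped copies")
        # RPO is measured against the newest isolated copy, not the newest copy
        # overall, because a connected onsite copy can fall with production.
        isolated = [c.completed_at for c in mine if c.isolated]
        if not isolated:
            issues.append("no isolated copy to measure RPO against")
        else:
            age = now - max(isolated)
            if age > policy.rpo:
                issues.append(f"newest isolated copy is {age} old, exceeds RPO of {policy.rpo}")
        report[name] = issues
    return report


# Constructed inventory: three data classes with different recovery appetites.
NOW = datetime(2024, 1, 8, 9, 0)
POLICIES = {
    "financial_records": Policy(rpo=timedelta(days=1), air_gapped=1),  # 3-2-2
    "user_documents": Policy(rpo=timedelta(days=7)),                   # 3-2-1
    "event_logs": Policy(rpo=timedelta(days=1)),                       # 3-2-1
}
SAMPLE_COPIES = [
    BackupCopy("financial_records", "disk", "onsite", False, datetime(2024, 1, 8, 2, 0)),
    BackupCopy("financial_records", "object-storage", "offsite", False, datetime(2024, 1, 8, 3, 0)),
    BackupCopy("financial_records", "tape", "offsite", True, datetime(2024, 1, 1, 23, 0)),
    BackupCopy("user_documents", "disk", "onsite", False, datetime(2024, 1, 7, 22, 0)),
    BackupCopy("user_documents", "disk", "offsite", False, datetime(2024, 1, 7, 22, 30)),
    BackupCopy("event_logs", "disk", "onsite", False, datetime(2024, 1, 8, 8, 0)),
    BackupCopy("event_logs", "tape", "offsite", True, datetime(2024, 1, 5, 20, 0)),
    BackupCopy("event_logs", "disk", "offsite", False, datetime(2024, 1, 6, 12, 0)),
]

if __name__ == "__main__":
    for data_class, issues in evaluate(SAMPLE_COPIES, POLICIES, NOW).items():
        print(data_class, "OK" if not issues else issues)
```

In the constructed inventory, the financial records satisfy a 3-2-2 policy, the user documents fail on copy count and media diversity, and the event logs have enough copies but their newest isolated copy is older than the one-day RPO, which is exactly the situation that turns a ransomware incident into a data-loss incident.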
If backups are kept on network-accessible storage, Ransomware has attacked them in the past and will continue to do so. Air-gapping full backups for critical systems is the most effective way to ensure safe data. Rotating backup media so that only one copy is connected at any given time increases security by ensuring that at least one copy remains reliably protected. Some large enterprises have responded by deploying offline tape backups as a strategy. However, tape backups are expensive and require specialized IT staff, making them difficult for most SMEs.
Whether air-gapped or not, backup data needs to be further protected using additional measures. Even for air-gapped backups, note that network-attached storage devices contain their own embedded operating system, which could itself become infected with malware. Therefore, any backups with network access should employ strict access controls to protect the data from unauthorized access.
Completed backup data stores should have write permissions disabled for all users, including the data owner. This provides an additional measure of protection from unauthorized encryption. In addition, self-encrypting drives can protect the most sensitive data if physical backup drives are stolen. Finally, the integrity of each critical backup should be validated periodically by taking hash-sums of the contents.
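The two controls just described, disabling write permission on a completed backup and periodically validating it with hash-sums, can be scripted together. The following is an added example, not code from the original article; it builds a sha256sum-style manifest of a backup directory, strips the write bits, and then verifies both the hashes and the permission bits. The directory, file names and contents are constructed in a temporary directory so the script runs offline; the deliberate modification at the end of `demo()` only shows what the verifier reports when a file changes after sealing.

```python
"""Seal a completed backup (remove write permission) and verify it by hash manifest.

Added example, not from the original article. The backup tree below is
constructed in a temporary directory; names and contents are made up.
"""
import hashlib
import stat
import tempfile
from pathlib import Path

MANIFEST = "SHA256SUMS"                      # same layout as `sha256sum` output
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Write `<digest>  <relative path>` for every file under root; return the count."""
    root = Path(root)
    lines = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            lines.append(f"{sha256_of(p)}  {p.relative_to(root).as_posix()}")
    (root / MANIFEST).write_text("\n".join(lines) + "\n")
    return len(lines)


def seal(root):
    """Drop write permission for owner, group and others on every path in the tree."""
    root = Path(root)
    for p in [root, *root.rglob("*")]:
        p.chmod(p.stat().st_mode & ~WRITE_BITS)


def verify(root):
    """Return (ok, problems): missing, changed or unexpected files, and any file
    that is writable again (a sign the seal was lifted)."""
    root = Path(root)
    expected = {}
    for line in (root / MANIFEST).read_text().splitlines():
        digest, _, rel = line.partition("  ")
        expected[rel] = digest
    problems = []
    for rel, digest in expected.items():
        p = root / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != digest:
            problems.append(f"changed: {rel}")
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel != MANIFEST and rel not in expected:
            problems.append(f"unexpected: {rel}")
        if p.stat().st_mode & WRITE_BITS:
            problems.append(f"writable: {rel}")
    return (not problems, problems)


def demo():
    """Constructed scenario: seal a backup, verify it, then alter one file and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup-2024-01-08"
        (root / "db").mkdir(parents=True)
        (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers ...\n")
        (root / "config.yaml").write_bytes(b"retention: 30d\n")
        count = build_manifest(root)
        seal(root)
        ok_before, _ = verify(root)
        # A user with the owner's privileges can still re-enable write access and
        # overwrite a file; the periodic hash check is what catches that.
        target = root / "db" / "customers.sql"
        target.chmod(target.stat().st_mode | stat.S_IWUSR)
        target.write_bytes(b"\x00not the original contents\x00")
        ok_after, problems = verify(root)
        for p in [root, *root.rglob("*")]:          # allow temp-dir cleanup
            p.chmod(p.stat().st_mode | stat.S_IWUSR)
        return count, ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

Permission bits stop accidental or low-privilege writes but not an owner who restores them, so the manifest must live on a medium the backup host cannot alter (or be signed) and the hash check must run on a schedule; on Linux an immutable attribute (`chattr +i`) on the completed store raises the bar further than plain mode bits.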
Ensuring the effectiveness of a backup solution requires testing to verify that restoration can happen reliably and as quickly as possible. This testing process is necessary for determining the actual operational ability to meet RPO objectives, and it provides an opportunity to optimize and improve the restoration process. Table-top exercises are meetings where all critical staff discuss their roles in a restoration. Functional exercises prepare staff to identify gaps in planned procedures and validate procedural effectiveness.
An effective strategy to protect an organization against Ransomware includes prevention and response planning. The best-case scenario is preventing initial access with solid perimeter defenses. Stringent access controls can limit the extent to which Ransomware can pivot and impact critical resources. In addition, early detection strategies may be able to identify and stop exploitation at an early stage by containing and eradicating the Ransomware tools before they can infect and encrypt data. However, a failure to prevent these initial stages allows only a single last line of defense - backups.
Since Ransomware and Malware strategies and payloads are constantly evolving, developing and deploying a bullet-proof backup system as a last line of defense is critical. A backup plan can be designed to limit the amount of loss and the recovery time based on the sensitivity level of the various types of data in an organization while optimizing costs. Cloud and air-gapped backups are a crucial component of an effective backup strategy, keeping a barrier between persistent Ransomware and data, and testing backups periodically ensures their integrity. Finally, table-top and functional exercises help prepare for the worst-case Ransomware scenario.
References
[1] IBM / CISCO - IBM Security and Cisco Security: Addressing Ransomware
[2] Rapid7 - Ransomware Playbook
[3] NIST - NISTIR 8374 Cybersecurity Framework Profile for Ransomware Risk Management
[5] NIST - Protecting Data From Ransomware and Other Data Loss Events
[6] NIST - SP 1800-11 Data Integrity: Recovering from Ransomware and Other Destructive Events
[7] NIST - SP 1800-34 Validating the Integrity of Computing Devices
[8] NIST - SP 1800-25 Identifying and Protecting Assets Against Ransomware and Other Destructive Events
[9] NIST - SP 1800-26 Detecting and Responding to Ransomware and Other Destructive Events
[10] NIST - SP 800-53 Rev. 4, AU-9 Protection of Audit Information
[11] NIST - SP 800-184 Guide for Cybersecurity Event Recovery
[12] NIST - SP 800-57 Recommendations for Key Management