It’s been an eyeopening experience having now been on the SecOps side of the fence for just under two months. Immersing oneself into the world of security has been entirely overwhelming, and one of the most worrying areas I feel is that quite honestly I don’t think anyone truly grasps the scale of ransomware attacks – which also involves malware and advanced persistent threats from a wide variety of ‘Hacking as a Service’ organisations. Absorbing just how vast this threat is to businesses small and large worldwide is not an easy feat…
An interesting take that I’ve seen recently is one of backup and infrastructure vendors touting their latest product to be the answer to a ransomware attack on your organisation. Of course, marketing departments wouldn’t be doing their job if they weren’t aiming their tech at the latest craze in order to gain your attention; but that doesn’t mean that it’s the complete answer to the problem we’re collectively facing.
Before going further – I do want to point out that the next-generation backup platform vendors are absolutely doing thing right thing in innovating their technology to be more secure by design. Airgapped and isolated filesystems which aren’t based on Windows, with flash-based performance for quick data recovery and analytics delivered to understand data movement and compromise is incredibly useful and certainly should be on the shopping list as part of an infrastructure refresh.
That said, a backup product is exactly that – a backup of your data. It’s your safety net in case everything goes belly up… protecting your Crown Jewels to bail you out should you need it. Backup technologies are your LAST line of defence to being attacked. It is never to be thought of as the first line, nor will backup technologies give you any proactive protection against ransomware or Hacking as a Service. It’s a reactionary method for data protection & recovery.
The issue with being reactionary to ransomware in believing you can restore your data is that the professional hackers-as-a-service organisations are already multiple steps ahead of you; hey are proactive in their methods.
According to IBM Security’s 2020 report, bad actor organisations have been in your environment for on average 280 days before your ransomware attack occurs. This is called Mean Time to Detection, also known as Dwell Time. To put this into context; if you were ransomware attacked NOW (May 2021), the bad actors have most likely been in your environment since August 2020 (this figure is up from 96 days in 2019 according to Crowdstrike – which just shows how more advanced threats are becoming in your environment).
During the “dwell time” period the bad actors sit and observe how your business operates. They watch who has access to which data across your estate, and then attempt to laterally breach any private or public cloud instances, as well as SaaS platforms you use – such as Office365/OneDrive. They scout out financial records, exfiltrate secret or sensitive company data/records, and watch the human interaction element of your organisation to see if they can mimic people of authority to fool others in order to perform their wishes (ie pretend to be the CFO, requesting an immediate PO to be raised to a new account urgently for vague services to a new bank account – yes, this happens).
I always work better with a diagram. Here, we can see the hackers have been in the environment grabbing secret data across your internal servers as well as Office365, understanding your finances in order to demand a “reasonable” ransom according to your profits, and manipulating your staff to perform their will. This has all happened without your knowledge over a period of weeks or months… perhaps some logs have been raised within some syslog or tool somewhere… but who has time to look at alerts when they’re just too noisy?
The issue here is: solely relying on your backup vendor to bail you out of ransomware jail is taking action way beyond when the horse bolted. Yes, you may be able to restore your data from backup – which will most likely take days or even weeks to bring data back to prod… but the bad actors have already exfiltrated your secret data and have coerced your staff… and with this information can still demand the ransom payment to be made.
Take the Colonial Pipeline attack from May 2021; the Darkside organisation compromised their billing system and exfiltrated data way before the attack was recognised by the business. The internal IT staff then attempted to restore from their data from backups during a few days post the attack, before deciding to pay a $4.4 million ransom to not just restore their data but remove the risk of data leakage.
The Irish Health Service were also under attack in May 2021. Turns out that the Conti ransomware org released a free decrypter due to them attacking a critical public health service which could end lives, BUT according to Bleeping Computer, they’re still holding them to ransom due to data exfiltration and are looking for a payment of $20m!!!
Another example is with Apple earlier in 2021. Hackers stole secret design documents from engineering and then demanded them pay a $50 million ransom, otherwise those secrets would be sold to the highest bidder on the dark web.Hacking company secrets leaked to a nation state or competitor is detrimental to the company stock price, and could lead to government sanctions, lost revenue or even the business folding. No form of backup data recovery is going to get you out of this hole, and thus you end up paying the ransom.
The only way to really combat Bad Actors delivering Hacking as a Service and the constant threat to your organisation is to get ahead of the problem proactively, rather than be reactionary. Some top tips to get ahead:
- Harden your environment by following the top CIS controls
- Investigate your public cloud and SaaS platforms for misconfigurations and default settings which should be altered – the Public Cloud is not your friend when it comes to default security settings.
- Constantly scan the dark web to understand any possible personal data exposure or plaintext passwords which could be a cause or effect of a breach
- Proactively patch vulnerabilities, zero-days and CVEs when they arise
- Invest in a strategy to proactively hunt threats across your cloud, networks and endpoint environments with a combination of machine learning technologies and seasoned security experts as a 24/7/365 operation
- Implement a human security awareness program that embeds security posture hardening into the culture of your company.
This topic is exactly why I decided to pivot from on-prem infrastructure in order to join a cloud security company such as Arctic Wolf.
By applying a strategic approach to Security Operations, Arctic Wolf delivers a cloud-native and Concierge focus to both proactive security posture hardening and threat detection and response, alongside cloud posture management & human security awareness – all delivered as a managed service. It feeds every piece of telemetry across private clouds, endpoints, public cloud/SaaS platforms as well as whatever security products you already have into the Arctic Wolf cloud (without needing a SIEM, SOAR, log aggregration, on-prem management tools and more), and delivers security operations via a named concierge security team integrating into your business to proactively capture issues, threats or vulnerabilities before they become a factor of a data breach.
Crucially this isn’t another tool, this isn’t a product you have to feed or water and manage yourself, nor is it a ‘machine learning only’ solution where you’re relying on complex ‘if-statements’ to respond to human manipulated threats. It’s a true service with seasoned security experts that integrate into your business to deliver proactive outcomes.
This takes you out of the “we must pay the ransom because we don’t know what they have or how long they’ve been here” bucket into the “we have proactive coverage across all our clouds, but should a Bad Actor attempt infiltration, we’ll catch it in 30 mins or less”.
In the same IBM Security report I referenced before, the average cost savings of containing a breach in under 200 days vs over 200 days is $1.12 million. The additional savings realised if you could respond in 30 mins or less to containing breaches is absolutely staggering.
Do I believe that backups are useful? Absolutely. And having additional security implemented within the backup technologies are a good thing to see. Yes, it should be an air gapped platform with a separate file surface (Windows based backup technologies are just asking for trouble right now), and if you can restore data QUICKLY from the backup platform, even better. Granular AD backup/recovery. It just won’t save you from the advanced threats that hackers are implementing these days.