We’ve got the fundamentals down: ransomware attacks are a major concern, and threat actors target backups to encrypt or delete them. On the bright side, awareness of the latter appears to be increasing, as we have seen more organizations with viable data backup policies during ransomware incidents. According to data breach experts, this means that fewer end up being forced to pay the ransom to restore their data.
What can we learn from these companies? First, regardless of whether they used an enterprise-level or small-business backup strategy, they all had backups of all their critical systems. While that won’t be the focus of this blog post, its significance cannot be overstated: know your critical systems and back them up. In addition to knowing their environment and backing up critical systems, they followed best practices to ensure their backups were protected from threat actors so they could be recovered and restored. They all utilized the 3-2-1 backup strategy (also known as the “3 2 1 backup rule”), which we’ll explore below and then take one step further. Let’s do this.
An effective security strategy is a layered approach that has backstops and catchalls (I’ll spare everyone the onion analogy). It should be no surprise that the most effective data backup strategy is also about layers. Enter the 3-2-1 backup strategy, an approach that is as simple as it is effective. It goes:
The first layer is to have at least three copies of the data. I emphasize “at least” because I encourage going above this, especially since existing backup technology makes it so easy to automate the process. When thinking about copies of data, consider the following recommended configuration for your data storage system; the best practices throughout apply to all copies of the data.
This is a primary reason not to stop at just three copies: a disaster recovery plan exists precisely because this first copy can be impacted.
Keep these backups under lock and key!
Most commonly this involves two media. The first is tape backup, where data is written to a cassette tape and then stored offline. The second is following cloud backup best practices to safely store data in the cloud.
The different backup media types were scattered throughout the prior section. To summarize, these are the media types routinely seen in the 3-2-1 backup strategy:
Managed service provider or backup service
At this point, the offsite storage should be fairly straightforward. Two main options exist:
Physical media present more of a logistics challenge, but many vendors will securely store your backups and work with you to return them quickly when needed.
While they still require an active Internet connection, cloud backups offer an off-site backup solution that is easy to set up and maintain. Layering in the best practices above will help ensure they are stored safely.
Let’s not stop at 3-2-1. We’re going to take this a step further to maximize your backup strategy. Enter the 3-2-1-1-0 rule being popularized by backup provider Veeam.
There’s a reason immutable copies were a best practice. Immutability helps ensure that a backup copy can’t be deleted (whether accidentally or on purpose) or encrypted during a ransomware event. Done well, that immutable copy will be your backstop and a reliable part of your incident response and remediation strategy.
Test, test, test and practice good cybersecurity monitoring! It doesn’t matter what you do if you can’t confirm it actually works. This is a step so many organizations fail to take, and they only realize that something is broken when it is too late. You don’t have to be one of those companies! Many backup solutions have automated backup verification to ensure your data is viable. Go even deeper: put time on the calendar at least once a year to walk through the recovery procedure and test that the systems and applications work. It’s not enough to restore systems if the applications and services on those systems do not function after restoration due to hardware failure.
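The two ideas above, an immutable copy that can’t be silently altered and verification that ends with zero errors, are easy to state and easy to skip in practice. The following is an added example written for this post, not code from the original article or from any backup vendor: it hashes every file in a backup copy into a manifest at backup time, recomputes and compares the hashes later, and then scores an inventory of copies against each digit of 3-2-1-1-0. The `BackupCopy` fields, the manifest layout and the constructed sample files are assumptions for the example.

```python
"""Added example, not code from the original post: a minimal 3-2-1-1-0 check.

Two parts:
  1. build_manifest()/verify_copy(): hash every file in a copy at backup time,
     then recompute and compare later. Mismatches are the "errors" in the
     "0 errors" step of 3-2-1-1-0.
  2. evaluate_3_2_1_1_0(): given an inventory of copies (medium, offsite,
     immutable, verification errors), report which parts of the rule hold.
The BackupCopy fields and the manifest layout are assumptions for this example.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative path to its hash. Keep the manifest with the
    backup job's records, not inside the copy it describes."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_copy(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return one message per file that is missing or whose content changed."""
    problems: list[str] = []
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


@dataclass
class BackupCopy:
    name: str
    medium: str      # e.g. "disk", "tape", "cloud" (assumed labels)
    offsite: bool
    immutable: bool
    errors: int      # len(verify_copy(...)) for this copy


def evaluate_3_2_1_1_0(copies: list[BackupCopy]) -> dict[str, bool]:
    """Check each digit of the rule against the inventory. The production data
    counts as one of the copies, as in the usual reading of 3-2-1."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.medium for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        # bool(copies) stops all() from being vacuously true for an empty inventory.
        "0_errors": bool(copies) and all(c.errors == 0 for c in copies),
    }


def demo() -> tuple[list[str], dict[str, bool]]:
    """Constructed scenario: primary data, an intact local copy, and an offsite
    copy with one file missing and one altered."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        primary.mkdir()
        (primary / "db.sql").write_bytes(b"constructed sample database dump\n")
        (primary / "config.yml").write_bytes(b"constructed sample config\n")
        manifest = build_manifest(primary)

        local = Path(tmp) / "local_copy"
        shutil.copytree(primary, local)

        offsite = Path(tmp) / "offsite_copy"
        shutil.copytree(primary, offsite)
        (offsite / "config.yml").unlink()                       # deleted file
        (offsite / "db.sql").write_bytes(b"altered content\n")  # silent change

        offsite_problems = verify_copy(offsite, manifest)
        inventory = [
            BackupCopy("primary", "disk", offsite=False, immutable=False, errors=0),
            BackupCopy("local_copy", "disk", offsite=False, immutable=False,
                       errors=len(verify_copy(local, manifest))),
            BackupCopy("offsite_copy", "cloud", offsite=True, immutable=True,
                       errors=len(offsite_problems)),
        ]
        return offsite_problems, evaluate_3_2_1_1_0(inventory)


if __name__ == "__main__":
    problems, result = demo()
    print("offsite copy problems:", problems)
    print("3-2-1-1-0 status:", result)
```

In the constructed scenario the inventory satisfies the first four digits but fails the last one, because the offsite copy has a missing and an altered file. That is the point of the “0”: a copy that exists, sits offsite and is marked immutable still counts for nothing until a verification pass comes back clean.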
This can be through the hypervisor itself or through storage appliances that provide snapshots of the data. Be cognizant of where your snapshots are stored. In traditional disaster recovery situations such as failed disks, if snapshots are stored on the same storage as the production data, you risk losing both.
To take this further, leverage a backup appliance that has additional snapshot capabilities.
Limit access to these systems to only those accounts that are needed for functionality and management. This same concept applies to the accounts used to manage the backup process itself.
While cloud storage is not as instantly accessible as local storage, it can serve as another layer of offline storage and can be made immutable.
An effective backup strategy doesn’t have to be complex; you’ll find that sticking to the basics works wonders when you analyze your options for incident response solutions. If you follow this simple recipe, your chances of success will multiply. The layers exist to help you mitigate risk and reduce the likelihood of an attacker destroying your entire backup stack. Just as in security, layers of backups provide additional cyber risk mitigation. And just as in life, don’t assume that what you’re doing is effective. Test, confirm, practice good cyber monitoring, and sleep easier.