Data search and indexing vendor, Index Engines, has said that companies wanting to counter ransomware attacks should pay more attention to their backups. This is not just a “restore and recover” message. It focuses on using backups to identify attacks and understand the impact an attack can have.
However, there is a caveat. Some ransomware variants now actively look for backups and pause them ahead of an attack. It leaves victims at increased risk.
Jim McGann, vice president of Index Engines, said: “Perpetrators of attacks are no longer individual cybercriminals or disgruntled employees, they’ve become high-tech organizations offering Cyberattack-as-a-Service (CAaaS), complete with big budgets and help desks.
“Sadly, many enterprises are not prepared to go into battle because the very systems that are supposed to keep them safe, backed-up and secure, are not as effective as they need to be.”
Backups are more than just a data dump
One of the key parts of the Index Engines message here is that backup products have to do more than just data copying. They need a raft of additional capabilities to help counter ransomware. The first four capabilities it calls out are:
- Scan: search backups for signs of attack/compromised data in content (both unstructured files and databases as well as core infrastructure) such as encryption, ransomware, mass deletion, and slow corruption.
- Alert: immediately notify administrators when signs indicate an attack may have occurred.
- Diagnose the attack: understand the who, what, where and when of the attack to support recovery.
- Identify the last good backup: find the last known uncorrupted version so operations return to normal with minimal downtime.
Some of these capabilities, such as scanning backups for malware as they are created, have been appearing in backup products for a while. But is this enough? A scan at the time the backup is created is only effective against ransomware that is already known. How do you scan existing backups once new attacks are identified?
Defeating the smarter cybercriminal
Additionally, cybercriminals are getting smarter when it comes to avoiding detection. Many use techniques such as infecting a victim but not launching the attack for some time, which allows ransomware and other attacks to sit dormant in backups. When a backup is restored, the attacker reactivates the attack, and the victim is back at square one.
To counter that, and other techniques such as slow attacks or hiding inside VMs, Index Engines wants to see a further set of capabilities. These are:
- Metadata analysis: as ransomware has become far more advanced, relying solely on file metadata for signs of attack is no longer reliable and can be circumvented.
- Trusting backups without first validating their integrity: slow attacks can gradually corrupt data, resulting in companies restoring data that still contains ransomware.
- Trusting security software alone: attacks can hide inside virtual machines and cached copies of data, among other methods, to circumvent traditional security software.
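To make the scan, alert, last-good-backup and slow-corruption points above concrete, here is an added example that is not Index Engines' code or product logic. It compares successive backup runs by content rather than metadata, flags mass deletion, sudden encryption (measured by byte entropy) and gradual corruption, and reports the last backup taken before the first alert. Thresholds, file names and the sample backups are constructed for the example.

```python
import math
from collections import Counter
from typing import Dict, List, Tuple

Snapshot = Dict[str, bytes]  # path -> file contents captured by one backup run

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted data, far lower for plain documents."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compare(old: Snapshot, new: Snapshot, threshold: float = 7.0) -> Dict[str, float]:
    """Fraction of the files in `old` that vanished or turned high-entropy in `new`."""
    if not old:
        return {"deleted": 0.0, "encrypted": 0.0}
    deleted = sum(1 for p in old if p not in new)
    encrypted = sum(1 for p in old if p in new
                    and shannon_entropy(old[p]) < threshold <= shannon_entropy(new[p]))
    return {"deleted": deleted / len(old), "encrypted": encrypted / len(old)}

def scan_backups(snapshots: List[Snapshot]) -> Tuple[List[Tuple[int, str]], int]:
    """Return (alerts, index of last good backup). Sudden signals are measured against
    the previous run, slow corruption against the first run so small steps add up."""
    alerts, last_good = [], 0
    for i in range(1, len(snapshots)):
        sudden = compare(snapshots[i - 1], snapshots[i])
        creep = compare(snapshots[0], snapshots[i])
        verdict = None
        if sudden["deleted"] >= 0.5:        # thresholds are constructed for this example
            verdict = "mass deletion"
        elif sudden["encrypted"] >= 0.5:
            verdict = "encryption"
        elif creep["encrypted"] >= 0.2:
            verdict = "slow corruption"
        if verdict:
            alerts.append((i, verdict))     # Alert: what an administrator would be told
        elif not alerts:
            last_good = i                   # advances only until the first alert fires
    return alerts, last_good

# Constructed sample: ten small documents, then one file per run replaced by a
# high-entropy stand-in for ciphertext, i.e. a slow corruption attack in progress.
DOCS = {f"docs/report{i}.txt": (f"quarterly report {i} " * 20).encode() for i in range(10)}
CIPHERTEXT = bytes(range(256)) * 4  # every byte value equally often: entropy exactly 8.0

def slow_corruption_run() -> List[Snapshot]:
    runs = [dict(DOCS), dict(DOCS)]  # two clean runs first
    for k in range(3):
        runs.append({**runs[-1], f"docs/report{k}.txt": CIPHERTEXT})
    return runs
```

Because the creep check is made against the first run, three files corrupted one run at a time is caught at the third run, and the scan reports run 2 as the last good backup.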
Enterprise Times: What does this mean?
Backups have long been seen as a solution to cyberattacks. The problem is that many organisations place unproven trust in their backups. For example, if you don’t test the restore of a backup, you cannot be sure it has any value. Another reason for doing test restores is to ensure that all data is properly backed up. IT is a dynamic environment with new systems constantly being added, and it can be hard to ensure that the backup routines catch everything.
What Index Engines is asking for, however, is not just verifiable backups. It wants capabilities that SecOps teams can use to ensure backups have a place in the post-attack recovery.