
Opportunities to Improve Your Ransomware Security Planning

Common Mistake – Backup and DR plans often don’t account for ransomware scenarios

A critical part of any organization’s incident response plan is the ability to restore from backup or
failover to a standby site/system – that is the ultimate safety net if hackers get in despite your best
efforts (remember, no one is 100% bulletproof).

When organizations are crippled for days or weeks by a ransomware attack (e.g., Garmin, the City of
Baltimore, and Travelex), it raises the question: why didn’t they wipe their systems and restore from
backup? Too often the reason is that they lacked reliable backups and an effective disaster recovery plan
that addresses ransomware attacks.

Ransomware is different from other types of incidents that cause downtime or data loss. Here are three
key factors that make it unique:

• A ransomware virus can stay dormant for days before it’s activated, so your restore point – the
backup you use to recover – might have to go back several days or weeks. In fact, the backups
themselves may be infected. So it’s not necessarily as simple as restoring from last night’s
backup and carrying on.
• It’s not an obvious disaster, at least initially. There’s no fire, no flood, no hurricane, or even a
hardware failure. In fact, your system may be running perfectly fine. You just can’t use it. If your
DR strategy is designed only for smoking-hole scenarios, it’s not going to work for a ransomware
event.
• Your standby systems or DR site might also be infected or vulnerable to infection, so the
ransomware attack must be contained before you can execute a failover or you could be back at
square one as the virus traverses your network and eventually reaches your DR environment (if it
hasn’t already).

Take these actions to prepare your backup strategy and DRP for a ransomware attack:

• Apply Defense-in-Depth to your backup strategy: Snapshots and standard daily backups on
rewritable media aren’t good enough. You need multiple restore points and immutable backups.
• Ensure you have an effective DRP that accounts for ransomware events: Ransomware is unlike
traditional IT disasters. We can’t apply traditional IT disaster thinking and processes and expect
them to work.
• Integrate security response and disaster recovery: You need security and DR expertise working in
a coordinated manner to ensure a timely response to contain – and then recover from – a
ransomware attack.

Defense-in-Depth: Snapshots and standard daily backups on rewritable media aren’t good enough

You might be running hourly snapshots, local disk backups every night, and a tape backup that goes
offsite once a week. Sounds fairly thorough. Not so fast, though.

If a ransomware attack infects your local environment – including your backup server – all those
snapshots and local disk backups are now useless.

The time and money you’ve invested to minimize data loss due to traditional IT outages – from hard
drive failures to hurricanes – is meaningless in that moment because you didn’t guard against
ransomware.

Below are three strategies that will reduce your risk:

1. Improve your virus scanning: An ounce of prevention is worth a ton of recovery, so make sure your
anti-virus solution is solid enough to detect viruses before they reach your backups. However, this is a
bare-minimum strategy, because even the best virus scanners can’t catch everything.

2. Create multiple restore points, including offsite backups, on different storage media:

There are two goals with this strategy:

1) Provide more-frequent restore points so you don't lose as much data if you have to roll back.

2) Reduce the risk that backups are infected by using different storage media/solutions (disk, NAS, tape,
etc.) and backup locations (i.e., offsite backups). If you can make the virus jump through more hoops, it
gives you a greater chance of detecting the attack before it infects all your backups.

Also ensure your backup strategy aligns with business tolerances for data loss. If you are running hourly
snapshots because the business has set a target of no more than 1 hour of data loss, consider your
options if those snapshots are infected. If your best option is a week-old tape backup, that’s not good
enough.

I’m not advocating hourly offsite tape backups for all your data – or even necessarily using tape, as you
have other options to diversify storage media. Instead, start with your most critical data and design a
solution that considers business need, cost, and risk tolerance, as well as the concepts outlined here,
and then build from there.

For example:

For your most critical data, in addition to hourly snapshots, replicate data every four hours to your DR
site (i.e., offsite). Run your nightly backups at your DR site if that’s an option for you (again, removed
from your primary environment), or at least ensure your nightly local disk backups are taken offsite
every day.

Offsite backups don’t guarantee no infection, but it’s another layer of protection to reduce infection risk
and buy you time to detect and contain the attack.

There are many options, and this is just one example. Keep in mind the concept (multiple restore points
and diverse storage media/solutions) and consider the business impact to help you decide on cost and
strategy.

3. Invest in solutions that generate immutable backups: Most leading backup vendors offer options to
ensure backups are immutable (i.e., they can’t be altered or deleted after they’re written). Expect the
cost to be higher, of course, so again consider business impact when deciding what needs higher levels
of protection.
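As an added example (not from the article), a small Python model of restore-point selection under the three strategies above: a restore point is usable only if it predates the earliest possible infection (later backups carry the dormant malware) and sits on storage the infected environment could not reach. The schedules, dates, dormancy estimate, media labels and the `reachable` flag are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class RestorePoint:
    taken: datetime
    media: str       # constructed labels: "snapshot", "local-disk", "tape", "offsite-replica"
    reachable: bool  # could the infected primary environment (incl. backup server) alter this copy?

def schedule(first, last, every, media, reachable):
    """Constructed backup schedule: one restore point every `every` from `first` to `last`."""
    points, t = [], first
    while t <= last:
        points.append(RestorePoint(t, media, reachable))
        t += every
    return points

def select_restore_point(points, earliest_infection, now):
    """Newest usable restore point and the data loss it implies, or (None, None).
    Unusable: taken after the malware may have been present, or on storage the infection could reach."""
    clean = [p for p in points if p.taken < earliest_infection and not p.reachable]
    if not clean:
        return None, None
    best = max(clean, key=lambda p: p.taken)
    return best, now - best.taken  # data loss if we roll back to this point

# Constructed scenario: ransomware activated this morning; it may have been dormant up to 5 days.
NOW = datetime(2021, 3, 15, 9, 0)             # Monday
EARLIEST_INFECTION = NOW - timedelta(days=5)  # 2021-03-10 09:00
RPO = timedelta(hours=1)                      # business tolerance for data loss

BASELINE = (
    schedule(NOW - timedelta(days=7), NOW, timedelta(hours=1), "snapshot", reachable=True)
    + schedule(datetime(2021, 3, 8, 2), NOW, timedelta(days=1), "local-disk", reachable=True)
    + schedule(datetime(2021, 2, 28, 3), NOW, timedelta(days=7), "tape", reachable=False)
)
# Defense-in-depth: add a 4-hourly replica to the DR site that the infected environment cannot write to.
DEFENSE_IN_DEPTH = BASELINE + schedule(
    datetime(2021, 3, 8, 0), NOW, timedelta(hours=4), "offsite-replica", reachable=False
)

def evaluate(points):
    best, loss = select_restore_point(points, EARLIEST_INFECTION, NOW)
    if best is None:
        return None, None, False
    return best.media, loss, loss <= RPO  # (media, data loss, within business tolerance?)

if __name__ == "__main__":
    for name, pts in (("baseline", BASELINE), ("defense-in-depth", DEFENSE_IN_DEPTH)):
        print(name, evaluate(pts))
```

Note that in both strategies the dormancy window, not the snapshot frequency, sets the floor on data loss; the diverse offsite media only shrink it from a week-old tape to the last clean replica.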

Ensure your DRP is ready for a ransomware attack

At a high level, below are three elements of an effective DRP – and all elements might be required to
ensure your ransomware recovery meets business requirements:

• Agreement between IT and the business on recovery priorities, maximum downtime, and
maximum data loss. This determines where and to what extent you apply resiliency tactics such
as multiple restore points and diverse backup media. Resiliency is expensive, and most
organizations can’t afford to have maximum resiliency for all systems.
• A DR solution (DR site, backups, and associated technology) designed to ensure recovery
timelines meet business targets for maximum downtime and data loss.
• A recovery plan that is regularly tested to ensure your team is on the same page and there are
few surprises when a disaster occurs. This includes recognizing when an incident that may not
seem critical at first is actually a potential disaster. Tabletop planning is an effective method for
identifying gaps in your current recovery plans.

The layers you need to add to the above are:

• Taking steps to ensure your DR environment (whether it’s on-prem, at a co-lo, in the cloud, or
some type of hybrid) has appropriate security in place to reduce the risk that a ransomware
attack spreads to your DR environment before you can contain it.
• Integrating security response and DR if it’s a ransomware attack, as outlined in the next section.

Coordinate security response and disaster recovery

When I execute tabletop planning exercises with clients, the interaction and decision making between
the security and DR teams is often not clear. At best, that delays the response. At worst, the teams are
tripping over each other.

A timely and coordinated response starts with incorporating the disaster declaration decision into your
security response workflow. As the security team cycles through their incident management playbook,
be prepared to ask whether the attack rises to the level of a DR event – i.e., taking more drastic
measures such as wiping systems to restore from backup or failing over to your DR environment.

Three considerations will factor into your DR decision:

1. Business impact: If it’s a critical system, spending two weeks troubleshooting and slowly eradicating
the virus and repairing the system is not acceptable.

2. Potential duration: Will the potential duration exceed tolerance for downtime? Again, if it’s a critical
system, you have less time before the business is significantly impacted. Be careful with estimating
duration, as it’s easy to fall into the trap of “I just need 30 more minutes.” Next thing you know, 8 hours
have passed and you’re in a much deeper hole. To avoid that trap, establish checkpoints where you look
hard at whether to start the failover if the incident has not been resolved yet.

3. Recovery capability: If it’s going to take you two days to failover, then you might give yourself more
time to repair in place. On the other hand, if two days to recover doesn’t meet business targets, then
you need to revisit your DRP.

As you move from analysis to containment to recovery, infrastructure staff have to be involved – not
just on standby, but as part of a coordinated attack response. It can’t be hard hand-offs between the
teams, as that delays containment and recovery.

For example, the infrastructure team’s tactics for isolating an infected system can conflict with the
security team that still needs to access the system to analyse the attack, determine the spread, and
identify the appropriate restore point. Similarly, if a critical database was infected, you need expertise
from the DBA to assess the damage and determine possible recovery options.

Summary
You might have an excellent backup and recovery strategy for a SAN failure or even for simply restoring
a file that a user accidentally deleted. However, ransomware is a different animal. Take a hard look at
your existing backup and DR strategy and make sure they can support recovery from a ransomware
attack.

Acknowledgement to Frank Trovato (BCP, DRP, Crisis Management expert) for his article series on improving
ransomware readiness. Link to Article Series
