Putting Ransomware Criminals Out of Business
The advent of anonymous peer-to-peer payment networks such as bitcoin has enabled cyber-criminals not only to steal and sell your data but to cut out the middleman and collect their ill-gotten rewards directly, with the added benefit of leaving no trail for law enforcement to follow.
Cyber-attacks continue to morph, and cyber-criminals now have the infrastructure available to hold your data for ransom. So rather than steal-and-sell data, they can encrypt it and hold it for ransom. Effectively, with ransomware cyber-criminals get their money quicker and can hold up a victim over and over until the attack vector is closed.
A dire situation? It is for those that take no action. It also seems that no matter how much you invest in security infrastructure and closing vulnerabilities, it’s a never-ending battle; for most of us, it’s just another mole to whack. But if we step up and take the profit out, ransomware attacks can be curtailed.
Okay, how? The answer is in the US National Institute of Standards and Technology (NIST) Cybersecurity Framework.
NIST developed the Cybersecurity Framework to “enable organizations to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure”. The NIST Cybersecurity Framework was released in 2014 and consolidates security research, international standards, and best practices into a comprehensive protection structure.
At a high-level, the framework has five functions, and under the functions are categories and sub-categories.
I’ll leave it to you to read the details on the NIST Cybersecurity site, but essentially the five functions boil down to:
Identify—understand your assets, risks, governance, and create a cyber-risk management strategy
Protect—protect the assets, train your people, and keep up on maintenance
Detect—create the processes and implement the technologies to detect cyber mischief, and monitor for anomalies
Respond—develop a cyber-incident response plan and continue to improve
Recover—develop a recovery plan, test it, and continue to improve
Okay, I took a little literary license in that interpretation. In some respects, if you have any kind of cyber-security program or security protection mechanisms in place, you are probably already doing the first four functions in some fashion. Maybe not as organized as the framework describes, or at the same level of practice, but most organizations have something in place: if not a Cyber Incident Response Center, then perhaps a help desk with a notification and response tree.
What most organizations don’t have is the ability to systematically recover from a destructive cyber-attack (ransomware, data destruction, or a wiping event), because we’ve not had to do that in the past. A cyber-criminal used to come in, steal the data, and leave. But when a cyber-criminal encrypts, destroys, or tampers with your data, the malware they used is still in your environment and must be removed and eradicated, and the vulnerability they exploited must be fixed.
Dell EMC’s Isolated Recovery Solutions provide you with the ability to recover.
In the Dell EMC Isolated Recovery Solution, copies of your critical data are protected in an isolated vault. Data is periodically copied into the vault over secured local networks, and at the end of the copy-in cycle the isolated recovery environment is segregated from the network. Inside the isolated vault, layers of additional security provide added protection.
In the event of a destructive cyber-attack, isolated copies of your data are available to begin your recovery.
But can’t you simply recover from last night’s backup? Certainly, provided the backup infrastructure was not compromised. In the Sony Pictures attack and several others, the backup data was destroyed first. Can you recover from tape? Yes, you can; after all, tape is the ultimate air gap. But consider how long a tape recovery takes, and how many generations of tape you need to go through to find clean data sets. Can’t I recover at a DR site? Recovering from a DR site is possible, but what’s the likelihood that the DR site was also compromised?
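The generation-hunting problem above, as an added illustration that is not part of the original post or of Dell EMC's product: a vault keeps a keyed hash manifest for each copy-in cycle, and at recovery time walks back from the newest generation to the first one whose manifest is intact, matches the stored data, and is not mass-encrypted. The vault key, the entropy threshold and the sample generations are constructed assumptions.

```python
import hashlib
import hmac
import math
from collections import Counter

# Constructed example: one keyed hash manifest per copy-in cycle ("generation").
VAULT_KEY = b"constructed-vault-key"  # assumption: the key never leaves the vault

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: documents sit well below 7.5, encrypted blobs near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def _canonical(digests: dict) -> bytes:
    return "\n".join(f"{n} {d}" for n, d in sorted(digests.items())).encode()

def build_manifest(files: dict) -> dict:
    digests = {n: hashlib.sha256(b).hexdigest() for n, b in files.items()}
    return {"digests": digests,
            "mac": hmac.new(VAULT_KEY, _canonical(digests), "sha256").hexdigest()}

def manifest_intact(manifest: dict) -> bool:
    expected = hmac.new(VAULT_KEY, _canonical(manifest["digests"]), "sha256").hexdigest()
    return hmac.compare_digest(manifest["mac"], expected)

def looks_encrypted(files: dict, limit: float = 7.5, ratio: float = 0.5) -> bool:
    """True when at least `ratio` of the files have near-random content."""
    high = sum(1 for b in files.values() if shannon_entropy(b) > limit)
    return bool(files) and high >= ratio * len(files)

def last_clean_generation(generations: list) -> int:
    """Newest intact, data-matching, non-encrypted generation; -1 if none (tape time)."""
    for idx in range(len(generations) - 1, -1, -1):
        files, manifest = generations[idx]
        if (manifest_intact(manifest)
                and build_manifest(files)["digests"] == manifest["digests"]
                and not looks_encrypted(files)):
            return idx
    return -1

def _doc(v: str) -> bytes:                    # constructed plaintext document
    return (f"Quarterly report {v}: revenue, costs, headcount. " * 60).encode()
def _blob(seed: int) -> bytes:                # deterministic stand-in for ransomware output
    return b"".join(hashlib.sha256(bytes([seed, i])).digest() for i in range(128))

SAMPLE_GENERATIONS = [(f, build_manifest(f)) for f in (
    {"a.doc": _doc("v1"), "b.xls": _doc("v1")},   # gen 0: clean
    {"a.doc": _doc("v2"), "b.xls": _doc("v1")},   # gen 1: one normal edit
    {"a.doc": _blob(1), "b.xls": _blob(2)},       # gen 2: encrypted by the attacker
)]
```

Running `last_clean_generation(SAMPLE_GENERATIONS)` returns 1, the last generation copied in before the encryption event; a manifest whose digests were altered after copy-in fails the HMAC check and is skipped.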
Adopting an Isolated Recovery Architecture is the best way to put ransomware attackers out of business. If an attacker doesn’t get a reward, then they will move on to something else.
Consider how the banking industry cut down the rash of bank robberies that periodically pops up. Banks implemented increased controls, surveillance, man-traps, time-controlled locks on safes, dye packs, and so on. Unfortunately, they couldn’t completely control stupid, but the measures have had the effect of reducing bank thefts. Likewise, those of us in IT and IT security can take the profit out of ransomware and move the cyber-criminals on to another endeavor.
While we will probably never reach a state of completely eradicating all vulnerabilities, and we won’t be able to control stupid, with an isolated recovery solution we can recover and mitigate the impact of an attack.
In my next blog post I’ll go over some strategies on how to recover from a cyber-attack.