September 13, 2023
It's a story repeated all too often. Repeated, in fact, every 11 seconds across the world. The late-night escalation call, the spike in disk IO, the denied logins, and ultimately some form of communication asking for payment. These attacks infiltrate businesses through multiple vectors, from email compromise to adversary-in-the-middle phishing, payroll redirection attacks, and traditional website vulnerabilities. But after the dust settles, these attacks all have one thing in common: the goal is extortion. This attempt to extort enterprises comes in two predominant forms:
While preventing this type of attack is an aspiration of any organization, a plan to respond to and recover from an incident should be part of every company's strategy. Any response plan will require some key pieces of information so that intelligent decisions can be made.
Here we will focus on 4 pillars of a modern data protection platform:
Once upon a time, people needed a different username and password to log in to each system they used or managed, creating a lot of management overhead and a lot of information for a user to remember. To combat that complexity, people started using the same usernames and passwords on all the different systems they accessed, at least until they got out of sync due to different expirations or other issues. Then someone came along and said, "Hey, as long as we are using the same usernames and passwords, why not federate them and create Single Sign-On capabilities, so we have one point of management and users only need one set of credentials." Perfection was finally achieved! That is, until it was realized that if an account was compromised, the bad actor had access to EVERYTHING, and the risk was exponentially worse if that user was also an administrator. Now, with criminal organizations operating a multi-billion-dollar industry built on exploiting this weakness, rethinking our approach to the security of authentication and identity management is critical, especially when it comes to protecting an organization's data.
Zero Trust - This is the first, and possibly most important, aspect to shore up, and it can be summed up simply: production and backup environments should not be in the same authentication domain. Production domains with end users are the most likely to be compromised first, and if an attacker gains access to an account and elevates privilege, they have the keys to the kingdom. If backup is part of that kingdom, the attacker can grant themselves access to it with minimal effort, and there is no limit to the damage they can cause. Isolate credentials in backup environments so that they are used only for that environment, particularly for administrative-level users with policy-altering or data-destruction capabilities. If centralized password databases are kept, take extra precautions to ensure they are accessible only by duly authorized entities, and consider air-gapped storage for the most critical credentials.
Infrastructure Security - Second only to leaving the default passwords on your storage arrays, having the administrative interfaces of your primary and backup infrastructure participate in the production authentication domain is a recipe for disaster if a hostile actor gets in. Many storage platforms do not have robust authentication capabilities, and even those that do can be subject to an array of denial-of-service attacks, such as over-provisioning or changing retention policies, by a motivated admin-level user. Perhaps someday all platforms will integrate a "two-man rule" protocol for potentially data-destructive actions, but until then, isolating access is the best stopgap. Securing the administrative interface is critical, but all points of attack, including KVM, CLI, and API calls, need to be thoughtfully secured as well. Bottom line: your data will only be as secure as the platform it resides on.
Infrastructure Dependencies - Ensuring your software, devices, and appliances are secure is important, but there is usually adjacent infrastructure that can be vulnerable to attack and can cause downstream impacts. Obviously, a compromised identity provider is a key vulnerability, so steps should be taken to lock that down. However, something like a time server (NTP) can be another critical vulnerability if retention policies and data aging are tied to an expiration date. Some platforms can defend against NTP poisoning attacks, but others may not, so thought needs to go into both the security of the time service and the policies that may drive automated aging. How might those systems be affected if the time were set forward, say, 20 years?
Multifactor Authentication - MFA/2FA has been around for decades to protect defense, banking, finance, and other critical services. It provides a secondary method of identity validation that will deny access even if a username/password combination is known. This will prevent most casual attacks and generally requires a man-in-the-middle-style attack to circumvent, usually against SMS or email push notifications. Cyber insurance companies are starting to require MFA, so support for MFA is expanding; therefore all systems that are able should require it to log in.
Role Based Access Control - RBAC is a fancy way of saying give people only what they need based on their requirements. The days of giving everyone more access than they need are behind us. If a user needs restoration capabilities only, they shouldn't have access to create, delete, or modify policies. Only specific admins in locked-down accounts should have such access. Everyone else gets a personal valet key.
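To make the "second factor" concrete, here is an added example (not code from the article or from any vendor it describes) of one common MFA form, a time-based one-time password per RFC 6238, wired into a login check that only succeeds when both the password and the current code are right. The secret is the RFC's published reference secret so the codes can be compared with the RFC test vectors; the account record, password hashing and replay guard are constructed for the demonstration. A production system would use a vetted library and an enrolled, random per-user secret.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the RFC 6238 reference secret, so the codes produced here can be
# checked against the RFC's published test vectors. Real secrets are random and per user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, last_counter=None, window=1, step=30, digits=6):
    """Return the matching time-step counter if `submitted` is valid, else None.
    `window` tolerates clock skew of +/- one step; counters at or below `last_counter`
    are refused so a code already used (or captured from the user) cannot be replayed."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


class Account:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    ITERATIONS = 100_000

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)
        self.totp_secret = totp_secret
        self.last_counter = None  # highest time-step counter already consumed

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)
        return hmac.compare_digest(candidate, self.pw_hash)


def login(account: Account, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated and access is denied unless both pass,
    so a leaked or guessed password on its own never grants access."""
    password_ok = account.check_password(password)
    counter = verify_totp(account.totp_secret, code, unix_time, account.last_counter)
    if not (password_ok and counter is not None):
        return False
    account.last_counter = counter  # consume the code so it cannot be presented again
    return True


if __name__ == "__main__":
    acct = Account("correct horse battery", DEMO_SECRET)
    print("code at T=59:", totp(DEMO_SECRET, 59))               # RFC 6238 vector: 287082
    print("password + code:", login(acct, "correct horse battery", "287082", 59))
    print("password only, wrong code:", login(acct, "correct horse battery", "000000", 59))
```

The replay guard matters in the scenario the article describes: a code phished out of a user through a relay is single-use, so the defender at least narrows the attacker's window to one time step rather than leaving the code reusable.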
Protecting backup data properly comes down to a few generally easy-to-follow guidelines and revolves around making sure the data that is backed up is not only secured, but that there are multiple copies in multiple locations.
Data Encryption - There are multiple points at which data and data transfers can be, and SHOULD be, encrypted. Protecting data in flight with mechanisms such as SMB packet signing, HTTPS with valid certificate chains, and others can prevent man-in-the-middle attacks and data leaks, which can expose information like usernames and passwords that allow access to important backup data.
Air Gapped Backup Copy - Multiple definitions of air gapping exist, from a physical copy, such as tape stored in a different location than the source of the original data, all the way to a logically segregated network copy with minimal access. This is a terrific way to have a copy of backup data that is not accessible to bad actors in the event services are compromised.
Immutability - There are several ways to achieve immutability. It ensures that any data written cannot be altered or deleted before a set retention date is reached, and it is a crucial step in preventing your backup data from being purged or altered in the event of a data breach.
Recovery Focused Data Protection - Protecting your backup data is a great start, but having the ability to recover that data in the event of a breach is vital to keeping your company afloat. Most major backup vendors support a method of live-mounting your data to make it immediately accessible and usable should the need arise. Options such as snapshotting your databases can instantly reverse any changes that were made, should that data be compromised by bad actors or accidentally by a privileged user. Ensuring your data is quickly accessible means that if something does happen, administrators can act quickly to restore functionality.
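"HTTPS with valid certificate chains" is where in-flight protection most often gets quietly switched off. The added example below (not code from the article; it uses Python's standard `ssl` module only) shows a client context that actually validates the chain and hostname, the common weakened form next to it, and a small audit that flags the weak settings so they can be caught in code review or a config check rather than in an incident.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that validates the server's chain against the system trust store
    and matches the certificate to the hostname we intended to reach."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' pattern: any certificate, including one
    presented by an on-path attacker, is accepted. Shown here only so the audit has a target."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE   # chain is no longer validated at all
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings for settings that undermine in-flight protection."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the intended host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version permits TLS older than 1.2")
    return findings


def open_verified_connection(host: str, port: int = 443, ctx: ssl.SSLContext = None) -> ssl.SSLSocket:
    """Connect with the hostname passed into the handshake so SNI and hostname matching
    both work; an invalid chain raises ssl.SSLCertVerificationError instead of proceeding."""
    ctx = ctx or hardened_client_context()
    sock = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    for finding in audit_context(weak_client_context()):
        print("weak:", finding)
```

`open_verified_connection` is not exercised offline; it is there to show the one call-site detail that matters, passing `server_hostname`, without which hostname checking has nothing to compare against.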
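The immutability guideline above and the NTP question in the Infrastructure Dependencies pillar (what happens to date-driven aging if the clock is set forward 20 years) share one worked example here. It is an added illustration, not code from the article or any product it refers to: a WORM-style store that refuses alteration or deletion before `retain_until`, a trusting aging sweeper that expires everything when the clock jumps, and a guarded sweeper that holds all expirations when the clock is implausible. The `last_seen` checkpoint, the jump and fraction thresholds, the object names and the epoch are all constructed for the demonstration.

```python
from dataclasses import dataclass

DAY = 86400
T0 = 1_693_526_400  # constructed epoch for the demo: 2023-09-01 00:00:00 UTC


class RetentionError(Exception):
    """A write or delete would violate an object's retention lock."""


class ClockError(Exception):
    """The wall clock is implausible relative to the last persisted sweep time."""


@dataclass(frozen=True)
class BackupObject:
    name: str
    data: bytes
    written_at: int    # UNIX seconds
    retain_until: int  # UNIX seconds; no alteration or deletion permitted before this


class ImmutableStore:
    """WORM-style store: written once, never altered, deletable only after retain_until.
    A real platform enforces this beneath administrator privilege; the dict stands in for that."""

    def __init__(self):
        self._objects = {}

    def put(self, name: str, data: bytes, now: int, retention_seconds: int) -> None:
        if name in self._objects:
            raise RetentionError(f"{name}: already exists and is immutable")
        self._objects[name] = BackupObject(name, bytes(data), now, now + retention_seconds)

    def delete(self, name: str, now: int) -> None:
        obj = self._objects[name]
        if now < obj.retain_until:
            raise RetentionError(f"{name}: locked until {obj.retain_until}, now is {now}")
        del self._objects[name]

    def expired(self, now: int) -> list:
        return sorted(n for n, o in self._objects.items() if now >= o.retain_until)

    def __len__(self) -> int:
        return len(self._objects)


def naive_sweep(store: ImmutableStore, now: int) -> list:
    """Aging that trusts the clock completely: a clock 20 years ahead expires every copy."""
    names = store.expired(now)
    for name in names:
        store.delete(name, now)
    return names


class GuardedSweeper:
    """Aging that refuses to act on an implausible clock. `last_seen` is the wall-clock value
    persisted at the end of the previous successful sweep (an assumed mechanism)."""
    MAX_FORWARD_JUMP = 7 * DAY  # longer than any plausible gap between sweeps
    MAX_EXPIRE_FRACTION = 0.5   # never expire more than half the store in one pass

    def __init__(self, store: ImmutableStore, last_seen: int):
        self.store = store
        self.last_seen = last_seen

    def sweep(self, now: int) -> list:
        if now < self.last_seen:
            raise ClockError(f"clock moved backwards: {now} < last seen {self.last_seen}")
        if now - self.last_seen > self.MAX_FORWARD_JUMP:
            raise ClockError(f"clock jumped {(now - self.last_seen) // DAY} days; holding expirations for review")
        names = self.store.expired(now)
        if len(self.store) and len(names) / len(self.store) > self.MAX_EXPIRE_FRACTION:
            raise ClockError(f"{len(names)} of {len(self.store)} objects would expire at once; holding expirations")
        for name in names:
            self.store.delete(name, now)
        self.last_seen = now
        return names


def build_demo_store() -> ImmutableStore:
    """Constructed sample data: four copies written the same day with different retention."""
    store = ImmutableStore()
    store.put("db-daily", b"constructed payload", T0, 30 * DAY)
    store.put("db-weekly", b"constructed payload", T0, 90 * DAY)
    store.put("db-monthly", b"constructed payload", T0, 365 * DAY)
    store.put("db-yearly", b"constructed payload", T0, 7 * 365 * DAY)
    return store


def run_demo() -> dict:
    """Same data under a trusting sweeper and a guarded one; returns the outcomes."""
    results = {}
    store = build_demo_store()
    try:
        store.delete("db-daily", T0 + 10 * DAY)       # 20 days before its retention date
        results["early_delete_refused"] = False
    except RetentionError:
        results["early_delete_refused"] = True
    results["naive_expired"] = naive_sweep(build_demo_store(), T0 + 20 * 365 * DAY)
    sweeper = GuardedSweeper(store, last_seen=T0 + 30 * DAY)
    results["guarded_expired"] = sweeper.sweep(T0 + 31 * DAY)  # honest daily run
    try:
        sweeper.sweep(T0 + 20 * 365 * DAY)            # clock poisoned 20 years forward
        results["jump_refused"] = False
    except ClockError:
        results["jump_refused"] = True
    results["remaining"] = len(store)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two guards are deliberately coarse. A platform that persists its own last-known-good time and caps how much can age out per run turns a poisoned time source from a silent mass purge into a held queue that an operator has to approve, which is the same "two-man rule" instinct the article applies to other data-destructive actions.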
The most fundamental role of any data protection solution is to protect corporate data and important system and application configurations. Let's take a look at how modern data protection solutions can put data protection on autopilot, give us flexible visibility tailored to engineers, auditors, and C-level, and allow us to track changes in our data protection environment to ensure configuration changes don't compromise the security of our data.
Recovering from a ransomware attack isn't just about getting applications back online quickly. In the heat of the moment, this is probably the first thing that crosses an administrator's or IT leader's mind. However, understanding how and what data was impacted can be just as critical to the recovery effort and reporting requirements that result from a data breach. Here are three data intelligence features every organization should have:
Implementing, maintaining, and continuously improving upon your data protection platform is a journey. Like all great journeys your chances of success are greatly improved with a seasoned guide walking with you step by step as you modernize your data protection. Call your AE Business Solutions team today and get ready to embark!