
Ransomware protection: Five steps to prevent attacks and manage risk

Written on: Jun 30, 2020 4:48:32 PM

Written by: Alex Raben

Topics: Commvault, Data Management, COOLSPIRiT

Ransomware — the moment of truth

A ransomware attack is a classic ticking-clock scenario. Your critical business data has suddenly been taken hostage. Hackers have used advanced encryption to render it inaccessible — and now they’re demanding an exorbitant amount of money to decrypt it. How will you respond? Can you ensure the safety of your data if you refuse to pay — or even if you do? While you consider your options, your organisation remains paralyzed. Every passing minute increases the pressure to make the right choice. 

In this blog, we’ll explore the elements of risk management, including planning, prevention, monitoring, fast restores and testing. We hope this information can keep you from becoming a victim by providing a critical last line of defense against ransomware.

Your five steps to prevent ransomware and manage risk

A complete ransomware strategy includes both reducing the risk of a successful attack and lessening the impact of an attack that does succeed. Broadly speaking, there are five things you need to do: plan, prevent, monitor, restore (quickly) and test.

1 - Create a plan

An ongoing attack is no time for improvisation or ad hoc measures. An effective plan is the foundation for a full and speedy resumption of normal operations. The essential elements of an anti-ransomware plan — like any disaster recovery plan — are what, when and who:

  • What – Identify and prioritize critical applications so you can focus first on the systems and data that matter most to recover.
  • When – Define the Recovery Point Objectives (RPO), Recovery Time Objectives (RTO) and Service Level Agreements (SLAs) for your systems, data and applications. How soon is soon enough to recover? How far back do you need the restore to go? Metrics like these will help you understand whether you’re adequately prepared for a ransomware attack, or if there’s more work you need to do.
  • Who – Which players will be involved in your data recovery efforts? How will they be notified? What conditions will trigger an escalation, and to whom? Your cast of characters should include both internal IT and line-of-business personnel, and external suppliers and vendors with a relevant role to play.

2 - Prevent attacks

While it’s not realistic to try to make your organisation completely invulnerable, every attack you can prevent will save you tremendous pain, time and cost. There are several ways to go about this. 

Start with user vigilance — possibly the single most important step you can take. Most ransomware — and most malware in general — is delivered via email and triggered by an unsuspecting employee. Preventing this can be as simple as checking attachments to make sure they’re from a known sender or trusted source before opening them. Similarly, software should be downloaded only from a legitimate vendor or app store, and should be scanned for malware before it’s opened or installed. Measures as simple as these could have stopped many high-profile breaches.

IT needs to act responsibly as well. Updates and patches should be applied in a timely manner — especially given that most successful attacks exploit vulnerabilities for which patches have long been available. Sound IT practices are simply non-negotiable. 

Once you’ve reduced the risk of malware entering your environment, the next step is to secure and protect your data against any exploits that do make it through. This should include:

  • Foundation hardening – Vulnerabilities and configuration flaws in your operating system, database, application and web server technologies can provide an entry point for all types of cyberthreats. For example, you should disable the use of Server Message Block 1 (SMB 1), which does not support encryption. Hackers can use these vulnerabilities to compromise the integrity of your data protection platform and put your backups at risk. Make sure your foundation is free of cracks.
  • Application hardening – Being able to access your applications directly makes life a lot easier for a cybercriminal. Use the AAA Security framework as a guideline for protecting your applications: Authentication, Authorization and Accounting.
      • For authentication, Commvault integrates with virtually any secured LDAP-based directory service like Active Directory, as well as external identity providers, via protocols like OAuth and SAML. Commvault also supports two-factor authentication for advanced login security. Credentials and impersonation accounts used for backups are securely encrypted using the credential manager. As an additional measure, certificate authentication ensures that only Commvault resources can talk to each other, protecting against spoofing and man-in-the-middle attacks.
      • Once users have been authenticated, use fine-grained authorization to control the level of access they’re granted. For example, admins should be allowed to manage backup data, but not browse, view, or restore data they don’t own. Requiring a passkey to perform restores can help you maintain control. A data privacy lock can offer similar assurance, restricting browse and restore operations to the data owner or other select parties.
      • Accounting includes tracking and auditing users’ data access and capabilities on a regular basis. Who has what access — and why? What are they using it for? Are there privileges you can remove to increase protection without impeding legitimate work? You should also audit data encryption regularly to make sure your most valuable assets aren’t hiding in plain sight.

3 - Monitor your environment

No matter how consistent and effective your countermeasures are, you have to assume that at some point ransomware will enter your environment. At that point, the focus shifts to monitoring: detecting the attack as quickly as possible so you can reduce its impact. 

Detection can include scanning servers for anomalies such as unusual file system behavior that can signal that an attack is underway. Machine learning has become a key asset in this effort, using historic data to recognize the difference between legitimate activity and signs of potential trouble. 

Honeypots take detection one step further by planting hidden decoy files of the types attackers find especially appealing, and monitoring them for changes to their contents or fingerprints and other anomalies. No legitimate process should ever touch a decoy, so any change to one is a strong signal that an attack is underway.
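The decoy-file idea above, as an added illustration that is not part of the original post and not Commvault’s own detection logic: a baseline fingerprint (SHA-256, size, Shannon entropy) is taken for each decoy, and a later check reports any decoy that is missing or changed. A changed decoy whose entropy jumps towards 8 bits per byte is flagged as probable encryption rather than an ordinary edit. The decoy names, contents and the 7.0 entropy threshold are constructed assumptions for this example; `simulate()` plants the decoys in a scratch directory, then emulates the aftermath of an intrusion by overwriting one decoy with random bytes and deleting the other.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Constructed decoy files (names and contents invented for this example). They
# are chosen to look like the documents ransomware typically encrypts first.
DECOYS = {
    "payroll_2019_backup.txt": b"employee,salary\nalice,1000\nbob,1200\n" * 8,
    "contracts/master_agreement.txt": b"MASTER SERVICES AGREEMENT\n" * 32,
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def fingerprint(path: Path) -> dict:
    data = path.read_bytes()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "entropy": shannon_entropy(data),
    }


def plant_decoys(root: Path) -> dict:
    """Write the decoys under root and return their baseline fingerprints."""
    baseline = {}
    for rel, content in DECOYS.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
        baseline[rel] = fingerprint(path)
    return baseline


def check_decoys(root: Path, baseline: dict, entropy_alarm: float = 7.0) -> list:
    """Return one alert per decoy that is missing or whose contents changed.

    Nothing legitimate should ever touch a decoy, so any change is an alert;
    a jump in entropy additionally points at encryption rather than a plain edit.
    The 7.0 threshold is an assumption chosen for this example.
    """
    alerts = []
    for rel, base in baseline.items():
        path = root / rel
        if not path.exists():
            alerts.append(f"MISSING {rel}")
            continue
        now = fingerprint(path)
        if now["sha256"] == base["sha256"]:
            continue
        kind = "ENCRYPTED?" if now["entropy"] >= entropy_alarm else "MODIFIED"
        alerts.append(
            f"{kind} {rel} size {base['size']}->{now['size']} "
            f"entropy {base['entropy']:.2f}->{now['entropy']:.2f}"
        )
    return alerts


def simulate() -> dict:
    """Plant decoys in a scratch directory, check them (no alerts expected),
    then emulate what an intrusion leaves behind: one decoy overwritten with
    random bytes (a stand-in for ciphertext) and one deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        baseline = plant_decoys(root)
        clean = check_decoys(root, baseline)
        (root / "payroll_2019_backup.txt").write_bytes(os.urandom(4096))
        (root / "contracts/master_agreement.txt").unlink()
        return {"clean": clean, "after_tamper": check_decoys(root, baseline)}


if __name__ == "__main__":
    for line in simulate()["after_tamper"]:
        print(line)
```

In production the check would run on a schedule or be driven by file-system change notifications, and the baseline would be kept somewhere the monitored host cannot alter; the entropy heuristic is a tie-breaker for the alert’s wording, not a precondition for raising it.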

4 - Restore your data

Fast restores can greatly reduce the impact of a ransomware attack. Not only do you still have an intact copy of your data — you also have the ability to make it available to systems and users quickly so you can resume normal business operations. 

There are three ways to back up data, each with different implications for restoration. 

  • Traditional backup operates at the file level. The system works through all the files and directories in the volume to determine whether they’ve changed and need to be part of the current backup. This can be a time-consuming and resource-intensive approach, though, as the system has to navigate every part of the index — an aptly named “tree walk.”
  • Block-level backup avoids the performance penalties of traditional backup by working on a block-by-block basis. The application doesn’t care how many files there are or what your index looks like. That allows faster, more efficient backups, which in turn makes it feasible to perform backups more frequently.
  • Replication takes a continuous approach to data backup. One way to do this is through continuous data replication (CDR), which involves logging all file write activity on the source computer, transferring this log to the data recovery platform, and replaying it to create a near real-time replica. Another option is to use incremental replication to continuously apply changes from a source backup to a synced copy of the backup. Volume block-level replication (VBR) is often the best approach, combining the efficiencies of block-level backup with the near real-time advantages of replication. This allows granular point-in-time recovery, crash-consistent recovery points, application-consistent recovery points and effective recovery point lifecycle management.

5 - Test your plan
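To make the block-level and point-in-time ideas in the list above concrete, here is an added example (not code from the original post, and not how Commvault implements block-level backup or VBR): a content-addressed block store that keeps one manifest of block hashes per recovery point, so only blocks never seen before are transferred and any recovery point can be reassembled from stored blocks. The 4 KiB block size and the constructed 16-block volume are assumptions for this example. `simulate()` takes a full backup, edits one byte and takes an incremental (one block crosses the wire), then overwrites the whole volume with random bytes as a stand-in for encryption and shows both that every block suddenly changes (itself a detectable anomaly, as in step 3) and that the last clean recovery point restores exactly.

```python
import hashlib
import os

BLOCK_SIZE = 4096  # assumed block size for this example


def split_blocks(volume: bytes, block_size: int = BLOCK_SIZE) -> list:
    return [volume[i:i + block_size] for i in range(0, len(volume), block_size)]


class BlockStore:
    """Content-addressed block store with one manifest per recovery point.

    A manifest is the ordered list of block hashes that made up the volume at
    snapshot time, so any recovery point can be reassembled from stored blocks
    without walking a file index at all.
    """

    def __init__(self):
        self.blocks = {}      # sha256 hex -> block bytes (deduplicated)
        self.manifests = []   # list index = recovery point id

    def snapshot(self, volume: bytes) -> dict:
        """Record a recovery point; only blocks never seen before are stored.
        The 'transferred' count is what would actually cross the wire."""
        manifest, transferred = [], 0
        for block in split_blocks(volume):
            digest = hashlib.sha256(block).hexdigest()
            if digest not in self.blocks:
                self.blocks[digest] = block
                transferred += 1
            manifest.append(digest)
        self.manifests.append(manifest)
        return {
            "point": len(self.manifests) - 1,
            "blocks": len(manifest),
            "transferred": transferred,
        }

    def restore(self, point: int) -> bytes:
        """Reassemble the volume exactly as it was at the given recovery point."""
        return b"".join(self.blocks[d] for d in self.manifests[point])


def simulate() -> dict:
    # Constructed 16-block volume: block i is filled with the byte value i, so
    # every block is distinct and the first backup must send all of them.
    volume = bytearray(b"".join(bytes([i]) * BLOCK_SIZE for i in range(16)))
    store = BlockStore()
    full = store.snapshot(bytes(volume))               # first backup: 16 blocks
    volume[5 * BLOCK_SIZE + 100] ^= 0xFF               # a one-byte edit in block 5
    incremental = store.snapshot(bytes(volume))        # only block 5 is sent
    clean_copy = bytes(volume)
    volume[:] = os.urandom(len(volume))                # stand-in for encryption
    after_encryption = store.snapshot(bytes(volume))   # all 16 blocks change
    return {
        "full": full,
        "incremental": incremental,
        "after_encryption": after_encryption,
        "restored_matches_clean": store.restore(incremental["point"]) == clean_copy,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

The ratio of transferred blocks to total blocks per snapshot is a cheap signal worth alerting on: a backup job that normally sends a handful of blocks and suddenly sends the entire volume looks exactly like mass encryption in progress, and the manifest history is what lets you pick the last recovery point from before that spike.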

Once you have your plan in place, along with the procedures and technologies to execute it, make sure it’s really going to work as needed. Perform frequent tests to verify that you can meet the SLAs you’ve defined for critical and high-priority data and applications.
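A concrete shape for the SLA verification in this step, as an added example that is not part of the original post: the RPO and RTO targets defined in step 1 are compared with evidence from the most recent backup and restore drill, and a missing backup or drill counts as a failure rather than an unknown, because an untested plan has not met its SLA. The application names, targets, timestamps and drill durations are constructed assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed records (all values invented): per-application targets from the
# plan next to evidence from the latest backup and the latest restore drill.
PLAN = [
    {"app": "erp",       "rpo_minutes": 15,   "rto_minutes": 60},
    {"app": "fileshare", "rpo_minutes": 240,  "rto_minutes": 480},
    {"app": "intranet",  "rpo_minutes": 1440, "rto_minutes": 1440},
]
EVIDENCE = {
    "erp":       {"last_backup": "2020-06-30T15:50:00", "drill_minutes": 75},
    "fileshare": {"last_backup": "2020-06-30T13:00:00", "drill_minutes": 120},
    "intranet":  {"last_backup": None,                  "drill_minutes": None},
}


def evaluate(plan: list, evidence: dict, now: datetime) -> list:
    """Compare each application's RPO/RTO targets with what the last backup
    and restore drill actually achieved.

    RPO is met when the newest backup is no older than the RPO window at
    'now'; RTO is met when the measured restore drill fits inside the RTO.
    No backup or no drill on record is reported as a miss, not as unknown.
    """
    results = []
    for target in plan:
        ev = evidence.get(target["app"], {})
        last = ev.get("last_backup")
        age = (now - datetime.fromisoformat(last)) if last else None
        drill = ev.get("drill_minutes")
        results.append({
            "app": target["app"],
            "backup_age_minutes": None if age is None else int(age.total_seconds() // 60),
            "rpo_met": age is not None and age <= timedelta(minutes=target["rpo_minutes"]),
            "rto_met": drill is not None and drill <= target["rto_minutes"],
        })
    return results


def sla_report(now: datetime = datetime(2020, 6, 30, 16, 0)) -> list:
    """Evaluate the constructed plan against the constructed evidence."""
    return evaluate(PLAN, EVIDENCE, now)


if __name__ == "__main__":
    for row in sla_report():
        status = "OK" if row["rpo_met"] and row["rto_met"] else "MISS"
        print(f"{row['app']:<10} {status}  {row}")
```

Run it after every drill and feed the misses into the escalation path defined in step 1; the useful output is the list of applications whose targets are not being met, not the ones that pass.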


Taking action against ransomware

With COOLSPIRiT and Commvault, your data protection and recovery solution can be a valuable part of your anti-ransomware strategy. Advanced technologies powered by artificial intelligence and machine learning make it possible to detect and alert on possible attacks as they happen so you can respond quickly. By helping keep your backups out of danger, and making it possible to restore them quickly, you can minimize the impact of even a successful ransomware attack and get back to business right away.

 

Learn more about our partnership with Commvault on a partner page.

Ready to talk? Call us on 01246 454 222 or email hello@coolspirit.co.uk
