The events and evolution of cyber-attacks have been well documented many times in the press over recent years.
Unfortunately, that coverage has also shown how badly many organisations have suffered at the hands of cybercriminals. In this blog we discuss where it all started and where we are today, including how cybercriminals are changing tactics to increase their financial gain, and how best to protect your most critical asset: data.
Cyber threats have existed for several decades, starting with fairly simple malicious code and viruses that targeted a single machine at a time and were, at the time, considered more of a 'nuisance' than anything sinister. Around 2001, however, we started seeing more organised and wider attacks, including DDoS (Distributed Denial of Service) attacks, and from then on we heard more about technologically literate criminal gangs with one main goal: to extort money from their victims. This focus fuelled continuous growth in the capabilities of these criminals, and in the sophistication required of the security and anti-virus companies that came to market to thwart them.
Over the last decade cybercrime has grown beyond all expectations and is now worth billions of dollars annually to cybercriminals. The techniques used for extorting money and evading detection have grown, as has the whole security industry required to counter these threats.
In 2016 the UK government launched the National Cyber Security Centre (NCSC) to promote a wider understanding of the cyber threat landscape and to help organisations prepare for these threats. Roughly a year later, in 2017, IT teams across the globe experienced the widespread damage caused by encrypting ransomware (for example WannaCry, which severely impacted the NHS in the UK). That malicious code spread by exploiting a vulnerability in unpatched Windows operating systems, which taught us all that a rigorous data protection strategy is not enough on its own: patching and infrastructure management processes matter just as much.
At this point the threat to organisations' data had become very real for IT teams, and, in line with industry guidance, attention focused on backups and solid data protection strategies, on the assumption that with a robust backup solution in place an organisation could always recover from an encryption-based attack. In response, cybercriminals turned to other areas of the IT environment, writing code that also attacks backup repositories in an attempt to render backup and recovery solutions inoperable. And so the cycle continued...
As cybercriminals looked for ways to compromise backup infrastructure, organisations replicated backup data to multiple sites and even to the cloud. Cybercriminals watched and developed techniques to follow the data wherever it was replicated, which enabled them to compromise multiple copies of it.
Around this time our industry coined the term 'air gapped' copies of data, which became very prominent. It describes making a copy of live or backup data and placing it in a separate location that is not immediately available, accessible or addressable from the primary location (in effect introducing an 'air gap' between the two). Tape was, and still is, a good example of a medium that creates such an air gap. Alternative disk-based solutions were also introduced to the market, on-premises or cloud-hosted, built on immutable storage repositories or immutable file systems: systems designed to prevent data from being altered or deleted after it has been written, typically for a defined retention period. Such storage can massively help IT teams recover from a direct encryption attack, but one point to remember is that it does not prevent the backup solution itself from being disabled: an attacker who cannot touch the existing copies can still stop new ones being made, so the backup job needs monitoring as well as an immutable repository.
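The two halves of that last point, an immutable repository and the separate check that the backup job is still running, are easy to confuse, so here is a small Python model of both. This is an added example written for this post; it is not Arcserve or COOLSPIRiT code and does not reproduce any product's API. The object names, the 30-day retention period, the daily schedule and the timestamps are all constructed for illustration, and the repository uses its own simulated clock so the scenario runs offline.

```python
"""
Toy immutable (write-once) backup repository plus a backup-cadence check.

Added example for the blog post, not vendor code. It models:
  1. an immutable repository: an object cannot be overwritten or deleted
     until its retention period has expired;
  2. the caveat from the text: immutability does not stop the backup job
     being disabled, so a separate staleness check has to catch that.
All keys, retention periods and timestamps below are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class RetentionLocked(Exception):
    """Raised when a write or delete would alter an object still under retention."""


@dataclass(frozen=True)
class StoredObject:
    data: bytes
    sha256: str
    written_at: datetime
    retain_until: datetime


class ImmutableRepository:
    """Write-once store: no overwrite or delete while an object's retention is active."""

    def __init__(self, now: datetime) -> None:
        self._objects: dict[str, StoredObject] = {}
        self.now = now  # simulated clock so the example is deterministic

    def put(self, key: str, data: bytes, retention: timedelta) -> str:
        existing = self._objects.get(key)
        if existing is not None and existing.retain_until > self.now:
            raise RetentionLocked(f"{key} is retained until {existing.retain_until.isoformat()}")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[key] = StoredObject(data, digest, self.now, self.now + retention)
        return digest

    def delete(self, key: str) -> None:
        obj = self._objects[key]
        if obj.retain_until > self.now:
            raise RetentionLocked(f"{key} is retained until {obj.retain_until.isoformat()}")
        del self._objects[key]

    def get(self, key: str) -> bytes:
        return self._objects[key].data

    def __contains__(self, key: str) -> bool:
        return key in self._objects

    def verify(self, key: str) -> bool:
        """Recompute the hash so a corrupted copy is caught before it is used for recovery."""
        obj = self._objects[key]
        return hashlib.sha256(obj.data).hexdigest() == obj.sha256

    def newest_write(self) -> datetime | None:
        if not self._objects:
            return None
        return max(o.written_at for o in self._objects.values())


def backup_is_stale(repo: ImmutableRepository, expected_interval: timedelta) -> bool:
    """The check immutability does not give you: has the backup job stopped writing?"""
    newest = repo.newest_write()
    return newest is None or repo.now - newest > expected_interval


def simulate() -> dict[str, bool]:
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time
    repo = ImmutableRepository(now=t0)
    retention, daily = timedelta(days=30), timedelta(days=1)
    key = "customer-db/2024-01-01"
    original = b"constructed sample backup contents for the customer database"
    repo.put(key, original, retention)  # day 0: a legitimate nightly backup lands
    results: dict[str, bool] = {}

    try:  # attacker with write access tries to replace the copy with an encrypted blob
        repo.put(key, b"ENCRYPTED", retention)
        results["overwrite_blocked"] = False
    except RetentionLocked:
        results["overwrite_blocked"] = True
    try:  # ... and then tries to delete it
        repo.delete(key)
        results["delete_blocked"] = False
    except RetentionLocked:
        results["delete_blocked"] = True
    results["copy_intact"] = repo.verify(key) and repo.get(key) == original

    # Unable to touch the copy, the attacker disables the backup job instead, so nothing
    # new is written. Three days on it is the cadence check, not the storage, that alerts.
    repo.now = t0 + timedelta(days=3)
    results["stale_detected"] = backup_is_stale(repo, daily + timedelta(hours=6))

    repo.now = t0 + retention + timedelta(days=1)  # after retention, housekeeping may delete
    repo.delete(key)
    results["expired_delete_allowed"] = key not in repo
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

In a real deployment the repository is a product feature (object lock, WORM tape, an immutable file system) and the staleness check lives in your monitoring: alert when the newest successful backup is older than the schedule allows, because a silently stopped job is exactly what an attacker who cannot delete your copies will go for.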
Reviewing events during 2019 and through 2020, cybercriminals were again changing their approach. They now look to exfiltrate data from an organisation and extort money by threatening to publish it; the data taken typically includes intellectual property or financially sensitive information, along with PII (personally identifiable information) and credit card details, for example from a customer database. A worrying trend is that cybercriminals appear to have realised that encrypting data does not always have the desired result if an organisation can recover from reliable backup copies, and so in Q3 of 2020 around half of all ransomware attacks involved data exfiltration.
We often presume that a ransomware attack is a single point-in-time event with potentially very significant and impactful results. The impact can indeed be severe, but in reality the attack may well have started days, weeks or even months before an organisation becomes aware of a breach or receives a ransom demand. Sadly, cybercriminals operate in stealth and play the long game, taking their time to gain access to a target organisation's IT systems and then more time to move across those systems while leaving minimal or no digital footprint, all in search of data with significant value that raises the stakes of their financial return.
How can organisations combat this? Unfortunately, there is no one silver bullet that can provide total protection. The best advice is to create protection strategies with a multi-layered approach, utilising different techniques and product solutions - incorporating enhanced data protection and advanced security to give any organisation the best chance of:
- Gaining visibility of activity in the environment, so that an attack in progress can be spotted early and the chance of it succeeding is reduced.
- Being able to recover data from multiple secure storage media.
- Ensuring backup data has not been infected or breached.
- Resuming operations as quickly as possible.
Protecting critical data against cybercriminals is a task that, unfortunately, has to be front of mind for all IT professionals today, but as the solutions and tactics we deploy advance, together we can fight this constant threat ever more strongly.
COOLSPIRiT would like to thank Paul Brunyee of Arcserve for his invaluable expert thoughts and insight - helping to create this blog.
If you would like to talk simply call our expert team on 01246 454 222 or email hello@coolspirit.co.uk