Principles for Ransomware-Resistant Protection
Ransomware has emerged as a significant menace to organisations worldwide, with around 72% of businesses suffering from attacks. Sometimes even the best defences can be overcome. As part of a full cyber security strategy, secure backups are a key piece of the puzzle, and fortifying those backups is a critical step. Let's explore the five principles for making your protection ransomware resistant.
Why Does Ransomware Resistance Matter?
Backups are a linchpin of any response to a ransomware attack. Attackers often target backups early, looking to cripple an organisation’s ability to recover its data. This threat extends to both physically disconnected storage and cloud-based backup services.
Principle 1: Backups should be resilient to destructive actions
Threat: Ransomware attacks attempt to destroy or manipulate backup data.
- Block deletion or alteration requests for a backup once created.
- Implement soft-delete by default.
- Delay implementation of deletion or alteration requests.
These steps mean that backups are likely to be preserved even if a malicious actor tries to delete them.
Principle 2: A backup system should not allow denial of all customer access
Threat: Attackers aim to deny access to backup data by disabling or deleting customer accounts.
- Allow customer access via a separate out-of-band mechanism.
- Forbid IAM policies that restrict access to a single account.
This closes off a further route to getting rid of backups: locking the owner out of them.
Principle 3: The service allows restoration from a backup version, even if later versions become corrupted
Threat: Attackers flood the backup store with corrupted data.
- Provide mechanisms for system owners to test restoration from the current backup state.
- Store backup data according to a fixed time period.
- Offer flexible storage policies.
With this in place, backups remain usable in some form: even if the latest ones are damaged, older ones taken before the attack remain usable.
Principle 4: Robust key management for data-at-rest protection
Threat: Attackers compromise encryption keys.
- Follow NCSC’s cloud key management guidance.
- Offer out-of-band key backup options.
If a stored backup is encrypted for data-at-rest protection, an attacker doesn’t need to delete the data itself; deleting or modifying the encryption key is enough to render the backup useless. By protecting the encryption key you protect the backup.
Principle 5: Alerts are triggered for significant changes or privileged actions
Threat: An attacker’s attempts to compromise a backup go undetected.
- Offer customisable alerts for activities affecting the backup system.
- Implement extra authorisation for significant changes.
- Initiate extra protective monitoring for changes in the backup system.
An attacker will hope their attempts to compromise a backup go undetected. Monitoring and alerting give you a head start on detecting an attack in progress, and may let you stop it before it completes.
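To make Principles 1, 3 and 5 concrete, here is an added model of a backup store (example code written for this post, not any vendor's or NCSC's implementation) in which versions are write-once, a delete is only a soft-delete that takes effect after a delay and a minimum retention period, every privileged action is alerted, and restoration walks back to the newest version that passes the owner's validity check. The class name, the retention and delay values and the constructed timeline in scenario() are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
@dataclass
class Version:
    created: datetime
    payload: bytes
    delete_requested: "datetime | None" = None  # soft-delete marker (Principle 1)

@dataclass
class ResistantBackupStore:
    # Versions are write-once: there is deliberately no method to alter one (Principle 1).
    retention: timedelta = timedelta(days=30)   # minimum retention period (Principle 3)
    purge_delay: timedelta = timedelta(days=7)  # delay before a deletion takes effect (Principle 1)
    versions: list = field(default_factory=list)
    alerts: list = field(default_factory=list)  # every privileged action lands here (Principle 5)

    def write(self, payload: bytes, now: datetime) -> int:
        self.versions.append(Version(now, payload))
        return len(self.versions) - 1

    def request_delete(self, index: int, now: datetime) -> None:
        self.versions[index].delete_requested = now  # soft-delete only; nothing is removed yet
        self.alerts.append(f"DELETE requested on version {index}")

    def purge(self, now: datetime) -> int:
        # Remove only versions past retention whose delete request has also aged past purge_delay.
        keep = [v for v in self.versions if v.delete_requested is None
                or now < v.created + self.retention
                or now < v.delete_requested + self.purge_delay]
        removed = len(self.versions) - len(keep)
        self.versions = keep
        return removed

    def restore(self, is_valid):
        # Newest version passing the owner's validity check wins (Principle 3), even if soft-deleted.
        return next((v.payload for v in reversed(self.versions) if is_valid(v.payload)), None)

def scenario() -> dict:
    # Constructed timeline: two good backups, then an attacker floods garbage and requests deletes.
    def day(n: int) -> datetime: return datetime(2024, 1, 1) + timedelta(days=n)
    store = ResistantBackupStore()
    store.write(b"BACKUP\x00full-2024-01-01", day(0))
    store.write(b"BACKUP\x00full-2024-01-02", day(1))
    store.write(b"\xff\xfe-garbage-written-by-attacker", day(2))
    store.request_delete(0, day(2))
    store.request_delete(1, day(2))
    return {"purged_day3": store.purge(day(3)),
            "restored": store.restore(lambda b: b.startswith(b"BACKUP\x00")),
            "purged_day60": store.purge(day(60)),  # retention and purge delay both elapsed
            "alerts": list(store.alerts)}
```

On day 3 nothing is purged and the last good backup is still restorable despite the corrupt newest version and the pending deletes; only once both retention and the purge delay have elapsed (day 60) do the soft-deleted versions disappear, and every delete request left an alert behind.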
By adopting and adhering to these key principles, organisations can bolster their backups, making them more resistant to the destructive impacts of ransomware.