If your business is like most, chances are it has a pretty good backup strategy. You're probably backing up critical data regularly, and that's a good thing. But it's not nearly enough. In fact, if your backups haven't yet been targeted by ransomware, it's only a matter of time.
Ransomware attacks grew by more than 365% in 2019 alone, and a growing number of those target backups. If you are attacked, your business could be forced to decide whether to pay the ransom. Plenty of people are doing just that, and it's expensive. One recent report found that the average cost of getting back to normal, including the ransom, costs nearly $1.5 million.
There are very good reasons why hackers are attacking backups: They know that the data in those backups are the keys to the kingdom, and they are extremely profitable.
"It's big business. In fact, it's one of the bigger software ventures where you can make money quickly, and the bad guys know it," said Marc Staimer, a storage industry analyst at Dragon Slayer Consulting. "It's organized, state-sponsored crime, and like any business, they reinvest the profits in R&D and go after anything that threatens those profits."
The result is a high-stakes cat-and-mouse game that sees backup vendors figuring out how to stop one type of threat, only to have hackers come up with new ways to get at backups. It's a never-ending cycle.
The Game of Whack-a-Mole Begins
So how did we get to this place? Ransomware has been a problem for a long time, but hackers didn't get around to effectively targeting backups with ransomware attacks until a few years ago. In 2017, the industry got a big shock with the Veeam ransomware incident, which put everyone on high alert. As one of the largest backup vendors in the world, hackers knew it was a good target. Hackers who found the backup repositories on the network would delete them, and then detonate ransomware's payload so the data could no longer be recovered.
Bolstered by that success, hackers kept pushing the envelope, and backup vendors pushed back. First, they did what they could to educate their customers to make sure backups were up-to-date and tested often, systems were patched, and employees were taught not to click on suspicious links.
As that information took hold, hackers then found more creative ways to get to backups by attacking the installations of backup products themselves. The ransomware would infiltrate the network through the front door via a phishing scheme, and then the payload would find backup copies and delete them. Once deleted, the malware would detonate, and the backup would be gone, unrecoverable unless a ransomware was paid.
Backup vendors again went on defense, encouraging customers to use the 3:2:1 rule: Keep three copies of data on two different media, one of them air-gapped and offsite.
Not good enough. Hackers fought back by putting a "time bomb" into the malware. Essentially, they enter through the front door with stolen credentials or via phishing and deposit a payload with a time bomb that does nothing for six to nine months. During that time, you are following the 3:2:1 rule, including the air-gapped copy on tape in some warehouse. But unbeknownst to you, you have backed up the malware. After the time is up, the bomb detonates and demands a ransom.
"You might be confident, because you can restore and even go back to your air-gapped copy, but during that time, the virus even made it into that air-gapped copy, so you are basically taking that syringe and sticking it right back in your neck and restoring the virus into your production machines," said Eran Farajun, executive vice president at backup vendor Asigra. "So you keep going to previous backups until you find a clean backup. You have to go months before you can do a clean recovery. And it's old and not that useful anymore."
Progressive backup vendors then took another big step, creating immutable backups. Basically, these backups can't be changed, deleted or moved for the life of the retention tied to them. Cloudian and Veeam, for example, teamed on an immutable storage project. With their solution, a feature called S3 Object Lock ensures that data can't be deleted or changed for a set period of time, which means that ransomware can't encrypt it.
While immutable storage is a step in the right direction, it's still not enough to defeat attack loops, experts say, because hackers can still launch attack loops and change retention times. They can spear phish backup administrators using keyloggers, capture the permissions and authentications, go into the backup and change the retention rate to, say, two hours. At the end of that two hours, the malware detonates and the backups are gone. They could also change the password policy or number of sign-in attempts allowed to their advantage.
Some companies then took the extra step of recovering backups in sandboxes, but Staimer said there are problems with that approach as well—a lot of the malware defeats sandboxes.
For some proactive backup vendors, the next step was requiring two-factor authentication for backups and embedding artificial intelligence and machine learning into their backup software. IBM does both.
"We wanted to automate the process as much as possible, and one of the things that can be done by tools is examining data streams," said Del Hoobler, an IBM senior software engineer. "[The process] examines backups every night to detect anomalies based on work patterns. If it notices, for example, that the last backup was unusual because it involved a strange amount of data or the data didn't dedupe or compress, that's a fingerprint of a ransomware attack."
Going on the Offensive
While these are good ideas, they are reactive, not proactive. In other words, they may tell you that you have been hacked, but they don't prevent attacks. There are a few vendors pushing the envelope by developing innovative solutions designed to stop attacks before they occur.
Asigra, for example, uses multiple malware detection engines in its backup and recovery streams to identify, filter and quarantine as much malware as possible. The AI-based engines continue learning, so even if they don't catch something right away, they might catch the malware at some point later, before the data is restored into the production environment.
To address the problem of immutable subversion—the situation where hackers can steal credentials and change retention schedules to delete backups—the company also has come up with what it calls Deep Multifactor Authentication (MFA). While hackers can easily get inside the network by stealing one person's credentials with traditional two-factor authentication, it's much more difficult with Deep MFA. This password-less approach to authentication impacts multiple roles and people in the authentication process. Each participant must approve or deny the step, which means that hackers have to guess who else in the organization is authorized to approve changes and get their credentials.
Other vendors are taking behavior-based AI to new levels. ioFABRIC, for example, adds behavior-based monitoring, management and file locking to existing network-attached storage, along with the option of offline snapshot replication. It also includes a built-in firewall and two-factor authentication. Because it pre-boots backups automatically using AI, the company says it can ensure that the backups are bootable.
One mistake many companies make is adding different security products to upgrade backup security instead of using a more comprehensive approach, according to Greg Tevis, a vice president at enterprise data protection vendor Cobalt Iron.
"Think about the infrastructure you need to back up company data. You need the physical server or cloud the backup runs on, the operating system, a backup server with backup software, a backup catalog or database, as well as storage and their attachment protocols, network ports and command line interfaces for each infrastructure component. That whole picture is a field ready for picking for a hacker," Tevis said. "If the backup software has two-factor authentication, they just go after the storage or the database. If they can wipe out the backup database catalog, it doesn't matter if their data is immutable."
Taking a comprehensive view means doing more than just making sure you have good perimeter protection and ransomware detection; that's only the first step. Staying ahead of attackers requires access control to your primary data, backup data and backup software as well as each of the components: the operating system the backup server runs on, the storage and the database.
No matter what route you take, one thing is for sure: Your approach will be tested—over and over again. The key is to come out unscathed.
It's never going to be perfect, and the cat-and-mouse game is likely never to end, Staimer said, so you must stay ahead of the hackers as much as possible and make it as difficult as you can for them.
"None of these vendors think they can defend against everything, but the most progressive vendors try to keep their customers more secure than others and much harder to break into, and keep innovating to try to stay ahead," he said.
Farajun agrees. "We are one step ahead for a short period of time while they are already cooking their next attack," he said. "So we just wait to see what other types of attacks organizations are experiencing. All backup vendors are watching and waiting."