When most IT managers think about disaster recovery today, the first thing that comes to mind is ransomware. There’s good reason for that, experts said at this month’s Interop Digital Data Management, Storage and Disaster Recovery event.
"If you look at the number of disasters or types of disasters people are dealing with today, the number one threat invariably is ransomware," said Marc Staimer, president of Dragon Slayer Consulting. "And it’s not just an individual – this is organized, often state-backed crime in which they are actively going after companies, governments and infrastructure for money."
Another challenge with ransomware data recovery is that ransomware is constantly evolving, seeking out ways to circumvent any controls you put in place. In addition, ransomware events are more devastating to organizations because systems and organizations depend so heavily on one another.
"An event or outage at one location, on one application or device, can cascade across an organization or ecosystem because we’re so interdependent and interconnected that it’s hard to separate how to recover one without recovering all," said Pete Renneker, technical resilience leader at Deloitte, at Interop Digital. This should change how organizations think about designing resilient systems and organizations: ones that plan for, anticipate and avert disruption before it occurs, he added.
Because everything is interconnected, ransomware becomes a problem for more than IT, and for more than disaster recovery.
With a coordinated, organized and well-thought-out ransomware data recovery strategy, Renneker believes companies can combat this threat.
"Ransomware is exploiting the white space between traditional risk management programs, so we need to think about the problem as a cross-functional problem that needs to be solved by bringing together cybersecurity controls with business continuity, crisis management and third-party risk," he said. "They all need to come together to understand: What are the new controls we need to explore; what is the best place for us as an organization as it relates to where they fit; and how are we going to prioritize those investments in the right way."
Among the things companies need to figure out are how threats enter the network, how they move laterally and how they deploy the malware. That depends on a good command of IT asset management; without a view of the attack surface, you can’t defend it, Renneker said. It also depends on a proactive threat and vulnerability management program that can identify known vulnerabilities, along with good identity and access management capabilities, including control of privileged user access.
Making sure you have technology that provides extra layers of defense is critical, Staimer said. One useful capability is content disarm and reconstruction (CDR), which removes potentially malicious code from files. Ransomware often gets into systems embedded in a file, a PDF or a link. CDR disarms it by breaking the file into its components, removing anything that could carry malware, and then reconstructing the file from what remains. Staimer also recommended ensuring that all systems are patched on a timely basis: "The risk of a bug in a patch or update is far less than the risk of someone exploiting it today."
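To make the CDR idea concrete, here is a small disarm-and-reconstruct routine for an Office Open XML package. It is an added example written for this article, not code from any CDR product mentioned above. It assumes the standard OOXML layout (a zip of XML parts plus `.rels` relationship files and a `[Content_Types].xml` manifest) and treats the VBA parts `vbaProject.bin` and `vbaData.xml` as the active content to remove; the sample package it builds is constructed inline, and its `vbaProject.bin` is a placeholder string, not a real VBA project. Real CDR engines go much further (they rebuild every part from a parsed model and handle many formats), but the three steps are the same: find the components, drop what can carry code, rebuild a consistent file.

```python
import io
import re
import zipfile

# Package parts that carry executable content in Office Open XML files
# (the VBA part names used by macro-enabled .docm/.xlsm/.pptm packages).
ACTIVE_CONTENT_SUFFIXES = ("vbaProject.bin", "vbaData.xml")

# Content type of a macro-enabled Word main part and its macro-free equivalent,
# so the rebuilt package is a plain .docx rather than a .docm with a hole in it.
MACRO_MAIN_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_TYPE = (b"application/vnd.openxmlformats-officedocument."
                   b"wordprocessingml.document.main+xml")


def is_active_content(part_name: str) -> bool:
    """Step 1: identify components that can carry code."""
    return part_name.endswith(ACTIVE_CONTENT_SUFFIXES)


def strip_dangling_xml(part_name: str, data: bytes) -> bytes:
    """Step 3 helper: remove references to dropped parts so the package stays consistent."""
    if part_name.endswith(".rels"):
        # Drop <Relationship .../> elements whose Target points at a removed part.
        data = re.sub(rb'<Relationship\b[^>]*Target="[^"]*vbaProject\.bin"[^>]*/>', b"", data)
    elif part_name == "[Content_Types].xml":
        data = re.sub(rb'<Override\b[^>]*PartName="[^"]*vbaProject\.bin"[^>]*/>', b"", data)
        data = data.replace(MACRO_MAIN_TYPE, PLAIN_MAIN_TYPE)
    return data


def disarm_ooxml(package_bytes: bytes) -> tuple[bytes, list[str]]:
    """Steps 2 and 3: rebuild the package without its active-content parts.

    Returns (new package, names of removed parts). Every surviving part is
    re-written into a fresh archive, so the output is built only from parts we
    chose to copy; the original byte stream is never passed through.
    """
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_active_content(info.filename):
                removed.append(info.filename)
                continue
            dst.writestr(info.filename, strip_dangling_xml(info.filename, src.read(info)))
    return out.getvalue(), removed


def package_parts(package_bytes: bytes) -> dict[str, bytes]:
    """View a package as {part name: bytes} (used to inspect results)."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        return {name: z.read(name) for name in z.namelist()}


def build_sample_package() -> bytes:
    """Constructed macro-enabled document skeleton for the demo (not a real .docm)."""
    content_types = b"".join([
        b'<?xml version="1.0"?>',
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>',
        b'<Override PartName="/word/document.xml" ContentType="', MACRO_MAIN_TYPE, b'"/>',
        b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>',
        b'</Types>',
    ])
    document_rels = b"".join([
        b'<?xml version="1.0"?>',
        b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">',
        b'<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>',
        b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>',
        b'</Relationships>',
    ])
    parts = {
        "[Content_Types].xml": content_types,
        "_rels/.rels": b'<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>',
        "word/document.xml": b'<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>',
        "word/styles.xml": b'<?xml version="1.0"?><w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/document.xml.rels": document_rels,
        # Placeholder bytes standing in for a macro project; constructed, not real VBA.
        "word/vbaProject.bin": b"constructed placeholder, not a real VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean, removed = disarm_ooxml(build_sample_package())
    print("removed parts:", removed)
    print("surviving parts:", sorted(package_parts(clean)))
```

The important design choice is that the output is a new archive assembled from an allow-list of surviving parts, with the manifest and relationship files rewritten to match; a sanitizer that merely deletes entries from the original zip would leave dangling references and keep any byte-level oddities of the incoming file.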
Staimer recalled a customer with ransomware embedded in a backup. The client bought a decryptor, but the ransomware detonated again before the decryptor finished its job. They knew they couldn’t afford to lose that much data, so they paid the ransom. They ended up getting back only part of their data, and it took a while to decrypt it. After that happened, the company was determined to prevent it from happening again, so they added new technology, including a better backup system that scanned data both at backup time and at recovery time.
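The backup-scanning idea in that story can be illustrated with a simple check that runs against a backup set before it is accepted and again before it is restored. This is an added example, not the customer's system or any vendor's product. It assumes a backup set is available as a mapping of file paths to bytes and that the previous snapshot is kept for comparison; the two snapshots below are constructed inline. It flags a snapshot when a large share of previously readable files have suddenly become high-entropy blobs, which is what encrypted-in-place data looks like, and it also reports files that vanished between snapshots.

```python
import math
import random
from collections import Counter

# Tuning assumptions for the demo: encrypted data sits near 8 bits/byte, so
# anything at or above ENTROPY_THRESHOLD that used to be well below it is
# suspicious, and CHURN_THRESHOLD says how much of the set must change
# before a single snapshot is held back for investigation.
ENTROPY_THRESHOLD = 7.5
CHURN_THRESHOLD = 0.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_backup_set(previous: dict[str, bytes], current: dict[str, bytes]) -> dict:
    """Compare two snapshots and decide whether the newer one is safe to keep or restore.

    A file is "suspicious" only if it changed AND went from low to high entropy;
    files that were already high-entropy (archives, images) are left alone, which
    keeps ordinary compressed content from tripping the check.
    """
    changed = [p for p in current if p in previous and current[p] != previous[p]]
    suspicious = [
        p for p in changed
        if shannon_entropy(previous[p]) < ENTROPY_THRESHOLD
        and shannon_entropy(current[p]) >= ENTROPY_THRESHOLD
    ]
    missing = [p for p in previous if p not in current]
    churn = len(changed) / max(len(previous), 1)
    verdict = "hold" if suspicious and churn >= CHURN_THRESHOLD else "ok"
    return {
        "changed": changed,
        "suspicious": suspicious,
        "missing": missing,
        "churn": round(churn, 3),
        "verdict": verdict,
    }


def build_snapshots() -> tuple[dict[str, bytes], dict[str, bytes]]:
    """Constructed sample data: a healthy snapshot and an encrypted-in-place successor."""
    rng = random.Random(1234)  # seeded so the demo is deterministic
    text = ("Quarterly figures, invoice numbers and customer notes. " * 64).encode()
    previous = {
        "finance/q1.txt": text,
        "finance/q2.txt": text.replace(b"Quarterly", b"Monthly"),
        "hr/notes.txt": text.replace(b"customer", b"staff"),
        "media/photo.jpg": rng.randbytes(4096),  # already high entropy, like a real JPEG
    }
    # Simulated aftermath: three text files replaced by random bytes, one file gone.
    current = {
        "finance/q1.txt": rng.randbytes(len(text)),
        "finance/q2.txt": rng.randbytes(len(text)),
        "hr/notes.txt": rng.randbytes(len(text)),
        # "media/photo.jpg" is absent from the new snapshot
    }
    return previous, current


if __name__ == "__main__":
    prev, cur = build_snapshots()
    report = scan_backup_set(prev, cur)
    print(report["verdict"], "suspicious:", report["suspicious"], "missing:", report["missing"])
```

Running the same function before a restore (with the backup as `current` and the last known-good snapshot as `previous`) is what catches the case in Staimer's story, where the threat was already inside the backup: a held verdict means the set should be quarantined and examined rather than restored over whatever is left of production. Entropy is a coarse signal, so in practice this check complements, rather than replaces, malware scanning of the backup contents.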
That company was on the right track – to a point. When preparing for future threats, it helps to understand that it’s impossible to be completely prepared, no matter how thorough your ransomware data recovery strategy.
"Threats are everywhere, and that isn’t going to change. The answer is really getting to a place where everybody in the organization is thinking about cybersecurity and resiliency as part of their fundamental job," Renneker said. "It’s about making sure that you are considering the various threats to your organization and how they would manifest themselves and affect their most critical business services, and then putting in place the right controls. You can't defend or spend your way out of this."