Authored by: Kamal Brar, Vice President and General Manager for Asia Pacific and Japan, Rubrik
Ransomware attacks have crippled businesses and caused untold damage by encrypting their access to production files and storage devices. Without access to their critical business data, organisations face huge losses due to work disruptions, fines, and damage to reputation. As one of the fastest-growing digital economies in the world, the Southeast Asian region is a prime target for ransomware and a hotbed for cyberthreats. Insights from Interpol’s ASEAN Cybercrime Desk Report show a significant number of ransomware attacks in 2019, targeting the healthcare, education, transport and manufacturing sectors in the region.
Attackers typically use encryption to prevent booting and other common operations. Once critical services in an organisation have been brought down, the attackers demand a ransom to unlock the data so that services can resume. To combat this, companies have relied on backups as an important line of defence against ransomware, but attackers have now found ways to corrupt them too. Advanced ransomware now targets backups by modifying or completely erasing them, which removes the last line of defence for companies and drives larger ransom payouts.
Recovery from tape or other archives requires massive effort, and attempts to do so can overwhelm IT teams. Despite cyber security teams investing in myriad protection tools, threat actors continue to find new mechanisms to compromise and encrypt organisations’ data.
Design Backup Data for Immutability
Data backups can be an effective way to restore data that has been locked or encrypted by the attack. However, what if your backup data is also encrypted or deleted by a ransomware attack? How do you ensure that your backup data is not vulnerable to these attacks? The key is to make backups immutable. This means that once data has been written it cannot be read, modified, or deleted by users on the network.
Data management systems use standard protocols, such as Network File System (NFS) or Server Message Block (SMB), to advertise their availability to a wide assortment of clients. Data management solutions built on general-purpose storage have limited or ineffective means of transacting data securely: they leave files in their native format and allow clients to read the backup data directly.
While primary storage systems need to be open and available to client systems, backup data should be immutable. Backup immutability goes well beyond simple file permissions, folder Access Control Lists (ACLs), or storage protocols. The concept of immutability needs to be baked into the backup architecture so that a security exposure elsewhere in the environment cannot be used to tamper with it.
Here’s a list of solutions that can help integrate immutability into the organisation’s backup architecture.
Establish stringent validations before data transformations are committed
Customer data brought into the system is written into a proprietary sparse file called a Patch File. These are append-only files (AOFs), meaning that data can only be added to a Patch File while it is marked as open; the file system refuses, at the API level, any write that is not an append. Each Patch Block within a Patch File has a checksum. These checksums are computed and stored in a separate Fingerprint File before data transformations are committed, so the original file remains intact and validation is forced on every read operation. Data integrity is maintained by routinely verifying Patch Blocks against their checksums. To counter a ransomware attack, the original, validated data must be restored from backup; because Patch Files are not exposed to any external system or customer administrator account, exactly what was originally stored in the backup is what gets restored.
The other option is to divide Patch Files into fixed-length segments called Stripes. As Stripes are written, the AOF computes a Stripe-level checksum, which is stored within each Stripe’s Metadata. Stripes are further divided into physical Chunks, at which level activities such as replication and erasure coding occur. As each Chunk is written, a checksum is computed and stored in the Stripe Metadata alongside the list of Chunks. These checksums are periodically recomputed and compared against those in the Stripe Metadata, and if a data rebuild is needed, erasure coding is automatically leveraged in the background.
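The append-only Patch File with its separate Fingerprint File, written out as a small in-memory model. This is an added example, not Rubrik’s code or file format: the names PatchFile, Fingerprints, Append, Close and ReadBlock are assumptions chosen to mirror the terms above, and the “file” is a slice of blocks rather than a sparse file on disk. The point it shows is that the only write the API offers is an append to an open file, that the checksum of each block lives apart from the block itself, and that a read is refused when the stored bytes no longer match their fingerprint.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var (
	ErrNotAppend = errors.New("write rejected: not an append")
	ErrSealed    = errors.New("write rejected: patch file is no longer open")
	ErrCorrupt   = errors.New("patch block does not match its fingerprint")
)

func checksum(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// PatchFile models an append-only file held in memory (assumed name). Fingerprints
// stands in for the separate Fingerprint File: one checksum per Patch Block, kept apart
// from the data so that whatever tampers with a block cannot also rewrite its checksum.
type PatchFile struct {
	Blocks       [][]byte
	Fingerprints []string
	open         bool
}

func NewPatchFile() *PatchFile { return &PatchFile{open: true} }

// Append is the only write the API offers. A write at any position other than the end,
// or to a file that is no longer open, is refused before it touches the data.
func (p *PatchFile) Append(atBlock int, block []byte) error {
	if !p.open {
		return ErrSealed
	}
	if atBlock != len(p.Blocks) {
		return ErrNotAppend
	}
	p.Blocks = append(p.Blocks, append([]byte(nil), block...))
	p.Fingerprints = append(p.Fingerprints, checksum(block))
	return nil
}

// Close marks the file as no longer open; from then on even appends are refused.
func (p *PatchFile) Close() { p.open = false }

// ReadBlock forces validation on read: a block is returned only if it still matches the
// fingerprint recorded when it was written.
func (p *PatchFile) ReadBlock(i int) ([]byte, error) {
	if i < 0 || i >= len(p.Blocks) {
		return nil, fmt.Errorf("block %d out of range", i)
	}
	if checksum(p.Blocks[i]) != p.Fingerprints[i] {
		return nil, fmt.Errorf("block %d: %w", i, ErrCorrupt)
	}
	return p.Blocks[i], nil
}

// Verify is the routine integrity sweep: it returns the indices of every block that no
// longer matches its fingerprint, so a restore can refuse to use them.
func (p *PatchFile) Verify() []int {
	var bad []int
	for i := range p.Blocks {
		if _, err := p.ReadBlock(i); err != nil {
			bad = append(bad, i)
		}
	}
	return bad
}

func main() {
	pf := NewPatchFile()
	pf.Append(0, []byte("constructed backup block 1"))
	pf.Append(1, []byte("constructed backup block 2"))
	fmt.Println("overwrite attempt:", pf.Append(0, []byte("ENCRYPTED")))
	pf.Close()
	fmt.Println("append after close:", pf.Append(2, []byte("more")))
	pf.Blocks[1][0] ^= 0xff // constructed: flip a stored byte behind the API's back
	_, err := pf.ReadBlock(1)
	fmt.Println("read of tampered block:", err, "sweep:", pf.Verify())
}
```

The model deliberately keeps the block data and the fingerprints as two separate structures; in a real system the Fingerprint File would sit on storage that the same write path cannot reach, otherwise an attacker who can rewrite the block can rewrite the checksum too.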
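The Stripe-and-Chunk layer, as an added example that is not Rubrik’s implementation. The type and field names (Stripe, Chunks, ChunkSums, StripeSum) are assumptions modelled on the terms above, and the erasure coding is replaced by a single XOR parity chunk, which is the simplest code that can rebuild one lost chunk; a production system would use a Reed-Solomon style code that tolerates more. What the example shows is the periodic recomputation of chunk checksums against the Stripe Metadata, a rebuild of the one chunk that fails, and the rebuild being accepted only when the recovered bytes match the recorded checksum.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func checksum(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Stripe is a fixed-length segment of a Patch File split into physical Chunks (assumed
// names). ChunkSums and StripeSum model the checksums kept in the Stripe Metadata.
// Parity is a single XOR parity chunk: a simplified stand-in for the erasure coding the
// article mentions, enough to rebuild exactly one lost or corrupt chunk per stripe.
type Stripe struct {
	Chunks    [][]byte
	Parity    []byte
	ChunkSums []string
	StripeSum string
}

// NewStripe splits data into zero-padded chunks of chunkLen bytes, recording a checksum
// per chunk and one for the whole stripe as each is written.
func NewStripe(data []byte, chunkLen int) *Stripe {
	s := &Stripe{StripeSum: checksum(data), Parity: make([]byte, chunkLen)}
	for off := 0; off < len(data); off += chunkLen {
		c := make([]byte, chunkLen)
		copy(c, data[off:]) // copies at most chunkLen bytes; a short tail stays zero-padded
		s.Chunks = append(s.Chunks, c)
		s.ChunkSums = append(s.ChunkSums, checksum(c))
		for j := range c {
			s.Parity[j] ^= c[j]
		}
	}
	return s
}

// Verify is the periodic recomputation: it returns the indices of chunks whose current
// checksum no longer matches the one in the Stripe Metadata.
func (s *Stripe) Verify() []int {
	var bad []int
	for i, c := range s.Chunks {
		if checksum(c) != s.ChunkSums[i] {
			bad = append(bad, i)
		}
	}
	return bad
}

// Rebuild recovers chunk i by XORing parity with every other chunk, and accepts the
// result only if it matches the checksum recorded in the Stripe Metadata.
func (s *Stripe) Rebuild(i int) error {
	fixed := append([]byte(nil), s.Parity...)
	for j, c := range s.Chunks {
		if j == i {
			continue
		}
		for k := range fixed {
			fixed[k] ^= c[k]
		}
	}
	if checksum(fixed) != s.ChunkSums[i] {
		return fmt.Errorf("chunk %d: rebuilt data does not match stripe metadata", i)
	}
	s.Chunks[i] = fixed
	return nil
}

// Repair runs the sweep and rebuilds what it finds. With single parity only one bad
// chunk per stripe is recoverable, so anything more is reported rather than guessed at.
func (s *Stripe) Repair() error {
	bad := s.Verify()
	switch len(bad) {
	case 0:
		return nil
	case 1:
		return s.Rebuild(bad[0])
	}
	return fmt.Errorf("%d corrupt chunks, more than single parity can rebuild", len(bad))
}

func main() {
	st := NewStripe([]byte("constructed stripe payload for the worked example"), 8)
	st.Chunks[2][3] ^= 0x01 // constructed: silent corruption of one chunk
	fmt.Println("corrupt chunks before repair:", st.Verify())
	fmt.Println("repair:", st.Repair(), "after:", st.Verify())
}
```

The check at the end of Rebuild is the part that matters for integrity: a rebuild that produced the wrong bytes (because a second chunk or the parity itself was also damaged) is rejected instead of being written back as if it were good data.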
Identify and secure data cluster connections
Traditional approaches to cluster security often rely on a “full trust” model in which all members of the cluster are able to communicate with one another. This creates a weak surface area when designing a defence-in-depth architecture. Each cluster has some number of nodes that need to communicate with one another. Secure the cluster communications by using the TLS protocol with certificate-based mutual authentication. This means each node that wants to exchange data should be validated with strong, randomised credentials on a per-node basis. The “admin/admin” style of default local authentication, which is easily searchable on the web and adds an attack vector, should never be an option.
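Certificate-based mutual TLS between two cluster nodes, shown end to end over loopback. This is an added example, not Rubrik’s cluster code: the cluster CA and the node certificates are generated in memory with Go’s standard library (a deployment would provision per-node certificates from its own CA), and the names issue, config and exchange are assumptions. The accepting node sets ClientAuth to RequireAndVerifyClientCert so there is no anonymous or password-only path; a node carrying a certificate from the cluster CA is greeted by the name in that certificate, while a self-signed outsider or a node from a different CA is refused during the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Node is one cluster member's certificate and private key (generated in memory here).
type Node struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by ca; with ca == nil it is self-signed, which
// is how the cluster CA itself, and also an outsider with no CA at all, are made.
func issue(cn string, isCA bool, ca *Node) (*Node, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signKey := tmpl, key
	if ca != nil {
		parent, signKey = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Node{Cert: cert, Key: key}, err
}

// config is the per-node TLS policy: present our own certificate, and require the peer to
// present one that chains to the cluster CA, whichever side opened the connection.
func config(n, ca *Node) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{n.Cert.Raw}, PrivateKey: n.Key}},
		RootCAs:      pool,                           // used when this node dials
		ClientCAs:    pool,                           // used when this node accepts
		ClientAuth:   tls.RequireAndVerifyClientCert, // anonymous peers are refused
	}
}

// exchange runs one connection over loopback. The accepting node greets the peer by the
// CommonName in its verified certificate; a peer that fails mutual auth gets only an error.
func exchange(serverCfg, clientCfg *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		tc := c.(*tls.Conn)
		if err := tc.Handshake(); err != nil {
			return // verification failed; closing sends the alert to the peer
		}
		fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client cert surfaces here, not in Dial
	return string(buf[:n]), err
}

func main() {
	ca, _ := issue("cluster-ca", true, nil)
	a, _ := issue("node-a", false, ca)
	b, _ := issue("node-b", false, ca)
	outsider, _ := issue("node-c", false, nil) // self-signed: not issued by the cluster CA
	fmt.Println(exchange(config(a, ca), config(b, ca)))
	fmt.Println(exchange(config(a, ca), config(outsider, ca)))
}
```

Both RootCAs and ClientCAs point at the same cluster CA, so the policy is symmetric: a node is verified the same way whether it is dialling or accepting, which is what closes the “full trust” gap described above.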
Implement systems hardening standards to support backup architecture
There are numerous other elements that protect the integrity of the system through internal security measures. Organisations can minimise the attack surface by adopting systems hardening standards such as the following.
Control what end-users can do in the database using role-based access permissions
Screen and allow only certified applications and services to run within the data platform
Pre-configure the services that can access each other
Designate authorised personnel who can authenticate software images
Disable inactive user ports
Ransomware attacks can be debilitating, and organisations need to devise a reliable recovery plan to ensure minimal downtime. A responsive ransomware strategy leverages the power of immutable backups to recover the most recent clean data and restore critical services. Today, when no organisation is impervious to cyber-attacks, backup immutability should be part of every business’s defence strategy.