Another week, another deluge of ransomware attacks. A crippling incident at JBS, the world's largest meatpacking company -- which disrupted meat production in North America and Australia -- drew the headlines and the wisecracks about "meatspace", but there have been over 20 incidents reported over the past seven days. (JBS appears to be making a brisk recovery. The FBI has attributed the attack to REvil/Sodinokibi.)
We've also seen updates about incidents involving Bose, the HSE, Scripps Health, the Azusa Police Department, and many others. "Do the basics" come the predictable refrains, but unpatched software remains rife (of the 4,400+ vulnerabilities disclosed between January and March 2021, 72% had no patches available, according to a threat report from NCC Group this week, which adds that proof-of-concept exploits were available for 29% of all critical vulnerabilities) and phishing attacks continue to work their effective magic.
Security pros keep fighting the good fight. As former National Security Council staffer Joshua Steinman noted this week: "Attackers need to get into a network, and the easiest way remains the traditional routes that have vexed parties responsible for the security of information technology systems for the past decade or more. Phishing, port-scanning, “n-day” vulnerabilities, and the like. Now is the time to double down on best practices like patching and upgrading, while talking with senior executives and boards of directors to look at making long-term investments into endpoint and network security for both IT and OT networks over the next 18-36 months."
See also: The Colonial Pipeline Hack: Two (just two) key lessons
He adds, with regard to the industrial processes that are increasingly at risk of downtime as a result of such attacks: "If you’re a COO, CTO, CISO, or simply the person who volunteered to own the ICS cybersecurity mission at your company, now is probably a good time to start asking hard questions. Modern industrial control systems are increasingly connected, either to IT networks, or even to the internet, by default. Be skeptical when you are told the systems are 'air-gapped.' Consider digging a bit deeper. Do the original equipment manufacturers or the system integrators have remote access? How frequently is the software/firmware updated? Are there other points of connectivity between ICS and your company’s IT networks?"
The impact on supply chains meanwhile is growing. (No, this isn't "cyberwar". Yes, it is easy money for cybercriminals.) As Chris Waynforth, AVP Northern Europe at Imperva notes: "Mass disruptions that stem from security incidents are becoming commonplace and should be a concerning reality for the global economy. There’s a convergence happening between software and physical supply chains. Increasingly, we’re seeing consumer-facing shortages because of disruptions that started as a cyber-attack. Not only does this demonstrate the fragility of supply chains, but it exposes the vulnerabilities of third-party ecosystems that retailers rely on heavily."
As ever after such a high-profile incident, the responses from across the vendor and IT security community seem to be loudest from the prevention crowd. Perhaps understandably: most favour prevention over cure.
Yet, as Wes van den Berg, VP, UK & Ireland, Pure Storage notes: "Companies can no longer rely solely on anti-intrusion systems." Van den Berg clearly has skin in the game, but it's also hard to argue with. Companies not paying close attention to their data backup strategy may find themselves regretting it in the near future.
Too often, as security professional Kevin Beaumont notes in a not-entirely-tongue-in-cheek Tweet storm, when the shit hits the fan, plans to restore from backups have been known to turn into "nobody knows how to restore from backup without Active Directory. Also, we have no backup server or tape library drivers... or working backups."
https://twitter.com/GossiTheDog/status/1399844326855880704
As Wes van den Berg notes: "Organisations must plan for recovery if an attack does occur. This means implementing a data backup strategy that takes into account the necessary recovery through which data can be restored at scale and as quickly as possible."
Attackers have, of course, increasingly targeted backups and as per NCSC guidance, organisations should be looking to implement the "3-2-1" rule; at least 3 copies, on 2 devices, and 1 offsite. Advanced backup “snapshots” are also important, Wes van den Berg notes: "Snapshots are designed to protect data in the same way as backups, but with the goal of minimising data loss.
"They serve as a detailed index and protect metadata which acts as a guide for restoring an organisation’s systems, speeding up the process dramatically. Organisations need valid, immutable backup copies of their data which are protected and can’t be eradicated, modified or encrypted to prevent ransomware attackers from deleting stored backups. Even with immutable snapshots in place, if an attack should occur organisations will still be limited by the speed at which they can restore data to get them up and running again – crucial in today’s fast-paced business environment. But most data protection architectures are optimised for backup, not recovery. The same design that optimises for data ingestion and space-efficiency creates significant drag on recovery speed, because data needs to be reconstructed after being widely dispersed through deduplication.
"IT leaders should look at Service Level Agreements (SLAs) for restoring data at speed and at scale. Pure can deliver up to 270 TB per hour in recovery performance."
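One way to turn the "3-2-1" rule and the immutability point above into a check you can run against your own backup inventory, with a hash comparison for the restore test the article urges. This is an added example, not code from the article or from any vendor named in it; the inventory fields (device, location, immutable flag, recorded SHA-256) are assumptions for illustration.

```python
"""Check a backup inventory against the 3-2-1 rule and verify a test restore.

Added example, not part of the original article. The inventory layout
(dataset, device, location, immutable flag, sha256 recorded at backup time)
is an assumption; real inventories come from your backup tooling.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    device: str        # storage medium, e.g. "nas-01", "tape-lib", "s3-bucket"
    location: str      # site holding the copy, e.g. "hq-dc", "dr-site"
    immutable: bool    # WORM tape, object lock, or a locked snapshot
    sha256: str        # digest recorded when the copy was taken


def check_321(copies, primary_location):
    """Return a list of findings; an empty list means 3-2-1 plus immutability is met."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need at least 3)")
    devices = {c.device for c in copies}
    if len(devices) < 2:
        findings.append(f"all copies on one device ({', '.join(sorted(devices))})")
    if not any(c.location != primary_location for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy (an attacker with admin rights can wipe them all)")
    return findings


def verify_restore(restored_bytes, copy):
    """A restore drill only counts if the restored data matches what was backed up."""
    return hashlib.sha256(restored_bytes).hexdigest() == copy.sha256


# Constructed sample: one dataset with copies on a NAS, a tape library and an offsite bucket.
PAYROLL_DB = b"constructed sample payroll dump"
DIGEST = hashlib.sha256(PAYROLL_DB).hexdigest()
SAMPLE_COPIES = [
    BackupCopy("payroll-db", "nas-01", "hq-dc", False, DIGEST),
    BackupCopy("payroll-db", "tape-lib", "hq-dc", False, DIGEST),
    BackupCopy("payroll-db", "s3-bucket", "dr-site", True, DIGEST),
]

if __name__ == "__main__":
    print(check_321(SAMPLE_COPIES, "hq-dc"))       # [] -> compliant
    print(check_321(SAMPLE_COPIES[:2], "hq-dc"))   # three findings: count, offsite, immutable
    print(verify_restore(PAYROLL_DB, SAMPLE_COPIES[2]))  # True
```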
Other vendors are, of course, available. What is non-negotiable is the need to carefully plan, implement, and regularly test a data backup and restoration strategy. Not sure who is responsible for every component of this plan, or how well stress-tested it is? It's probably time that you asked. And if you have storage admins, check in with them that they have what they need to help you recover, fast.