“So What? I have Backups” - A Ransomware Misconception

Ransomware is ever present and continues to plague individuals and companies alike. Between Apache ActiveMQ, banks like ICBC, casinos, iPhones, Confluence, and many other instances in the news, it’s hard not to hear about it. It is imperative to ensure your company is secure against these attacks, especially those that utilize zero-days to strike. Security is more than patching and backups, and ransomware breaches can be a costly way to find this out.

If your company is breached, and you have an obligation to investigate, backups will be the least of your financial worries. Third-party investigators will need to prove: the threat actor is gone, nothing sensitive was accessed, nothing sensitive was stolen, and security controls are in place to prevent a re-breach. Even if you restore from backups, none of this work is avoidable for proper due diligence that insurance carriers or regulatory bodies require.

What a company needs to stay ahead of costly investigations is a robust logging system, especially one that records firewall connections and the number of bytes that go in and out of the environment. This logging system needs to be immune to encryption itself, because if your log aggregation tool is hit, it's as good as useless. It needs to record all outbound connections, allowed ones included, so investigators can quickly and easily determine exfiltration potential. This needs to be tested ahead of time. A firewall event log that only records DENY entries is of no use, because these hackers weren't denied. It also needs to record both inbound and outbound data and go back as far as possible, because by the time contracts are signed, timeframes are identified, and investigators are onsite, it could be over a month since the incident.
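The following script is an added example, not code from the post or from Glassportal, showing what an investigator actually does with such logs: it parses constructed firewall entries (the log format, hosts, addresses and byte counts below are all made up for illustration), totals the bytes each internal host sent to external destinations over ALLOW connections, flags hosts above a chosen threshold as exfiltration candidates, and checks whether the log set even contains ALLOW entries and covers a realistic investigation window. Running the same analysis over a DENY-only view of the log shows why that kind of logging answers nothing.

```python
"""Exfiltration triage over firewall connection logs (added example, constructed data)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format: one connection per line,
# with bytes_out meaning bytes sent from src to dst. Not real traffic.
SAMPLE_LOG = """\
2023-11-01T02:14:07Z action=ALLOW src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_in=1200 bytes_out=524288000
2023-11-01T02:15:11Z action=ALLOW src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_in=900 bytes_out=734003200
2023-11-01T02:16:30Z action=DENY src=10.0.5.23 dst=198.51.100.4 dport=22 bytes_in=0 bytes_out=0
2023-11-01T09:00:02Z action=ALLOW src=10.0.7.8 dst=10.0.1.5 dport=445 bytes_in=4096 bytes_out=204800
2023-11-01T09:05:44Z action=ALLOW src=10.0.7.8 dst=198.51.100.77 dport=443 bytes_in=81920 bytes_out=3072
"""

# Assumed internal address space; adjust to the environment under investigation.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; numeric fields become ints."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key.startswith("bytes") or key == "dport" else value
    return rec


def load_records(text=SAMPLE_LOG):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def outbound_bytes_by_host(records):
    """Total bytes each internal host sent to external hosts over ALLOWed connections.
    Internal-to-internal traffic (e.g. SMB to a file server) is not counted as egress."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ALLOW" and is_internal(r["src"]) and not is_internal(r["dst"]):
            totals[r["src"]] += r["bytes_out"]
    return dict(totals)


def flag_exfil_candidates(records, threshold_bytes):
    """Internal hosts whose external egress meets or exceeds the threshold, sorted by name."""
    return sorted(h for h, b in outbound_bytes_by_host(records).items() if b >= threshold_bytes)


def deny_only_view(records):
    """What an investigator is left with when the firewall only logged DENY events."""
    return [r for r in records if r["action"] == "DENY"]


def coverage_report(records, window_days):
    """Does the log set contain ALLOW entries, and does it span the investigation window?"""
    actions = {r["action"] for r in records}
    span = max(r["ts"] for r in records) - min(r["ts"] for r in records)
    return {
        "has_allow_entries": "ALLOW" in actions,
        "has_deny_entries": "DENY" in actions,
        "span_days": span.days,
        "covers_window": span >= timedelta(days=window_days),
    }


if __name__ == "__main__":
    recs = load_records()
    print("egress by host:", outbound_bytes_by_host(recs))
    print("candidates over 100 MB:", flag_exfil_candidates(recs, 100_000_000))
    print("same question, DENY-only log:", flag_exfil_candidates(deny_only_view(recs), 1))
    print("coverage for a 30-day window:", coverage_report(recs, 30))
```

With the full log, the analysis attributes about 1.2 GB of external egress to one host and none to the other (its large transfer stayed inside the network), while the DENY-only view yields no candidates at all. The coverage check also reports that these few hours of data do not cover a 30-day window, which is the retention gap the paragraph above warns about.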

If the logs are not good enough to determine what the hacker may have taken from the environment, it may be determined that any system they had access to is completely compromised and all data lost. This can be a death sentence to a company that handles customer or patient records. The incident response team will need to do their best to inventory all data and trace its path if it leaves the system. Regulatory bodies often assume the worst case scenario if logs are lacking.

Logging and historic data are useful for determining root cause, and this can help speed up the process of identifying clean backups. If the hackers dropped some method of persistence and waited a month or more to strike, your backups could be tainted. A threat hunt prior to backup deployment can serve to keep the restored systems clean.

To truly understand your risk if a zero-day were to occur, schedule a demo to see how Glassportal can help your organization: demo@glassportal.io
