So let’s take a look at backup and recovery in a time of cybercrime.
Strategic approaches include validating data integrity, forensic reporting and diagnostics, and full analytics. The following functions are essential.
Scan — Cyber protection requires that backups be searched for signs of attack and compromised data, including content (both unstructured files and databases) and core infrastructure. Signs include encrypted data and ransomware as well as mass deletion and slow corruption.
Alert — Administrators should be immediately notified when signs indicate an attack, suspicious behavior, or cyber corruption.
Diagnose — Administrators need to understand the who, what, where, and when of the attack. Post-attack reports and diagnostic details will assist recovery.
Identify the last good backup — The system must find the last known uncorrupted version, so operations return to normal with minimal downtime. Modern data analytics can validate the integrity of all files and databases on the initial scan.
Whatever the underlying vulnerabilities, the rise in ransomware is putting pressure on enterprises to have a real cyber recovery plan rather than depend on their disaster recovery systems. Here are a few outdated practices that are woefully insufficient in the current era of cyberattacks.
Metadata analysis — As ransomware has become far more advanced, solely examining file metadata for signs of attack is no longer reliable. Metadata scanning and analysis are easily circumvented, and sophisticated corruption also hides inside the contents of files and databases.
Two-part scans — Some security products do an initial scan and then send flagged content to the cloud for further analysis. However, sensitive information should not be transmitted to the cloud.
Trusting backups — Always validate backup integrity first. Some strains, like Conti, can shut down backup software entirely. Slow attacks corrupt data over a long period, so companies end up restoring data that still contains ransomware. Use machine learning analysis to compare data changes over time.
Trusting security — Attacks can circumvent security software by hiding inside virtual machines and cached copies of data, among other methods. The highly destructive Ragnar Locker and WastedLocker evaded traditional security products that scanned disks.
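To make the earlier points concrete (the scan, alert and "identify the last good backup" functions, and the warning that metadata-only checks and blind trust in backups fall short), here is an added example that is not from the original article or any vendor. It models a chronological series of backup snapshots as constructed in-memory dictionaries, scans each one for encrypted-looking content, mass deletion and ransomware file extensions, compares consecutive snapshots to catch slow corruption, and picks the most recent clean snapshot before the first alert. The entropy and deletion thresholds, the extension list and all file contents are assumptions constructed for the example; a real tool would read from backup media and tune the thresholds against its own data.

```python
"""Scan a series of backup snapshots for signs of ransomware and find the last good one.

Constructed example: a snapshot is {path: bytes}; thresholds are illustrative.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.2          # assumed: bits/byte above which bytes "look encrypted"
MIN_SIZE = 64                    # entropy of tiny files is not meaningful
DELETION_RATIO_THRESHOLD = 0.5   # assumed: losing half the files in one cycle is mass deletion
SUSPICIOUS_EXTENSIONS = (".locked", ".crypt", ".enc")  # constructed list, not exhaustive


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def metadata_flags(snapshot: dict) -> set:
    """Metadata-only check: judges a file by its name, so an encrypted file
    whose name was left unchanged passes. This is the weak check the article warns about."""
    return {p for p in snapshot if p.endswith(SUSPICIOUS_EXTENSIONS)}


def content_flags(snapshot: dict) -> set:
    """Content check: judges a file by its bytes, whatever it is called."""
    return {p for p, data in snapshot.items()
            if len(data) >= MIN_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD}


def assess_snapshot(prev: dict, curr: dict, baseline_encrypted: set) -> list:
    """Alert reasons for `curr` (empty list means clean).

    `baseline_encrypted` holds paths that were already high-entropy in the first
    snapshot (legitimately compressed/encrypted files) so they are not re-flagged.
    Caveat: if the first snapshot was already compromised, this baseline hides it.
    """
    reasons = []
    newly_encrypted = content_flags(curr) - baseline_encrypted
    if newly_encrypted:
        reasons.append(f"{len(newly_encrypted)} file(s) now look encrypted: {sorted(newly_encrypted)}")
    if prev:
        deleted = set(prev) - set(curr)
        if len(deleted) / len(prev) >= DELETION_RATIO_THRESHOLD:
            reasons.append(f"mass deletion: {len(deleted)}/{len(prev)} files removed")
    renamed = metadata_flags(curr)
    if renamed:
        reasons.append(f"ransomware extensions seen: {sorted(renamed)}")
    return reasons


def scan_series(snapshots: list) -> list:
    """Assess each snapshot against its predecessor; one reason-list per snapshot."""
    baseline_encrypted = content_flags(snapshots[0]) if snapshots else set()
    results, prev = [], {}
    for snap in snapshots:
        results.append(assess_snapshot(prev, snap, baseline_encrypted))
        prev = snap
    return results


def last_good_backup(snapshots: list):
    """Index of the most recent clean snapshot taken before the first alert, or None.

    Snapshots after the first alert are not trusted even if they look clean:
    slow corruption may have stopped changing files while leaving damage behind.
    """
    last_good = None
    for i, reasons in enumerate(scan_series(snapshots)):
        if reasons:
            break
        last_good = i
    return last_good


def fake_ciphertext(label: str, blocks: int = 64) -> bytes:
    """Deterministic high-entropy bytes standing in for ransomware output (constructed)."""
    out, h = bytearray(), label.encode()
    for _ in range(blocks):
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out)


# Constructed sample data: four nightly snapshots of a small file set.
REPORT = b"Quarterly report: revenue grew 4 percent while churn fell slightly.\n" * 10
CUSTOMERS = b"id,name,email\n1,Ada,ada@example.com\n2,Grace,grace@example.com\n" * 10
NOTES = b"Meeting notes: move the ledger export to the new backup schedule.\n" * 10
LEDGER = b"2024-01-01,invoice,1200.00\n2024-01-02,refund,-80.00\n" * 10
EDITED_REPORT = REPORT + b"Addendum: forecast unchanged.\n"

SNAPSHOTS = [
    # night 1: clean baseline
    {"docs/report.txt": REPORT, "db/customers.csv": CUSTOMERS,
     "docs/notes.txt": NOTES, "db/ledger.csv": LEDGER},
    # night 2: one legitimate edit, still clean
    {"docs/report.txt": EDITED_REPORT, "db/customers.csv": CUSTOMERS,
     "docs/notes.txt": NOTES, "db/ledger.csv": LEDGER},
    # night 3: slow corruption, one file encrypted in place; name unchanged, so metadata sees nothing
    {"docs/report.txt": EDITED_REPORT, "db/customers.csv": CUSTOMERS,
     "docs/notes.txt": NOTES, "db/ledger.csv": fake_ciphertext("ledger")},
    # night 4: mass event, survivors encrypted and renamed, the rest deleted
    {"docs/report.txt.locked": fake_ciphertext("report"), "db/ledger.csv": fake_ciphertext("ledger")},
]

if __name__ == "__main__":
    for i, reasons in enumerate(scan_series(SNAPSHOTS)):
        print(f"snapshot {i}: {'ALERT ' + '; '.join(reasons) if reasons else 'clean'}")
    print("restore from snapshot", last_good_backup(SNAPSHOTS))
```

Running it reports snapshots 0 and 1 as clean, flags snapshot 2 on content alone (the metadata check returns nothing for it, which is the point about metadata-only scanning), flags snapshot 3 for encryption, mass deletion and a ransomware extension, and selects snapshot 1 as the one to restore from. Comparing each snapshot with its predecessor, rather than inspecting the newest copy in isolation, is what lets the slow in-place corruption on night 3 surface before the mass event.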
Sadly, many enterprises are not prepared to go into battle because the very systems that are supposed to keep them safe, backed up, and secure are not as effective as they need to be. Surviving a cyberattack today with backup practices from the past is unlikely. Following these suggestions can speed up recovery time and decrease downtime.