Tips for ensuring you can recover from a malware incident
At HALOCK, our incident response and forensic team has responded to numerous scenarios where multiple important systems and data are no longer functional or accessible. Logically, the fastest way to restore functionality and data should be to restore from the backups an organization already has in place. However, cyberattackers are increasingly executing attacks manually and surgically. The attackers know which systems are critical to an organization’s ability to recover quickly and go after those systems first. Backup infrastructure is often at the top of an attacker's list to corrupt, which forces the organization to decide between paying a ransom (in the case of ransomware) and embarking on a long and costly rebuild effort. The following recommendations help create a reliable and resilient backup infrastructure that can consistently be restored from.
House backup infrastructure on its own network segment: There are several benefits to doing this.
- If there are signs of unwanted activity on the network, access to and from the backup infrastructure can be turned off at the firewall. This ensures that an attacker cannot reach the backups to encrypt or delete them.
- Traffic to and from a separate segment passes through a firewall, so access to the backup infrastructure is visible and anomalous activity can be identified and acted upon.
- You can restrict communication to and from the backup infrastructure. For example, you can allow communication that originates from the backup segment while not allowing traffic originating from non-backup infrastructure to reach the backup environment.
Protect the backup management console and backups: Attackers will locate the management console and backups and corrupt them via encryption or permissions removal. By attacking the backup console, even if the backups themselves are protected, they leave the organization with no way to restore the backup data. The following items are recommended.
- Place the management console on the secure backup segment to protect it just like the backups.
- Require MFA to access the management console (and backup infrastructure). That way, an attacker who compromises administrative or service accounts still cannot reach the console.
- Do not join the backup console and infrastructure to an Active Directory domain. Attackers compromise domain accounts to gain access to other systems.
- Use a privileged account management solution to protect accounts that access backup components. Ideally, use just-in-time provisioning so that there are no standing credentials to compromise and use to access the backup environment.
- Encrypt backups at rest to protect them if they are copied to a different location. Whole disk encryption is not an effective approach here; the backup solution or a third-party encryption solution should be used to perform the encryption.
Store multiple copies of key systems and data: There is an older recommendation to follow the 3-2-1 rule: 3 copies of your important data and systems, 2 different types of media, and 1 copy kept off-site. Over time, this recommendation has proved costly for many organizations. Current recommendations have evolved to the following.
- Keep 2 copies of critical systems and data.
- Keep one backup copy local and one in a non-continuously accessible location. A non-continuously accessible location is typically a cloud location or a SaaS backup solution: one that cannot be identified through an attacker’s network reconnaissance, and that cannot be accessed with compromised credentials taken from a credential store containing administrative and service accounts.
- Ensure one of the backup locations is immutable (cannot be modified). This can be done by making the backups read-only or by using a backup solution that only allows restorations and backup management through its own interface, never through direct access to the backup systems.
- Utilize MFA to access the locations where backups are stored.
Perform test backup restorations: Sometimes it is discovered during an incident that the backups are present and have not been modified, but there is still a problem restoring from them.
- Ensure your backups are occurring regularly. We have seen situations where backups were not executing as expected and the only available restore point was days, weeks, or even months old.
- Ensure the process to restore key systems and data is documented. Sometimes the person who implemented the backups is no longer with the organization and the remaining personnel do not know how to access and restore backups.
- Test restorations of critical systems and data. Restoring a particular system, application, or data set may have nuances that must be handled to reach a functional state. It is best to understand these special conditions beforehand and document the procedure as needed. An incident response is not the time to figure this out; doing so will lengthen the restoration.
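Two of the checks above, the backup regularity check and the test restoration, in runnable form. This is an added example, not HALOCK's code and not tied to any backup product: the job catalog (system, finish time, status, size), the archive layout (files plus a manifest.json of SHA-256 digests) and the sample data are all constructed so the script runs offline. The catalog review flags systems that are stale, have never succeeded, or whose newest copy shrank sharply; the restore test proves the restored result is usable rather than merely that the job completed.

```python
"""Backup catalog review and test restoration (added example, constructed data)."""
import hashlib
import io
import json
import sqlite3
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

RPO = timedelta(hours=24)   # how old the newest good copy of a system may be
SHRINK_ALERT = 0.5          # a copy under half the previous size deserves a look

# Constructed catalog in the shape most backup products can export (assumption).
NOW = datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc)
CATALOG = [
    {"system": "erp-db",   "finished_at": NOW - timedelta(hours=6),  "status": "success", "bytes": 50_000_000_000},
    {"system": "erp-db",   "finished_at": NOW - timedelta(hours=30), "status": "success", "bytes": 49_000_000_000},
    {"system": "file-srv", "finished_at": NOW - timedelta(days=9),   "status": "success", "bytes": 2_000_000_000_000},
    {"system": "file-srv", "finished_at": NOW - timedelta(hours=5),  "status": "failed",  "bytes": 0},
    {"system": "mail",     "finished_at": NOW - timedelta(hours=4),  "status": "success", "bytes": 3_000_000_000},
    {"system": "mail",     "finished_at": NOW - timedelta(hours=28), "status": "success", "bytes": 80_000_000_000},
    {"system": "hr-app",   "finished_at": NOW - timedelta(hours=2),  "status": "failed",  "bytes": 0},
]


def find_unreliable_backups(catalog, now=NOW, rpo=RPO):
    """Return {system: reason} for systems with no successful backup, whose newest
    success is older than the RPO, or whose newest copy shrank sharply (a job can
    report success while protecting far less than it should)."""
    by_system = {}
    for job in catalog:
        by_system.setdefault(job["system"], []).append(job)
    problems = {}
    for system, jobs in by_system.items():
        good = sorted((j for j in jobs if j["status"] == "success"), key=lambda j: j["finished_at"])
        if not good:
            problems[system] = "no successful backup in catalog"
        elif now - good[-1]["finished_at"] > rpo:
            problems[system] = f"newest good copy is {now - good[-1]['finished_at']} old"
        elif len(good) > 1 and good[-1]["bytes"] < SHRINK_ALERT * good[-2]["bytes"]:
            problems[system] = "newest copy shrank sharply versus the previous run"
    return problems


def write_backup(archive: Path, files: dict, corrupt_member: str = None) -> None:
    """Stand-in for the backup job: pack the files plus a manifest of their digests.
    corrupt_member simulates silent corruption: the manifest keeps the true digest
    while the stored bytes are wrong."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    members = dict(files, **{"manifest.json": json.dumps(manifest).encode()})
    if corrupt_member:
        members[corrupt_member] = b"\0" * len(members[corrupt_member])
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def restore_and_verify(archive: Path, dest: Path) -> dict:
    """Restore into a scratch location, then check that every file matches its
    manifest digest and every SQLite database passes its own integrity check."""
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' filter (Python 3.12, backported to maintenance releases)
        # rejects archive members that would write outside dest.
        tar.extractall(dest, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
    manifest = json.loads((dest / "manifest.json").read_text())
    report = {"checksum_failures": [], "db_checks": {}}
    for name, digest in manifest.items():
        if hashlib.sha256((dest / name).read_bytes()).hexdigest() != digest:
            report["checksum_failures"].append(name)
        elif name.endswith(".db"):
            con = sqlite3.connect(dest / name)
            report["db_checks"][name] = con.execute("PRAGMA integrity_check").fetchone()[0]
            con.close()
    report["ok"] = not report["checksum_failures"] and all(v == "ok" for v in report["db_checks"].values())
    return report


def make_sample_db() -> bytes:
    """Constructed application database standing in for a real one."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "app.db"
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, total REAL)")
        con.executemany("INSERT INTO orders(total) VALUES (?)", [(19.99,), (250.0,)])
        con.commit()
        con.close()
        return path.read_bytes()


def run_restore_test(corrupt_member: str = None) -> dict:
    """Back up constructed data, restore it elsewhere and return the verification report."""
    files = {"app.db": make_sample_db(), "config.ini": b"[service]\nport=8443\n"}
    with tempfile.TemporaryDirectory() as d:
        archive = Path(d) / "nightly.tar.gz"
        write_backup(archive, files, corrupt_member)
        return restore_and_verify(archive, Path(d) / "restore")


if __name__ == "__main__":
    print(find_unreliable_backups(CATALOG))
    print(run_restore_test())
    print(run_restore_test(corrupt_member="config.ini"))
```

The catalog check is the part to schedule: run it daily against the backup product's exported job history and alert on anything it returns, so a job that has quietly stopped or started producing near-empty copies is noticed before an incident rather than during one. The restore test deliberately checks a restored database with its own integrity check, because a file that hashes correctly can still be an unusable snapshot of an application that was mid-write.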
Use a dedicated management network segment to access the backup infrastructure: This further locks down management access to the key backup components, so that nobody on the general internal network can reach them.
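The segmentation rules from "House backup infrastructure on its own network segment" and the dedicated management segment described here, written out as a small stateful policy model. This is an added example, not HALOCK's code and not any firewall vendor's rule syntax; the segment ranges, the console address and the port numbers are constructed assumptions. What it shows is the shape the rules need before they are typed into a real firewall: the backup segment may open connections outward, nothing on the general internal network may open connections inward, only the management segment may reach the console, every crossing attempt is logged for alerting, and one lockdown flag cuts all access to the segment during an incident.

```python
"""Policy model for the firewall around a dedicated backup segment (added example)."""
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the article).
BACKUP_SEGMENT = ip_network("10.50.0.0/24")     # backup servers and backup storage
MGMT_SEGMENT = ip_network("10.60.0.0/24")       # dedicated management segment
BACKUP_CONSOLE = ip_address("10.50.0.10")       # backup management console
CONSOLE_PORTS = {443}                           # console web UI (assumed port)


class BackupBoundaryFirewall:
    """Stateful policy for traffic crossing into or out of the backup segment."""

    def __init__(self) -> None:
        self.lockdown = False     # set during an incident: nothing crosses the boundary
        self.sessions = set()     # (client, server, port) connections this firewall accepted
        self.log = []             # every crossing decision, the feed for anomaly alerting

    @staticmethod
    def _crosses_boundary(src, dst) -> bool:
        # Traffic within one segment never reaches this firewall, and traffic that
        # touches neither side of the boundary is governed by other policy.
        return (src in BACKUP_SEGMENT) != (dst in BACKUP_SEGMENT)

    def new_connection(self, src: str, dst: str, dport: int) -> bool:
        """Decide whether a connection opened from src to dst:dport is accepted."""
        s, d = ip_address(src), ip_address(dst)
        if not self._crosses_boundary(s, d):
            return True
        if self.lockdown:
            verdict = False
        elif s in BACKUP_SEGMENT:
            verdict = True    # backup-initiated: servers reach out to the clients they protect
        elif s in MGMT_SEGMENT and d == BACKUP_CONSOLE and dport in CONSOLE_PORTS:
            verdict = True    # only the management segment may open the console
        else:
            verdict = False   # default deny for anything else opened towards the backups
        self.log.append(("new", src, dst, dport, verdict))
        if verdict:
            self.sessions.add((s, d, dport))
        return verdict

    def reply(self, src: str, dst: str, sport: int) -> bool:
        """Pass a reply packet only if it belongs to a connection accepted above.
        'Established' is decided by the firewall's own state, never by the sender."""
        s, d = ip_address(src), ip_address(dst)
        if not self._crosses_boundary(s, d):
            return True
        verdict = not self.lockdown and (d, s, sport) in self.sessions
        self.log.append(("reply", src, dst, sport, verdict))
        return verdict

    def denied_attempts(self) -> list:
        """Crossing attempts the policy refused: what to alert on."""
        return [entry for entry in self.log if not entry[-1]]


if __name__ == "__main__":
    fw = BackupBoundaryFirewall()
    print(fw.new_connection("10.50.0.20", "10.1.2.3", 10000))   # backup server to a client agent
    print(fw.new_connection("10.1.2.3", "10.50.0.20", 10000))   # workstation opening to the backup server
    print(fw.new_connection("10.60.0.5", "10.50.0.10", 443))    # admin from the management segment
    fw.lockdown = True
    print(fw.new_connection("10.50.0.20", "10.1.2.3", 10000))   # same backup job during lockdown
    print(fw.denied_attempts())
```

The two details worth carrying into the real rule set are that "established" is a property of the firewall's connection table rather than anything the packet says about itself, and that the lockdown drops replies as well as new connections, so flipping it mid-incident severs sessions an intruder may already hold rather than only blocking new ones.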
By following the recommendations provided, you will have a more resilient backup environment and a better chance of a successful recovery. If you are interested in further understanding the backup recommendations or would like help identifying solutions that address them, please contact HALOCK to schedule a discussion.