Ensure Data Recovery with Resilient, Monitored Backups
Restoring all encrypted data after a ransomware attack is unlikely for a number of reasons, says John Shier, senior security adviser at Sophos, and the simplest reason is probably the most accurate.
“They’re criminals,” he says. “They don’t have to give data back if they don’t want to. And the problem is that, in some cases, they’re unable to decrypt all the files even if they intend to.”
Brian Kelly, director of the cybersecurity program at EDUCAUSE, agrees.
“The short answer is that you’re dealing with cybercriminals, and they either don’t have the best intent or they don’t have the right infrastructure to actually get that data back.”
The best way to ensure that as much data as possible can be recovered in the likely event of a cyberattack is to back up regularly, and monitor and test those backups to ensure they’re working as intended.
“All too often, we see institutions have a backup program in place, and they blindly trust that the backups are happening. And sometimes, they find out that they weren’t happening on the schedule they thought they were,” says Shier.
Common mistakes include failing to monitor whether files are being corrupted during the backup process, and backing up files to the same network where cybercriminals launched their initial attack. The reasons these mistakes are made run the gamut, Shier says, but the only way to ensure data is being backed up correctly is to check.
“Having all the telemetry at your fingertips to know when something is wrong is supremely important,” he says. “You need to be able to put some reliable and sensible alerting into your process so that you’re not being alerted at every single little failure. Still, there are certain failures that you want to know about every time they happen, one of those things that you want to raise a red flag in the SOC to say, ‘We need somebody to look at this.’”
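As an added illustration (not code from the article or from Sophos), the checks described above can be scripted: compare hashes recorded at the source against what actually landed in the backup target, flag a backup that silently stopped running on schedule, and route only the failures that should always reach the SOC as pages while noisy, transient errors are aggregated. All file contents, paths, timestamps and agent-log events below are constructed sample data.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta

# Failures that should raise a red flag in the SOC every time they happen.
ALWAYS_ALERT = {"integrity_mismatch", "missing_file", "missed_backup_window"}
# Noisy, usually transient agent errors: alert only once they repeat within one run.
NOISE_THRESHOLD = 3

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_integrity(source_hashes: dict, backup_copy: dict) -> list:
    """Detect files corrupted in transit or never written to the backup target."""
    findings = []
    for path, expected in source_hashes.items():
        stored = backup_copy.get(path)
        if stored is None:
            findings.append(("missing_file", path))
        elif sha256(stored) != expected:
            findings.append(("integrity_mismatch", path))
    return findings

def check_schedule(last_success: datetime, now: datetime, interval: timedelta, grace: timedelta) -> list:
    """Flag a backup job that is not running on the schedule everyone assumes it is."""
    if now - last_success > interval + grace:
        return [("missed_backup_window", f"last success {last_success.isoformat()}")]
    return []

def triage(findings: list) -> dict:
    """Split findings into 'page now' and 'aggregate', so not every little failure alerts."""
    page, counts = [], Counter()
    for kind, detail in findings:
        if kind in ALWAYS_ALERT:
            page.append((kind, detail))
        else:
            counts[kind] += 1
    return {"page": page, "aggregated": {k: n for k, n in counts.items() if n >= NOISE_THRESHOLD}}

# Constructed sample data: source files, the (partially corrupted) backup copy, and agent log events.
SOURCE = {"/srv/db/dump.sql": b"CREATE TABLE grades (...);", "/srv/docs/a.txt": b"hello", "/srv/docs/b.txt": b"world"}
SOURCE_HASHES = {p: sha256(d) for p, d in SOURCE.items()}
BACKUP_COPY = {"/srv/db/dump.sql": b"CREATE TABLE grades (...);", "/srv/docs/a.txt": b"hellp"}  # a.txt corrupted, b.txt missing
AGENT_LOG = [("retry", "chunk 12"), ("retry", "chunk 12"), ("retry", "chunk 13"), ("throttled", "bandwidth cap")]

def run_checks(now: datetime = datetime(2024, 3, 2, 9, 0)) -> dict:
    findings = verify_integrity(SOURCE_HASHES, BACKUP_COPY) + list(AGENT_LOG)
    findings += check_schedule(datetime(2024, 2, 28, 2, 0), now, timedelta(days=1), timedelta(hours=6))
    return triage(findings)

if __name__ == "__main__":
    print(run_checks())
```

The one step this cannot replace is the proactive test restore Shier describes; the script tells you which backups deserve that human attention first.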
Dedicating a single person or a team of people on staff to review backups is a smart idea, Shier says, but part of the solution can and perhaps should also be found through automation.
“A lot of these tasks could possibly be automated, and the only one that requires a human is the one where you actually go for a proactive restore and just double-check that everything is good,” he says. “You can intelligently devote your human resources to the places where machines might be more prone to failure.”