Ransomware has hit the headlines in a big way over the years—causing widespread gas shortages, disrupting meat plant operations, exposing critical police files, and more.
In response to these increasing cyber threats, the White House raised ransomware to the top of the national security agenda, issuing a bluntly worded warning for American businesses to take urgent security measures to protect against attacks. Here are the topline recommendations and how to implement them.
The Evolution of Ransomware
Hackers used to gain access primarily through phishing emails that would deploy malware when an unsuspecting employee clicked on a link. The malware would encrypt company servers, and the decryption key would be offered in exchange for a five- or six-figure ransom. Typically, these threat actors didn’t target company information, nor did they know which company they would ultimately target. It was about searching for opportunities to exploit a system.
But the game has shifted, becoming a dangerous threat to businesses’ core operations. Today’s attacks involve exfiltrating company information, understanding the financial picture, and identifying opportunities to exploit for maximum gain.
Threat actors are often sophisticated criminal organizations that seize sensitive company data and target backup systems before issuing a “pay up or else” ultimatum. The ransom now being demanded is also significantly higher—often tens of millions of dollars.
See the latest with the 2023 White House Cybersecurity Strategy
Ransomware Protection Is a National Security Priority
With ransomware now a national security priority, the US government has developed new policies surrounding ransom payments and holding countries accountable for harboring cybercriminals. Yet, addressing the risk also requires a concerted effort, with businesses sharing the responsibility of thwarting attacks.
5 Steps to Reduce Ransomware Risks
The newly released White House memo outlines five steps that businesses can take now to bolster their defenses in response to the current ransomware threat.
1. Back up your data. Backing up data, system images, and configurations is a fundamental part of protecting yourself against ransomware. Unfortunately, today’s sophisticated attacks head straight for backups—compromising everything before taking over production environments. In other words, standard backups aren’t enough.
A multilayered defense with a modern approach to backup and restore is essential. Backup data and backup metadata must be protected in an immutable state. By backing up files through frequent snapshots that can’t be deleted, encrypted, or modified, organizations gain peace of mind that their data is locked down from malicious attacks. That protected data must also be readily available in a time of need, requiring underlying infrastructure that delivers accessibility and speed. With this level of data protection and restore, businesses can avoid the major organizational, reputational, and financial impacts of a ransomware attack.
It’s also essential to understand that there are two critical components associated with backing up data:
- Proven recoverability: Organizations must have proven recoverability that goes beyond immutability. While sophisticated attackers can’t tamper with an immutable backup, they can delete it if they have the right credentials. A solution like Pure’s SafeMode™ snapshots eliminates the ability for the attacker to delete your backups and is essential for recoverability.
- Ability to recover quickly: Along with having an immutable recovery point, you also need to be able to recover quickly. As we’ve seen with recent attacks, organizations have had to pay ransoms in an attempt to speed recovery times because their backup systems were so slow to restore. Therefore, backups and recoverability aren’t enough. Speed, like the petabytes of restore per day that you can achieve with solutions like Pure FlashRecover™, Powered by Cohesity® and Rapid Restore are critical to getting key systems up and running faster.
2. Update and patch systems promptly. This includes having visibility into your IT estate and staying on top of the security of operating systems, applications, and firmware—and applying critical patches as needed. A centralized logging platform that logs details about all systems and a patch management system can be beneficial. A risk-based assessment strategy that supports your patch management program and an effective security analytics program to identify anomalies in your environment are also key.
Pure1® can assist with patches, and a solution like Pure FlashBlade® gives you the ability to log all your systems via a platform like Splunk or Elastic. It provides the critical, high-speed analytics processing required to help identify attackers in your environment, hopefully before they launch their attack.
3. Create and test your incident response plan. Testing is a critical component of reducing ransomware risk. Along with creating an incident response plan, consider the infrastructure necessary to support it. Today’s best plans are highly focused on prevention with the solutions in place to catch issues before they occur. Testing your response plan must include testing the supporting infrastructure, as well as all components of the process. Just table-topping and testing the process isn’t enough as it won’t identify the real gaps that likely exist in the restoration capabilities.
Failing over between sites is also a critical component of testing. Organizations should ensure their storage solutions have the ability to fail over seamlessly—and with little to no data loss. Solutions like Pure ActiveCluster™ offer a true zero RPO/RTO. This means true, instantaneous failover with no manual intervention. In addition, solutions like Pure ActiveDR™ offer a near-zero RTO/RPO with the click of a button. Such solutions can also aid in disaster recovery testing by allowing you to test failover capabilities and then fail back with no user intervention. This is a huge benefit, especially to large and/or geographically dispersed organizations.
4. Check your security team’s work. You’ll want to double down on testing your internal security and ability to ward off an attack. A third-party penetration testing service is well worth the investment. Then, prioritize and address any identified vulnerabilities. Bug bounties can also be a valuable option that allows you to get a more “real world” look into how vulnerable your organization is from the eyes of real, external attackers. Often, penetration testers take a fairly siloed approach to testing. They have a one-size-fits-all assessment methodology and tooling, which ultimately limits the outcomes that are available. Bug bounty programs, on the other hand, have no such guardrails and give full “creative freedom” to the attackers to find vulnerabilities that allow access into your environment.
5. Segment your networks. With cybercriminals more focused on disrupting operations than just stealing data, it has become vitally important to separate corporate business functions from manufacturing/production operations. Carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised.
Keep in mind that the whole premise of segmentation is to ensure a degree of recoverability by limiting an attacker’s ability to destroy systems. Segmentation is both expensive and time-consuming. It requires continual care and feeding and resources to manage. SafeMode offers the same technical result, without the overhead and complexity of virtual networking. SafeMode also creates out-of-band, multifactor-authentication-protected backup snapshots that can’t be deleted, even by an attacker who holds administrative credentials.
Along with these best practices, the executive order also recommends that businesses immediately implement the following common sense, security practices:
- Enable multifactor authentication.
- Deploy an endpoint detection and response system.
- Encrypt all data, at rest and in use.
- Develop or seek a skilled, empowered security team.
Corporate Boards Also Play a Role in Data Security Oversight
Along with the White House, the US Federal Trade Commission (FTC) has also sounded the alarm on increased security threats to data. Stressing the need for corporate boards to prioritize data security and ensure consumer and employee data is protected, the FTC encourages companies to:
- Build a team of stakeholders from across your organization. A sound data security program includes stakeholders from business, legal, and technology departments, including both high-level and operational experts.
- Establish board-level oversight. Cyber risks should be prioritized within the boardroom and not simply delegated to an audit committee. Board-level oversight can ensure cybersecurity threats, defenses, and responses have the attention of senior management and get the necessary resources.
- Hold regular security briefings. Cybersecurity is not a one-and-done project. It requires board members to be informed, engaged, and updated. With regular briefings, boards can effectively manage their oversight responsibility, as well as understand the security landscape and prioritize threats to the company.
- Don’t confuse legal compliance with security. A common misconception is that compliance translates into good security. It doesn’t. Because cybersecurity threats are rapidly evolving, boards should ensure that their security programs are aligned to their unique needs, priorities, technology, and data—and not just geared toward meeting compliance obligations and requirements.
It’s All About Protection, Detection, and Rapid Recovery
When systems go down, what really matters is how fast you can bring your business back online.
Before an attack, protection and detection are key. Pure1 helps with both: a data protection assessment to proactively secure arrays, and anomaly detection to detect threads. After a ransomware attack, you need a clean environment to recover to while forensic investigation is underway. Pure Storage Evergreen//One’s new Ransomware Recovery SLA offers the only industry guarantee for getting back online, including:
- Next business day shipping of clean recovery array(s)*
- 48 hours to finalize a recovery plan
- 8 TiB/hour data transfer rate
- Bundled services, including technical services engineering to finalize the recovery plan and an onsite professional services engineer from time of array arrival through replacement of infected array(s)
*If shipping to North America, Europe, or the UK. For Asia-Pacific, it will be 48 hours.
Contact the team at Pure Storage® to learn more.
