In part one of this two-part blog series, we analyzed the UK National Cyber Security Centre’s (NCSC) guidance relating to backups and data protection. Now in this post, we will examine NCSC’s guidance around mitigating malware and ransomware attacks.
Recall that NCSC, at present, provides information and practical guidance in various articles on its website rather than formal requirements or regulations. That said, following NCSC’s sound guidance can greatly improve your cybersecurity posture.
Let’s take a look at NCSC’s guidance (bolded and italicized) and how Rubrik Zero Trust Data Security can improve your cyber resilience.
Adopt a Modern Security Mindset
Mitigating Malware and Ransomware Attacks
Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:
There is no guarantee that you will get access to your data or computer
Your computer will still be infected
You will be paying criminal groups
You're more likely to be targeted in the future
The ability to recover quickly and with minimal cost using solutions that support automation, like Rubrik, to deliver very low RTO and RPO changes the economics of ransomware response. With quick and accurate recovery from an attack along with visibility into what data was impacted, paying the ransom is often not necessary. And as NCSC points out, paying the ransom can invite more attacks.
Since there's no way to completely protect your organisation against malware infection, you should adopt a 'defence-in-depth' approach. This means using layers of defence with several mitigations at each layer. You'll have more opportunities to detect malware, and then stop it before it causes real harm to your organisation.
You should assume that some malware will infiltrate your organisation, so you can take steps to limit the impact this would cause, and speed up your response.
No defence is 100% guaranteed against ransomware. Cybercriminals evolve and improve their techniques just as those of us defending against threats. Resources spent on ensuring timely response and recovery with minimal impact on your organization’s operations represent a better investment than continuing to layer on protective controls which will ultimately not provide total protection.
This above point is reflected in NCSC’s number one recommendation around malware:
Action 1: make regular backups
This comes before the preventative measures (Actions 2 & 3). NCSC also recommends the following under Action 1:
Make regular backups of your most important files – it will be different for every organisation – check that you know how to restore files from the backup, and regularly test that it is working as expected.
Rubrik’s complete data security platform was built to automate backup and recovery. An SLA policy engine allows you to set the parameters of data backup, such as backup frequency, snapshot window, archive location, and retention period. Automation makes it possible for backup testing to be done more frequently.
Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment. Our blog on 'Offline backups in an online world' provides useful additional advice for organisations.
Make multiple copies of files using different backup solutions and storage locations. You shouldn't rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.
Rubrik Cloud Vault is a fully managed service that was designed for isolated, offsite storage of your data in a secure cloud bunker. This SaaS offering is built on Microsoft Azure. The environment is logically air-gapped from your core data center and cloud workloads, thus dramatically reducing the risk of backup data breach, encryption, or theft. Immutable backups in Rubrik Cloud Vault cannot be changed or deleted. Rubrik also offers CloudOut, a customer-managed cloud archival solution that is compatible with all major public cloud providers.
Make sure that the devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.
Rubrik’s purpose-built file system ensures your native backup data is not exposed via open network protocols. Because Rubrik backup storage is not online nor is it accessible over the network, there is a logical air gap that blocks data from being discoverable or accessible. When coupled with role-based access controls and multi-factor authentication, the logical air gap can deliver the same or better risk mitigation as a physical air gap.
You should ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible – cloud services often automatically synchronise immediately after your files have been replaced with encrypted copies.
Rubrik SLA Retention Lock prevents attackers, or even rogue administrators, from reducing or eliminating data retention at any backup location, including cloud locations. Once enabled, Retention Lock strictly prohibits any modification to an SLA domain policy resulting in deleted backup data. This includes outright deletion or data expiration and data redirection via Rubrik’s archival and replication policies. The security of retention locked SLAs is managed through a validation process within Rubrik’s compliance team. If a customer requests a modification to retention locked SLA, two appointed individuals from the customer’s organisation must authenticate and acknowledge the alterations with the Rubrik Support Team.
In addition, Rubrik’s natively immutable file system prevents data from being modified after being written. Since Rubrik stores data in a non-native format, data cannot be easily read or exfiltrated. This approach is in contrast to other solutions where data is readily accessible in its native format, making it easy for attackers to modify or steal backup data.
Ensure that backups are only connected to known clean devices before starting recovery.
Rubrik uses a Zero Trust architecture and file system that, as mentioned previously, never exposes backup data via open network protocols. Because Rubrik backup storage is not online or accessible over the network, there’s a logical air gap that blocks data from being discoverable or accessible. This approach offers similar protection without the impact on the recovery time of a physical air gap.
Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time, and replicated to backups before being discovered.
Rubrik’s incident containment capabilities include the ability to hunt for threats within the backup platform. Threat hunting solutions have traditionally enabled organisations to search production systems for patterns of malicious activity and indicators of compromise (IOCs). Rubrik is bringing this capability to our backup platform so that you will now be able to easily search the backup environment for IOCs, without any impact on production systems.
This capability further arms you to reduce your incident response times and strengthen your posture against ransomware. With the ability to quickly search backup snapshots for IOCs, you can now more accurately pinpoint a last known clean snapshot so that malware will not reinfect production systems upon restoration.
Prepare for Incidents
Action 4: prepare for an incident
Identify your legal obligations regarding the reporting of incidents to regulators, and understand how to approach this.
In the event of an attack, Rubrik Ransomware Investigation helps you assess the blast radius. Rubrik Sensitive Data Discovery discovers, classifies, and reports on what types of sensitive data reside where and who has access. You can leverage predefined policy templates as a starting point or create your own to identify PII and other common data types from regulations such as GDPR and PCI-DSS. When Ransomware Investigation and Sensitive Data Discovery are used in conjunction, you can quickly identify what sensitive data was impacted and communicate to the appropriate parties accordingly.
To summarize, NCSC has put forth guidance across data protection and data security; Rubrik Zero Trust Data Security checks the boxes and more. Think you are prepared for when ransomware strikes? Put your plan to the test and assess your ransomware readiness with the Rubrik Ransomware Recovery Assessment tool.