We recently asked renowned Ransomware Expert Allan Liska to define a ransomware proof backup strategy. See his response in this video, and in case you’ve missed it, here’s the transcript:
Scott Bekker:
No single tactic is enough to defend against ransomware, but backup and recovery is obviously pretty important. What are some of the most important components of a really, I don’t want to say bulletproof, but a very strong backup and recovery plan or set up?
Allan Liska:
Right. The nice thing about a good backup a plan is it gives you options when you suffer a ransomware attack, because if you don’t have backups, you almost always have to pay the ransom. It’s impossible to recover without them. There are a few things that you want.
One, you want to make sure that you have copies of your backup that are not readily accessible from the network. Ransomware actors will specifically look for backups and try to encrypt those because if they can encrypt those they know they’re more likely to get paid. You want to have those backups not readily accessible from the network, what we tend to colloquially refer to as offline, but of course there’s no real offline backup unless you’re storing them at Iron Mountain or a place like that. You want to have backups that are a reasonable backup point. You have to have an acceptable amount of data loss that you are willing to accept in a ransomware attack. If that’s an hour of data loss, four hours of data loss, whatever that number is, you have to be aware of that and you have to have your backups timed in a way that you know that, okay, I’m going to lose this much data, but I’m okay with that because it means my backups will be inaccessible to the ransomware after.
The other thing is you have to test your backups. This is a big, big area where a lot of organizations don’t think about it, but you have to conduct regular full test of your backups. Not, can I restore a single file, but can I restore a single server? Can I restore a whole server? Can I restore multiple servers? What does that look like? That’s really a big part of the backup strategy is making sure that the restoration actually works and works in a way that is acceptable for your recovery time. Those are really some of the big things that we think about.
Scott Bekker:
Those are some great things to think about. You mentioned about offline backup and how if it’s not at Iron Mountain, what exactly does that mean. How do you protect those offline backups? Is it having a different administrator account for those backup than your core? What are some of the best practices?
Allan Liska:
Right. You want to have different administrator accounts. You want to have your backups put onto, if you can, immutable drives so that they can’t be tampered with, although that gets to be very expensive so you have to be careful with that. You often want to think about having them in a disaster recovery network segment, that’s isolated from the rest of the network so there are ways to pull data from backups to have the backup software reach in, copy the backups that it needs, copy the data that it needs, and then store it separately from the network. That’s really the tools that are built into the really good backup software and the most reliable backup and recovery tools.
Scott Bekker:
That makes a lot of a sense. One of the things that I also wanted to ask about is, people talk about dwell time. How do you think about that as far as your backups go in terms of what kind of files, loaders and things could be left behind by someone who’s got dwell time and they’re in your backup files as well. Is there anything to do about that?
Allan Liska:
That’s a really good question. Most modern day ransomware attacks where the ransomware actor is in the network anywhere from several hours to several days to weeks means that there are going to be artifacts left on these machines that’ll be part of your backups. Just reality. The way that we do that is when we’re recovering from a ransomware attack, machines that need to be restored are restored disconnected from the network. After you’ve done your initial incident response, understand how the ransomware actor moved around the network, what tools they used, what artifacts to look for. Then as you start the restoration process, you restore from backup, and if you happen to detect any of those tools on those systems, then you remove them before you put the restored machine back into service. That should be a part of your disaster recovery plan is building this isolated network that you’re going to restore the machines on, then you’re going to put them into service.
Scott Bekker:
Excellent. Well, great. Thanks a lot for these tips. Great help.
Allan Liska:
Yeah. Thank you.
Interested in viewing more videos about Ransomware? Visit our Ransomware Video Gallery