Data backups were once thought to be a fallback solution in case of a natural disaster or hardware failure, and more recently as protection against a cyber attack. With a regular backup process in place, a business would be able to restore operations and ensure business continuity should the primary data source fail. Data exfiltration attacks, considered to be the game-changer for ransomware attacks, stripped away this safety net and exposed a gap in traditional backup and recovery plans: what happens when the data is stolen?
Long-touted backup best practices such as creating redundancies only exacerbate this problem, as more data copies mean more attack vectors and potential vulnerabilities to monitor and protect. Even recent advancements in the backup space, including immutability and stronger perimeter defenses, fail to address this problem. And as backups provide a rich data source for hackers and, when compromised, remove the organization’s last line of defense against attack, it’s no wonder that backups are becoming an attractive main target. We predict that backup security will become critical in 2023 as an increasing number of ransomware attacks actively target backup repositories.
How Data Exfiltration Attacks Undermined Backup Strategies
Data backups have been an important component of ransomware strategy and defense for many years. Victims of attack could avoid paying a costly ransom to decrypt their primary data by simply recovering from backup. Immutability inside the backup environment further secured the data by ensuring that it could not be wrongfully encrypted or altered in any way inside the backup repository. Ransomware attackers wised up. In late 2019, the first data exfiltration attack was reported, in which the data was not merely encrypted inside the repository but a copy was stolen first. The data copy proved to be the leverage needed to ensure high ransom payouts, as refusal to pay could result in the stolen data being published or sold. This shift in attack strategy undermined data backups, as the victims’ post-attack priority shifted from recovery and business continuity to maintaining the integrity of the stolen data and keeping it off the internet. In just three years, data exfiltration attacks rose to the point that today they are reported in over 83% of ransomware cases,1 thereby exposing a gap in the traditional security stack.
Data Backup as a Primary Target
Once data exfiltration attacks became the norm for ransomware, we started seeing backup data become a primary target. The goal of a pay-to-decrypt attack was to halt day-to-day business operations until the ransom was paid. While still a headache to clean up, an attack on backup data alone would not cause the same level of urgency.
However, backup data is very attractive to attackers seeking to steal data in order to weaponize it as leverage against the victim. Data kept in backup repositories is typically data worth keeping, meaning that it is vast and sensitive in nature: blueprints, customer transaction history, personal employee information, trade secrets and other intellectual property. In addition, backup data, having enjoyed many years of not being a main target, does not always have adequate security to withstand today’s sophisticated attacks. And while many backup solutions have the tools to protect the data while it’s in the repository, almost none can protect the data from being stolen. For these reasons, we saw a massive increase in attacks on cloud backups, up to 94% of reported cases in 2022.2 Of course, hackers care little whether the data they are stealing is primary or backup. Data exfiltration attacks have exposed the need for better detection and blocking of an attack in progress, along with anti-theft technology at the data level.
How Does Ransomware Attack a Backup Server?
The Cloud Security Alliance (CSA) recently reported that attackers can reach the “crown jewels” in just three steps. This means that they need just three “connected and exploitable weaknesses” to gain system access.3 Most commonly, attackers will try to reach backup data over the network via NFS or SMB. If this doesn’t work, they may look for known exploits (CVEs) or common misconfigurations directly on the operating system of the backup server.4 Compromised credentials are also targeted for gaining administrator rights to turn off existing security or decrypt files. With every successful ransomware hit, the attacker’s resources grow, providing even more time and money to invest in finding new exploits. Many organizations are unaware of just how insecure their data environment actually is.
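As an added example (not part of the original article), this is one way a defender can audit an NFS server's exports file for the network-reachable misconfigurations mentioned above. The sample exports content, paths and hostnames are constructed, and the parser assumes export paths without spaces.

```python
import re

# Export options that weaken protection of a backup share (see exports(5)).
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps root privileges on the share",
    "insecure": "requests from unprivileged source ports are accepted",
    "rw": "clients can modify or delete backup data",
}
WILDCARD_CLIENTS = {"*", "0.0.0.0/0", "::/0"}
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^)]*)\))?$")

# Constructed sample, not taken from a real system.
SAMPLE_EXPORTS = """\
# backup repository exports
/srv/backups/vm     10.0.5.12(ro,root_squash)
/srv/backups/db     *(rw,no_root_squash)
/srv/backups/files  backup01.example.internal (rw)
"""

def audit_exports(text):
    """Return (path, client, finding) tuples for an /etc/exports-style file."""
    findings = []
    text = text.replace("\\\n", " ")          # join continuation lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or ["*"]:         # no client list means any host
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            # "(rw)" separated from the host by a space has an empty host
            # and therefore applies to every client.
            host = m.group("host") or "*"
            opts = {o for o in (m.group("opts") or "").split(",") if o}
            if host in WILDCARD_CLIENTS:
                findings.append((path, host, "exported to any host"))
            for opt in sorted(opts.intersection(RISKY_OPTIONS)):
                findings.append((path, host, f"{opt}: {RISKY_OPTIONS[opt]}"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}] {finding}")
```

The third sample line shows a common pitfall: the space before `(rw)` grants read-write access to every host rather than to the named backup client.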
Don’t Just Recover From an Attack, Absorb It
Data exfiltration exposed the need for better tools to detect and block an attack while it is happening. In addition, data security today needs to include tools to protect data, even through a theft attempt. Cyberstorage, a new data protection category coined by Gartner last year,5 is the anti-exfiltration response to fill the gap in the current security stack. Merging high-performance security features with the data storage and processing environment, emerging cyberstorage solutions have the ability to absorb a ransomware attack in progress. Calamu Protect, for example, includes advanced triggers to automatically respond to suspicious activity and quarantine the impacted environment. By transforming the way data is processed, Calamu Protect ensures that a readable copy of the data can never be stolen out of the repository, thereby eliminating the exfiltration threat. As data exfiltration attacks increase and evolve, it is more important now than ever to secure your last line of defense.
1 Kroll | 2 Veeam | 3 CSA | 4 Network World | 5 Gartner