Ransomware attacks have been in the public eye for quite a while now. Growth is propelled not only by the surge in the number of cybercrime groups specializing in ransomware, but to a large extent by the continual increase in attack sophistication. Ransomware has evolved into a fully-fledged industry, with competing groups that continually introduce new capabilities and techniques. While some of the new trends in data crimes, such as data leaks, threats of data exposure, and shaming techniques have ignited media attention, other, potentially more devastating threats are still not widely discussed, which we’ll attempt to correct here.
Breaking the Myth: Storage, Backup, and Data Recoverability
A few years ago, very few chief information security officers (CISOs) thought that storage and backups were important. That’s no longer the case. In a security research study published by Continuity and CISO Mag, more than two-thirds of respondents believed an attack on their storage environment would have “significant” or “catastrophic” impact, and almost 60% of respondents were not confident in their ability to recover from a ransomware attack.
Ransomware has pushed backup and recovery back onto the agenda. Ransomware groups such as Conti, Hive, and REvil have actively targeted storage and backup systems to prevent recovery. Regulators are starting to pay attention to backup systems and data recovery, and industry awareness is also steadily growing.
The National Institute of Standards and Technology (NIST) released Special Publication 800-209, Security Guidelines for Storage Infrastructure, which places significant emphasis on securing and protecting data against attacks. This has driven CISOs to look again at potential holes in their safety nets by reviewing their storage, backup, and recovery strategies.
Storage and backup systems may seem relatively minor in the information technology (IT) stack, but size isn’t the best measure of the criticality of storage. Let’s compare storage to the human heart. The heart is modest in size but pumps life-giving blood throughout the body. So too does storage house critical, high-risk data that feeds your applications and devices. Just as shooters aim for the heart, so too do attackers target data where it lives: in your storage systems. If cybercriminals can exfiltrate data from storage and backup systems, they can sell it or leak it.
Unlike an attack on individual endpoints or servers, which can be highly inconvenient to a large enterprise, one that targets central storage or backup can be truly devastating. This is because a compromise of a single storage fabric can bring down thousands of servers. Furthermore, while recovery of an individual server is relatively straightforward, recovery of a storage fabric is a complete unknown to many CISOs.
Finally, far too often the production data and its recovery copies are kept without sufficient isolation: storage arrays that hold both the primary data and its snapshots, or admin accounts that are used to manage both the servers and the backups. In other words, neglecting storage and backup security will take its toll. CISOs must learn the ropes and must stop pushing it off as someone else’s responsibility.
Current Threat Landscape for Storage, Backup, and Data Recovery
NIST SP 800-209 provides a detailed overview of storage and backup system threats, risks, attack surfaces, and security recommendations. Some of the more sophisticated ransomware tactics include:
- Compromising storage operating systems, firmware, and drivers: These attacks will rarely be detected by existing vulnerability detection tools, which typically offer little or no coverage of storage systems and storage networks.
- Exploiting overlooked attack surfaces: This ranges from the most obvious, such as storage array factory accounts that are sometimes not removed during installation, to more elusive ones, such as servers that can send commands to storage arrays through Fibre Channel devices.
- Poisoning snapshots and backups: Even when a ransomware attack does not succeed in corrupting existing storage and backup systems (e.g., when immutable storage is used), it may still find a way to suspend or corrupt future snapshots or backups. It is then just a matter of waiting long enough before locking production data. By that time, the only remaining valid copies may be too old for any practical use. Most organizations do not test recoverability frequently, so such attacks are likely to go unnoticed.
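The snapshot-poisoning tactic above is only invisible if nobody checks the copies. The following script, an added example that is not code from the original article or from any product, shows the kind of ongoing recoverability check that exposes it: it walks a snapshot inventory, flags gaps in the schedule (including a schedule that simply stopped), restore-tests every copy by recomputing its recorded digest, and reports the age of the newest copy that actually passes. The `Snapshot` record, the field names and the inventory itself are constructed for the example; a real check would read them from the array or backup catalog.

```python
"""Snapshot-poisoning detector: spot a silently suspended or corrupted
snapshot/backup schedule before the newest valid copy is too old to use.
Added example; the inventory and record layout below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken: datetime          # creation time of the copy
    payload: bytes           # stands in for the bytes a restore test would read back
    expected_sha256: str     # digest recorded out-of-band when the copy was made


def is_intact(snap: Snapshot) -> bool:
    """Minimal restore test: re-read the copy and compare its digest with the one
    recorded at creation time. A poisoned or truncated copy fails here."""
    return hashlib.sha256(snap.payload).hexdigest() == snap.expected_sha256


def audit_snapshots(snaps, now, cadence, rpo, tolerance=1.5):
    """Return schedule gaps, corrupt copies, and the age of the newest copy that
    passes a restore test. `cadence` is the expected interval between copies,
    `rpo` the oldest copy you could live with restoring from."""
    ordered = sorted(snaps, key=lambda s: s.taken)
    findings = []
    max_gap = cadence * tolerance

    # 1. Schedule gaps: a gap between consecutive copies, or between the last
    #    copy and now, much longer than the cadence means the job was suspended
    #    or failing without anyone noticing.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.taken - prev.taken > max_gap:
            findings.append(("schedule_gap", f"{prev.name} -> {cur.name}"))
    if ordered and now - ordered[-1].taken > max_gap:
        findings.append(("schedule_suspended", ordered[-1].name))

    # 2. Integrity: every copy is restore-tested, not just the newest one.
    good = []
    for snap in ordered:
        if is_intact(snap):
            good.append(snap)
        else:
            findings.append(("corrupt_copy", snap.name))

    # 3. Recovery point: what is the newest copy we could really restore from?
    newest_good = good[-1] if good else None
    age = (now - newest_good.taken) if newest_good else None
    if newest_good is None or age > rpo:
        findings.append(("rpo_breached", newest_good.name if newest_good else "none"))

    return {
        "findings": findings,
        "newest_good": newest_good.name if newest_good else None,
        "newest_good_age_days": age.days if age is not None else None,
    }


def _make(name, day, data):
    """Build a constructed snapshot whose recorded digest matches its contents."""
    taken = datetime(2024, 3, 1, tzinfo=timezone.utc) + timedelta(days=day)
    return Snapshot(name, taken, data, hashlib.sha256(data).hexdigest())


def sample_inventory():
    """Constructed inventory: daily copies for five days, the day-6 copy silently
    corrupted (recorded digest no longer matches the bytes), nothing after that."""
    snaps = [_make(f"snap-d{d:02d}", d, f"volume-contents-day-{d}".encode())
             for d in range(1, 6)]
    poisoned = _make("snap-d06", 6, b"volume-contents-day-6")
    snaps.append(Snapshot(poisoned.name, poisoned.taken, b"\x00" * 8,
                          poisoned.expected_sha256))
    return snaps


def run_sample():
    now = datetime(2024, 3, 1, tzinfo=timezone.utc) + timedelta(days=10)
    return audit_snapshots(sample_inventory(), now,
                           cadence=timedelta(days=1), rpo=timedelta(days=2))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the constructed inventory the check reports a suspended schedule, one corrupt copy, and an RPO breach: the newest copy that still restores cleanly is five days old against a two-day objective. The point of running this continuously rather than at incident time is that the attacker's waiting period is exactly the window in which the finding is still cheap to act on.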
By successfully infiltrating these new targets, ransomware gangs can:
- Prevent recovery efforts by destroying or tampering with backups (including offsite cloud-based copies and immutable storage).
- Steal or encrypt petabytes of data easily stored on a single storage or backup system.
- Evade detection by existing data loss prevention (DLP), intrusion detection systems (IDS), and most modern threat intelligence solutions. Some hackers take advantage of cloud-based offsite backup solutions which, if not secured properly, can provide access to copies of huge datasets without introducing any visible load on production systems.
Data is a major part of the role of any CISO, and in today’s digitized, data-everywhere world, an organization must make significant investments in data protection and storage and backup hardening. CISOs have the skills to do it; many simply lack a clear view of the problem. The problem needs to be reframed in the minds of security experts, and fast. Analyzing data storage and backup security posture is a new skill that security teams must adopt to deal with emerging cybersecurity threats.
Organizations report that they are now starting to pay much more attention to their storage and backup security than ever before. In a recent study we conducted among CISOs, more than two-thirds confirmed that auditors were recently hired to review their storage and backup systems. I’m expecting to see much stricter national guidance to organizations to tighten their data protection solutions and to avoid negotiating with criminals.
I highly recommend evaluating your internal security processes to determine if they cover storage and backup infrastructure to a sufficient degree. Some of the questions that could help clarify the level of maturity are:
- Are you evaluating the resiliency of your storage and backup systems on an ongoing basis?
- Do you have detailed plans and procedures for recovery from a successful ransomware attack on a storage or backup system?
- How confident are you that you can recover from a successful ransomware attack?
Storage vulnerability management gives security teams a full view of the security risks in their storage and backup systems: it continuously scans these systems to automatically detect security misconfigurations and vulnerabilities, and then prioritizes those risks in order of urgency.
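To make the scan-detect-prioritize loop concrete, here is an added example (not code from the original article or from any vendor's scanner) that runs a small rule set over a storage array's configuration and ranks the findings. The rules cover the weaknesses named earlier on this page: factory accounts left enabled, one admin identity spanning servers and backups, an over-broad management ACL, and unlocked or stoppable snapshots. The configuration layout, the rule thresholds and the sample config are all assumptions made for the example.

```python
"""Storage posture scan: flag storage/backup misconfigurations and rank them by
urgency. Added example; the config format, rules and SAMPLE_CONFIG are assumed
and constructed, not taken from any real array."""
import ipaddress

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def check_factory_accounts(cfg):
    # Vendor/factory accounts that survived installation give a well-known login
    # to anyone who can reach the management plane.
    return [("critical", f"factory account '{a['name']}' is still enabled")
            for a in cfg["accounts"] if a.get("factory") and a.get("enabled")]


def check_shared_admins(cfg):
    # The same identity administering servers and backups means one stolen
    # credential reaches both the data and its recovery copies.
    shared = set(cfg["server_admins"]) & set(cfg["backup_admins"])
    return [("high", f"account '{u}' administers both servers and backups")
            for u in sorted(shared)]


def check_management_exposure(cfg):
    findings = []
    for net in cfg["mgmt_allowed_networks"]:
        n = ipaddress.ip_network(net, strict=False)
        if n.prefixlen == 0:
            findings.append(("critical",
                             f"management interface reachable from any address ({net})"))
        elif n.prefixlen < 16:  # assumed threshold for "broader than a site network"
            findings.append(("high", f"management ACL {net} is broader than a site network"))
    return findings


def check_snapshot_protection(cfg):
    snaps = cfg["snapshots"]
    findings = []
    if not snaps.get("retention_lock"):
        findings.append(("high", "snapshot retention lock (immutability) is disabled"))
    if snaps.get("schedule_enabled") is False:
        findings.append(("high", "snapshot schedule is disabled: no new recovery points"))
    if snaps.get("delete_requires_second_approver") is False:
        findings.append(("medium", "snapshots can be deleted by a single administrator"))
    return findings


def check_exports(cfg):
    return [("medium", f"export {e['path']} is readable by any host")
            for e in cfg["nfs_exports"] if "*" in e["hosts"]]


def scan(cfg):
    """Run every rule and return findings ordered most urgent first."""
    findings = []
    for rule in (check_factory_accounts, check_shared_admins, check_management_exposure,
                 check_snapshot_protection, check_exports):
        findings.extend(rule(cfg))
    # sorted() is stable, so findings of equal severity keep rule order
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


SAMPLE_CONFIG = {  # constructed for the example; not a real array
    "accounts": [
        {"name": "admin", "factory": False, "enabled": True},
        {"name": "service", "factory": True, "enabled": True},
        {"name": "support", "factory": True, "enabled": False},
    ],
    "server_admins": ["ops-admin", "dba-admin"],
    "backup_admins": ["ops-admin", "backup-svc"],
    "mgmt_allowed_networks": ["10.20.0.0/24", "0.0.0.0/0"],
    "snapshots": {"retention_lock": False, "schedule_enabled": True,
                  "delete_requires_second_approver": False},
    "nfs_exports": [{"path": "/vol/finance", "hosts": ["10.20.1.0/24"]},
                    {"path": "/vol/scratch", "hosts": ["*"]}],
}

if __name__ == "__main__":
    for sev, msg in scan(SAMPLE_CONFIG):
        print(f"[{sev:8}] {msg}")
```

The sample config yields six findings, two of them critical (an enabled factory account and a management interface open to any address), and the ranking is what turns a scan into a work queue: the enabled factory account and the open management ACL are fixed first, the single-approver snapshot deletion last. Scheduling the same scan after every configuration change, rather than at audit time, is what makes it "continuous".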
I would also encourage readers to learn more about ransomware resiliency for storage and backups by reviewing the NIST Guide for Storage Security, a report I co-authored with NIST. This guide provides CISOs with an overview of the evolution of the storage and backup technology landscape, current security threats, and practical recommendations.