I read an article that a Cybersecurity insurance company is refusing to pay for a Merck breach incident because it is NotPetya and that is from Russia and was designed as a cyber warfare tool. "Acts of War" are not covered under insurance policies. A major shipping company got hit with that too. I heard that the only thing that saved the shipping company from the total, worldwide destruction of their entire network was a power failure in East Africa which took a select number of servers "off-line". Because they were off-line, they were not infected. The "clean servers" were ordered left off and flown back to headquarters to be the core of the re-built network.
Last night I read that Trickbot, which is often the pre-cursor infection to Ryuk, has been traced back to North Korea. Is that another act of war situation?
I also read last night about new Windows malware that connects into a machine, reboots it in safe mode so the core defenses are all down, finishes the infection and the alterations to allow it to operate on the device in secret and then reboots back to normal operation!
On Monday I watched a high-level presentation on how these bad actors are targeting all our backups.
One presenter who I have immense respect for is probably the smartest person I have ever hard on these sorts of things made the following comment:
"Everything can be defeated. You will be breached. Plan for the failure of your systems. At the end of the day, it is all about the backup."
This is exactly why we are recommending that you all have layered defenses with multiple tools as well as a subject matter expert security analysts watching over your network. If one line of defense fails, we have a plan b and plan c. If we can't deny infection, we can detect it through behavior on the device or through the firewall, and then hopefully deny lateral movement to dramatically limit the damage to your servers and workstations.
The presenters stressed that you need to know you have good backups and that if something bad does happen, you have a way out that will restore your systems to the way they were without serious data loss.
However, they stressed a couple of major points:
- The bad guys are actively looking for your backups. They are looking for your backup software by name. They are looking for backup agents and backup related registry keys on your endpoints. They want to do three things:
- Get into your backups and alter them so you don't know you are being destroyed.
- Disable the backup agents so that they don't back up at all
- Outright delete your backups.
- Are you really taking seriously and investigating why backups are failing on certain servers?
- Are you really reading your logs and being vigilant about what you see?
- Are you really doing test restores to prove that you actually have data that isn't corrupted?
- The bad guys are actively seeking out any USB attached storage, NAS drives and CIF shares to corrupt/delete the contents.
- Many people are attempting to implement "manual" backups as air-gapped, last resort backups onto removable disk. However, the bad guys are first seeking out that storage to kill it and second manual processes fail because everyone gets busy, sick, or leaves the district. The process is then abandoned.
- A number of organizations are re-visiting tape (really) as an automated, completely disconnected, archival backup set to sit on a shelf in case the worst happens. The current LTO technology has amazing densities on those traditional LTO size tapes.
- The bad guys are not just looking for your on-site data. They are seeking out your cloud data:
- Cloud backups
- Off-site, replicated cloud backups
- Google Apps Google Drive cloud storage
- Microsoft Office 365 OneDrive cloud storage
- How are you securing the Cloud data?
- What protections are in place or should be in place?
As people transition more and more staff and student data to the cloud, the issue of what Google or Microsoft actually can recover your data becomes vitally important. Google generally can recover data within 25 days. Microsoft Office 365 can recover data within 30 days. However, there are some serious limitations of what "recover" means in different situations in terms of granularity vs. all or nothing restores, and what happens if the folder/directory structure is destroyed. Your mileage may vary. Check with your provider for more detailed information on what you can and can't do in your environment.
Adding a cloud backup product for Google Apps or Office 365 is probably warranted to provide the backup/restore functionality we are all accustomed to in traditional backup products. (Talk to Lisa for more information on that).
There is a whole lot to talk about and unpack in what I have written. We are happy to work with you to figure all this out and help you better position your district to keep you safe against these growing, ever more sophisticated threats we all face.
Give us a call.