Recover from Hacks with a Secure Backup System


By Bill Yates

A member of the Dell Expert Network explained to attendees at MSP Expo 2023 why implementing secure data backups has become mandatory in this day and age.

In "Surviving a Cyber Attack and Keeping Critical Data Safe," Kevin McDonough, advisory systems engineer at Dell Expert Network, told attendees the key steps that can be taken to protect your most critical data and avoid costly repercussions.

"All the adversarial groups are starting to work together," McDonough said. "If they want in, they're going to get in," he said.

Even paying the ransom doesn't guarantee you can rebuild, McDonough said. You might get your data back if you pay up, but it will be in bad shape, he said. "They only have to be successful once and they win," he said.

The increase in available computing power has allowed bad actors to increase the pace of attacks they're issuing. If they have the resources, there's really nothing you can do to stop them. "Brute force attacks are becoming more common," he said.

The best you can do to protect your company is to implement a secure backup system that will allow you to recover from any hack, he said. First you detect the problem, then you isolate it, and then you implement recovery operations, he said. "Isolation tied with immutable is how we get invulnerable," McDonough said.

What day of the week do most cyberattacks occur? On Mondays, McDonough said. Why? Because Microsoft issues patches on Tuesday, and everyone knows it, he said.

Hackers have developed multiple ways of attacking your business, he said. Three big issues that concern McDonough now include:

  • Insider-based credentials. If someone gets hold of manager credentials, your most valuable data is at risk. "If they can see it, they can destroy it," McDonough said.
  • Zero Day exploits. Unpatched vulnerabilities are disseminated quickly among hackers. "They get past your ID and protocols tools each time because there is no signature," he said.
  • Dwell time. Hackers like to sit inside your system and watch what happens. "They understand your entire backup structure," he said, "and they know which things you're replicating."

Obtaining your last clean data set depends upon knowing exactly when the attack occurred, McDonough said. "With a cyber event, you don't know exactly when the attack occurred or started," he said. "The amount of dwell time you see is quite phenomenal."

He said hackers were inside Sony for nearly two months in 2014 before the attack was discovered. Obtaining command and control is their goal, he said. To prevent that from happening, McDonough said to:

  • Create a functional air-gap network.
  • Leave no trace in production as to where data is copied.
  • Pass data to backup in malware-free containers.
  • Employ advanced immutability and NTP protections.
  • Orchestrate all your backup maneuvers from the vault side.

A little resiliency goes a long way, he said. Data in the vault should represent about 25% of your company's complete data set, he said. On the production side, backup measures are invisible, he said. Keep production away from backup. "We like to make sure the vault is physically isolated," he said.

"Disaster recovery and cyber recovery are not the same thing," he said. Also, cyber restoration does not equal cyber recovery, he said. Data restoration doesn't involve accessing clean backups, he said. You can't depend upon disaster recovery techniques after a cyberattack, because your backups will likely be taken down too, he said.




Edited by Greg Tavarez

Communications Correspondent
