Like every other industry, the cyber security industry is constantly moving. Along with that come changes in the advice from experts to consumers, businesses, and governments on how best to protect their data from the cyber threats of today. However, there is one piece of advice that has held strong as a Silver Bullet against the cyber threats of the past and of today, including ransomware: backups.
A Silver Bullet in cybersecurity protection is not a mythical solution that solves every single problem, but one that covers the vast majority of your bases and drastically increases the efficacy of your security posture. When you look to the media for advice today, you will find backups to be the top recommendation almost 10% of the time according to our research. We are going to explore why backups are no longer the Silver Bullet they once were, and what solution or solutions have taken their place.
The past is the past.
There was a time when backups were the Silver Bullet that we all needed. Cyber threats were less advanced, and having good, reliable backups was almost all you really needed. Viruses and trojans would work their way into your computer, and you could roll back to a pre-infection version with little to worry about. Even after the introduction of early ransomware, backups were still proving to be the most effective way to protect yourself: encrypted photos and files could easily be retrieved from your latest backup, and your day continued on. However, as they always do, cyber criminals looked to improve their success rate in getting the ransom paid, and their number one target? Your backups.
In a recent ransomware infection at software provider Marketron, their CEO stated “This issue comes despite significant recent investments in separating backup and disaster recovery…” Even with these heavy investments into backups, Marketron was still stuck at a standstill, with all services down for their customers.
Ransomware quickly evolved to target backup drives, network shares, or any other place you could be storing those precious backups, provided they were found connected to the infected device. Successfully encrypting your backups increased the attackers' odds of receiving a ransom payment to almost 100%. While it was beginning to show spots of tarnish, the cyber security industry continued to latch onto backups as the shiniest Silver Bullet.
While writing this piece, a new report was published about the Conti ransomware gang describing its practice of targeting on-premises and cloud backups: hunting for privileged users inside your network in order to access, exfiltrate, encrypt or remove your backups, all but guaranteeing that a ransomware payment is coming their way.
The gold standard.
Needing a new approach to backups to keep ransomware at bay, the advice to air gap your backups came to the front line. Air gapping a backup means keeping it disconnected from your device and network whenever you are not actively running a backup. While the backup media is disconnected, ransomware or other malware on the device cannot see that you have backups and certainly cannot encrypt them.
However, the air-gapped strategy has flaws of its own. The more strictly air-gapped your backups are, the less useful they become for recovery: media that stays disconnected for longer periods holds older data, so every restore loses more of the information you need. On top of that, malware has used time-delayed triggers for years. It is no great leap for ransomware to lie dormant on a device and fire only when it detects that backup media has been connected and a backup job is in progress, so that the freshly attached backup is encrypted along with everything else.
The pivot to theft.
With air-gapped backups, we discussed the possibility of ransomware evolving to time-release and wait for you to reconnect your backups. The possibility. Ransomware shifting to data theft is no possibility; it has already happened. In early 2020 the FBI was warning industries that ransomware operators were specifically looking to steal data in an effort to increase the odds that you pay the ransom. Backups or not, if you hold any kind of sensitive or customer data and it is stolen and released on the dark web, you may be looking at a PR problem even more expensive than the ransom itself.
While ransomware gangs like Conti might rely on it only as a secondary fallback, data theft can be devastating to some businesses. For those in healthcare, finance, or even education, it can be a crushing blow for user or customer data to be released onto the dark web. However, because blackmail is less likely to be the factor that drives a ransom payment, most ransomware gangs are still focusing on destroying or encrypting your backups to ensure there is no quick road to recovery. A swift end to your ability to do business drives immediate attention to making a ransomware payment. And who can blame you?
The last line of defense.
What is now painfully obvious is that backups cannot be relied on as the Silver Bullet in your security stack. They still play a critical part, and every security stack should have reaction layers like backups and EDR combined with prevention layers like firewalls and Application Whitelisting. The lack of recommendations to add prevention layers to security stacks to defeat ransomware is nothing short of astounding. In our research, we saw one single article recommend adding Application Whitelisting to help defeat ransomware. One article out of the one hundred and one total articles we digested to build this data set. Prevention is the key to defeating ransomware, and until it features more prominently in the advice and recommendations that so many look to, ransomware will be here to stay.
The contrast between the advice coming from the media and that of the top institutions around the world is stark. While little to no media coverage recommends Application Whitelisting, almost every top agency in the US and many across the world praise it as an incredibly important addition to every security stack.
- The National Institute of Standards and Technology (NIST) recommends, in control CM-7(5) of SP 800-53, that organizations “Employ a deny-all, permit by-exception policy” in their environment. Application Whitelisting fulfills this requirement by default-denying all unknown executions and allowing only those explicitly permitted.
- The US Department of Homeland Security states that “Application Whitelisting should be an integral component of a defense-in-depth solution.”
- The Cybersecurity & Infrastructure Security Agency (CISA) has created a program to fully fund Application Whitelisting for 2 full years inside the Federal Government. Urging Federal Agencies to deploy this into all security stacks.
- In Australia, the Australian Cyber Security Centre lists application control (whitelisting) as one of its Essential Eight strategies to mitigate cyber threats like ransomware, including it at every level of its Maturity Model.
- The US Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC) in 2020 recommending application whitelisting for Level 3 and requiring it for Levels 4 & 5 across all of the US Defense Industrial Base.
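To make the “deny-all, permit by-exception” requirement from the list above concrete, here is a small policy evaluator written for this article (it is an added example, not code from any product or agency named on this page). It models the three rule types that application control products typically offer, hash, publisher and path, and contrasts the default-deny decision with a blocklist for the same executions. Every execution event, hash, publisher string and rule in it is constructed for illustration, and the treatment of user-writable folders is this example's own design choice, not something any of the cited standards mandate.

```python
"""Model of a deny-all, permit-by-exception (application whitelisting) policy.

Added example: not code from the original article or from any product it
mentions. All events, hashes, publisher names and rules are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath
from typing import Optional

# Constructed list of locations a standard user can write to. A path-based
# allow rule covering one of these would let an attacker "allow" their own
# binary just by dropping it there, so path rules are not honoured under them.
USER_WRITABLE = ("C:/Users/", "C:/ProgramData/", "C:/Windows/Temp/")


@dataclass(frozen=True)
class Exec:
    path: str
    sha256: str
    signer: Optional[str]  # publisher from the code signature, None if unsigned


@dataclass(frozen=True)
class Rule:
    kind: str              # "hash" | "publisher" | "path"
    value: str
    action: str = "allow"  # "allow" | "deny"


def _norm(p: str) -> str:
    # Windows paths are case-insensitive; compare a lower-cased, slash-normalised form.
    return PureWindowsPath(p).as_posix().lower()


def _user_writable(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(prefix.lower()) for prefix in USER_WRITABLE)


def _matches(rule: Rule, ev: Exec) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == ev.sha256.lower()
    if rule.kind == "publisher":
        return ev.signer is not None and rule.value == ev.signer
    if rule.kind == "path":
        return fnmatchcase(_norm(ev.path), _norm(rule.value))
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(policy: list[Rule], ev: Exec) -> tuple[str, str]:
    """Deny-all, permit-by-exception: return (decision, reason)."""
    hits = [r for r in policy if _matches(r, ev)]
    # 1. An explicit deny always wins, whatever else matches.
    for r in hits:
        if r.action == "deny":
            return "deny", f"explicit deny ({r.kind}={r.value})"
    # 2. Allow by exception, strongest evidence first: hash, then publisher, then path.
    ignored = []
    for kind in ("hash", "publisher", "path"):
        for r in hits:
            if r.kind != kind:
                continue
            if kind == "path" and _user_writable(ev.path):
                ignored.append(r.value)  # path trust means nothing where the user can write
                continue
            return "allow", f"{kind} rule: {r.value}"
    if ignored:
        return "deny", f"path rule(s) {ignored} not honoured in a user-writable location"
    # 3. Nothing vouched for this file: the default decision is deny.
    return "deny", "default deny: no matching allow rule"


def decide_blocklist(denylist: list[Rule], ev: Exec) -> tuple[str, str]:
    """Deny-by-exception (blocklisting), for contrast: anything unknown runs."""
    for r in denylist:
        if _matches(r, ev):
            return "deny", f"blocklisted ({r.kind}={r.value})"
    return "allow", "default allow: not on the blocklist"


# Constructed policy: a signed OS vendor, an install directory, one LOB app by hash,
# a per-user installer exception an admin might be tempted to add, and a revoked vendor.
MS_PUBLISHER = "O=Example OS Vendor, L=Redmond, S=Washington, C=US"
POLICY = [
    Rule("publisher", MS_PUBLISHER),
    Rule("path", r"C:\Program Files\*"),
    Rule("hash", "3f2c" * 16),
    Rule("path", r"C:\Users\*\AppData\Local\Microsoft\Teams\*"),
    Rule("publisher", "O=Contoso Ltd", action="deny"),
]
# Constructed blocklist: one previously seen ransomware sample, by hash.
BLOCKLIST = [Rule("hash", "0bad" * 16, action="deny")]

# Constructed execution events, as an agent might report them.
EVENTS = [
    Exec(r"C:\Windows\System32\notepad.exe", "aa11" * 16, MS_PUBLISHER),
    Exec(r"C:\Program Files\LOB\lob.exe", "3f2c" * 16, None),
    Exec(r"C:\Users\alice\AppData\Local\Temp\invoice_2021.exe", "dead" * 16, None),
    Exec(r"C:\Users\alice\AppData\Local\Microsoft\Teams\update.exe", "beef" * 16, None),
    Exec(r"C:\Program Files\Contoso\agent.exe", "c0ff" * 16, "O=Contoso Ltd"),
]


def evaluate(policy: list[Rule], events: list[Exec]) -> dict[str, str]:
    """Decision per event path under the allowlist policy."""
    return {ev.path: decide(policy, ev)[0] for ev in events}


if __name__ == "__main__":
    for ev in EVENTS:
        a, why_a = decide(POLICY, ev)
        b, why_b = decide_blocklist(BLOCKLIST, ev)
        print(f"{ev.path}\n  allowlist: {a:5} ({why_a})\n  blocklist: {b:5} ({why_b})")
```

The two cases worth noticing are the unsigned `invoice_2021.exe` dropped in a temp folder, which the blocklist waves through because its hash has never been seen, while the default-deny policy blocks it without knowing anything about it, and the `Teams\update.exe` drop, which a naive evaluator would allow on the strength of the per-user path rule; refusing to honour path rules under user-writable locations closes that hole.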
We are not here to dismiss the notion of backups or their importance. Having good, reliable backups is a critical component of your overall security stack. The problem is that in today's environment cyber criminals have evolved to defeat the simple notion of “we have everything backed up”.
Adding Application Whitelisting to a security stack, however, will drastically reduce and potentially eliminate the overall threat of ransomware. This practice is recommended by the highest agencies in the US and by many around the world, including in Australia. It is time for a new Silver Bullet in cyber security, and Application Whitelisting is here to stay. If you would like to learn more about Application Whitelisting and its history, check out our in-depth analysis.