Bigger Field = Bigger Problems
The global COVID-19 pandemic challenged us all. One thing that came along with it, was the massive increase of cyber attacks. Victor Dohlmann, Regional Sales Director Denmark & Norway at Veeam, says: “The core issue is that IT has become more spread out and therefore, you also have a large concentration in the cloud. And when IT is spread out, you make the playing field bigger which means there are more pieces to the puzzle to keep in check”. He elaborates on this: More businesses implemented Office365 to bring down costs and have help in operations. But even though you put things in the cloud, you still maintain sole responsibility”. The responsibility is truly what was put to the test: “During the pandemic, we saw an increase of 715% in the number of attacks. This is an aggressive increase. One contributing factor was the increase in the number of people working from home. The reason for this is that when you decentralize the work, you give the hackers better working conditions. The hackers have taken advantage of the fact that you cannot block a virus when you do not recognize it or notice it. And this becomes even more difficult when you are sitting at home and cannot ask your office roomie about suspicious emails, files, or links”.
New Trend: The ”Human” Attack
The development is moving quicker than ever before and the nature of the attacks has shifted. During the first half of 2020, only a year and a half ago, the automated attacks dominated the types of threats and those were bad enough as it were. But what we see now are actual, real live people who force themselves into the companies’ systems and stay there for a long time while they get themselves ready to pounce. We are seeing that the destruction is greater because the damage is not just to the Windows systems, but also to our virtualization layers and the cloud. We are seeing that they can stay in the systems for up to 10 days. They typically go unnoticed before they make themselves known by encrypting or locking our data.
A Managed Service You Did Not Ask for
As a former IT Manager in a Global Company, Torben Christensen has seen and experienced the security developments firsthand. He recognizes Victor’s narrative of how the attacks have shifted in nature: “In most recent years, I have gotten more insight into how the interactions with the hackers go. It is somewhat like getting a Managed Service you did not ask for,” he says. “One example is this: a large corporation suffered an attack during which everything was encrypted. Including the backup. We were met with an incredible service – a welcome screen which explained that an attack had occurred, and which contained a link to a helpdesk. Here, you could chat with a friendly supporter who instructed you to pay in bitcoin. You are told about the price structure and afterwards, you got your restore instructions. It was very professional,” he says and elaborates:
Two out of Three Don Not Have Their Backup
“In the past, they would hit the production data, but now they are targeting the backup,” Victor Dohlmann from Veeam confirms. “This is a new norm and it happens to 23% of all servers in the world,” he says. “As reflected in our Data Protection Report 2021, a very large portion of the victims CANNOT recover their data. A whopping 58% did not have their backup under control.”
Today, we just need to make our backup read only and at Veeam, this is actually one of the first things we offer now. It is incredibly effective. The thing is that if we for instance put a copy of our data in the cloud, but the hackers can get to it, well then they just delete or lock it. Therefore, with Veeam, we can make your backup read only for a period of time. The buzz word is immutability. It is also about having things being physically gone. Gone from the fire safe or the cloud. Everyone has to place their focus on their backup. It has to be tested correctly and function well. To ensure that, we use Veeam today. The 3000 responding companies have also as a whole put backup as the overall first priority in the future.
Hacking as an Industry
The people behind the attacks are still driven by money. In the most recent attack we were involved in, the client received a pretty physical letter in which they required 5 million USD in crypto currency. And we also tried negotiating with a group recently that offered reports and support; you were assigned a hotline until you got your data back. Just as you would in a hostage situation where the captain’s ship is boarded, the process is the same. It has all shifted to a more professional and almost corporate structure.
”We are Seeing Managers Writing on the Whiteboards like Crazy”
When we say Disaster Recovery, we assume that the damage has ALREADY occurred. We do not (only) discuss protection from attacks, but instead the ability and the preparedness to recover. When we speak of Disaster Recovery, it is still surprisingly few companies, who have a Business Continuity plan. It is almost inconceivable when we think about how time is passing by and the attacks are rapidly increasing. Far too many come up with the plan AFTER a catastrophe has occurred, whether it is an attack of something else. Of course, a catastrophe would also be technical in nature, but we see far too often, that there are doubts as to which systems need to be brought back up after any breakdown. And this is actually across the board: Many are wiped out and have no plan whatsoever. The managers are then writing like crazy on whiteboards, while disaster is happening all around them and the money is just going down the drain.
Being Able to Trust Your Backup
In the traditional backup industry, the concept is that when the alarm sounds, the fire has already broken out and we do NOT know, how it made it through the door. Veeam’s new technology can more or less be explained like this: We have some bouncers who are created to recognize a virus. Our ”employees” in the club need to monitor and look for new or deviating behaviors and thereby detect the danger and remove the problem before everything catches fire. We have a patented, new technology which can do just that. The company can use our Restore technology to remove the virus from their backup. The tool can cleanse a backup in order for the data to be restored, even if the backup was infected by a virus. Sort of like a vaccine or antibiotics.
The people and the data are the most important parts of the company. Therefore, the basic elements such as antivirus MUST be in place. However, to gain an advantageous position in the game of cat and mouse, we have now created an automated process which will scan and restore data. This is because the restoration of data is the essence of the recovery process. We have reached a point where many companies make their backup immutable and RBAC’ed, yet they do so by moving the data into safes and large containers with only one key. The paradox is that on top of that, they actually do not know if the backup they have locked up is actually usable. However, it is expensive to invest in hardware whose only purpose is to make a backup immutable. It is overkill and very inflexible. Instead, with our tool, you can get by with three moving boxes rather than an entire shipping container. Companies should be building their backup infrastructure in tiers. One quick I/O tier close to the production data, one immutable tier which is good for 30 days and finally a separate long-term tier which has the lowest possible cost,” Victor Dohlmann says.
From 3-2-1 to 3-2-1-1-0
When it comes to preparedness against attacks and ensuring continuous operation, the golden backup rule “3-2-1” cannot be denied: Have three copies of company data – in two different forms of media one of which must be off-site. Today, many operate with more than three copies and many have taken these types of backup media to new levels. There are more ways around the 3-2-1 formula, but the benefit is that it can be applied somewhat universally. However, Veeam has taken the rule in their own hands and developed their own version of it. The update to the rule means that it not only works today, but also in the future.
The rule is now 3-2-1-1-0 as far as Veeam is concerned. The explanation is as follows: Simply put, it helps to ensure Recovery after a breakdown. The old rule remains still to some extent, but in addition to an offline backup, you now also have an offline backup which has been completely separated from the remaining infrastructure and which also cannot be accessed through it. The little “0” at the end is solely about the fact that using Veeam’s SureBackup will ensure zero errors AFTER testing and verification of the backup.
Practice Makes Perfect!
Torben Christensen also believes that the test aspect is key and the same holds true for tools such as the one Veeam has. “First off, your backup needs to be able to restore the ENTIRE infrastructure – that means it needs to be complete. You must have a complete set of data in house. Secondly, your backup CANNOT be part of your active directory. Finally, you must have an extra backup of the most recent 20-30 days which must be heavily encrypted. The latter Veeam can handle – they have a completely locked encryption which not even the company themselves can unlock,” he says.
As far as the testing is concerned, Torben says: ”Very few companies actually manage to test their backup on an ongoing basis, and they forget to PRACTICE a complete restore.
Previously, we tested the quality of our backup. Now it has become a quantity test. We actually need to know that we have a connection quick enough to complete a restore at lightning speed. When we discuss preparedness and recovery, we also discuss methods, such as software,” Torben concludes. “The problem is that people do not know the quality of their backup. They just know that it is there. And they do not know the bandwidth of their backup AT ALL and that is critical for the ransomware to be very destructive. Even if you get an encryption key, you MUST build a new infrastructure. You cannot know if there is anything left over. It is great that you are able to access the data, but you must create a new active directory,” Torben Christensen opines.
There are many tools to stop an attack. And backup is the last resort. “When you are at that point, you know it has all gone off the rails and that is never good,” Victor Dohlmann says. The feedback is clear when responsibility must be placed: “There are NOT enough questions posed at the management level. Responsibility must be placed with management. It is undoubtedly a matter of company security and that must be ensured from the highest level, not from below.” Victor Dohlmann, Veeam, concludes.