When it comes to ransomware, an ounce of prevention is worth 3x the cure.
Your business continuity plan may look much the same when it comes to recovering your data — whether the data loss is caused by a natural disaster or a ransomware attack. Earlier this year, I covered Qumulo’s built-in security controls to help you protect your data from malware as part of a holistic security posture.
In this series we are going to focus on ransomware in the context of business continuity and disaster recovery because, with the advent of ransomware as-a-service (RaaS) and the huge ransoms being paid, attacks are on the rise. For instance, the FBI has investigations into more than 100 variants of RaaS, many of which have been used in multiple ransomware campaigns. While recent ransomware incidents have been highly publicized, many more have been kept private to protect the victim’s reputations.
Business-critical data is being encrypted for ransom and cyber criminals are getting paid for the sake of business continuity.
According to Sophos’ 2021 State of Ransomware, a report based on data from 5,400 decision makers representing over 30 countries — organizations, on average, got only 65% of their data back after paying the ransom. But the cost to business continuity, the downtime, is what hurts organizations the most. The report states the average ransom paid by mid-sized organizations was US $170,404. However, the average bill for rectifying a ransomware attack, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc., was US $1.85 million.
How does ransomware get in? Let me count the ways…
Cyber criminals use clever tactics to infiltrate a company’s environment at multiple layers and deploy ransomware. One of the most common is social engineering–a phishing email where a company insider is tricked into sharing credentials or downloading malware and letting the threat in.
USB drives, partner networks, unpatched vulnerabilities, and easy-to-obtain passwords–all are potential threat vectors for malware to gain entry. New hybrid work models may create more. This is why it’s important to take a holistic approach to security to prevent entry, detect ransomware when it happens and stop it from spreading to other parts of the network. Last but not least, a holistic approach includes having a business continuity plan in place that includes data backup and disaster recovery from ransomware.
Ransomware: The Anatomy of an Attack
Ransomware can infect just about any device with an operating system or digital connection including network devices, IoT devices, desktop computers, servers, digital cameras, printers, and zip drives. The goal of most ransomware attacks is to exfiltrate data and/or encrypt data to force organizations to pay for keys to decrypt their data. Attacks typically happen in phases:
- Gain access to the network and at least one initial device
- Infect as many additional devices as possible to gather information
- Exfiltrate data
- Deploy additional modules that, for example, encrypt data
- Encrypt data for extortion
In the first phase, the intruders continue to gather more information about the infrastructure (users, data flows, network topologies, devices). Then, at a later stage, they start to exfiltrate data and/or load additional malware to start other threads that can access data and encrypt files.
This is why an efficient risk management strategy is needed that focuses on attack vectors to prevent infection or detect early phases at the point on the network and compute devices where the infection occurred. Data storage is at the end of the infection cycle. The longer the malware runs, the further the infection spreads, complicating disaster recovery and resumption of operations.
Qumulo’s holistic security architecture: overview
A holistic security approach to ransomware detection captures data from as many devices as possible to identify suspicious events at the entry point(s) for analysis and correlation. Upon detection, action is taken to stop the ransomware from gaining access to subsequent layers including your file storage.
Implementing a holistic security approach that includes network, compute, device and event-monitoring techniques, together with data correlation and analysis, is preferable over siloed security solutions that are embedded in the storage system. The goal is to keep the ransomware from getting anywhere near your file data.
The Qumulo File Data Platform is built with security at its core and includes a broad spectrum of modern technologies and data services designed to keep data safe. Qumulo’s software architecture is a purpose-built file system with a natively developed protocol stack. It uses no third-party code for file data access protocols. Bi-weekly software updates cover both the Qumulo image and the underlying operating system; updates and fixes, including those for Common Vulnerabilities and Exposures (CVE) issues, are built in by Qumulo.
For these reasons and more, Qumulo is able to support a holistic security strategy across three domains:
- prevention to reduce your risk surface
- detection to discover and stop suspicious activities early
- recovery and resumption to support business continuity
Prevention and detection are covered in this article; recovery and resumption are covered in the second article of this two-part series.
The Qumulo File Data Platform
Holistic Domain: Prevention
The most common malware attack exploits happen outside your storage system and you want to prevent them from getting there. The first objective of ransomware is to get behind your firewall and into your network–where the bad actor can watch, move around, and plan the attack. Here are many of the easy-to-use security features that are built into the Qumulo file system software to reduce the threat surface available to ransomware and other exploits.
- Locked-down Linux OS–a minimal Ubuntu image to reduce the risk surface
- Bi-weekly product updates — with built-in security features and patches
- The file system runs completely in user space (LD/LDAP)
- Role-based access control (RBAC)–specifies what each user group can do through predefined roles and delegates least privilege
- Restrict SMB and NFS file access to specific hosts on the network
- Access-based enumeration (ABE)–users see only the files and directories they have privileges to access
- The ability to hide SMB shares (the exact path is needed to mount the share)
- Data encryption (data at rest is encrypted by default)
- Data on the wire can be encrypted, configured per share
Holistic Domain: Detection
Integration with modern security information and event management (SIEM) solutions captures data from devices and supports a holistic approach to detecting and stopping malware infections. One important aspect of detective controls is central event capture and correlation. The advantage of a centralized SIEM approach is that it provides a common solution for all data center or cloud instances and services. Data can be gathered easily, then indexed, filtered, analyzed, searched, and visualized. Automated or semi-automated actions can be triggered when suspicious activities are detected. This is the most effective approach because ransomware is identified and stopped before it reaches your file system.
Qumulo sends audit logs in industry-standard syslog format to SIEM solutions on the market including Splunk, Elasticsearch, Amazon CloudWatch, and Azure Sentinel.
In addition, intrusion detection systems (IDS) can detect patterns of dangerous network traffic; for example, anomalous Domain Name System (DNS) queries used to exfiltrate data that correlate with a known exploit technique. Many companies use intrusion prevention systems (IPS) as detective controls with advanced firewalling and exploit-detection capabilities that block some categories of attacks.
Implement automated responses using the Qumulo API
The Qumulo File Data Platform supports all major security software on the market through its auditing feature. In addition, Qumulo’s API allows you to initiate automated mitigation actions from any attack surface should malicious activity be detected. The Qumulo API can be used in several ways: through direct REST calls, through the Python libraries Qumulo provides to simplify API scripting, and through the Qumulo Core CLI.
On the network, once the IDS has detected suspicious or even malicious activity involving a file, the system can trigger automated events to mitigate risk. Qumulo provides a rich REST API that allows automating all kinds of management tasks on the cluster, including malware mitigation tasks in case of a security event:
- Set a quota of 0 for a directory or for the full system. Any new write activity is prevented (but overwrites might still be possible).
- Set a share to read-only or restrict it to specific IP addresses
- Remove privileges for one or more users
- Take or restore a snapshot
- Start an antivirus on-demand scan
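As an added illustration of the detection-to-response flow described in the Detection section and the mitigation list above (example code written for this edit, not Qumulo's own code or its Python library), the Python below runs a simple mass-rename correlation rule over constructed syslog audit lines and maps each hit to the mitigation steps the article lists. The syslog/CSV field layout, the operation names and the host name are assumptions for this example; the actual API calls are left as a placeholder.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (syslog header + CSV audit line). The CSV field order is an
# assumption for this example: client IP, user, protocol, operation, status, file id, path, secondary path.
SAMPLE_LOG = """\
<14>1 2021-09-01T10:00:01Z qfs-1 qumulo - - - 10.0.0.5,"CORP\\alice",smb2,fs_rename_file,ok,101,"/fin/q3.xlsx","/fin/q3.xlsx.locked"
<14>1 2021-09-01T10:00:02Z qfs-1 qumulo - - - 10.0.0.5,"CORP\\alice",smb2,fs_rename_file,ok,102,"/fin/q4.xlsx","/fin/q4.xlsx.locked"
<14>1 2021-09-01T10:00:02Z qfs-1 qumulo - - - 10.0.0.9,"CORP\\bob",nfs3,fs_write_data,ok,205,"/eng/build.log",""
<14>1 2021-09-01T10:00:03Z qfs-1 qumulo - - - 10.0.0.5,"CORP\\alice",smb2,fs_rename_file,ok,103,"/fin/notes.docx","/fin/notes.docx.locked"
<14>1 2021-09-01T10:05:00Z qfs-1 qumulo - - - 10.0.0.9,"CORP\\bob",nfs3,fs_rename_file,ok,206,"/eng/old.txt","/eng/archive/old.txt"
"""
HEADER = re.compile(r"^<\d+>1 (\S+) \S+ \S+ \S+ \S+ \S+ (.*)$")  # RFC 5424-style prefix, then the CSV payload
WINDOW = timedelta(seconds=30)   # correlation window
THRESHOLD = 3                    # extension-changing renames by one user/IP inside the window

def parse(line):
    m = HEADER.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    ip, user, _proto, op, status, _fid, path, path2 = next(csv.reader([m.group(2)]))
    return {"ts": ts, "ip": ip, "user": user, "op": op, "status": status, "path": path, "path2": path2}

def ext_changed(path, path2):
    """True when a rename gives the file a different extension (a common encryptor signature)."""
    return path2 != "" and path.rsplit(".", 1)[-1] != path2.rsplit(".", 1)[-1]

def detect(log_text):
    """Return (user, ip, count) for every user/IP that mass-renames files to a new extension."""
    times_by_actor = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev and ev["op"] == "fs_rename_file" and ev["status"] == "ok" and ext_changed(ev["path"], ev["path2"]):
            times_by_actor[(ev["user"], ev["ip"])].append(ev["ts"])
    alerts = []
    for (user, ip), times in times_by_actor.items():
        times.sort()
        for i, start in enumerate(times):            # sliding window over sorted timestamps
            n = sum(1 for t in times[i:] if t - start <= WINDOW)
            if n >= THRESHOLD:
                alerts.append((user, ip, n))
                break
    return alerts

def response_plan(alert):  # mitigation steps from the article; the REST calls themselves are a placeholder
    user, ip, _ = alert
    return [f"restrict share to block {ip}", f"remove privileges for {user}", "take snapshot"]
```

Real deployments would tune WINDOW and THRESHOLD against baseline rename rates so that legitimate bulk renames do not trip the rule.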
Recent history has shown that even good security controls can be overcome by ransomware; and therefore, a means to recover and resume operations is needed. Qumulo’s file system supports disaster recovery strategies with some very effective and easy-to-implement data services that are built into Qumulo Core including erasure coding, immutable snapshots, cloud backup, and snapshot policy replication.
In the next article of this series, I’ll cover the third holistic domain: data recovery and resumption of operations (roll back) after a ransomware attack.