Kyndryl: Best Practices for Ransomware Recovery

Kyndryl is headquartered in New York, US.
Scott McAvoy, the Director of Security Consulting for Kyndryl, shares his expert insight into ransomware recovery

Scott McAvoy is the Director of Security Consulting for Kyndryl, the world's largest provider of IT infrastructure services, where he leads a team of security professionals delivering cloud security strategy and architecture to clients across industries, enabling strategic, secure cloud transformation. Since 2012, McAvoy has specialised in assuring cloud workloads across the major cloud platforms, and has helped transform both public and private sector workloads.

He sat down with Cyber Digital to discuss ransomware recovery.

How well prepared do you think modern enterprises are for ransomware attacks?

The short answer is that most businesses are less well-prepared for ransomware attacks than they realise, sometimes dramatically so. That might seem surprising, given that ransomware is such a well-publicised category of cyber risk, but what we are often seeing is not a lack of ransomware awareness, more a set of misperceptions around what a business needs in order to bounce back from a ransomware attack.

As a result, there’s actually a really encouraging rate of deployment out there for things like malware scanners, backup and recovery software, and zero trust methodologies – but how these things are configured, and the knowledge being applied in their management, isn’t going to deliver what businesses want and need in the event of an attack.

If that’s the case, who or what is at fault, and how big is the problem? 

There are two things to consider here: a decades-long trend towards consolidated infrastructure with high data availability, and a structure of increasingly stringent Service Level Agreements (SLAs) created to govern that infrastructure.

Consolidation has enabled data to flow more freely through organisations in really important ways, and has typically come with investments into clustering and storage replication to guarantee uninterrupted access to critical information. This is great in the case of something like a power supply failure, and we’ve become really skilled at orchestrating that handoff so that another machine can step in when one goes down. All of that replication is also, however, an accelerated propagation vector when something like ransomware shows up: from the infrastructure’s perspective, the newly-encrypted data which the attacker intends to hold as ransom is something which needs to be preserved, and so the corruption spreads at pace.

The irony here is that the SLAs, which an organisation might reasonably take as evidence of preparedness, actually signify a vulnerability. A dashboard full of green lights showing successful timely backups and data consistency across clusters is good news only for some forms of risk. As a result, I’ve had many conversations with leaders shocked to discover that their likely data recovery timelines should be measured in days or weeks, not hours or (as they sometimes expect) minutes.

What does a good approach to ransomware look like today?

We can identify a few key attributes of a Cyber Tolerant Recovery System – that is, one which is built to handle incidents like modern ransomware attacks as well as it handles other forms of risk and compromise.

The first two are about the safety of backup data: introducing an air gap which acts as a firebreak to the propagation of compromised data and storing those backups in an environment with immutability and retention lock, as a policy against editing or deletion once committed to disk. Next, it must be possible to verify that data before triggering a recovery process from it, using an anomaly scanner which can detect indicators of compromise. Finally, even if the data is stored, intact, and trustworthy, it will only be useful if it can get a business back on its feet faster – and therefore with less financial damage – than simply paying the ransom. Therefore, the capability for mass recovery is needed, which can mean handling traffic tens of times greater than normal backup workloads.

Note that these features are cumulative: an organisation should not think that adding immutability to their backup systems will, in itself, solve the issue. Likewise, they build on top of those security investments I mentioned earlier: businesses should be seeking advice in terms of reconfiguring and adding to their security, not replacing it!
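As an added illustration, not Kyndryl's tooling or code from the interview, the following Python models what those four attributes imply in practice: the newest restore point is only usable if it is air-gapped, retention-locked and verified clean by the anomaly scanner, and the recovery timeline is then bounded by restore throughput rather than by backup SLAs. The catalogue, field names and throughput figures are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Snapshot:
    taken: datetime
    air_gapped: bool            # held off the replication path (the "firebreak")
    retention_locked: bool      # immutable: cannot be edited or deleted once committed
    scan_clean: Optional[bool]  # anomaly-scanner verdict; None = not yet verified
    size_tb: float              # data that must be restored from this snapshot

def choose_restore_point(snaps):
    """Newest snapshot that is air-gapped, retention-locked AND verified clean.
    Unscanned snapshots are skipped: verification must precede any recovery."""
    for s in sorted(snaps, key=lambda s: s.taken, reverse=True):
        if s.air_gapped and s.retention_locked and s.scan_clean is True:
            return s
    return None

def recovery_plan(snaps, now, backup_tb_per_hour, mass_multiplier):
    """Data-loss window and restore time at normal backup throughput versus a
    mass-recovery path sized at `mass_multiplier` times that rate."""
    point = choose_restore_point(snaps)
    if point is None:
        return None
    normal_hours = point.size_tb / backup_tb_per_hour
    return {
        "restore_point": point.taken,
        "loss_window_hours": (now - point.taken).total_seconds() / 3600,
        "restore_hours_normal": round(normal_hours, 2),
        "restore_hours_mass": round(normal_hours / mass_multiplier, 2),
    }

# Constructed sample catalogue (hypothetical, not real data).
NOW = datetime(2024, 5, 1, 9, 0)
CATALOGUE = [
    # live replica: encryption already propagated, nothing protects it
    Snapshot(NOW - timedelta(hours=1), False, False, None, 40.0),
    # locked and isolated, but the scanner found indicators of compromise
    Snapshot(NOW - timedelta(days=1), True, True, False, 40.0),
    # locked, isolated and verified clean: this is the usable restore point
    Snapshot(NOW - timedelta(days=2), True, True, True, 39.5),
    Snapshot(NOW - timedelta(days=3), True, True, True, 39.0),
]

if __name__ == "__main__":
    # 1 TB/h normal backup rate; mass-recovery path at 10x
    print(recovery_plan(CATALOGUE, NOW, 1.0, 10))
```

With these assumed figures the clean restore point is two days old, so the business accepts 48 hours of data loss and, at the normal backup rate, roughly 40 hours of restore time, which the tenfold mass-recovery path cuts to about four.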

You mention the costs associated with ransom: how critical is this threat to modern enterprises?

A recent IDC study surveying businesses with over 500 employees in a range of sectors found that 69% of respondents had suffered at least one successful ransomware attack in the preceding 12 months, and nearly a third had paid in excess of $50,000 to regain access to their data.

The likelihood, and likely damage, of compromise obviously depends on many factors. For the sake of both understanding the scale of the threat and better planning how to mitigate it, I always recommend that organisations start with a holistic review before forging ahead in defining an RFP to ameliorate the situation. In particular, identifying critical systems, how much loss from them can be endured, and the priority of recovery for those systems can tell you a lot about what to expect and where to invest.

