Restoring Company Data After Any Crisis
The source of a cyber incident will be found in one of three areas:
- Malicious activity committed by a network insider,
- An accident or misjudgment made by a network insider, or
- An attack by an outsider, who likely ferreted a way inside with the help of malware.
All three of these security failures may lead to the loss of system files and corruption of system configurations. Database records may be destroyed. Application code may be altered.
Smart businesses that plan for these kinds of attacks will have in place elaborate cyberattack prevention and incident response plans. They will make sure that their systems and data are backed up, and the backups will be scheduled at a frequency that supports their target window of recovery.
But what if the backed-up data has also been compromised? Testing the integrity of backups before restoration is the only way to ensure they are completely free of malware. So, how is that accomplished?
What If There Is Malware and Mayhem in the Backup?
We have all seen the suspense thriller where the protagonist sweats over which wire to cut before the bomb goes off. A wire is chosen and cut, and the timer freezes. But just as the bomb is being dismantled, a secondary timer activates and the whole mechanism blows up anyway. Boom.
The metaphor fairly describes the experience of finding out the hard way, in the middle of recovering from a cyber attack and restoring all the data, that the backed-up data explodes in your face too. Ransomware, in particular, can encrypt backed-up files just like any other.
Assessing the integrity of that data, and cleaning it up before restoration, is critical. But this is easier said than done. The approach to it largely depends upon what kind of incident happened in the first place.
Let’s look at three scenarios.
Cleaning Up after a Data Manipulation Attack
Data manipulation attacks are a problem that can happen well under the radar and for an indeterminate length of time if proper monitoring is not in place. Imagine the disgruntled employee of a company using their access to alter records, or steal proprietary company information, before quitting. If the network is without file integrity monitoring, the manipulation can look just like normal network activity. It is activity that can go completely unnoticed for a long time before the damage is finally discovered. Elon Musk learned this a year ago – sabotage in the digital age can be devastating.
Backups are essential to recovering from an attack of this sort, and the key will be to have multiple restoration points and integrity checking in place. Preventing insider attacks with endpoint visibility is also a very good idea. When network users know that their behavior is always tracked for forensic purposes, it will deter them. Prevention is always cheaper and easier than the cure.
Also, encrypting the backup data is wise. Doing so is another hedge of protection you will be glad to have against malicious activity like this.
Cleaning Up after Data Destruction
Lately, financial institutions have suffered from bad actors hacking into their systems and disrupting entire networks by monkeying with the time and date stamps of files and switches. But although data destruction can be deliberate like this, an honest mistake or hardware failure can just as easily lead to corrupted records or applications, and it can happen to any business in any industry.
Preventing data destruction, and responding to it when it happens, is not very different from responding to a data manipulation attack. Testing the backup during the recovery process, and sandboxing it to make sure all the backup processes are operational and the applications are functioning correctly, will catch issues before the system is restored. We recommend testing the restoration process at least every 6 months. Having confidence in key server configurations is important. Remember that a backup is only as good as the restoration process that is in place for it.
Cleaning Up after an Outside Attack: Malware and Ransomware
When ransomware enters a system, it may lie undetected and inactive on a local machine for a while. It may be just one more file that gets copied onto the company’s server backups. Infected backup data needs to be cleaned up before a network can be recovered. So how is this accomplished?
Backup software does not necessarily recognize whether source data is corrupted. All it does is copy and save. Worse, if the infection is bad enough, historical versions of the backups may also be affected or even destroyed.
Again, an ounce of prevention is worth a pound of cure. Shielding your data backup process with a malware detection tool is one way to protect backup data. Air-gapping your backups from your network is another. Both are essential if you need a dependable recovery point after a ransomware event. Before restoring the system from a backup, the data’s integrity should be tested and retested. Testing is best done using a spare system drive, or at least on a partition separate from the original data. Check the applications to see how they run. If they are behaving as they should, then you have reason for confidence. If they do not, then further work to find and remove the offending malware or corruption must be the next step before recovery is possible.
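One way to put the integrity checking and pre-restore testing described above into practice, as an added example that is not part of the original article: record a keyed manifest of file digests when a restore point is written, then re-check the restore point against it before anything is restored. The key, the sample files and the directory layout are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical key for this example. In practice it lives where the backup host can
# read it but a writer to the backup volume cannot, so a tampered restore point
# cannot simply be shipped together with a freshly re-signed manifest.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def file_sha256(path: Path) -> str:
    """Digest a file in 1 MiB chunks so large backup members stay off the heap."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: str, key: bytes = MANIFEST_KEY) -> dict:
    """Record every file's digest at backup time and MAC the whole listing."""
    root = Path(backup_root)
    files = {p.relative_to(root).as_posix(): file_sha256(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore_point(backup_root: str, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Re-hash the restore point and diff it against its manifest.
    Restoring is only safe when manifest_trusted is True and all three lists are empty."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"]):
        return {"manifest_trusted": False, "modified": [], "missing": [], "unexpected": []}
    expected, current = manifest["files"], build_manifest(backup_root, key)["files"]
    return {"manifest_trusted": True,
            "modified": sorted(n for n in expected if n in current and current[n] != expected[n]),
            "missing": sorted(n for n in expected if n not in current),
            "unexpected": sorted(n for n in current if n not in expected)}


def make_sample_restore_point() -> str:
    """Constructed sample backup set (not real data) for exercising the checks."""
    root = tempfile.mkdtemp(prefix="restore-point-")
    Path(root, "db").mkdir()
    Path(root, "db", "customers.csv").write_text("id,name\n1,Ada\n2,Grace\n")
    Path(root, "app").mkdir()
    Path(root, "app", "config.ini").write_text("[server]\nport=8443\n")
    return root
```

Run build_manifest when each restore point is written and keep the manifest with the key-holding host, then run verify_restore_point on the spare drive or partition before restoring; a file that was silently altered, an encrypted member, a dropped-in extra file or a missing one each show up in the report rather than in production.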
Backup Integrity and Malware-Free Confidence
A company’s backup is the company’s true insurance policy. As such, investing in a well-equipped backup service that is tested regularly for clean and complete backups, running at the frequency the company requires, is the best way to be sure that the company will survive when disaster strikes. A restoration process that is likewise tested regularly has to be part of the maintenance routine. And finally, scan every backup for malware and encrypt it. Store it separately from the network. Doing all these things may seem like a huge investment of money and time, but if the day comes that cyber disaster strikes, whether your business survives may depend entirely on whether you did.