Giving Away the Keys to Your Backups? Here’s How to Keep Out Hackers
Businesses are struggling with increased costs, including cyber insurance premiums that rose a staggering 92% year over year in 2021. The skyrocketing costs are due in part to an increase in business interruption costs, which are primarily driven by attackers’ ability to locate and destroy an organization’s backups and production data, preventing timely recovery.
According to Veeam’s “2022 Ransomware Trends Report,” backups were targeted in 94% of attacks and compromised in 68% of attacks. Without a backup to restore, unplanned downtime costs 35% more than planned downtime, according to IBM. A proactive approach to securing your environment actually means cost savings.
In recent years, the sophistication of threat actors has increased exponentially, but organizations have not implemented the necessary technical controls and configurations to keep up. The cybersecurity industry and many cybersecurity professionals are policy and compliance oriented, but the hackers don’t follow your policies. They are constrained only by your controls and configurations.
As a last line of defense, there are precautions like immutability that can help your backups survive, but the success or failure of most organizations’ security methods depends heavily on the users – those who don’t have an IT or security background. Unfortunately, most organizations’ technical controls and configurations do not reduce the likelihood that users’ endpoints will be used to cause harm.
Too many organizations allow (sometimes unknowingly) an array of meeting software, remote access software, password managers, browsers, personal email services, and file sharing tools. This unapproved tech explosion creates a greater opportunity for threat actors to harvest your users’ credentials, exfiltrate data, gain access to an endpoint, or gain remote access. Cisco was recently compromised by allowing users to access personal email services and store company passwords in the browser.
Most breaches follow a predictable course. Here’s an example: A user opens a malicious email and clicks a link that exposes their credentials or grants local access to a threat actor. The attacker then installs a Remote Access Trojan (RAT) on the endpoint and collects privileged credentials, whether from the endpoint itself via a credential dumper such as Mimikatz, from the dark web, or from a network share. Then the attacker uses the privileged credentials to move laterally through the network, finding and exfiltrating the most valuable data, destroying the backups, and encrypting all production data.
So how do you avoid becoming a victim of common attack methods?
Improve education
All users need to be educated on the evolving risks posed by everyday tools and how attackers use them, particularly email. According to Verizon’s “2022 Data Breach Investigations Report,” threat actors prefer email for malware delivery: 86% of malware delivery is via email.
IT experts also need consistent training. Too often, victims believe the breach they suffered was a fluke. IT pros are often unaware of the vulnerabilities and misconfigurations in their environment and of how sophisticated hackers have exploited them.
Getting security right takes a concerted, single-minded, anti-political personality to get an organization to take the necessary steps. Even blocking personal email services within an organization is likely to face resistance, but it has to be done.
Get a review
Finding a partner who can perform a thorough technical assessment of your environment, leveraging knowledge of real-world data breaches, is a great addition to your IT department and a worthwhile investment. IT systems are often poorly configured and have inadequate technical controls, yet organizations are often unaware of the risks they have implicitly accepted.
A regular, at least annual, assessment cycle is important because risks are constantly changing and providers are constantly releasing updated functions and services. The suitability and configuration of the technical controls must be checked regularly so that they do not compromise your security posture.
Even large vendors like Microsoft have default settings that make organizations more vulnerable from the start. Recently, Microsoft warned of large-scale phishing attacks against more than 10,000 organizations. Allegedly, the attackers were able to bypass Office 365’s multi-factor authentication (MFA).
If configured incorrectly, MFA will not protect your organization and can even be a reason for denial of insurance coverage. An evaluation would reveal such misconfigurations. When your controls are properly orchestrated, it becomes more difficult for a threat actor to leverage collected credentials for access.
Set roles
Ultimately, security is everyone’s job, but IT pros and security teams need to have clear responsibilities and work not just with each other, but with leaders as well. Internal politics must be set aside for the greater good of protecting the organization from threats.
For example, in some cases, leadership doesn’t allow the IT team to do what needs to be done to properly secure an organization and pushes back on controls that may seem too strict.
There is also often a natural tension between security and IT. If CISOs and security teams are asked to secure an environment after the IT infrastructure has been built, they will find it difficult to implement security piecemeal based on what is already in place. You can’t duct tape yourself into a secure IT environment.
Once you’ve got your marching orders, you’ll need to focus your security plan on stacking controls and securing endpoints, among other things. When a threat actor gains access to an endpoint, most organizations lose. With the right technical controls and configurations in place, you can better protect your endpoints, credentials, production data, and ultimately, your backups.