The best time for IT Professionals to start building a ransomware response checklist is now, before an attack occurs. There are several reasons for creating a checklist:
√ Successful Ransomware Response requires preparation.
√ Stress levels are high during an attack. You might forget a critical element in a rush to get everything back online.
√ A checklist will expose areas where you must practice and test.
√ A checklist provides a framework for comprehensive auditing.
Section One: Build a Ransomware Resilient Foundation
▢ Implement a Prevention Solution
The first step in building a ransomware response checklist is to have the foundational elements covered. The best response is the one you don’t have to conduct because the attack doesn’t get through. While no prevention solution is perfect, and you still need a response strategy, they are effective at preventing many types of attacks.
▢ Simplify Patching
Most patch releases sent to IT professionals today involve closing down potential security exploits. These patches should be applied upon release. The problem is most IT professionals are hesitant to apply patches to the environment because of downtime and the potential for unexpected impact of the patch. This is especially true of infrastructure software since an errant patch or downtime because of a patch can impact dozens of servers instead of just one.
Another challenge is that most IT infrastructures are comprised of multiple pieces of software. Instead of a single, cohesive data center operating system (DCOS), IT must run layers of incompatible infrastructure software components, including networking software, virtualization software, storage software, and data protection software. Patches are applied to these layers when the respective vendor for each layer releases a service pack, which rarely coincides with when the vendors of the other layers release their patches.
Look for a vendor that takes a DCOS approach to infrastructure, which is not only critical to simplifying patching but also simplifies the entire ransomware response effort.
A DCOS should provide two deliverables in terms of patching. First, it should be able to simplify the foundational DCOS patching process by integrating the legacy IT stack into a single software element. Second, it should make the patching of guest operating systems and applications running inside VMs simpler by enabling zero-capacity and zero-performance impact clones so that IT can test the released patch for conflicts with other elements within the data center. If there is a problem with the patch, IT can roll back to the prior version, or if the patch works, roll the patched version into production.
▢ Harden the Operating Environment
An essential but often overlooked step is to harden the infrastructure software as much as possible. Suppose the ransomware can infect a part of the core infrastructure, like the hypervisor, the storage software, or the data protection software. The impact is widespread in that case, and recovery is far more complex.
While most mainstream OSs are not resilient to attack, you should ensure your core infrastructure software, like the hypervisor, storage, and networking software, are hardened. Look for infrastructure software that takes special developmental steps to make it act like firmware, loaded into RAM, and can be replaced easily from an unalterable good copy. Again, a DCOS makes these processes easier since only one software component needs to be hardened instead of three or four.
Section Two: Build a Ransomware Resilient Protection Strategy
▢ Increase Protection Frequency and Retention
Protecting data is an obvious inclusion in any attempt at building a ransomware response checklist. Most data centers run into three challenges when creating a ransomware-resilient data protection strategy:
- Protection events occur too infrequently to be meaningful.
- Protected copies aren’t retained long enough to outlive a prolonged attack.
- Too many protection solutions are used, making the process complex and expensive.
A best practice for a successful ransomware response is to make sure you are capturing all data hourly. Snapshots, on paper, look ideal for this use case, but most solutions experience significant performance problems as the number of snapshots increases, limiting how long those snapshots can be retained.
▢ Consolidate Protection Tools
To get around the limitation of traditional snapshots, most organizations use at least four data protection tools to protect their environment. They may use a combination of hypervisor snapshots, storage system snapshots, replication software, application-level backup utilities (dumps), and enterprise backup software. Using all these applications makes the data protection process more expensive and complex, especially during a ransomware recovery effort. IT may be unsure which part of the process has the best known good copy.
Look for an infrastructure DCOS that enables you to consolidate, preferably down to one, the number of tools used for data protection. In essence, the DCOS will protect itself. It should provide the ability to protect data frequently and retain those protection events indefinitely without suffering performance degradation. It should enable you to restore the entire data center footprint, if need be, including network and storage configurations, with a single click. Lastly, it should enable affordable, high availability so data can be moved off-site and adhere to all aspects of the 3-2-1 rule.
▢ Consider a Snapshot Alternative
Traditional snapshot technology, standard in most storage systems and hypervisors, is ill-suited to meet these requirements. The metadata requirements to maintain a high frequency, long retention snapshot schedule is too great. It impacts performance and makes deleting old snapshots to free up capacity too time-consuming. Clones are a better option for performance and retention because they are independent copies, but without global inline deduplication, frequent clones and long retention will consume too much storage capacity and degrade performance too much to be practical.
Look for an infrastructure that combines the best benefits of both clones and snapshots by implementing DCOS-wide deduplication. If the deduplication technology is built into the core of the DCOS, then it will eliminate concerns about algorithmic performance overhead and capacity consumption while enabling the cloning of PBs of data in milliseconds.
Section Three: Build a Ransomware Resilient Detection Strategy
▢ Detect Data Anomalies
Detection is a critical component of building a ransomware-resilient checklist. The sooner the DCOS can alert IT to an attack, the faster IT can stop and remedy the situation. Most ransomware attacks take two vectors after the malware finds its way into the environment. First, they start encrypting files as fast as possible, and second, the malware starts replicating itself to encrypt more files in parallel.
Again multiple detection tools are problematic. Look for a DCOS that can deliver in near real-time, a single source of alerting based on data change rates. In a globally deduplicated environment, the DCOS builds an alert off of an unexpected increase in capacity consumption.
▢ Preserve Forensic Data
When ransomware attacks, most IT professionals’ first reaction is to start the recovery response as quickly as possible. The problem with jumping right into recovery is that the process will likely destroy any forensic data available to determine how the attack entered the environment and how it spread. Both data points are crucial to future prevention efforts.
Instead, look for a DCOS that enables quick isolation of the current state. Again using a cloning type of technology powered by global inline deduplication enables these clones to be made in milliseconds without consuming too much capacity. It is also critical that this clone be independent and isolated.
▢ Create Ransomware Honeypots
Another detection strategy is to create Honeypots of the environment and expose them to attack, obviously anonymizing data in them. These honeypots can alert you of a potential wider threat and provide excellent practice for further hardening your data center. Honeypots typically have a lower false positive rate, when compared to most traditional intrusion-detection systems.
Look for a DCOS that can virtualize entire data centers in the same way that virtual machines virtualize servers. Then the DCOS can easily create honeypot data centers that are securely isolated from the production virtual data centers.
Section Four: Build a Rapid Recovery Strategy
▢ Mount the Recovery, Don’t Copy
When ransomware strikes, rapid recovery is critical. Depending on the severity of the attack, IT may need to recover a few VMs or an entire data center. Copying data from another snapshot or a backup process takes too much time. Again, clone the current state for forensic reasons, then start recovery. The key is to be able to mount, in place, the last known good copy of data. That mount still needs isolation so IT can scan it for any malware trigger files before returning it to production.
Look for a DCOS that can in-place mount a previous VM version or an entire data center. An in-place mount provides instant access to the data so IT can scan it to ensure there are no malware remnants and then provide user access.
How’s Your Checklist?
Building a Ransomware Response Checklist is only effective if you tick all the boxes. If your evaluation is missing a couple of marks, then consider attending VergeIO’s next TechTalk, “Creating a Ransomware Response Strategy,” with our CEO, Yan Ness, and SE Director, Aaron Reid. They will dive deep into the elements of this checklist and show you a live demo of our IOfortify solution for recovering from a ransomware attack.
