Ransomware attacks can paralyze an organization by cutting off access to the data it needs for daily operation. One of the best practices for avoiding a ransomware catastrophe is to back up the organization's data regularly. In short:
- Back up on a regular basis.
- Keep backups on a separate device or devices.
- Store backups offline.
- Test the backups regularly.
- Backup servers should require authentication of backup clients and of backup administrators
- Employ Role-Based Access Control (RBAC) for all backups to determine who can make backups and who can restore from backups
- Backups should be encrypted at rest
- When sending backups, use encryption in transit (for example SSH, SFTP or FTPS)
- Create a “golden master” (the final version of a software compilation or configuration prior to release into production) before deploying hosts on the network
- Create a snapshot after the initial system build to hasten recovery time
- Create snapshots after major configuration changes to hasten recovery time
- Ensure that some backups exist in offline media to help recover from data corruption/ransomware
- Prepare for a rebuild on different hardware or platforms, and consider whether a system image has compatibility issues. It is best to store source code, executables and licenses together with the backups
- Read/overwrite access to backups should be controlled from outside the ecosystem being attacked
- Immutability settings on backup devices, so that even admins cannot delete backups
- Two-factor authentication for backup admins
- AWS S3 Object Versioning (with Object Lock, enabled at bucket creation)
- Any other architecture where the backup is no longer modifiable from the system that produced the data
- Test backups regularly
- Spot-check file system backups
- For large or critical applications, consider documenting how long a recovery from backup takes, for disaster recovery and planning purposes
- Employ role-based access control lists for all recoveries
- Ensure the backup's date/time precedes the date/time of the first known exploitation
- Create an isolated environment to test the recovery of backups that may still contain malicious code
- When recovering from an incident, obtain a list of IoCs from the Incident Commander and test the backup for the presence of those IoCs before restoring to production/live environments
- Virtual machines may be restored to an isolated “host-only” network
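The two restore-time checks in the list above (backup timestamp precedes first known exploitation; backup contains none of the Incident Commander's IoCs) can be scripted so they run against every candidate image before anything touches production. The following is an added example, not code from the original checklist; the backup manifest, the placeholder payload, the file paths and the timestamps are all constructed sample data, and the hypothetical `vet_backup` function stands in for whatever your backup tooling exposes.

```python
"""Pre-restore vetting of a backup image: timestamp and IoC checks (added example)."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class BackupImage:
    """A backup snapshot: when it was taken and the files it holds (path -> bytes)."""
    taken_at: datetime
    files: dict[str, bytes]

@dataclass
class VetResult:
    predates_compromise: bool
    hash_matches: list[str] = field(default_factory=list)  # paths whose SHA-256 is an IoC
    path_matches: list[str] = field(default_factory=list)  # paths named in the IoC list

    @property
    def safe_to_restore(self) -> bool:
        return self.predates_compromise and not self.hash_matches and not self.path_matches

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def vet_backup(image: BackupImage, first_known_exploitation: datetime,
               ioc_hashes: set[str], ioc_paths: set[str]) -> VetResult:
    """Hypothetical helper: apply both restore-time checks to one backup image."""
    result = VetResult(predates_compromise=image.taken_at < first_known_exploitation)
    for path, content in image.files.items():
        if sha256_hex(content) in ioc_hashes:   # hash-based IoC
            result.hash_matches.append(path)
        if path in ioc_paths:                   # path-based IoC
            result.path_matches.append(path)
    return result

# Constructed sample data (not real indicators). The IoC hash is derived from a
# placeholder byte string so that no real malware hash has to be typed in.
PLACEHOLDER_DROPPER = b"PLACEHOLDER-malicious-payload"
IOC_HASHES = {sha256_hex(PLACEHOLDER_DROPPER)}
IOC_PATHS = {"C:/Windows/Temp/svchost_update.exe"}
FIRST_EXPLOITATION = datetime(2024, 3, 10, 2, 0, tzinfo=timezone.utc)
CLEAN_IMAGE = BackupImage(datetime(2024, 3, 9, 23, 0, tzinfo=timezone.utc),
                          {"D:/data/ledger.db": b"ledger rows", "D:/data/notes.txt": b"hello"})
TAINTED_IMAGE = BackupImage(datetime(2024, 3, 11, 23, 0, tzinfo=timezone.utc),
                            {"D:/data/ledger.db": b"ledger rows",
                             "C:/Windows/Temp/svchost_update.exe": PLACEHOLDER_DROPPER})

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("tainted", TAINTED_IMAGE)):
        r = vet_backup(img, FIRST_EXPLOITATION, IOC_HASHES, IOC_PATHS)
        print(name, "safe to restore:", r.safe_to_restore, r)
```

In practice the manifest would be streamed from the backup catalogue rather than held in memory, and the IoC sets loaded from the incident's indicator list; the checks themselves stay the same.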