Ransomware Defense: Quest Offers a Backup and Recovery Game Plan
It is now reasonable to assume that most organizations have or will suffer a ransomware attack. While the statistics were already sobering, recent data points to an even more ominous threat landscape. Quest Software has an answer for that.
According to CyberEdge’s eighth-annual Cyberthreat Defense Report:
- A record 86% of organizations suffered from a successful cyberattack last year.
- A record 69% of organizations were compromised by ransomware.
- 57% of ransomware victims paid ransoms last year, but one-quarter (28%) of them failed to recover their data.
Understandably, for many organizations, there has been a shift in emphasis. While seeking to prevent ransomware and security attacks in general remains critical, what to do if and when the ransomware attacks occur has emerged as an essential initiative — considering that organizations’ operations typically cease to function until the ransomware attack is resolved.
To this end, one potential solution is Recovery Manager for Active Directory Disaster Recovery Edition (RMAD DRE) 10.2 from database, systems and security software provider Quest Software, with storage designed both to protect Microsoft Active Directory backups from malware and to minimize the impact of ransomware attacks.
“It’s essential to not just make regular and trustworthy backups of your Active Directory, but to keep them in air-gapped storage,” said Bryan Patton, a Certified Information Systems Security Professional (CISSP) and consultant for Quest Software. “That means a place where they are offline — disconnected and inaccessible from the internet and internal networks as well.”
One of the most obvious first lines of defense against ransomware attacks is to maintain backups that are unreachable over the network once the data has been archived. Traditionally, this meant writing a backup to tape and shipping the tape to a secure off-site location on a regular schedule. However, hauling archived data off-site every hour or so — or at shorter intervals, depending on the industry — is costly and largely unfeasible.
“The old-school solution was to write backups to tape and send them to an off-site storage facility such as Iron Mountain,” Patton said. “However, that approach isn’t just cumbersome and costly; it also slows recovery significantly, since retrieving, transporting, mounting and reading tapes necessarily involves a great deal of time.”
Furthermore, the backed-up data is highly likely to contain the very vulnerabilities that gave the attackers their entry point in the first place. Also, once an attack occurs, organizations must have a very efficient data restoration process in place; a process that has been created but never properly tested often fails dismally when it is finally needed.
Since most organizations use Microsoft Active Directory (AD) to manage identities and provide access to business resources, such as databases, files, applications and endpoints, nothing can be restored until AD is back up and running.
“You can’t restore from backup if your backups have been corrupted,” Patton said. “Today’s ransomware attacks now seek out and destroy any network-connected backups in order to maximize the chances that you’ll have to pay the ransom to restore your data.”
With RMAD DRE 10.2, it is possible to expedite recovery, with Active Directory continuing to serve as the “central nervous system for the entire business,” Patton said. RMAD DRE 10.2 supports the recovery effort, Patton explained, in order to allow the:
- Backup team to provide the backups and perform restores.
- Storage team to ensure you have enough storage to restore servers from backup.
- Network team to make sure that the servers being restored are sandboxed and that domain controllers (DCs) can communicate.
- Server team to validate that the restore is correct and complete and also to install any additional antivirus or anti-malware software that’s required.
- Security team to validate the ransomware is not on the restored servers.
- Application team to validate that applications are working.
- External parties, such as Microsoft, the backup and recovery vendor, and cloud storage provider to be coordinated and managed.
The recovery process involves identifying which applications are most critical for business operations so that the DevOps team can focus on restoring them first, Patton said. This is followed by determining which domain controllers (DCs) are essential for those applications and restoring those first, “enabling sign-in and business-critical functions as soon as possible,” Patton explained.
“Often, the key domain controllers are the ones in the data center, rather than in remote offices,” Patton said. “Once you have recovered them, the application teams, database teams and others can start their recovery process while the Active Directory team moves on to restoring less critical DCs.”
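The prioritization Patton describes (most critical applications first, then the domain controllers those applications depend on, with data-center DCs ahead of remote-office DCs) can be written down as a small planning routine. The following is an added example for illustration, not code from the article or from Quest's product; the application inventory, DC names and site labels are constructed, and the ranking rules (application tier, then site, then number of dependent applications) are an assumption about how a recovery team might encode its own priorities.

```python
from collections import defaultdict

# Constructed inventory (not from the article): each application has a
# criticality tier (1 = most critical) and the DCs it authenticates against.
APPLICATIONS = {
    "erp":       {"tier": 1, "dcs": ["DC01", "DC02"]},
    "email":     {"tier": 1, "dcs": ["DC02"]},
    "hr-portal": {"tier": 2, "dcs": ["DC03"]},
    "wiki":      {"tier": 3, "dcs": ["DC-REMOTE1"]},
}

# Constructed DC metadata: where each DC lives. Data-center DCs are
# preferred over remote-office DCs when two DCs otherwise tie.
DOMAIN_CONTROLLERS = {
    "DC01":       {"site": "datacenter"},
    "DC02":       {"site": "datacenter"},
    "DC03":       {"site": "datacenter"},
    "DC-REMOTE1": {"site": "remote-office"},
    "DC-REMOTE2": {"site": "remote-office"},
}


def plan_dc_restore_order(apps, dcs):
    """Return DC names in the order they should be restored.

    Ranking (assumed, not the article's): the best (lowest) tier of any
    application depending on the DC, then data-center before remote
    office, then the number of dependent applications, then name.
    A DC no application depends on sorts last.
    """
    best_tier = {name: float("inf") for name in dcs}
    app_count = defaultdict(int)
    for app_name, app in apps.items():
        for dc in app["dcs"]:
            if dc not in dcs:
                # Inventory mismatch is a planning error; surface it early
                # rather than silently skipping a DC.
                raise ValueError(f"{app_name} depends on unknown DC {dc}")
            best_tier[dc] = min(best_tier[dc], app["tier"])
            app_count[dc] += 1

    def sort_key(name):
        site_rank = 0 if dcs[name]["site"] == "datacenter" else 1
        return (best_tier[name], site_rank, -app_count[name], name)

    return sorted(dcs, key=sort_key)


def recoverable_apps(apps, restored_dcs):
    """Applications whose DCs have all been restored, so their own
    application and database teams can start work."""
    restored = set(restored_dcs)
    return sorted(name for name, app in apps.items()
                  if set(app["dcs"]) <= restored)


if __name__ == "__main__":
    order = plan_dc_restore_order(APPLICATIONS, DOMAIN_CONTROLLERS)
    print("Restore DCs in this order:", order)
    # After the first two DCs come back, report which apps are unblocked.
    print("Unblocked after first two:", recoverable_apps(APPLICATIONS, order[:2]))
```

The `recoverable_apps` helper is what lets the application and database teams begin their work the moment the DCs they need are back, as the article describes, while the AD team continues down the list.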