MANAGEMENT: RANSOMWARE

SHIELDING YOUR FILE SERVERS: AN ESSENTIAL GUIDE

ARON BRAND, CTO OF CTERA, REMINDS US THAT THE KEY LESSON TO LEARN FROM RANSOMWARE THREATS IS THAT IT IS NEVER A GOOD IDEA TO PAY THE RANSOM
Ransomware has been a significant hazard in the digital world for a number of years, impacting various industries with devastating effects. Manufacturing, construction, healthcare, and financial services are especially at risk, not just due to the nature of their operations but also because of their stringent time sensitivities and compliance obligations. The disruption caused by ransomware in these areas can lead to severe consequences, affecting both operational continuity and regulatory compliance.

The need for robust and effective ransomware defence strategies is urgent. To protect against ransomware attacks, organisations need to take a proactive approach, one that is more comprehensive and layered than simply updating and securing all networked devices.
DOES PAYING FIX THE PROBLEM?

In short, no. The risks associated with paying ransoms are considerable and often misunderstood. When organisations agree to ransom demands, they inadvertently set themselves up for future attacks. Ransomware actors don't play fair and frequently target their previous victims, not just because it's convenient but also because they know these victims are willing to pay. Paying may, in fact, increase ransom demands in subsequent attacks rather than solving the initial problem.
ENDPOINT PROTECTIONS ALONE ARE NOT ENOUGH

Traditional signature-based defences are often ineffective against evolving ransomware threats specifically designed to bypass static security measures. In environments with outdated operating systems or embedded IoT devices, this is further intensified, as such systems often can't support client-based ransomware protection tools like Endpoint Detection and Response systems. Such devices, if not adequately secured or updated, can easily become vulnerable entry points for ransomware attacks. Advanced measures are the only effective way to safeguard against the sophisticated and constantly evolving nature of such attacks.
NOT ALL BACKUPS ARE CREATED EQUAL

Backups are a vital safety net in the event of an attack. However, their effectiveness in ransomware scenarios is heavily dependent on how they're managed and protected. By targeting backups, ransomware attackers aim to incapacitate an organisation's ability to restore data independently, thereby increasing the likelihood of a ransom being paid.

That is why backups require air-gapped, immutable storage, i.e. a physical gap between the backup data and the network that blocks attempts to access or alter that data through network-based attacks. This ensures both the integrity and availability of backups, enabling organisations to recover critical data without succumbing to ransom demands, a crucial deterrent that significantly reduces the leverage ransomware attackers hold over their victims.
EARLY DETECTION AND PROTECTION

Adding effective early detection methods to your security workflow is key to identifying and mitigating threats at the file-server level, even before they necessitate data recovery. This is where advanced ransomware detection methods come into play. They're designed to identify suspicious activities and potential threats via three primary approaches, namely:

1. Threshold-based detection: This method involves monitoring file activity and defining thresholds on it. It focuses particularly on operations such as file modifications, renames, and changes in entropy, all common indicators of ransomware activity. Its effectiveness lies in early detection, allowing for prompt response. It should be noted that thresholds are sensitive to users performing atypical, non-malicious tasks, which can lead to frequent false positives.

2. Signature-based detection: A method that detects known ransomware signatures within user behaviours or files, providing a reliable line of defence against known threats with nearly zero false positives. Where this method is limited, however, is its ineffectiveness against new, unknown ransomware strains - also known as zero-day threats.

3. Behavioural AI detection: AI-driven tools in this method analyse user access patterns, matching them to known ransomware tactics, and offering a sophisticated, proactive approach to identifying potential ransomware attacks. Leveraging the adaptability of machine learning, this method continuously evolves to counteract advancing techniques used in modern ransomware. And since it detects tactics used by ransomware rather than signatures or thresholds, it reliably catches new ransomware strains and provides solid resilience against false positives.
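As an added illustration of the threshold-based method described above (example code written for this edit, not from the article or from CTERA): a small Python detector that counts modify/rename operations per user in a sliding window and checks the Shannon entropy of the bytes written, run over constructed file events. The window length, operation count and entropy cut-off are assumed values, and the second, rename-only user shows the false-positive case the text warns about.

```python
import math
import random
from collections import deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed content, far lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class ThresholdDetector:
    """Sliding-window count of modify/rename operations per user, plus an entropy check on
    the bytes written. Window, op count and entropy cut-off are constructed defaults."""
    def __init__(self, window_s=10.0, max_ops=5, entropy_bits=7.0):
        self.window_s, self.max_ops, self.entropy_bits = window_s, max_ops, entropy_bits
        self.history = {}  # user -> deque of (timestamp, entropy of written bytes or None)

    def observe(self, user, ts, op, content=None):
        """Feed one file event; return None, a WARN (rate only) or an ALERT (rate + entropy)."""
        if op not in ("modify", "rename"):
            return None
        q = self.history.setdefault(user, deque())
        q.append((ts, shannon_entropy(content) if content is not None else None))
        while ts - q[0][0] > self.window_s:  # drop events that fell outside the window
            q.popleft()
        if len(q) < self.max_ops:
            return None
        ents = [e for _, e in q if e is not None]
        if ents and sum(e >= self.entropy_bits for e in ents) / len(ents) >= 0.5:
            return f"ALERT {user}: {len(q)} modify/rename ops in {self.window_s}s with high-entropy writes"
        # Rate threshold crossed but written content looks normal: a likely false positive
        return f"WARN {user}: {len(q)} modify/rename ops in {self.window_s}s, entropy normal"

def run_demo():
    """Constructed events: 'alice' overwrites six files with random bytes (encryption-like);
    'bob' renames six files during a legitimate reorganisation."""
    det, rng, results = ThresholdDetector(), random.Random(1), []
    for i in range(6):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))
        results.append(det.observe("alice", 1.0 + i, "modify", blob))
    for i in range(6):
        results.append(det.observe("bob", 1.0 + i, "rename"))
    return results

if __name__ == "__main__": print(*filter(None, run_demo()), sep="\n")
```

Alice trips the ALERT path once five high-entropy modifications land inside the window; Bob's renames cross the same rate threshold but only produce a WARN, which is where an operator would tune the thresholds or add the signature and behavioural layers the text goes on to describe.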
FILE SYSTEM VS. BACKUP-BASED DETECTION

In the realm of ransomware defence for file servers, detection methods are broadly categorised into two variants: post-discovery tools that analyse the content of periodic backups, and real-time detection tools that monitor user behaviour and file operations. This distinction is critical in understanding the strengths and limitations of each approach in safeguarding data against ransomware attacks.
POST-DISCOVERY BACKUP-BASED DETECTION

This method focuses on analysing backups after they have been created, scanning for signs
STORAGE MAGAZINE, Jan/Feb 2024, page 32 | @STMagAndAwards | www.storagemagazine.co.uk