Immutable backups sound like a niche nerd topic, but somehow CEOs, boards of directors, and risk and audit specialists suddenly get interested. They are nervous – but why? What is the threat, and how do immutable backups help? And how can IT organizations turn such an idea into a technical reality when they run 100% of their workload in the public cloud?
New Threats on the Rise
Ryuk, NotPetya, and the Russian cyberattacks on Ukraine before the invasion are a Pearl Harbor-like wakeup call for CIOs and CISOs. The Ryuk ransomware infiltrates IT infrastructures to encrypt critical company data. The attackers then “offer” to decrypt the data after a ransom payment. They ask for a six-digit payment, not for millions – a sum a typical SME or organization can pay, be it a hospital, a school, or a governmental agency. That is the first threat on the rise. The second relates to state-sponsored destructive cyberattacks, with the 2017 NotPetya attack being a prominent example. It encrypts the victims’ data without anyone (including the attackers) being able to decrypt it. While Ukrainian companies were the primary targets, it spread worldwide. Thus, the first lesson of NotPetya is: system-relevant companies and organizations such as electricity companies, power plants, or oil and gas pipelines are prime targets for destructive state-sponsored attacks. Second, there is collateral damage. Why would an attacker invest in sophisticated algorithms to narrow an attack to hit only electricity companies when, with less engineering effort, they can also damage other companies in the targeted country? Becoming collateral damage of state-level cyberconflicts and cyberattacks is a real threat today.
A Typology of the New Cyber Threats
The characteristics of today’s cyberattacks become apparent when comparing them with a long-ago global malware incident. Experienced IT managers might remember early May 2000. These were the days when many employees got love emails at work. However, you should get suspicious when the secretary, your boss, and the CEO write you an “I love you” email shortly before the mail servers crash. A worm programmed in Visual Basic took the world by storm. It replicated by sending itself as an email attachment to all Outlook contacts of a victim, in addition to performing some destructive actions on the workplace computer. Today’s attacks, such as Ryuk or NotPetya, are different and more dangerous:
- ILOVEYOU targeted workplace computers. They are, besides mobile devices, just an entrance door for attackers today; servers are the jackpot.
- ILOVEYOU was easy to detect. Surprising emails, crashing servers – admins had to act. In contrast, companies today still do not detect 20% of compromises within the first seven days (SANS Incident Report 2019).
- The ILOVEYOU damage was neither systematic nor did the worm try to do maximal harm. In contrast, today’s attackers analyze the victim’s IT infrastructure and try to take over admin roles to maximize damage.
With this changing threat landscape, companies might want to reassess how likely devastating attacks are. Attackers do not have to delete all databases to bring a company down. What happens to a bank if cyber-gangsters encrypt “only” the databases required for the authentication component of online banking together with the customer names and address database? Can an industrial company survive if the inventory management and the supply chain database are encrypted? Once companies rate such a risk as unacceptable and start looking for mitigation options, (immutable) backups are no longer a niche technology but a board-of-directors topic.
Backup Use Cases: Four Oldies and One Newbie
Backup solutions saw as much innovation and action in the last decade as cemeteries on a rainy November night at midnight. But now, the rise of public clouds as backup storage (not the focus here), sophisticated cyberattacks, and the hope and need for immutable backups in the cloud are shaking up the scene.
The classic backup solutions cover four prominent use cases:
- Device Failure: Technical components fail, e.g., a hard disk crashes, and there is no way to restore the data from this disk.
- Operational Failures: An engineer deletes a critical database, a VM, a file share, or any other system or storage solution by mistake.
- Critical Operations Safeguard: An engineer plans a risky change, e.g., deploying a patch or reconfiguring a database schema. Before applying the change, he makes a copy. If there is any issue with the change, he restores the previous situation from the backup.
- Site Failure: A company’s data center with all servers becomes unavailable, e.g., because it burns down.
The new use case for immutable backups is:
- Cyberattack Restoration: The ability to reconstruct a working state of all applications and their data after a cyberattack has taken over admin accounts and deleted or encrypted critical resources.
The main difference between the classic backup use cases and the immutable backup for cyberattack restoration is the ability to “survive” an attacker who holds the highest admin privileges. In the public cloud, companies cannot place appliances and storage systems in a data center and manage them with local user rights and an emergency keyboard. You also cannot use backup robots that write your data to tape. In the cloud, an admin can do (nearly) everything. Thus, companies need new backup concepts.
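The "survives an admin" criterion is testable, not just a slogan. The following is an added example, not code from the article or its author: it assumes AWS S3 Object Lock as one concrete realization of an immutable backup store and audits the JSON shapes that `aws s3api get-object-lock-configuration` and `get-bucket-versioning` return. The two sample responses are constructed for illustration. The check encodes the article's point: a retention mode that an admin can bypass (GOVERNANCE mode is overridable by any principal holding `s3:BypassGovernanceRetention`) does not survive a compromised admin, whereas COMPLIANCE mode cannot be shortened or deleted by any user until the retention window expires.

```python
"""Audit whether an S3 Object Lock setup gives a backup bucket
'survive-the-admin' immutability.

Added example, not from the article. Assumes AWS S3 Object Lock as one
realization of immutable backup storage; the response dicts below are
constructed samples in the shape of the real API responses.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    ok: bool
    reasons: list = field(default_factory=list)


def audit_object_lock(lock_cfg: dict, versioning: dict, min_retention_days: int) -> Finding:
    """Return Finding(ok=True) only if every object version written to the
    bucket is locked, by default, in a mode no admin can override, for at
    least min_retention_days."""
    reasons = []

    # Object Lock works on object versions; without versioning a delete or
    # overwrite removes the only copy.
    if versioning.get("Status") != "Enabled":
        reasons.append("bucket versioning is not Enabled")

    ol = lock_cfg.get("ObjectLockConfiguration", {})
    if ol.get("ObjectLockEnabled") != "Enabled":
        reasons.append("Object Lock is not enabled on the bucket")
        return Finding(False, reasons)

    # Without a default rule, objects are only locked when each PutObject
    # sets retention explicitly, which a backup job may forget to do.
    rule = ol.get("Rule", {}).get("DefaultRetention")
    if not rule:
        reasons.append("no DefaultRetention rule; objects are unlocked unless each write sets retention")
        return Finding(False, reasons)

    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        reasons.append("GOVERNANCE mode: a principal with s3:BypassGovernanceRetention can delete the backups")
    elif mode != "COMPLIANCE":
        reasons.append(f"unexpected retention mode {mode!r}")

    # Retention is given in Days or Years; normalize to days.
    days = rule.get("Days")
    if days is None and rule.get("Years") is not None:
        days = rule["Years"] * 365
    if days is None or days < min_retention_days:
        reasons.append(f"default retention of {days} days is below the required {min_retention_days}")

    return Finding(not reasons, reasons)


# Constructed sample: looks 'immutable' at first glance but an admin can undo it.
WEAK_LOCK = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}
WEAK_VERSIONING = {"Status": "Suspended"}

# Constructed sample: the configuration the article's use case calls for.
STRONG_LOCK = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    }
}
STRONG_VERSIONING = {"Status": "Enabled"}


if __name__ == "__main__":
    for name, cfg, ver in (("weak", WEAK_LOCK, WEAK_VERSIONING),
                           ("strong", STRONG_LOCK, STRONG_VERSIONING)):
        f = audit_object_lock(cfg, ver, min_retention_days=30)
        print(name, "OK" if f.ok else "FAIL", *f.reasons, sep="\n  ")
```

COMPLIANCE mode protects the locked object versions for the retention window even against the account root user; what it does not protect against is an attacker with organization-level rights closing the whole account, so the backup bucket belongs in a separate account with its own, minimal set of principals.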
In part II of this two-part series, Klaus Haller examines implementation of and alternatives to immutable backups in the public cloud.