What can you trust as your point of recovery, when you choose not to pay?

Mikko Larikka

Lead Security Consultant

August 27, 2020 at 08:44

Most of my customers do not back up workstations, as work is assumed to be done in "centralized" systems. Using centralized systems may be a good strategy. However, we often see that taking backups of the centralized systems fails as well, at least in the sense of protecting against ransomware attacks. Often backups are taken daily with 30 days of retention to a storage that is integrated with your AD for use and administration. If you take into account that our assumed threat actor will have full control of your ICT environment, you may end up in an unfortunate situation similar to what was discussed at the TechRepublic forums a while ago: yes, you have 30 backups taking a huge amount of disk space, but they are all encrypted by the ransomware, rendering them useless.

Your AD went south as well

Let us think about it from a workstation recovery point of view. Assume an attacker owned your AD, and all workstations and all connected file repositories were encrypted. You could easily recover your data by paying the required amount of bitcoins. What would you trust as your point of recovery or as the backup method, if you choose not to pay?

If ransomware encrypts everything in your environment, your backups might be lost, too.

The risk of losing work due to not having a tested and trusted backup method in place seems rather high. Even if a person does make backups, everyone has to decide for themselves which method to employ, and we all know what that could lead to. Even before considering the protection of said files, this is certainly not something we recommend to our clients.

So, coming back to the topic, what can you trust as your point of recovery or method, when you choose not to pay? What would work for you?

Options to secure your personal recovery

For individuals and special applications, the first thing is to know which files and configurations are to be secured, i.e., what you choose to back up and how often. One backup option is to have encrypted external storage. Mac has Time Machine, which probably functions well enough. Similarly, Windows has a File History feature. Both are journaling file systems. However, purchasing external hard drives at a larger scale may be a pricey option, and it is impractical to carry the disk with you because it might get stolen or destroyed just like your laptop. If you don't bring the disk with you, then it is easy to forget about backups. So even at an individual level, this is only a workable interim solution; a centralized and/or automated solution is a must.

Based on recent attacks on workstation infrastructure, it seems you are forced to start from a clean environment, reinstall and restore the data you can. In those cases, the recovery of personal files should be a "plug-in" type, suggesting that online file storage with a seamlessly integrating client would be the best fit.

The 3-2-1 backup rule for the win

With online file storage, it may be hard to comply with the 3-2-1 backup rule, which means having three copies of data on two different storage media, with one of them located offsite. The online storage clients' basic behavior is to continuously synchronize changes, which leaves attackers some leverage to perform a "secure erase" of the online files, or to make the online data the primary target in the first place. At a quick look, online file storage services optimize for availability over file recovery features, which may simply rely upon file version history and restoration from the "Recycle Bin". These recovery methods may not answer the kind of threat we anticipate here.

An old-school solution could be an SVN repository to fetch, check out, and check in files and folders. Backing up the SVN repository itself to an offsite location can then effectively build a personal file storage system that does comply with the 3-2-1 backup rule.

But coming back to the topic, by following the 3-2-1 rule, we can establish a point of recovery, which we can trust. Together with an automated refreshed & clean workstation installation, we can choose not to pay. 
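The two points above, that the backup copies have to be independent of the credentials the attacker holds and that the recovery point has to be verifiable, can be checked mechanically. The following is an added example, not code from the original post or from any product it mentions: it makes a dated snapshot of a folder (the "check-in"), stores a SHA-256 manifest in a separate location standing in for the offsite copy, re-verifies the snapshot against that manifest so that an encrypted or deleted backup file is detected instead of discovered during recovery, and checks a described set of copies against the 3-2-1 rule plus the "everything is administered through AD" failure mode. All paths, file contents and the copy descriptions are constructed for the example; there is no real SVN or cloud service involved.

```python
"""Added example: versioned snapshot with an independently stored integrity
manifest, plus a 3-2-1 policy check. Not part of the original post; all
directories, sample files and 'copies' descriptions are constructed here."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(source: Path, backup_root: Path, manifest_root: Path,
                  label: str = "") -> Tuple[Path, Path]:
    """Copy `source` into a new dated snapshot under backup_root and write a
    SHA-256 manifest under manifest_root. The manifest deliberately lives in a
    separate location (different disk/credentials) from the data it describes,
    so the verifier does not trust the backup disk to vouch for itself."""
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = backup_root / label
    shutil.copytree(source, snap)
    manifest = {p.relative_to(snap).as_posix(): sha256_file(p)
                for p in sorted(snap.rglob("*")) if p.is_file()}
    manifest_root.mkdir(parents=True, exist_ok=True)
    mpath = manifest_root / f"{label}.json"
    mpath.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return snap, mpath


def verify_snapshot(snap: Path, mpath: Path) -> Dict[str, List[str]]:
    """Re-hash the snapshot against its manifest. A backup file that ransomware
    has encrypted shows up as 'modified'; a deleted one as 'missing'."""
    expected = json.loads(mpath.read_text())
    actual = {p.relative_to(snap).as_posix(): sha256_file(p)
              for p in snap.rglob("*") if p.is_file()}
    return {
        "missing": sorted(set(expected) - set(actual)),
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def check_3_2_1(copies: List[dict]) -> List[str]:
    """Check described copies against 3-2-1 (three copies, two media, one
    offsite). Each copy is {"name", "media", "offsite", "ad_joined"}; the last
    flag is a hypothetical attribute meaning 'administered via the same AD'.
    Returns a list of problems; an empty list means the policy is met."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; need at least 3")
    media = {c["media"] for c in copies}
    if len(media) < 2:
        problems.append("all copies are on one media type")
    if not any(c["offsite"] for c in copies):
        problems.append("no offsite copy")
    if copies and all(c.get("ad_joined", False) for c in copies):
        problems.append("every copy is administered through AD; an attacker owning AD reaches all of them")
    return problems


def demo() -> dict:
    """Constructed end-to-end run in a temporary directory (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = root / "documents"
    (src / "projects").mkdir(parents=True)
    (src / "notes.txt").write_text("meeting notes\n")
    (src / "projects" / "plan.md").write_text("# plan\n")
    snap, mpath = make_snapshot(src, root / "backup-disk", root / "offsite-manifests", "snap1")
    clean = verify_snapshot(snap, mpath)
    # Simulate the backup disk being reached: one file overwritten with junk, one deleted.
    (snap / "notes.txt").write_bytes(os.urandom(64))
    (snap / "projects" / "plan.md").unlink()
    tampered = verify_snapshot(snap, mpath)
    weak = [{"name": "nightly", "media": "nas", "offsite": False, "ad_joined": True},
            {"name": "weekly", "media": "nas", "offsite": False, "ad_joined": True}]
    good = [{"name": "working copy", "media": "laptop-ssd", "offsite": False, "ad_joined": True},
            {"name": "svn-repo", "media": "server-disk", "offsite": False, "ad_joined": False},
            {"name": "svn-dump", "media": "object-storage", "offsite": True, "ad_joined": False}]
    shutil.rmtree(root)
    return {"clean": clean, "tampered": tampered,
            "weak_policy": check_3_2_1(weak), "good_policy": check_3_2_1(good)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The design point is where the manifest lives: if it sat next to the snapshot on the AD-integrated backup storage, an attacker who can encrypt the snapshot could rewrite the manifest too, and verification would pass. Keeping it with the offsite copy, and running the verification on a schedule rather than at recovery time, is what turns a pile of 30 retained backups into a recovery point you can actually trust.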

What do you think? How would you approach your professional computing system and data recovery?


The article was originally published on Mikko's blog.

