Every eleven seconds. That’s how frequently ransomware attacks were predicted to happen this year according to Cybersecurity Ventures. And if U.S. Treasury predictions are correct, the payouts from those attacks will exceed a billion dollars by the end of the year.
Despite taking steps to be better prepared, many companies still end up paying ransoms because the cost of extended downtime to restore from backups with limited resources exceeds the ransom demand. Even then, assuming the decryption key even works, there’s no reason to assume threat actors won’t make additional modifications, leave backdoors they can exploit again, or use exfiltrated data against you.
But you don’t have to let that be your story. Today, we’re explaining the reasons for testing your security stance, different testing strategies and best practices (including penetration testing and recovery testing), and steps you can take to develop a testing protocol.
Ransomware is on the rise. Level up your security practices along with it.
First, Implement a Strong Backup Practice
Backups are a critical piece of your ransomware defense strategy. Before thinking about testing, take the time to shore up your ransomware defenses by implementing at least a 3-2-1 backup strategy, if not a more comprehensive strategy like 3-2-1-1-0 or 4-3-2.
If you’re unfamiliar with these strategies, they advise keeping at least three copies of your data on two different media, with at least one copy off-site. Strategies like 3-2-1-1-0 and 4-3-2 go a step further, advising you to keep a copy offline or protected by Object Lock, to verify that your backups have zero errors, and/or to keep additional backup copies for good measure.
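As an added illustration (not code from the original post), the following Python script checks a constructed backup inventory against the 3-2-1-1-0 rule: three verified copies, two media types, one off-site, one offline or immutable, and zero errors. A copy that fails its checksum is treated as an error and does not count toward the other requirements. The inventory, its labels and its contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class BackupCopy:
    label: str
    media: str         # e.g. "disk", "nas", "object-storage"
    offsite: bool
    immutable: bool    # offline, air-gapped, or Object Lock protected
    data: bytes        # constructed stand-in for the copy's contents


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_3_2_1_1_0(copies, expected_digest):
    """Return a list of policy violations; an empty list means the rule holds."""
    violations = []
    # "0 errors": every copy must match the known-good digest of the source.
    healthy = []
    for c in copies:
        if sha256(c.data) != expected_digest:
            violations.append(f"copy '{c.label}' failed integrity check")
        else:
            healthy.append(c)
    # Only verified copies count toward the 3-2-1-1 part of the rule.
    if len(healthy) < 3:
        violations.append(f"only {len(healthy)} verified copies, need 3")
    if len({c.media for c in healthy}) < 2:
        violations.append("fewer than 2 media types among verified copies")
    if not any(c.offsite for c in healthy):
        violations.append("no off-site copy")
    if not any(c.immutable for c in healthy):
        violations.append("no offline or immutable copy")
    return violations


# Constructed source data and its known-good digest (hypothetical values).
PRIMARY = b"payroll-db-2024-q1: constructed sample backup payload"
GOOD = sha256(PRIMARY)


def example_inventory(corrupt_offsite=False):
    """Constructed inventory: local disk, on-prem NAS, cloud bucket with Object Lock."""
    cloud = PRIMARY + b"\x00" if corrupt_offsite else PRIMARY  # bit rot simulated
    return [
        BackupCopy("local-disk", "disk", offsite=False, immutable=False, data=PRIMARY),
        BackupCopy("nas", "nas", offsite=False, immutable=False, data=PRIMARY),
        BackupCopy("cloud-bucket", "object-storage", offsite=True, immutable=True, data=cloud),
    ]
```

With the cloud copy corrupted, the script reports the integrity failure and then shows that the remaining verified copies no longer satisfy the count, off-site and immutability requirements.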
Ransomware Readiness Resources
The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), publishes a set of guidelines that support the development of secure information systems. These controls cover operational, technical, and management practices for information security teams, including:
- How to identify and protect assets against ransomware.
- How to detect and respond to ransomware incidents.
- Recommended controls to mitigate ransomware risk.
- Guidelines for cybersecurity event recovery.
NCCoE is a collaboration between industry organizations, government agencies, and academic institutions that work together to address the most important cybersecurity challenges facing businesses today. NCCoE develops modular, adaptable example cybersecurity solutions that demonstrate how to apply standards and best practices using commercially available technology.
The Cybersecurity and Infrastructure Security Agency (CISA) also offers a module, the Cybersecurity Evaluation Tool, that guides network administrators through a process to evaluate the cybersecurity practices on their networks. When it comes to evaluating your cybersecurity defensive stance, these resources are a good place to start.
Why Test Your Ransomware Defenses?
Weathering a ransomware incident depends on how prepared you are before the attack: first, by establishing a solid backup strategy; second, by analyzing your vulnerabilities in a penetration test; and third, by testing recovery procedures to familiarize your team with your defense systems and your recovery plans. While there are many, the biggest reasons for testing your ransomware defenses include:
- Shifting threats: Cybersecurity threats are always evolving and changing. Regularly evaluating potential vulnerabilities and testing your recovery practices prepares you for unforeseen situations.
- Compliance: Companies in certain industries are required to show proof of vulnerability assessments and recovery testing in order to comply with regulations.
- Creating a culture of preparedness: Familiarizing your staff with testing and recovery procedures better prepares them if the real thing happens. In the moment, they’ll know exactly what to do.
- Prioritizing budgets: Identifying threats and potential vulnerabilities helps your team prioritize spending around the most mission critical efforts to protect your company.
Maybe your backup system is functioning well, but the effort to test recovery scenarios or analyze your environment for vulnerabilities is lower priority than day-to-day demands. Or maybe you’ve looked into vulnerability testing or recovery planning, but it’s out of scope for your organization—you may not need enterprise-scale solutions.
Either way, if you need any more justification to implement a vulnerability testing program or recovery solution, look no further than the many companies scrambling to respond to the Log4j vulnerability. A security engineer from a major software company explained it well in a WIRED article, “Security-mature organizations will start trying to assess their exposure within hours of an exploit like this, but some organizations will take a few weeks, and some will never look at it.” Any amount of time you can spend on preparation brings you that much closer to security maturity.
Testing Your Cybersecurity Readiness
Two security practices that security-mature organizations regularly undertake are penetration testing and disaster recovery testing. When thinking about your overall cybersecurity readiness, it helps to have an understanding of these key practices.
What Is Penetration Testing?
Penetration testing, or pen testing, is a broad term that covers many different levels of testing, from phishing assessments, to vulnerability identification, to full-on adversarial hacking simulations. Most organizations will choose to work with an outside consultant to conduct penetration testing and will scope out the depth and breadth of the testing procedures with them. Ideally, you want to work with someone with little or no knowledge of your systems so they can uncover vulnerabilities you might not see.
Those vulnerabilities are the output of a pen test, and they help organizations identify and prioritize steps to address in order to implement security upgrades.
What Is Disaster Recovery Testing?
Disaster recovery testing involves going through a simulated recovery scenario to make sure you can recover quickly and completely from backups. In the event of a ransomware attack or identification of a breach, the last thing you want is chaos. Regularly testing your recovery protocols helps you and your team build familiarity with the procedures. If you ever are attacked by ransomware, you’ll be much more comfortable knowing exactly what to do to bring your systems safely back up.
If you’re using Veeam to manage backups, you can use Backblaze Instant Recovery in Any Cloud to quickly recover your systems without the overhead of an enterprise-scale solution. Instant Recovery in Any Cloud is an infrastructure as code package that makes ransomware recovery into a VMware/Hyper-V based cloud easy to plan and execute.
The Testing Process
Whether you’re approaching a pen test or a recovery test, the overall steps in the process are generally similar:
- Design test objectives: Testing consumes time and resources, so it is essential to be thoughtful about what exactly you decide to test. If you are new to cybersecurity testing, you might find it helpful to start by running a simple, small-scale test. At a minimum, define the business function you’re testing, the test duration, the test method, the primary test objective, and any secondary objectives.
- Execute the test: Make early decisions about execution, including when you’ll conduct the test, if the test will interrupt production, and whether you’ll make employees aware of the test. There are pros and cons to most execution methods, so it really depends on your overall objectives.
- Analyze test results: When analyzing test results, identify both technical issues and business impacts. Did the process substantially disrupt production resulting in extensive downtime? How can you work to minimize that business impact?
- Implement continuous improvements: If you find gaps in your process during testing, celebrate that fact. You now know where you need to boost defenses or strengthen your recovery protocol before a real attack comes along. Generally speaking, focus your continuous improvement efforts on two principles: impact and likelihood. For example, a vulnerability capable of taking your payment system offline would have a high impact. If that vulnerability is also highly likely, addressing this issue may be a top priority.
- Schedule the next test: In IT security, there is no such thing as “done” because threats are constantly evolving. Tomorrow’s threats may require different safeguards. That’s why experts advise conducting annual testing of cybersecurity programs and recovery procedures as a starting point.
You Can Reduce Your Security Risk
By using regular testing and continuous improvement, you can reduce the likelihood of a severe IT security incident. Of course, there are other ways you can enhance your safeguards. If you’re looking for more detailed information on ransomware and how to protect data, identify threats, and recover from an attack, download our Complete Guide to Ransomware.