Insider’s Guide to a Malware Event — In Case of Fire, Break Glass

In my last blog post, I explained why it’s critical to be prepared to restore your data and systems after a malware attack: every minute your business is down costs you revenue and raises the odds that customers will jump ship for your competitors. But maybe you’re not convinced that your organization really needs to worry about malware. After all, you’ve used Group Policy to block removable storage devices, you provide comprehensive security training for everyone right up to the C-suite, and you follow all the other best practices for attack surface reduction. (You do all that, right? Right?) So, why worry about malware attacks?

Prevention measures are wise, but malware IS going to get in.

It’s true that not so long ago, the vast majority of malware arrived on a physical device, such as an infected floppy disk (remember those?) or USB drive. But today attackers have a number of vectors for setting malware loose in corporate networks, and new ones appear and get exploited all the time. Even if you really have fully blocked the use of removable media (though I doubt it), no amount of security training can guarantee that no user will ever open an infected attachment from a phishing email or visit a carefully crafted website that hits them with a drive-by download. Even if you faithfully keep all your systems and applications patched, you’re still exposed to fileless malware attacks that leverage zero-day exploits, because there is no patch yet to apply. And no matter how well you vet your software vendors, you can’t be sure that one of them won’t be compromised by attackers who then deliver malware through a standard, everyday application that’s on your whitelist, as happened in the infamous NotPetya attack that crippled organizations around the world.

Detection strategies are crucial, but malware moves at lightning speed.

Okay, you might say, some malware might get into my network at some point. But I’ve got monitoring and threat detection processes in place, so we’ll spot it and lock everything down before we suffer any real damage.

Having solid monitoring and threat detection capabilities is great. Essential, in fact, for security, compliance and business continuity. But even the best tools cannot guarantee a 100% success rate. After all, attackers know a lot about your antivirus and other detection solutions and take pains to sneak around them, for example by carefully avoiding the patterns of activity that antivirus tools are designed to spot. More targeted malware is designed to fool specific detection systems; for instance, the Stuxnet worm was able to destroy almost one fifth of Iran’s nuclear centrifuges in part because it made sure the programmable logic controllers kept reporting normal readings to the operators while it was damaging the equipment.

Moreover, malware can spread alarmingly quickly, so even if your tools do detect it, it might be too late. That NotPetya attack I mentioned earlier? It brought down the network of a large Ukrainian bank in just 45 seconds and completely crippled a multinational corporation in a couple of hours. On average, ransomware starts encrypting files within three seconds of execution, and many variants encrypt only the first few hundred kilobytes of each file, which is enough to render entire folders useless in a few additional seconds. One IT pro who was testing the security of IoT devices plugged a Wi-Fi-connected security camera into his network, and a malware worm compromised it in just 98 seconds.

Every organization needs a comprehensive, flexible DR strategy.

This much is certain: There is a dizzying array of malware out there, and you need to be prepared for the very real possibility that your organization will be infected. But what does being “prepared” actually entail?

Well, for starters, native tools don’t cut it. Microsoft provides some basic recovery tools, like the AD and Azure AD Recycle Bins, but they are intended for restoring a directory object, such as a user or group, that was recently deleted by mistake; they were never meant to be a comprehensive Active Directory disaster recovery solution. And just the first step in Microsoft’s manual Active Directory forest recovery process involves 13 complex sub-steps, each of which must be performed accurately and in the proper order, even as the C-suite is breathing down your neck and the phone lines are lit up like a fireworks show.
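To make concrete what the on-premises AD Recycle Bin does and doesn’t cover, here is an added PowerShell example (not code from the original post or from any vendor product) that checks whether the feature is enabled, lists recently deleted objects and restores a single deleted user. The forest name contoso.com and the account name jsmith are placeholder values I’ve assumed for illustration.

```powershell
# Added example: what the on-premises AD Recycle Bin can do, and what it can't.
# Assumes the ActiveDirectory RSAT module and Domain/Enterprise Admin rights.
# contoso.com and jsmith are placeholder values for illustration only.
Import-Module ActiveDirectory

# 1. Is the optional Recycle Bin feature enabled at forest scope? If not, deleted
#    objects survive only as stripped-down tombstones and cannot be fully restored.
$feature = Get-ADOptionalFeature -Filter 'Name -like "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Write-Warning "AD Recycle Bin is not enabled; enabling it is irreversible."
    # Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    #     -Scope ForestOrConfigurationSet -Target 'contoso.com' -Confirm:$false
}

# 2. List objects deleted within the deleted-object lifetime (180 days by default),
#    newest first, with the container they lived in before deletion.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Sort-Object whenChanged -Descending
$deleted | Select-Object Name, ObjectClass, lastKnownParent, whenChanged |
    Format-Table -AutoSize

# 3. Restore one accidentally deleted user. A Recycle Bin restore brings back the
#    object's SID, group memberships and other linked attributes; this single-object
#    scenario is exactly what the feature was built for.
$user = $deleted |
    Where-Object { $_.ObjectClass -eq 'user' -and $_.Name -like 'jsmith*' } |
    Select-Object -First 1
if ($user) {
    Restore-ADObject -Identity $user.ObjectGUID
    Get-ADUser -Identity 'jsmith' | Select-Object Name, Enabled, DistinguishedName
}

# 4. What this does NOT cover: a deleted OU must be restored before its children,
#    object by object, and if every domain controller has been wiped or encrypted
#    there is no directory left to query. That is forest recovery, not object restore.
```

Run it on a domain-joined admin workstation against a lab forest first; step 1 deliberately leaves the enable command commented out because turning the Recycle Bin on raises the forest functional level requirement and cannot be undone.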

Having reliable backups of your data and storing them offline is a good first step, but it’s not a comprehensive DR solution, either. You need to have the flexibility to recover from a wide range of disaster scenarios, from encryption of a few files to the loss of all your domain controllers, in a way that meets your organization’s unique needs and priorities. If you have a hybrid environment, you need to be sure you can get your entire IT environment, both on premises and in the cloud, back up and running normally as quickly as possible. And the recovery process needs to be automated, because the clock is ticking and the continued existence of your company is at risk.

As I noted in my previous blog post, most disaster recovery solutions simply don’t deliver this flexibility, automation and breadth of coverage. Want to learn about one that does? Stay tuned for my next post and learn how to develop a truly effective disaster recovery plan!
