Beyond Backups: Unleashing Powerful Strategies for Ultimate Cyber Resilience
Businesses are increasingly threatened by ransomware, making countermeasures essential. In this article, we will focus on cyber recovery strategies based on the NIST Cybersecurity Framework, considering the current state of ransomware. Additionally, we will explain the role of backups and propose effective countermeasures.
1. The Current State of Ransomware
1.1 Ransomware and the Growing Threat
Ransomware is a type of malicious malware that encrypts systems or data and demands a ransom for recovery. In recent years, the predominant tactic has evolved to "double extortion," where attackers threaten to release stolen data if their demands are not met. The threat of ransomware attacks remains significant, with the number of attacks and ransom payments in the first quarter of 2024 showing an upward trend compared to the same period in 2023 (*1). Additionally, there has been a decentralization of attacking groups and the emergence of new tactics. According to a report from SecureWorks, 31 new ransomware groups were identified between June 2023 and July 2024 (*2). These trends suggest that the threat of ransomware will continue to grow in the future.
1.2 Impact and Damage of Ransomware
When infected with ransomware, the consequences extend beyond direct damage, such as data encryption, theft, operational stoppages, and ransom demands. It can also lead to significant impacts, such as difficulties in business continuity, opportunity losses, and loss of customer trust. For instance, in 2024, major Japanese publisher KADOKAWA was targeted by a ransomware attack, which leaked the personal information of approximately 250,000 individuals (*3). This incident caused the distribution of their publishing business to drop to about one-third of the normal level, leading to a notable loss of approximately 2.4 billion yen. Additionally, the largest fuel pipeline in the United States, the Colonial Pipeline, was targeted by hackers in 2021, causing a system shutdown. This led to panic buying, resulting in gasoline shortages at gas stations from Florida to Virginia in the southeastern United States and a rise in gasoline prices (*4). This not only puts corporate intellectual property at risk but also raises concerns about the impact on the overall economy. There are multifaceted risks beyond financial losses, including operational disruptions and reputational damage, necessitating prompt countermeasures and awareness throughout the organization. Detecting and containing attacks swiftly and restoring business operations quickly to minimize damage are crucial.
2. Recovery from Cyber Attacks
2.1 What is Cyber Recovery
The NIST Cybersecurity Framework (CSF) provides guidelines for organizations to understand and manage cybersecurity risks. An update was made in February 2024, and CSF version 2.0 has been released (*5). Cyber recovery refers to the processes and solutions for restoring systems and data to their original state after an attack or data loss. Backups play a crucial role in this restoration process.
2.2 Transition to Cyber Resilience
Traditional backups address system failures and disaster recovery, emphasizing fast backup and restore functions and handling workloads such as virtual environments and the cloud. However, a survey by Veeam revealed that, on average, only 57% of the data damaged by a cyberattack could be recovered (*6). Therefore, simple backups are insufficient to support recovery from cyberattacks; cyber-resilient backups are needed. Cyber resilience ensures robustness to continue operations even after an attack, including threat prevention, early detection, and rapid response. The goal of cyber-resilient backups is quick recovery from data damage (such as encryption) caused by cyberattacks and risk identification and countermeasure implementation through visualizing threats within the data. The requirements include:
- Robustness of backup systems and data.
- Quick investigation to execute restoration.
- Visualization of potential risks in the data.
By fulfilling these requirements, strong defense against cyberattacks and quick recovery can be achieved.
2.3 Best Practices for Backups in Cyber Recovery
How can the requirements for backups as part of cyber resilience be realized? The measures listed above are divided into the technological perspective (Table 1) and the human and organizational perspective (Table 2). First, measures to embody the CIA triad (Confidentiality, Integrity, Availability) of information security are essential. Specifically, ensuring confidentiality through data encryption and access controls, protecting data integrity with consistency checks and change management, and guaranteeing data availability through regular backups and quick restoration procedures are necessary steps. Second, the introduction of automation tools is crucial. They allow for a swift process from data investigation to restoration in case of a cyber incident. Specific tools include backup software and SOAR (Security Orchestration, Automation, and Response). Utilizing these tools significantly reduces response time. Lastly, backup visualization and centralized management are required. Centralized management tools can comprehend all backup statuses in real-time, enabling efficient and integrated operations. Additionally, regardless of how excellent the security products (technology) adopted are, measures involving people and organizations are indispensable. This includes internal education and setting internal rules. Implementing these best practices enables quick recovery from cyberattacks and minimizes business interruptions.
| Requirements | Measures from a Technology Perspective | Details |
|---|---|---|
| (1) Robustness of Backup Systems and Backup Data | Encryption | Encrypt backup data to protect it from unauthorized access. |
| Air-gapping and Multiple Locations | Store backup data in multiple physical and cloud locations to protect against attackers. | |
| Creation of a Write-protected Backup | Create read-only backups to ensure data integrity. | |
| Access Control and Permission Management | Minimize data access and enforce the least privilege principle to protect it. | |
| (2) Accelerating Investigation Required Before Restoration | Implement of Monitoring and Detection Tools | Implement SIEM (*7) and EDR (*8) to monitor logs and detect anomalies in real time. |
| Implement Automation Tools | Automate processes to expedite tasks and reduce human errors. | |
| (3) Visualization of Risks in Backup Data | Implement Risk Analysis Tools | Implement tools to identify and evaluate data risks and visualize them. |
| Vulnerability Scanning | Regularly scan data vulnerabilities. |
Table 1: Measures from a Technology Perspective for Requirements
| Measures | Details | |
|---|---|---|
| Human and Organizational Perspective | Recruitment and Retention | Recruit and develop personnel with specialized knowledge to improve the efficiency of restoration work. |
| Training and Education | Regularly educate employees on backup procedures and their importance to ensure proper awareness. | |
| Roles and Responsibilities | Clearly define the roles and responsibilities of personnel responsible for backup operations and provide appropriate supervision. | |
| Policy Setting | Establish and adhere to clear policies and procedures regarding backups. | |
| Regular Risk Assessments | Conduct regular evaluations and implement measures that are appropriate to the current situation. |
Table 2: Measures from a Human and Organizational Perspective for Requirements
- (*7) An abbreviation for Security Information and Event Management. These systems collect and analyze data from various sources within an IT infrastructure to identify and respond to security threats in real-time.
- (*8) An abbreviation for Endpoint Detection and Response. These solutions focus on detecting, investigating, and responding to suspicious activities at the endpoints (e.g., computers, servers, mobile devices).
3. Strengthening Cyber Resilience through Backup Strategies
Backup strategies to strengthen cyber resilience must incorporate the fundamental principles of information security (CIA: Confidentiality, Integrity, Availability), the introduction of automation tools, and visualization and centralized management. This ensures the security and availability of backup data, allowing for a swift response during a cyber incident. Additionally, employee training and establishing proper operational rules are essential to enhance the reliability of backups. However, many companies lack sufficient resources for security measures and are often unsure of which measures to prioritize. Our company provides comprehensive support, from risk assessment of ransomware attacks to data protection. Utilizing our vast experience and global network across various industries, we evaluate the appropriateness of countermeasures and offer optimal solutions. Furthermore, our highly reliable cyber recovery solutions ensure quick system restoration and business continuity. For example, we received an unclear request about ransomware countermeasures from a large customer in the global hospitality industry. We swiftly identified the customer's concerns regarding cyber resilience and provided proposals aligned with the client's roadmap. By leveraging our flexible and globally scalable capabilities, we achieved adequate data protection for the customer. As a result, companies can implement sufficient security measures with limited resources and respond swiftly and accurately to cyber threats.
After joining NTT DATA, He has engaged in global strategy and service planning in Data security and OT/IIoT security.
