Ransomware has been a prominent threat to government agencies, enterprises, and individuals alike since the mid-2000s. In 2017, the FBI’s Internet Crime Complaint Center (IC3) received 1,783 ransomware complaints that cost victims over $2.3 million. Those complaints, however, represent only the attacks reported to IC3; the actual number of ransomware attacks, and their cost, is much higher. In fact, there were an estimated 623 million ransomware attacks last year alone.
But what is ransomware? Ransomware is a type of malicious software that gains access to files or systems and blocks user access to those files or systems. Then, all files or devices are held hostage using encryption until the victim pays a ransom in exchange for a decryption key. The key allows the user to access the files or systems encrypted by the program.
Ransomware gangs like Conti currently aim to lock government agencies out of their own data so that they can extort money and cause havoc. The likelihood of cyberattacks is at an all-time high. In March of this year, the White House released a statement warning organizations to back up their data because of potential cyberattacks from these rampant ransomware gangs.
However, if government agencies have a resilient data recovery plan in their back pocket, they can not only deter the threat of cyberattacks but also recover their data after one. The main questions government agencies need to think about are: how will we respond when we’re attacked? How can we get our operations back up and running? And, since not all applications are created equal, how do we identify which application systems are the priority for recovery?
For government agencies to be prepared for these possible cyberattacks, they need to follow these four steps to create a resilient data recovery plan in order to reduce the likelihood of an attack, detect threats, and recover data.
When making a resilient data recovery plan, remember that it is a plan to protect the agency. It’s imperative that everyone in the agency is clear about the plan and understands it. If only one person is educated on the plan, it creates a high-risk situation for the entire organization: that one person could be sick or on vacation, and if a cyberattack hits, there’s no guidance for what to do next. Having everyone in the agency educated on the procedures of this plan is vital for success and for protection of that static data. Many agencies are also geographically dispersed, so when grouping and thinking about what the static data is, it’s important to know where the data is and how much data is held in each location.
However, before government agencies can have a successful recovery plan, they need to think about what data is the most essential to keep, and they need to focus on what their static data is.
Once data is classified as static data, government agencies can think about Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). These define how long it will take to recover that data and how much data the organization is willing to lose. It’s highly recommended that every organization include its stakeholders in this conversation, so that the planning process can reach a compromise on the tolerable time for recovering that data and the acceptable amount of data loss. Again, most people will want to say zero data lost, but it’s important to talk about the reality of the situation and get them to focus on what is the most essential to keep.
With all of this in mind, it’s essential to plan for Active Directory (AD). This is one of the most essential parts of the entire process. AD is the primary way users gain access to the agency’s applications, databases, files, and endpoints. All of this data can be restored, but without AD, it’s impossible to access any of that restored data. Without access to these domain controllers, government agencies will still be at a loss even if every other step of this recovery plan is successful.
Most agencies that follow this data recovery plan back up their AD after each workday to ensure that nothing is lost. Without AD, everything else falls apart.
Planning, Prioritization, and Dependencies
When planning and prioritizing what data is essential to keep, it’s a good idea to look at the dependencies of that data. For example, when baking a cake, the ingredients are needed to achieve this goal. Otherwise, the cake can’t be created. When looking at the dependencies of organizational data, the sequence of how that data is retrieved is critical to understand. This allows agencies to identify all risks to better prepare for a cyberattack.
If an agency doesn’t know where the vulnerabilities in these data dependencies are, attackers can take advantage of those weak spots and cause damage to the organization. Knowing who has access is another risk agencies need to keep in mind.
For example, in 2020 a Tesla employee was targeted by a Russian hacker who tried to get him to install malware on a company device in exchange for 1.5 million in cash. According to the U.S. Department of Justice in a newly unsealed indictment, “The purpose of the conspiracy was to recruit an employee of a company to surreptitiously transmit malware provided by the coconspirators into the company’s computer system, exfiltrate data from the company’s network, and threaten to disclose the data online unless the company paid the coconspirators’ ransom demand.” In this case, the employee agreed but called the FBI to be part of the conversation, deterring the attack on Tesla.
Ransomware attackers want data of value to extort an organization. So, when an organization is planning for data recovery and prioritizing which data is static, focusing on the RTO and backup of that data is crucial. There is a plethora of recovery tools available, and the hardware within an organization doesn’t always match from device to device. So, IT professionals recommend using driver injection to allow organizations to find suitable drivers for their target devices. This ensures the ability to successfully back up the organization’s data.
Backup and Recovery Strategy
The backup of data is an agency’s last line of defense during a data breach. Replicating files is important because it allows the agency to fall back on that data if a breach is successful. People often build their backup solutions around the recovery time it takes to retrieve that data. However, government agencies also need to think about the bandwidth that’s available. Is there enough bandwidth to get all that data back within the target recovery time?
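As an added example (not part of the original article), the RTO/RPO conversation above and the bandwidth question can be checked with arithmetic: restore time is the size of the backup set divided by the link speed, and the worst-case data loss is the backup interval, multiplied if the most recent backups must be assumed tainted by the attacker. The figures below (sizes, link speeds, targets, and the `backups_to_skip` parameter) are constructed assumptions for illustration.

```python
"""Sanity-check RTO/RPO targets against backup cadence and restore bandwidth."""
from dataclasses import dataclass


@dataclass
class RecoveryTarget:
    name: str
    data_gib: float           # size of the backup set that must be restored
    backup_interval_h: float  # hours between backups (the page suggests daily for AD)
    rto_h: float              # target Recovery Time Objective, in hours
    rpo_h: float              # target Recovery Point Objective, in hours


def restore_time_hours(data_gib: float, bandwidth_mbps: float) -> float:
    """Hours to pull data_gib over a link of bandwidth_mbps (megabits/s), ignoring protocol overhead."""
    bits = data_gib * 1024**3 * 8
    return bits / (bandwidth_mbps * 1_000_000) / 3600


def min_bandwidth_mbps(data_gib: float, rto_h: float) -> float:
    """Link speed (Mbps) needed to restore data_gib inside rto_h hours."""
    bits = data_gib * 1024**3 * 8
    return bits / (rto_h * 3600) / 1_000_000


def assess(target: RecoveryTarget, bandwidth_mbps: float, backups_to_skip: int = 0) -> dict:
    """Compare achievable restore time and worst-case data loss against the targets.

    backups_to_skip (an assumption, not from the page) models ransomware dwell time:
    if the newest N backups may already contain encrypted or tampered data, the
    restore must come from an older copy, so the realistic RPO grows by N intervals.
    """
    restore_h = restore_time_hours(target.data_gib, bandwidth_mbps)
    # Worst case: the attack lands just before the next backup would have run.
    worst_loss_h = target.backup_interval_h * (backups_to_skip + 1)
    return {
        "name": target.name,
        "restore_hours": round(restore_h, 2),
        "worst_loss_hours": worst_loss_h,
        "meets_rto": restore_h <= target.rto_h,
        "meets_rpo": worst_loss_h <= target.rpo_h,
        "bandwidth_needed_mbps": round(min_bandwidth_mbps(target.data_gib, target.rto_h), 1),
    }


if __name__ == "__main__":
    # Constructed sample targets: a domain-controller backup and a large file share.
    ad = RecoveryTarget("domain controllers", data_gib=50, backup_interval_h=24, rto_h=4, rpo_h=24)
    files = RecoveryTarget("file share", data_gib=20_000, backup_interval_h=24, rto_h=24, rpo_h=4)
    for t in (ad, files):
        print(assess(t, bandwidth_mbps=1000))
```

On a 1 Gbps link the 20 TiB share needs roughly 48 hours to restore, double its RTO, and a daily backup cannot satisfy a 4 hour RPO; those are the numbers to bring to the stakeholder conversation.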
After figuring this out, a disaster recovery plan can be built around that information and data. With that being said, before agencies can successfully perform the recovery process, they have to have a backup. Once everything is backed up, it’s recommended to be mindful of who has access to these files. If this is overlooked, people have the potential to leverage their access to prevent others in the organization from using the data. There might be a disgruntled former employee who still has this access, or someone within the agency might connect over a public internet connection, creating the risk that these files are tampered with.
This is why it’s important to render the data immutable. Doing this makes it so that the backed-up data can’t be deleted, changed, or modified, and the recovery of this data stays possible.
Most IT professionals would recommend creating a subnet for this immutable data and putting the repository for the data within that subnet. This creates a separate network where the data isn’t publicly available and is stored only within the repository. The data can then be encrypted both at rest and in transit to protect it from ransomware attacks.
Testing your plan
Testing the data recovery plan is the most common step that government agencies miss. However, this is essential for success and protection. There could be a new hire, people being promoted to new roles, or people leaving the agency. The cyber threats to that organization may have also changed. Government agencies are urged to practice this plan frequently. This way, everyone is prepared to act if a cyberattack happens.
Having a plan for different types of data is also recommended, because not everything can be backed up the same way. Taking a couple of applications and practicing a restore is essential to see whether the data comes back correct and complete. The worst-case scenario for any government agency is realizing the plan failed during a data breach. So, it’s important to find these issues while practicing the plan, to ensure successful data restoration.
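The practice restore described above only proves something if the restored data is compared against a known-good record. As an added example (not the article's own tooling), the script below builds a SHA-256 manifest of a backup set, then checks a restored tree against it and reports files that are missing, altered, or unexpected; the sample files and the simulated restore failures are constructed for the drill. Keeping such a manifest outside the backup repository also gives the tamper-detection the access-control discussion earlier was concerned about.

```python
"""Verify a practice restore: every file in the backup manifest must come back byte-identical."""
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory


def build_manifest(root: Path) -> dict:
    """Record the SHA-256 of every file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    result = {"missing": [], "mismatched": [], "unexpected": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            result["mismatched"].append(rel)
    # Files that were never backed up are a sign the restore pulled from the wrong place.
    for p in sorted(restored.rglob("*")):
        rel = p.relative_to(restored).as_posix()
        if p.is_file() and rel not in manifest:
            result["unexpected"].append(rel)
    result["ok"] = not (result["missing"] or result["mismatched"] or result["unexpected"])
    return result


def run_drill() -> dict:
    """Constructed drill: back up three files, then 'restore' them with one altered and one missing."""
    with TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        (src / "app").mkdir(parents=True)
        (src / "app" / "config.ini").write_text("db=payroll\n")
        (src / "app" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(src)          # taken at backup time, stored out of band
        (dst / "app").mkdir(parents=True)       # simulated restore target
        (dst / "app" / "config.ini").write_text("db=payroll\n")
        (dst / "app" / "ledger.csv").write_text("id,amount\n1,999\n")  # altered after backup
        # readme.txt is deliberately never restored
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(run_drill())
```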
When going through this practice process, deciding who has the authority to implement the data recovery plan is critical. The last thing any government agency wants is to suffer a data breach while nobody is comfortable acting on the plan, causing all data to be lost because no one was prepared. Therefore, a quarterly table-top review and practice of this plan is the recommended bare minimum to ensure success.
Disaster recovery may seem complicated, but it’s quite simple if backups of the domain controllers are created. Once this backup data is created, putting up a firewall is recommended so nobody else can access the data. The next step is to install the recovery software that best fits the agency and copy that backed-up data over to the other machines being used for data storage, creating the restored data.
Once this process is complete, an isolated network has been created and the organization’s DR team can finish the recovery process because AD is now available to them. Following all four of these steps in the data recovery plan will ensure protection of a government agency’s data and continuity of its operations.