How Data Management can become the CSI Lab in Incident Response

During an attack it is essential to quickly understand how attackers or malware were able to successfully breach into the network.

What vulnerabilities were exploited? What controls were circumvented? How did they escalate privileges? How are they maintaining persistence? What sensitive or regulated data has been touched?

It’s often overlooked but data management can play an essential role in helping CISOs and the security operation team answer those questions, all without touching primary data and potentially tipping off the adversary, or creating additional risk.

One simple example is vulnerability scanning; a typical approach is to actively scan production systems across a network. This has performance impacts on production, requires holes to be punched through firewalls to provide access and often leaves access credentials on yet another system. Outlying parts of the network, often the ones that represent “patient zero” in any attack may never get scanned at all. Similarly, in penetration testing, organisations are often hesitant to let testers go “full bore” at their production environments in case they cause an outage or degradation in performance. Breach & Attack Simulation and Continuous Controls Validation platforms add a lot of value, but can also impact production environments.

Another example is data discovery, similar to vulnerability scanning where holes need to be punched through firewalls and system credentials stored in a third-party system, or agents deployed in order to discover where sensitive and regulated data resides.

You already know where your sensitive and regulated data is

Rather than deploy yet another agent that increases the potential attack surface and impacts on performance of production systems, why not scan the backups for sensitive data? Modern backup platforms are already optimised for the searching and retrieval of data within the back-ups. It’s a simple task to extend this capability to discover that data across your entire estate regardless of workload.

Make more of digital twins

There is a superior alternative to vulnerability scanning and penetration testing on the live network, and that is to focus the work on a digital twin of the production environments backup instead. Doing so can help organisations do a more thorough job, reduce overheads on live systems, achieve better, faster detection, and help organisations restore a clean, uncompromised backup if the worst happens.

An organisation can make as many digital twins as needed, which can bring considerable advantages. For example, using a single backup clone running in a virtual machine, many penetration testers can attack in different instances in parallel without affecting each other. Breach & Attack Simulation and Continuous Controls Validation platforms are free to bombard multiple copies of production to identify weaknesses and the strength of deployed controls. With many tests running simultaneously. Results are delivered faster, intrusion potential known about earlier, and fixes can be applied to live systems at speed.

Focus on executables

There’s another reason why working in the backup environment has a major advantage. Executable files are a favourite of bad actors. They can sit on a system for weeks or longer undetected, where they can replicate themselves, encrypt files, send data out to third parties, and more.

By the time a ransomware attack is known about, bad actors could already be in possession of crucial information which they can threaten to publish if the victim doesn’t pay up.

If working with primary data, it is very likely that any work to remove the executable files will alert the attacker, who will then rush into action to lock or delete data. Moreover, the executables will have been backed up along with everything else, so any restores simply go back to a state where either the executable or vulnerability is still there – meaning the attack can get going again.

Working with backups means it is possible to look back in time, see when the executable file first appeared, grab it, and remove it. If the executable has begun doing its work and is replicating but hidden, relevant activity can be identified and remedial action taken. With a backup free of the ransomware actor’s payload, a CISO can authorise a restore knowing that the ransomware attack can’t simply kick in again.

Backups as a time series

This hints at another key reason that it is better to address system security via backups, and that is because they provide a highly valuable time series. An organisation only has one version of its live data, but its backups can stretch back in time to last week, last month, or even last year.

Without snapshots of backups over time, organisations only have access to what the file system looked like after an attack when the forensic image is made. This means that efforts to restore the system to its pre-attack state are severely hampered because the organisation is relying on assumptions and guesswork to work out how the system was attacked, when any executables were put in place, how privilege was escalated, how persistence is maintained and what parts of the system were affected. With time series, this type of information can be known and understood. Data that has been compromised can be surgically restored to an earlier, uncompromised state.

Organisations used to think of backups as their insurance policy against loss, theft or damage of data. Cyber-attacks have changed that forever, and backups are now the ultimate insurance policy against cyber-attack, but they are so much more. They are also the logical place to put vulnerability scanning and penetration testing, because of the toll these take on live systems. CISOs can use backups to help meet the two crucial tasks that define their jobs: protecting organisational data and systems, and restoring clean systems after any attack. They are also a font of knowledge assisting data governance and security operations.

About the Author

James Blake is EMEA CSO at Cohesity. We’re on a mission to radically simplify how organizations secure and manage their data, while unlocking limitlessvalue. As a leader in data security and management, we make it easy to secure, protect, manage, and derive valuefrom data—across the data center, edge, and cloud.


Featured image: ©Janews