In this podcast, we look at ransomware and data storage with Chris McKean, a solutions specialist at NetApp.
He talks about what storage suppliers can build into storage products that can help protect and remediate against the effects of ransomware attacks. These include detection, protection of data and locking data against unauthorised attempts to change it.
McKean also talks about how storage anti-ransomware functionality fits into the bigger picture of anti-ransomware strategy in the datacentre.
What does ransomware do – in its various forms; encryption, exfiltration, and so on – that impacts data storage?
McKean: Ransomware can almost cripple storage completely, because that’s the target with ransomware attacks.
You’ve already said there is encryption and exfiltration. Usually, an attacker will get access to a company or an organisation network, and one of the first things once they have found the way around is they will look to exfiltrate the data.
They will copy off as much important data as they can, because at that point, they already have a bargaining chip to say to a company, “If you don’t pay us the ransom, we will release these records onto the dark web for sale or into the public domain,” however they’re going to do that.
There’s usually a two-pronged attack – and also, as well as having access to the data, they will then try to encrypt all the data on the data storage. At that point, unless your organisation can cope with having no digital ability to function, you’re going to be in a bad way.
You probably can’t operate whatever services that your business offers because everything needs data. You know, a user or an application, even if what they’re accessing directly doesn’t have much data, that will probably have a dependency on something further down the line, a database or a data lake. At some point, it’s going to need to access that data.
If that data is encrypted and the attacker, the ransomware gang, have the encryption key and only they have it, you’re not in a good place.
What features can storage vendors build in to combat ransomware?
McKean: I’d say there are a few sort of key features. The first one is detection – spotting something happening at the storage layer.
As we’ve already said, if data is being encrypted, can that be spotted? Can you say, “Right, I can see the encryption levels on this storage area have started creeping up”? Or are we seeing new file types appear that we’ve never seen before with, you know, strange file extensions? You can do that on the data layer. That’s a brilliant way of saying, “I think there’s some ransomware happening. We can see all of a sudden this volume of data has gone from 2% encryption to 14% encryption.”
Now, going a step beyond that, you probably ideally at the storage layer want to pin that encryption or that attack onto an area. For instance, if you’ve got a volume and the encryption starts flying up, that’s really good information. And a company can act on that and look to put steps in place to restore the data, and so on.
But, you know, where did that attack come in from? And that’s where user and entity behavioural analytics, or UEBA [comes in]. I think that’s another step that storage vendors can include.
If I have access to a small percentage of the [total] storage, let’s say 100 terabytes of data, and I actually only have access to 1% or less, I can go and encrypt [what would be] a lot of data for me. But the storage as a whole, that 100 terabytes, is only going to see a very, very small increase in encryption.
However, if something is monitoring my behaviour, then although as a proportion, [of] the total storage, it’s a very small percentage, for me, it’s a massive uptick. And that’s a potential flag to say, “What is Chris McKean doing? Has his account been compromised? We can see it’s all of a sudden copying off lots of data, encrypting lots of data.”
That’s the UEBA piece, as well as just looking at general encryption and file types and things like that. There are some of the things that storage vendors can do to spot attacks happening. Now, that’s great, but also you do need to do stuff at the protect function as well. It’s even better if you can stop it happening in the first place. That’s where standard things like RBAC [role-based access control] and a zero-trust sort of approach – giving people access to only what they need – come in.
It’s not just users’ laptops and devices that are going to be doing the encryption or they’re going to be the infected devices. It could be a compromised user account. You see all the time lots of users’ accounts get compromised.
You could introduce a feature maybe like multi-admin verification where you cannot perform certain destructive commands on storage without someone else approving it.
What are the limitations to what storage vendors can do? What part of the overall strategy does storage fulfil?
McKean: The limitation, obviously, is that it’s just at the storage layer. Now, that layer is as vital as any other layer. Having protection and detection at the storage layer is as important as having it on somebody’s laptop or something running at the edge of the network.
But that is just one layer. The storage layer can’t stop someone’s device being infected by malware because they’ve clicked a phishing link. But that’s not to say you can’t do lots and lots at the storage layer to hopefully be that last line of defence should someone have got right through the network and then have access to the storage.
If your storage can stop attacks or spot attacks, that’s vital, but also you should always have a way to lock in certain amounts of data. It’s about that “assuming breach” part of the zero-trust architecture.
There should be a way on storage to say, “OK, we’re going to take a copy of this data and we’re going to lock it away for two months, five years, however long that is.”
And that way, even if all those other steps and the protection measures you’ve put in place are breached, you have a copy of data that is good from five weeks ago, five months, a year, and so on. So, I think there are limitations, and it’s basically that it’s just at the storage layer.
However, there can still be a lot that you can do at that storage layer that could potentially be a real saving grace for a company that has had its network infected by malware.
What I take from that is that storage, in a sense, is like a backstop. Would you agree with that?
McKean: I always think of it as the goalkeeper in a football team. If you get past the attackers and dribble through the midfield, and even if you get past the defence, you’ve got that last line of defence.
You’ve got that goalkeeper that’s stopping the attacker getting access to the thing they really want access to, because it’s with the data that an attacker can best monetise an attack.