The Best Defense is a Good Defense: Another Look at Secure Isolated Recovery Environments and Ransomware
Posted October 18, 2024 by Kevin Finch
It’s no secret that the frequency and severity of ransomware attacks have grown dramatically in the past few years. When attacked, about 80% of businesses pay the ransom, but over a fifth of those never get their data back. A large percentage even find themselves having to pay ransoms over and over again because they are never able to completely repair the systems that were compromised. Most companies should expect to be down for about 24 days with a ransomware infection, and cases of system impacts lasting several months are becoming more commonplace. (Triple Extortion Ransomware is now a thing too.)
Preparing for a Ransomware Attack
Obviously, an ounce of prevention is worth a pound of cure when it comes to dealing with ransomware. You are always going to be better off never getting compromised. However, many security experts are saying that it’s better if businesses come to the realization that it’s not a matter of if they’re going to get compromised by a ransomware attack, it’s more a matter of when.
“There is no good in arguing with the inevitable. The only argument available with an east wind is to put on your overcoat.”
James Russell Lowell, American Poet
Secure Isolated Recovery Environments (SIRE)
Presuming that everyone is going to eventually get infected by ransomware, the most prudent course of action then is to prepare for recovering from that attack when it comes. A method of systems recovery that has been getting a lot of attention lately is the idea of having a Secure Isolated Recovery Environment (SIRE) available. Being able to deploy the SIRE, recover your systems into it, and test functionality and prevent reinfection is a winning strategy that lets you deploy recovered systems safely and more rapidly.
Looking at traditional Disaster Recovery (DR) planning, there are some real shortcomings in recovering from a ransomware attack. In a traditional DR you tend to pull in your most recent backup of a system and bring it online, which works fine in a situation where you have a multi-server outage, loss of a facility, or other “traditional” sort of disaster. If plans are up to date, backups are working, and the processes are well-tested, this can be a viable solution if you suffer a physical impact to your environment. But in a ransomware attack, recovered systems might get attacked and reinfected as soon as they are put back online. Depending on the nature of the attack, your backup and recovery infrastructure may also be compromised by ransomware. If you aren’t isolating your systems, you may find you are unable to restore some servers because the backups are corrupted, and you can’t deploy any recoverable servers because they become instantly infected. To make things worse, nearly all ransomware attacks target your backups. Traditional DR simply can’t keep pace with ransomware.
“Change before you have to.”
Jack Welch
So, what’s the solution? To make sure that you have clean data to restore, you need to have some sort of immutable copy of the data to restore from. To make sure that your redeployed systems don’t get instantly reinfected, you need to have a secure and isolated environment to recover them into. Once recovered, you can perform testing and configuration operations on the recovered systems in preparation for eventual redeployment. If you find yourself wondering when your systems were actually compromised, you can recover servers from backup into that secure environment one at a time, checking each one for infections as you go.
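The one-server-at-a-time walk described above can be scripted: gate each restore on the immutable copy's integrity, run a validation check inside the isolated environment, and stop at the newest snapshot that passes both. This is an added illustration, not Sayers' tooling; the snapshots, hash manifests and infection indicators are constructed sample data, and a real deployment would plug in its own backup API and scanners.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample indicators for the validation step; a real check would use the site's own scanners.
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.html"}
ENCRYPTED_EXTS = (".locked", ".encrypted")

@dataclass
class Snapshot:
    taken_at: str   # ISO date, used for ordering
    files: dict     # path -> content bytes, as restored into the isolated environment
    manifest: dict  # path -> sha256 recorded when the immutable copy was written

def manifest_for(files):
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}
def verify_immutable_copy(snap):
    """Integrity gate: restored bytes must still match the manifest taken at write time."""
    return manifest_for(snap.files) == snap.manifest

def looks_infected(snap):
    """Validation run inside the isolated environment: ransom notes or encrypted extensions."""
    for path in snap.files:
        name = path.rsplit("/", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES or name.endswith(ENCRYPTED_EXTS):
            return True
    return False

def classify(snap):
    if not verify_immutable_copy(snap):
        return "corrupt"
    return "infected" if looks_infected(snap) else "clean"

def find_last_clean(snapshots):
    """Restore newest to oldest, one at a time; stop at the first snapshot that passes both checks."""
    verdicts = {}
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        verdicts[snap.taken_at] = classify(snap)
        if verdicts[snap.taken_at] == "clean":
            return snap, verdicts
    return None, verdicts  # no usable restore point in this set
def make_snapshot(taken_at, files, tamper=None):
    """Constructed snapshot builder; `tamper` overwrites files after the manifest is recorded."""
    manifest = manifest_for(files)
    return Snapshot(taken_at, {**files, **(tamper or {})}, manifest)

SAMPLE = [  # constructed: clean, then a silently corrupted backup, then an encrypted server
    make_snapshot("2024-10-01", {"srv/app.cfg": b"db=prod", "srv/data.db": b"rows"}),
    make_snapshot("2024-10-08", {"srv/app.cfg": b"db=prod", "srv/data.db": b"rows"}, tamper={"srv/data.db": b"junk"}),
    make_snapshot("2024-10-15", {"srv/app.cfg": b"db=prod", "srv/data.db.locked": b"\x00", "srv/readme_decrypt.txt": b"pay"}),
]
```

Running `find_last_clean(SAMPLE)` rejects the October 15 snapshot as infected and the October 8 one as corrupt, and returns October 1 as the restore point, which also dates the compromise to the window between those backups.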
In addition to being a viable recovery strategy from a ransomware attack, there are also some strategic benefits to implementing SIRE in your environment. The simple process of creating a secure environment to store your immutable backups adds an additional layer of security to your environment overall. If your backup environments are isolated from your production environment, obviously it’s going to be more difficult for your backups to get corrupted in the event of a ransomware attack. SIRE can also reduce downtime by enabling faster recovery times: if you’re in a position where you need to restore systems quickly, you can do so without the fear of interrupting production systems. A secure isolated recovery environment can also simplify compliance by helping businesses meet regulatory requirements for data protection more easily. Disaster recovery testing is also significantly easier in a secure isolated recovery environment, because not only do you not have to worry about potentially impacting production by restoring systems, you also have the ability to run restoration exercises in an isolated environment anytime you like.
There are a number of products in the marketplace that can help set up and administer a SIRE environment, especially for companies with cloud and/or hybrid cloud environments. Some cloud providers have built-in tools to help with data restore, but more importantly, there are several solutions out there that can automate the process. There are even tools out there that can restore your virtual servers to the cloud, spool them up, and run scripts to validate that they’ve restored correctly – all automatically, and as often as you want. If SIRE is good, SIRE that automatically does DR testing in the background as your backups run is even better. While this all might seem a little bewildering at first, the benefits far outweigh the downsides and the initial up-front engineering effort. If you would like some help figuring out more about this approach to data protection, Sayers is here to help. We have helped dozens of companies gain the benefits of a secure isolated recovery environment, and we would be happy to help you set one up too.