3 steps to build your ransomware and cyber attack readiness playbook

Celeste Kinswood, Director, Product Marketing - Cyber Resilience & Data Governance

How to get critical insights into backup security posture and data risks.

Developing a ransomware and cyber attack readiness playbook helps you prepare for cyber attacks, keep your backup data safe, and automate the process of recovering your data. As cyber attackers increasingly target backups, IT and security teams commonly lack visibility into their backup environment, which leaves data anomalies and malicious access attempts undetected. Eliminating these blind spots by improving security posture and observability is just one of the best practices we recommend in a three-step ransomware playbook.

Step 1: Protect your data

The first step in your ransomware playbook starts well before an attack. Make sure that a clean, safe copy of your critical data exists that is isolated from your production environment. Backups are useless if they are encrypted or deleted by ransomware, which is why cyber attackers target them.

5 ways to make sure you’ll always have a clean copy of data to restore:

  • Ensure data integrity and availability
    The first step to protect backup data is making sure attackers can’t access where it’s stored. Do this by storing immutable copies of backup data on an air-gapped system, protected by strong access controls and security protocols.
  • Air-gap your data
    Ransomware does not need a live connection to its command and control servers to encrypt files, so an air gap is not about cutting off C2. Its value is that a copy of your backups stays unreachable from a compromised production network, so an attacker who can encrypt or delete primary data cannot do the same to that copy.
  • Employ access controls with strong security protocols
    Implementing RBAC to limit who can perform critical backup operations (for example restores, deletions and retention changes), MFA (Multi-Factor Authentication) on every administrative login, and SSO (Single Sign-On) so that access is granted and revoked centrally should be non-negotiable table stakes.
  • Make your data immutable
    Your backup solution should give you the option to mark specific data sets as immutable. This means that these data sets can’t be modified or deleted before their retention period expires, even with administrative credentials.
  • Keep up with operational security
    It’s no shocker that keeping up with vulnerability scans, patching, and upgrades is a struggle. Attackers know that secondary environments are often a second priority for security, and they target backup systems accordingly.

Step 2: Stay cyber attack ready

How do you know if you’re actually ready for an attack? Protecting your data alone isn’t enough. Security and IT teams need ongoing visibility into the security posture and data risks within their backup environments to spot anomalies and suspicious activity.

6 ways to quickly identify security issues before they cause major damage:

  • Improve posture and observability
    You need the ability to evaluate and improve your security posture and maintain clear visibility into your data, wherever it resides. This includes a centralized security dashboard that alerts on suspicious activity.
  • Detect data anomalies
    Ransomware attacks produce anomalies at the data level: unusual volumes of files created, modified, or deleted between one backup and the next. Quickly identifying anomalous data sets helps you detect an attack and choose the right course of action during recovery.
  • Identify malicious access attempts
    Situational awareness of activity in your backup environment helps identify malicious actions, such as unauthorized access or deletions. Observing what users and API clients did before and during an attack provides important insights.
  • Apply continuous monitoring
    Continually monitor your backup environment so that out-of-the-ordinary activity is caught as it happens rather than discovered after the damage is done.
  • Implement a rollback actions feature
    Credential compromise is common, and an attacker who has taken over an admin’s device or session can pass MFA, so you need to be able to get data back even when it was deleted using “authorized” admin credentials.
  • Get full visibility
    You need complete visibility into backup security posture, data anomalies, and access attempts to protect your data, prepare for threats, and recover quickly.
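The anomaly and access-attempt checks described above, worked through in code. This is an added example, not Druva’s code or any product’s API: the per-snapshot change counts, the backup-console audit events, the user names and the thresholds are all constructed for illustration, and a real deployment would pull these from the backup platform’s own reporting. It flags a snapshot whose change ratio far exceeds the baseline of earlier snapshots, reports the last clean snapshot before it, and separately flags logins from a country never seen for that user and bulk snapshot deletions.

```python
"""Added example (not Druva's code): flag anomalous backup snapshots and
suspicious backup-console activity from constructed data."""
from statistics import median

# Constructed sample data: one snapshot per day for a ~1,000-file dataset.
SNAPSHOTS = [
    {"id": "snap-01", "created": 12, "modified": 40, "deleted": 3, "total": 1000},
    {"id": "snap-02", "created": 9, "modified": 35, "deleted": 2, "total": 1007},
    {"id": "snap-03", "created": 15, "modified": 52, "deleted": 4, "total": 1018},
    {"id": "snap-04", "created": 11, "modified": 38, "deleted": 1, "total": 1028},
    # Ransomware run: almost every file rewritten (encrypted copy), original removed.
    {"id": "snap-05", "created": 950, "modified": 30, "deleted": 940, "total": 1038},
    {"id": "snap-06", "created": 4, "modified": 6, "deleted": 0, "total": 1042},
]

# Constructed backup-console audit events (hypothetical users and countries).
ACCESS_EVENTS = [
    {"ts": "2024-03-01T08:02Z", "user": "backup-admin", "country": "US", "action": "login", "count": 1},
    {"ts": "2024-03-01T08:10Z", "user": "backup-admin", "country": "US", "action": "restore", "count": 1},
    {"ts": "2024-03-02T03:41Z", "user": "backup-admin", "country": "RO", "action": "login", "count": 1},
    {"ts": "2024-03-02T03:44Z", "user": "backup-admin", "country": "RO", "action": "delete_snapshot", "count": 12},
    {"ts": "2024-03-02T09:15Z", "user": "dr-operator", "country": "US", "action": "login", "count": 1},
]


def change_ratio(snap):
    """Fraction of the dataset touched in this snapshot (created+modified+deleted)."""
    return (snap["created"] + snap["modified"] + snap["deleted"]) / snap["total"]


def anomalous_snapshots(snapshots, factor=5.0, min_history=3):
    """Return ids of snapshots whose change ratio exceeds `factor` times the
    median change ratio of all preceding snapshots. The median is robust to a
    single earlier spike, so one anomaly does not poison the next baseline."""
    flagged = []
    for i, snap in enumerate(snapshots):
        if i < min_history:
            continue  # not enough history to form a baseline
        baseline = median(change_ratio(s) for s in snapshots[:i])
        if change_ratio(snap) > factor * baseline:
            flagged.append(snap["id"])
    return flagged


def suspicious_access(events, known_countries, bulk_delete_threshold=5):
    """Flag logins from a country not in the user's clean baseline and bulk
    snapshot deletions. `known_countries` maps user -> set of baseline countries."""
    findings = []
    for ev in events:
        seen = known_countries.get(ev["user"], set())
        if ev["action"] == "login" and ev["country"] not in seen:
            findings.append((ev["ts"], ev["user"], "login from new country " + ev["country"]))
        if ev["action"] == "delete_snapshot" and ev["count"] >= bulk_delete_threshold:
            findings.append((ev["ts"], ev["user"], f"bulk delete of {ev['count']} snapshots"))
    return findings


def attack_window(snapshots, flagged_ids):
    """(last clean snapshot, first flagged snapshot): the point to curate a
    recovery from. Flagged ids always have >= min_history predecessors, so
    first_bad - 1 is a valid index."""
    ids = [s["id"] for s in snapshots]
    first_bad = min(ids.index(f) for f in flagged_ids)
    return ids[first_bad - 1], ids[first_bad]


if __name__ == "__main__":
    flagged = anomalous_snapshots(SNAPSHOTS)
    print("anomalous snapshots:", flagged)
    print("last clean / first bad:", attack_window(SNAPSHOTS, flagged))
    baseline = {"backup-admin": {"US"}, "dr-operator": {"US"}}
    for finding in suspicious_access(ACCESS_EVENTS, baseline):
        print("ALERT", *finding)
```

Two design points: the baseline is a median of earlier snapshots rather than a mean, so the spike in snap-05 does not drag the baseline up and hide a second, smaller wave; and the access checks are deliberately independent of the data checks, because a deletion run with valid admin credentials produces no file-level anomaly at all and only shows up in the audit trail.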

Step 3: Recovery

After a ransomware attack, you need to recover data across all users and workloads as quickly as possible. Doing this by hand is a ton of work for your IT team, that labor rarely restores complete data, and it doesn’t account for reinfection from contaminated data being restored along with the good.

5 ways to address these challenges with a 100% SaaS platform and automation:

  • Accelerate ransomware response and recovery
    Druva’s 100% SaaS platform provides Accelerated Ransomware Recovery to automatically, quickly, and cleanly recover from a ransomware attack.
  • Detect access attempts and anomalies
    Access Insights gives admins a way to see the location and identity behind every access attempt, while Anomaly Detection provides data-level insights on file changes, creation, recovery, and deletion, helping pin down the timeframe of an attack.
  • Quarantine infected backup snapshots
    Quarantine any infected snapshots so they can’t accidentally be restored.
  • Find the last-known-good version of the files
    Curated Recovery alleviates the manual process of finding the last clean version of a file, looking at the file history within a defined time period and creating a single, known good recovery point.
  • Make sure you don’t reinfect yourself
    The Recovery Scans feature filters out files flagged by an AV scan, files matching imported file Indicators of Compromise (IOCs), and files that were encrypted by ransomware, so you don’t reinfect yourself.
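Curated recovery and recovery scans, as a worked example added here. It is not Druva’s code and uses no Druva API: the snapshot contents, the dropper bytes, the IOC hash set and the ransomware extension list are all constructed, and the encrypted-file check is a Shannon-entropy heuristic plus an extension list standing in for a real AV scan. It assumes anomaly detection has already identified the first bad snapshot (index 3 here). For each file path it walks backwards through the pre-attack snapshots and keeps the newest version that is neither an IOC match nor encrypted-looking; paths with no such version are quarantined instead of restored.

```python
"""Added example (not Druva's code): build one last-known-good recovery point
from a constructed snapshot history and scan it before restore."""
import hashlib
import math
import os
from collections import Counter

RANSOM_EXTENSIONS = {".locked", ".crypt"}  # constructed list for the example
ENTROPY_THRESHOLD = 7.0                    # bits/byte; ciphertext approaches 8.0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str, data: bytes) -> bool:
    """Heuristic: a known ransomware extension or near-random content."""
    ext = os.path.splitext(path)[1].lower()
    return ext in RANSOM_EXTENSIONS or shannon_entropy(data) >= ENTROPY_THRESHOLD


def curate_recovery(snapshots, attack_start, ioc_hashes):
    """Return (clean, quarantined).

    snapshots: oldest-first list of {path: bytes}; attack_start: index of the
    first snapshot flagged as anomalous. For every path seen before the attack,
    walk backwards from the last pre-attack snapshot and keep the newest
    version that passes both scans. Paths with no passing version are
    quarantined with the reason for their most recent rejection."""
    clean, quarantined = {}, {}
    pre_attack = snapshots[:attack_start]
    for path in sorted({p for snap in pre_attack for p in snap}):
        reason = None
        for snap in reversed(pre_attack):
            if path not in snap:
                continue  # file did not exist in this snapshot; keep walking back
            data = snap[path]
            if sha256(data) in ioc_hashes:
                reason = reason or "matches IOC hash"
                continue
            if looks_encrypted(path, data):
                reason = reason or "looks encrypted"
                continue
            clean[path] = data
            break
        else:
            quarantined[path] = reason
    return clean, quarantined


# Constructed snapshot history. SNAPSHOTS[3] is the mass-encryption snapshot an
# anomaly detector would flag; SNAPSHOTS[2] already shows the first signs.
REPORT_V1 = b"Q1 report draft\n" * 4
REPORT_V2 = b"Q1 report final\n" * 4
BUDGET_V1 = b"item,cost\npens,3\npaper,12\n"
DROPPER = b"MZ" + b"\x90" * 60        # low entropy: only the IOC hash catches it
CIPHERTEXT = bytes(range(256)) * 2    # 8.0 bits/byte, like real ciphertext
SNAPSHOTS = [
    {"docs/report.txt": REPORT_V1, "docs/budget.csv": BUDGET_V1},
    {"docs/report.txt": REPORT_V2, "docs/budget.csv": BUDGET_V1, "tmp/update.exe": DROPPER},
    {"docs/report.txt": REPORT_V2, "docs/budget.csv.locked": CIPHERTEXT, "tmp/update.exe": DROPPER},
    {"docs/report.txt.locked": CIPHERTEXT, "docs/budget.csv.locked": CIPHERTEXT, "tmp/update.exe": DROPPER},
]
IOC_HASHES = {sha256(DROPPER)}  # stands in for an imported IOC feed (constructed)
ATTACK_START = 3                # index an anomaly detector would report (assumed)


def run_example():
    return curate_recovery(SNAPSHOTS, ATTACK_START, IOC_HASHES)


if __name__ == "__main__":
    clean, quarantined = run_example()
    for path in clean:
        print("restore   ", path)
    for path, why in quarantined.items():
        print("quarantine", path, "-", why)
```

Note what the two scans catch that the other cannot: the dropper has low entropy and an innocuous name, so only the IOC hash rejects it, while the encrypted budget file has no known hash, so only the entropy/extension check rejects it. The walk-back is also why budget.csv is still recovered: its pre-attack version from the second snapshot is clean even though the file had already been replaced by an encrypted copy in the third.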

Most backup providers can’t guarantee recovery from ransomware variants targeting your backups. Druva’s 100% SaaS platform not only protects your data, but also helps you assess your security posture and threats to your data. Automation and orchestration make the recovery process even faster and easier.

Explore Druva’s Cyber Resilience Solutions page to learn more about how Druva can prepare you for cyber attacks with protection, visibility, and availability for your data. Plus, see how our unified security command center provides customized security posture insights based on your unique deployment, plus a centralized view of data and access anomalies, to protect, prepare, and recover from cyber attacks.

Ready to Learn More?

Protect, Prepare, Recover – A Blueprint for Making Data Resilient to Cyber Attacks Whitepaper