Cyber security in light of the Ukrainian invasion

W. Curtis Preston, Chief Technology Evangelist

Stephen and Curtis discuss how customers should react to the invasion of Ukraine from a cyber security perspective. They review a series of articles from Krebs on Security that talk specifically about the Conti ransomware group, and how they are responding to this crisis. Conti is a Russia-based group that is known for targeting the backups of its victims. This episode gives solid advice on how you can be better prepared for this new threat.

W. Curtis Preston: This week on No Hardware Required, we’ll be talking about what’s going on in the Ukraine and Russia and how that plays into our world. Joining me this week is Stephen Manley. Our CTO. Thanks for joining.

Hi, and welcome to Druva’s no hardware required podcast.

I’m your host, W. Curtis Preston, AKA Mr. Backup. And I have with me none other than Stephen Manley, fresh back from his time at the multi-cloud summit.

Stephen Manley: Absolutely.

W. Curtis Preston: I wanted to talk about this, I dunno, this mess. That’s going on over in Europe right now with Russia’s invasion of the Ukraine and mainly how it is potentially impacting the rest of the world. There has been a lot of chatter on the news channels, amongst people like you and me, that this could potentially result in, cyber attacks.

W. Curtis Preston: We know that there are several large cyber attack-type organizations in Russia. And the worry is that Russia, would sponsor this even as a way of getting back at the US and other, countries for being on the other side of this war. Is this one of these things where are we Henny penny? And we’re saying the sky is falling. Is it. Because obviously we, when we talk about it, we’re telling people, you need to make sure that you have a good data protection strategy and be ready for ransomware. And so some might accuse us as being ambulance chasers, and we’re making this up just to, just to sell more software. So what are your thoughts on that?

Stephen Manley: So a couple of things. I think you were a little gentle. I think a lot of these. cyber attack groups. I think they are fully state-sponsored. And I think there are a handful of nation-states that, to whom they’re directly tied. And so I don’t think there’s necessarily a big leap to say, Russia would have to go work with them.

Russia is in charge of these groups. they would set them against us. and then I think the second part as this invasion goes on and, frankly probably not the way that Putin imagined it was going to go. I think we’re going to see increasingly desperate lashing out.

especially given that in what we’re trying to do is tighten up and put the screws on the Russian economy. So I would not be at all surprised to see lashing out in that way, because I think all of us look at this and say everything short of potentially nuclear launches are on the table for them and cyber attacks.

Stephen Manley: They’ve proven to work. we talk about how often people are hit. It’s not a big leap to say that there’s going to be an increasing rash of them.

W. Curtis Preston: When I was researching for this episode, I found this blog. it’s called Krebs on security. All he does is blog on cybersecurity and things like that. And he actually did a four-part series. He’s calling it the Conti ransomware group diaries. Now, for those of you that are not familiar with the Conti ransomware group, they are a really big, cybercrime group in Russia.

And they are well known. It’s interesting. I didn’t specifically seek out Conti. This article was sent to me by somebody, but they are definitely known as one of the ransomware groups that are specifically targeting backups. They are the organization that we point to when we say people are coming for your backups.

But what was interesting here was a Ukrainian security researcher, published years of the internal chat logs of this organization. And, there’s this big thing they got published saying, as a response to Western fearmongering and American threats to cyber warfare against the citizens of the Russian Federation, the content team is officially announcing that we will use our full capacity to deliver retaliatory measures.

That does not sound good.

Stephen Manley: Yeah.

W. Curtis Preston: That does not sound good, nor does this sound like us making it up, This is an organization that believes in what Russia is doing. Actually, I’m going to take that back. It’s not necessarily that they believe in what Russia’s doing. They believe in their need to do what they do, and that us disrupting the infrastructure over there would disrupt what they do, which is, rob people have money. They need the infrastructure that we’re messing with.

Stephen Manley: And there’s a word that they used in there that’s interesting, and a little bit scary to me is retaliatory because when I’m just looking for profit, there’s certain boundaries I’m going to follow. I, I want to make the money. Let’s say you don’t get your backups back. I’m still gonna find a way for you to get your data back.

Retaliatory to me may mean, maybe we’ll ask you for money. Maybe we won’t because, and we’re just going to start launching and carpet bomb all of these businesses. So that’s a little bit scarier to me because when you’re launching for money, there are stages you go through, there are people that are monitoring, you’re trying to maximize your profit potential.

If you’re just going for retaliation, it could be a lot more damaging and a lot more widespread.

W. Curtis Preston: Yeah. that it’s funny. I didn’t even really think about that, but, but I completely agree with you in that if they do, they could be doing it for financial reasons. But if all they’re trying to do is inflict pain and they don’t necessarily have to get financial gain for it. Because they’re thinking of it as retaliatory because we, in their mind if we strike out against their infrastructure, which we almost assuredly will do that they have to retaliate against us. I agree with you with that. It’s an incredibly scary situation indeed. And this worry of since, especially the Conti ransomware group.

and I think it’s very, it’s apropos that it was sent to me because, obviously it was sent to me because somebody knew that I care about cybersecurity and backups and things like that, but it is interesting that specifically, the Conti ransomware group is one of the organizations that, what they do is they tend to exfiltrate backups first and then delete them and then give you the ransomware demand. And it’s, this is why we talk so much about air gapping your backups. And why, when we hear other vendors using the term air gap to refer to a server that is sitting in the data center.

Stephen Manley: Right.

W. Curtis Preston: It’s why we struggle with that. Why don’t you talk about that a little bit.

Stephen Manley: I get why people do it. You’ve got an infrastructure in place and you’ve been told to add an air gap and you look and you say, given the infrastructure I’ve got, the best I could do is again, get another server on the network, but I’ll have it off the network most of the time.

And at quote-unquote random times, I’ll reconnect it to the network so I can get the backups over there. And at least that’s reducing my risk window because there’s only online for the amount of time. It takes me to copy my backups. So how scary could that be? And the answer is pretty darn scary because when you’re talking about software monitoring for these things, this isn’t like you’re sneaking behind the back of Barney Fife and the Andy Griffith show. And now there are six people in the world who understood that reference. Cause we’re both old, but we had a Gary Cooper reference in the last one, so it’s okay.

W. Curtis Preston: Oh, here we go. we’re modernizing, we’ve at least gotten to color TV, Andy Griffith kinda split between the two, but, anyway, the point being that you’re hoping your sort of homemade makeshift air gap is going to work. And it’s just, it’s not a great strategy.

You contrast that with what I consider a true air gap, which is not just you’re on a separate network, but you’re on a completely separate location under a different administrative domain, separate passwords, separate access, separate monitoring, the more separation you get, the safer you are.

Stephen Manley: And again, I think everybody intuitively gets it, I think the challenge everybody faces right now is. But I’ve got to get something done. My boss told me I had two weeks or, this has gotta be done by end of the quarter. This is the best I can do. And so a lot of it is talking to people and saying, you can do better.

And it’s actually not that hard to do it. if you switch your mindset to, I’m going to, I’m going to bring some people on board.

W. Curtis Preston: went somewhere completely different than where I was thinking. But I like where you went. What I was thinking was about products that are appliances that are sitting in the data center and they refer to their storage as air-gapped when it’s sitting in there and there is no disconnection, like what you were talking about.

And there are reasons that they say that they will say that they have an append-only file system, or they have the immutable flag turned on in Linux, but the thing is, all of those are defeatable if you become root. All of them. And the thing is. It’s not like Linux is impervious to hacking I just saw the news today, for example, that there’s a new Linux vulnerability known as dirty pipe, and it allows local users to gain root privileges through publicly available exploits.

And what it has to do is it allows any user to modify any file. And to put it even with special bits, setuid bits and things like that. And then from there, you can easily become root. one of the examples I gave was modifying the /etc/passwd file and deleting the password for root. Suddenly your root.

And then when you’re root, you can become any other privileged user that can do things like delete your backups and things like that. That’s why I don’t consider that an air gap in any way, because all it takes is physical access number one, or a privilege escalation attack, and your air gap, as I make quotes in the air, is gone.

Stephen Manley: I’m with you. In fact, in my mind that’s so not credibly air-gapped that I just immediately dismissed it and went to, oh, if you want to make it like homemade air gaps to a second system, but yeah, the first one, no serious security professional. No serious security professionals are like that seems totally reasonable. That’s going to protect you that’s not even, that’s not even hoping at that point. That’s simply deluding yourself

W. Curtis Preston: Hope is not a strategy. I’ve heard that before.

Stephen Manley: Yeah. and I will tell you, putting on a blindfold and the, and pretending that there are no bad guys out there: also not a strategy, the bad guys are out there.

They’re going to come. You got to figure a way around it. and to me, going back to the Conti problem again, the bad guys now are just a little bit more motivated or maybe a lot more motivated. And that means that you’ve got to up your game that much more because they’re coming. And so this is the other part I think we talk about a lot is: this isn’t the sort of thing where you can just set it and forget it. This is a constantly evolving set of threats. And so you need a constantly evolving way to protect yourself from it, or you’re gonna wake up in six months and when you’re compromised, you’re going to tell your bosses, your CEO.

We set this up six months ago. Oh, the world. Changed in 16. I have no idea, right? You don’t want to be that person. That’s a very unpleasant conversation.

W. Curtis Preston: Yeah, the world has changed in a matter of a week or so. I would say the world is a very different place than it was in February. And so I guess the question is what would we be advising? our customers. And certainly, if you’re not a customer, our advice is easy: become a customer and you get all of this protection and we have built-in ransomware protection, built-in, all of the things that you talked about, actually air-gapped, so that the worst thing could possibly happen in your infrastructure, and it wouldn’t be able to spread to your backups. and we also have specific ransomware features that are built in to protect you.

so for me, it’s three things. and the first one is something, we’re doing internally, which is, is going out and warning people about phishing and text phishing and all those sorts of things. Because at some point you as a huge security professional.

Stephen Manley: You say, it’s falling on deaf ears. How often can I bring it up? But again, this is one of those moments when people are a little bit more sensitive to listening and learning and saying, maybe I should be safer. This isn’t just a security team or a backup team problem. This is something we all need to come together on.

So that’s one is, really work with your users and make sure they understand that this is a period of higher risk.

The second thing I would do is, frankly be just a little bit more proactive in terms of, watching your backup console. And the truth is most of our customers, again, they deploy and they say, Druva’s a SaaS

So, we are taking care of security and patching and capacity management, all those things for them, and it’s awesome. but we do also generate alerts and we show them what’s happening with their data and trending. and this is a good time to say, I really should just check in on that a little bit more often to make sure that Druva’s not saying something that it wants to tell me about.

and then the third one, that we’re telling all of our customers is, just again, look at your infrastructure and make sure you didn’t miss some. So is there a patch of VMs that you kept thinking? Yeah, I really should get around to backing those up, but you just haven’t configured it yet.

Or are there some end points or, your Microsoft 365, have you been thinking to yourself, should I protect 365 or Salesforce? This is that moment to say, I should probably use this as that forcing function to actually take care of that, being on my to-do list that let’s get that thing

W. Curtis Preston:  Yeah, I like the one, uh, about, you know, about the idea of monitoring, what Druva is doing on your behalf. We do notice things, right? I, you know, I’m aware of a very large attack that we noticed on a customer of ours just recently. And we were able to notice it. We notified the customer what was going on and they said, yeah, we’re under attack.

And then we were able to help them remediate that. But what if they hadn’t noticed right. Druva can do a lot of things and can monitor a lot of things. And we use a lot of machine learning to detect patterns. Perhaps you have, or you haven’t tied Druva into any of your reporting and management and SIEM/SOAR tools.

If you haven’t, it’s definitely the time to be looking at the Druva interface to make sure that any alerts that we provide are being noticed by someone. I would add one additional thing. And that is make sure that you have multiple cloud administrator accounts. Because if you get locked out of those, that is, you know, that is not a situation that you want to be in. Those are the keys to the kingdom. This is again my personal preference and that is, I like for. It’s a log-in as important as what you use for logging into the Druva console. Not to be part of something like Active Directory I would like it to be separate. I would like it to be in a password manager with password history, by the way, that way, if you accidentally change your own password to something that you don’t know, you can go back to your previous password, but I don’t like it being part of Active Directory because that can be compromised and, or anything like Active Directory. If you’re using the same username and password everywhere, I would consider changing that. This would be the time that I would do that is to segregate your backup system as much as you can from the primary environment.

Stephen Manley: It’s a good point. And it’s this constant tension I have with customers when they configure is yeah, but one password, one authentication mechanism. It just makes everything so much easier. And the answer is if it’s easier for you, it’s easier for the bad guys when something bad happens. So I get it. And, we give both options, but, but I am with you that my recommendation to customers is. Deal with that little bit of extra inconvenience, because it might save you, you know when something really awful happens.

W. Curtis Preston: yeah, I’ve been a backup person for coming up on three. I almost said three centuries, on three decades.

Stephen Manley: Well, you don’t look a day over someone has been doing it for two and a half.

W. Curtis Preston: Thanks. Um, and I remember being at war with the security folks. I remember thinking that they were my enemies almost because I was just trying to get my job done and they were just trying to secure everything and, and we both jointly hated each other. You know, security has always been a challenge. No one in information security ever made anybody’s life easier.

It’s always harder to do the right thing from a security perspective. So the key, like you said is to find that balance. And that’s why I do like a password management system for other things. Uh, partly because it’s outside of your infrastructure. It’s one of my hobby horses is password managers. So anyway, I wish all our customers the best, in this difficult time. And, I also wish those in Ukraine and the countries around them right now, and the things that they’re dealing with the best as well. So thanks for taking the time to talk.

Stephen Manley: Thanks. Be well, everybody.

W. Curtis Preston: Thanks for listening everybody. And don’t forget to subscribe to the podcast so that you never miss an episode and remember here at Druva there’s no hardware required.