Just had the incredible opportunity to do a session on stage at VeeamON 2023 in Miami and introduce Monaco Cyber! Still pretty cool to see a full house! We shared what happens during a ransomware attack and our best practices to react faster and more efficiently. By sharing our combined experiences in France and Monaco, and the tips we’ve learned along the way, our hope is to help you avoid this kind of cyberattack from happening to you and your company, and if it does, to show what you can do to quickly recover. Grateful for the chance and filled with a sense of accomplishment! Big thanks to Rick Vanover, Nikola Pejková, Madalina Cristil and Julia Furst Morgado for the great opportunity, and thanks to my mates Julien Mousqueton and Eric Machabert for the great performance!
Session title: Feedback: Hit by a ransomware, what’s next?
Session description: France is one of the top five countries hit by ransomware in 2022. Healthcare has been one of the most impacted sectors. All three speakers for this session, Eric as CISO/CTO at a healthcare solution provider, Julien as CTO Cybersecurity at an ICT company, and Christopher as CTO at an ICT and Security Services Provider, work in healthcare. In the past few years, they have all been involved with their customers in several cyberattacks: intrusions, data theft, ransomware, and many others. Unresolved, these attacks can have major consequences for your company. Based on the speakers’ experience, they’ll share with you what happens during a ransomware attack and their best practices to react faster and more efficiently. They hope their experiences and tips will ensure that this kind of incident is in the past for you.
Download: Ben Young has written an “archive” application to store the sessions. He scraped all of the sessions into a set of summary markdown documents. Each session’s markdown gives you detailed information such as the abstract, speakers, and downloadable resources. Here’s our session (presentation PDF).
It’s no secret that as time has passed, the data landscape we all live in has grown exponentially, and with each day that goes by, protecting your business-critical data from ransomware has become an increasingly complex process.
In my part of the session I covered the time needed to rebuild the information system, and the trust, risk and security aspects tied to it, through one question: “How do you build an architecture that is resilient against ransomware?” At this stage we are still in crisis, so we are talking about an architecture of circumstance. But it must also hold beyond the crisis, because the new architecture should follow the security-by-design approach.
The first 48 hours are crucial for the rebuild step. First of all, we need to identify the safe assets. The analysis starts by establishing the state of the data, production and backup alike, with concrete questions: has data been destroyed or deleted manually by the attacker? Has data been encrypted by the ransomware? Then we need to help reconstruct the path of the attack by exporting and analyzing the logs. Finally, the results go to the forensic stream: this work helps the analysts and buys time. Working in synergy within the crisis response team is very challenging.
Basically, we need to build a new infrastructure that follows the security-by-design approach. For that we need spare equipment: servers, storage and so on. The existing hardware is often frozen for as long as the crisis response team needs it, especially for the investigation. But we can begin to start some services and applications, for example Microsoft Active Directory and backup. It is very important to back up the new production data as soon as possible. We call this a backup of circumstance, because we often have to use existing or spare hardware.
My tips: we need data protection experts, who are still a hard resource to find. The best data protection people know the data intimately enough to be able to analyze it, production and backup alike. So what can we do? We can use Veeam Explorer for Active Directory to compare the state of Active Directory, its objects and items, in the last backup and in earlier ones. Very useful for the investigation.
Next, Active Directory is still a weak point when it comes to security. According to our Security Operations Center statistics, 100% of attacks exploit weaknesses in Active Directory to gain access to critical systems and data. It is the nerve center of any enterprise. During a crisis, Active Directory is the first service that will be started, and it must follow security best practices from the start. So what can we do? Let’s see what we need to make it secure anyway.
A tiering model is a best practice for securing Active Directory that segments the environment into tiers by the sensitivity of the systems and the privileges needed to manage them: in the Microsoft model, Tier 0 holds the domain controllers and identity systems, Tier 1 the servers and applications, Tier 2 the user workstations, and the credentials of one tier are never used on a lower tier. This allows you to apply the appropriate level of security controls to each tier, such as restricting access to sensitive data to authorized users only.
The principle of least privilege is a security best practice that involves giving users and systems only the minimum level of access necessary to perform their required tasks. This helps to reduce the risk of unauthorized access or malicious activity, as users and systems are restricted to only the resources they need to perform their jobs.
Network segmentation is a related best practice that separates the environment into network segments based on the sensitivity of the data or systems, so that the appropriate level of security controls can be applied to each segment. By segmenting your network you also limit the impact of a security breach or cyberattack, since it is contained to a specific segment rather than spreading throughout the entire environment.
My tips: monitor your Active Directory in real time so that you are alerted to lateral movement, privilege escalation, group changes and the like. There are many interesting solutions on the market.
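To make the monitoring tip concrete, here is an added example (not code from the session or from any product) of the detection logic such a tool runs, written over a constructed batch of Windows Security events as a SIEM would receive them from the domain controllers. The event IDs and field names are the real Windows ones (4728/4732/4756 for privileged group changes, 4624 for logons); the account names, host names, the `PAW01`/`PAW02` admin workstations and the `adm-` naming convention for Tier 0 accounts are assumptions for illustration. It flags three of the things the tip lists: a change to a privileged group, a Tier 0 credential used interactively outside the admin enclave (a tiering-model violation), and one account fanning out over many hosts in a short window (lateral movement).

```python
"""Added example: Active Directory monitoring rules over constructed Windows
Security events. Event IDs are the real Windows IDs; account, host and group
names below are assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# 4728/4732/4756: member added to a security-enabled global/local/universal group
GROUP_CHANGE_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
TIER0_ACCOUNTS = {"adm-alice", "adm-bob"}      # assumption: naming convention for Tier 0 admins
ADMIN_WORKSTATIONS = {"PAW01", "PAW02"}        # assumption: the dedicated admin workstations
INTERACTIVE_LOGON_TYPES = {2, 10}              # 4624 LogonType 2 = local console, 10 = RDP


def check_event(ev):
    """Stateless rules: return the alerts raised by a single event (empty list if none)."""
    alerts = []
    eid = ev["EventID"]
    if eid in GROUP_CHANGE_EVENTS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
        alerts.append("PRIV_GROUP_CHANGE: %s added %s to %s (%s group)"
                      % (ev["SubjectUserName"], ev["MemberName"], ev["TargetUserName"],
                         GROUP_CHANGE_EVENTS[eid]))
    if (eid == 4624 and ev["TargetUserName"] in TIER0_ACCOUNTS
            and ev["LogonType"] in INTERACTIVE_LOGON_TYPES
            and ev["WorkstationName"] not in ADMIN_WORKSTATIONS):
        # Tier 0 credentials exposed on a non-admin host: a tiering-model violation
        alerts.append("TIER_VIOLATION: %s logged on interactively from %s (%s)"
                      % (ev["TargetUserName"], ev["WorkstationName"], ev["IpAddress"]))
    return alerts


def detect_lateral_movement(events, max_hosts=3, window_s=600):
    """Stateful rule: one account making network logons (LogonType 3) to more than
    max_hosts distinct hosts within window_s seconds. 4624 is logged by the host that
    was reached, so ev["Computer"] is the destination of the logon."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == 3:
            by_user[ev["TargetUserName"]].append((ev["TimeCreated"], ev["Computer"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if (t - t0).total_seconds() <= window_s}
            if len(hosts) > max_hosts:
                alerts.append("LATERAL_MOVEMENT: %s reached %d hosts within %ds: %s"
                              % (user, len(hosts), window_s, sorted(hosts)))
                break
    return alerts


def analyze(events):
    """Run every rule over a batch of events and return all alerts in order."""
    alerts = []
    for ev in events:
        alerts.extend(check_event(ev))
    alerts.extend(detect_lateral_movement(events))
    return alerts


def _t(hhmm):
    return datetime(2022, 11, 5, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample batch (not real logs): a compromised user account fans out over
# four servers, adds a service account to Domain Admins, then a Tier 0 admin account
# is used over RDP from an ordinary finance workstation.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": _t("02:01"), "Computer": "SRV-FILE01", "TargetUserName": "john.doe",
     "LogonType": 3, "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.10.20.15"},
    {"EventID": 4624, "TimeCreated": _t("02:03"), "Computer": "SRV-SQL01", "TargetUserName": "john.doe",
     "LogonType": 3, "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.10.20.15"},
    {"EventID": 4624, "TimeCreated": _t("02:04"), "Computer": "SRV-APP02", "TargetUserName": "john.doe",
     "LogonType": 3, "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.10.20.15"},
    {"EventID": 4624, "TimeCreated": _t("02:06"), "Computer": "SRV-BACKUP01", "TargetUserName": "john.doe",
     "LogonType": 3, "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.10.20.15"},
    {"EventID": 4728, "TimeCreated": _t("02:10"), "Computer": "DC01", "SubjectUserName": "john.doe",
     "MemberName": "CN=svc-backup,OU=Services,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4624, "TimeCreated": _t("02:12"), "Computer": "SRV-BACKUP01", "TargetUserName": "adm-alice",
     "LogonType": 10, "WorkstationName": "WS-FINANCE-07", "IpAddress": "10.10.20.15"},
    {"EventID": 4624, "TimeCreated": _t("08:30"), "Computer": "DC01", "TargetUserName": "adm-bob",
     "LogonType": 10, "WorkstationName": "PAW01", "IpAddress": "10.99.0.5"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The last sample event (a Tier 0 admin on a PAW) is the legitimate case and raises nothing; the other three rules fire once each. In a real deployment the same rules would run continuously on forwarded events, and the thresholds for the lateral-movement window are something you tune against your own baseline.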
Security by design is an approach that builds security into the design and architecture of a system from the very beginning, so that security is a fundamental part of the system rather than an afterthought.
By incorporating security into the design process, you can identify and address potential vulnerabilities early, before they become more difficult and expensive to fix. This reduces the risk of cyberattacks and data breaches and improves the overall security and reliability of the system.
In practice:
•Segment both the network and authentication,
•Use a password vault for admins that does not rely on AD authentication,
•Implement a bastion host with 2FA for admins,
•Use dedicated admin workstations in an admin enclave,
•Collect security events, analyze them and trigger alerts. We recommend monitoring the information system through a Security Operations Center of circumstance for 3 to 6 months; the goal is to find any persistence the attacker left behind, and it can also detect new threats and new variants,
•Back up with an offsite copy and immutability, plus an offline backup.
My tips: a secure backup is your last line of defense. Don’t neglect this point and respect the 3-2-1-1 rule: 3 copies of the data, on 2 different media, 1 offsite backup and 1 offline and/or immutable backup.
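As an added example (not the speakers’ code), here is a small audit function that checks a backup inventory against the 3-2-1-1 rule exactly as stated above, plus one extra check that goes beyond the bare rule: since the attacks described on this page use AD domain accounts to reach the backup management plane, at least one backup copy should be reachable only with non-domain credentials. The inventories and their attributes are constructed for the example.

```python
"""Added example: audit a backup inventory against the 3-2-1-1 rule
(3 copies, 2 media, 1 offsite, 1 offline or immutable). The inventories
below are constructed; the 'domain_auth' check is an addition beyond the rule."""


def audit_3_2_1_1(copies):
    """Return a list of violations (empty list means compliant).
    Each copy is a dict: name, media (e.g. "disk", "object", "tape"),
    production (bool), offsite (bool), offline (bool), immutable (bool),
    domain_auth (bool: its management plane trusts AD credentials)."""
    violations = []
    if len(copies) < 3:
        violations.append("3: only %d copies of the data (need 3, production included)" % len(copies))
    media = {c["media"] for c in copies}
    if len(media) < 2:
        violations.append("2: all copies sit on one media type (%s)" % ", ".join(sorted(media)))
    if not any(c["offsite"] for c in copies):
        violations.append("1: no offsite copy")
    if not any(c["offline"] or c["immutable"] for c in copies):
        violations.append("1: no offline or immutable copy")
    # Beyond the rule: an attacker holding Domain Admin can delete every copy whose
    # management interface trusts AD, so at least one backup copy must be off-domain.
    backups = [c for c in copies if not c["production"]]
    if backups and all(c["domain_auth"] for c in backups):
        violations.append("hardening: every backup copy is reachable with AD domain credentials")
    return violations


def _copy(name, media, production=False, offsite=False, offline=False, immutable=False, domain_auth=True):
    return {"name": name, "media": media, "production": production, "offsite": offsite,
            "offline": offline, "immutable": immutable, "domain_auth": domain_auth}


# Constructed inventories. COMPLIANT: production + on-site disk repository + off-site
# immutable object storage with its own (non-AD) credentials.
COMPLIANT = [
    _copy("production VMFS datastore", "disk", production=True),
    _copy("on-site backup repository", "disk"),
    _copy("off-site object storage copy", "object", offsite=True, immutable=True, domain_auth=False),
]
# ALL_ON_DOMAIN: same layout, but the object storage is also managed with AD accounts.
ALL_ON_DOMAIN = COMPLIANT[:2] + [_copy("off-site object storage copy", "object", offsite=True, immutable=True)]
# WEAK: production plus a single on-site, domain-joined repository.
WEAK = COMPLIANT[:2]

if __name__ == "__main__":
    for label, inv in (("compliant", COMPLIANT), ("all on domain", ALL_ON_DOMAIN), ("weak", WEAK)):
        print(label, "->", audit_3_2_1_1(inv) or "OK")
```

The point of the extra check is that immutability on a copy whose console is logged into with a Domain Admin account is only as strong as Active Directory, which the page identifies as the first thing the attacker takes.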
But look at what is happening today: exponential growth in the number of attacks and in their sophistication. So what do these new attacks look like on the backup environment? Let me show you a very vicious kind of attack so that you get a better intuitive understanding.
What we saw in 2022 (this is not speculation):
- Encryption of backup data on an OFF-DOMAIN backup environment,
- Targeting password vaults or password management tools such as KeePass to find local accounts,
- Removing backup data through the management/administration interface with an AD domain account or a local account (targeted attack on management/administration interfaces),
- Changing how NTP time sources (the clock) are handled, then exploiting the time-based immutability,
- Wiping the headers of backup hardware and appliances (requires vendor-specific knowledge),
- Enabling other protocols (CIFS/NFS) on backup hardware and appliances, for any storage manufacturer, in order to bypass the proprietary and secure protocols, then mapping a network drive to the share, mtree, etc.,
- Lateral movement,
- Erasing data on tapes (in the library) by installing another backup software directly on the backup server when the first backup software is protected (a tape library is connected over FC or SAS to a physical server).
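The clock attack in that list deserves a worked illustration, so here is an added example (not code from the session or from any backup vendor) of why it works and of one fail-closed counter-measure. Any immutability that expires after a retention period is ultimately evaluated against a clock; if the attacker can push that clock forward, for instance by pointing the repository at a rogue NTP source, the lock appears expired and the data can be deleted. The `ClockGuard` below cross-checks the wall clock against a monotonic counter that NTP cannot move and refuses to expire a lock whenever the two disagree. All timestamps are simulated; the backup name, the 30-day retention and the counter values are assumptions.

```python
"""Added example: time-based immutability defeated by a clock jump, and a
fail-closed guard that cross-checks the wall clock against a monotonic counter.
All times are simulated; names and durations are assumptions for illustration."""
from datetime import datetime, timedelta, timezone


class ImmutableBackup:
    def __init__(self, name, locked_until):
        self.name = name
        self.locked_until = locked_until


def naive_can_delete(backup, wall_now):
    """The lock is evaluated against the wall clock the attacker can influence."""
    return wall_now >= backup.locked_until


class ClockGuard:
    """Derives 'trusted now' from a monotonic counter (time.monotonic(), an uptime
    counter or a hardware tick) that NTP cannot set. Assumptions: the reference pair
    was captured while the clock was known good, and the counter has not reset."""

    def __init__(self, wall_ref, mono_ref, tolerance=timedelta(minutes=5)):
        self.wall_ref = wall_ref
        self.mono_ref = mono_ref
        self.tolerance = tolerance
        self.tampered = False
        self.alerts = []

    def trusted_now(self, wall_now, mono_now):
        expected = self.wall_ref + timedelta(seconds=mono_now - self.mono_ref)
        drift = wall_now - expected
        if abs(drift) > self.tolerance:
            self.tampered = True
            self.alerts.append("CLOCK_TAMPER: wall clock %s is %s away from expected %s"
                               % (wall_now.isoformat(), drift, expected.isoformat()))
        return expected

    def can_delete(self, backup, wall_now, mono_now):
        now = self.trusted_now(wall_now, mono_now)
        if self.tampered:
            return False          # fail closed: never expire a lock on a suspect clock
        return now >= backup.locked_until


def simulate():
    """Returns (naive_decision, guarded_decision, alerts, honest_expiry_decision)."""
    t0 = datetime(2022, 11, 5, 2, 0, tzinfo=timezone.utc)
    backup = ImmutableBackup("VM-FILESRV-2022-11-05", locked_until=t0 + timedelta(days=30))
    guard = ClockGuard(wall_ref=t0, mono_ref=1000.0)

    # Attack: one real hour later the attacker pushes the wall clock 31 days forward.
    attack_wall = t0 + timedelta(days=31)
    attack_mono = 1000.0 + 3600.0
    naive = naive_can_delete(backup, attack_wall)
    guarded = guard.can_delete(backup, attack_wall, attack_mono)

    # Honest expiry: 31 days of real time have elapsed on both clocks.
    honest = ClockGuard(wall_ref=t0, mono_ref=1000.0)
    honest_wall = t0 + timedelta(days=31)
    honest_mono = 1000.0 + 31 * 86400.0
    honest_ok = honest.can_delete(backup, honest_wall, honest_mono)
    return naive, guarded, guard.alerts, honest_ok


if __name__ == "__main__":
    naive, guarded, alerts, honest_ok = simulate()
    print("naive delete allowed:", naive)        # True: the clock jump defeats the lock
    print("guarded delete allowed:", guarded)    # False
    print("honest expiry allowed:", honest_ok)   # True
    for a in alerts:
        print(a)
```

Two caveats a practitioner should keep in mind: a monotonic counter resets at reboot and can itself be manipulated by an attacker with root on the host, so the guard is a detection and fail-closed layer, not a substitute for restricting who may change the time, pinning backup hosts to authenticated internal time sources, and alerting on time-change events (Windows Security event 4616 on a backup server is one such signal). It illustrates the principle, not how any particular vendor implements immutability.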
Thank you to the #vCommunity and those who attended.