Deep MFA: A Smarter Way to Protect Backups from Ransomware Attacks

There is no perfect cybersecurity defense against all malware and ransomware. Learn how a Deep Multi-Factor Authentication (MFA) strategy can protect your organization from ransomware and malware attacks.

November 23, 2020

Even with the use of immutable data repositories, there is no perfect cybersecurity defense against all malware and ransomware. As a result, many organizations have a false sense of security that their backup and recovery infrastructure will protect them in the event of a ransomware attack on their primary IT environment. Eran Farajun, Executive Vice President, Asigra, recommends step-up or Deep MFA to secure backup system access.

There is no perfect cybersecurity defense against all malware and ransomware. Security professionals have known for years that the best cyber defense is layered, making it harder for cybercriminals to penetrate the IT organization. It has been an ongoing race of offense versus defense. The goal is to make it so hard to penetrate that attackers will pick an easier target. Ransomware has been changing this game. 

Ransomware is big business today, with the average ransom now more than $178K as of the second quarter of 2020. That’s up 60% from the first quarter. Some ransoms reach into the millions of US dollars. It’s a very lucrative business, so lucrative that there is significant research and development into making ransomware more effective at overcoming cybersecurity defenses.

The last line of ransomware defense has been the backup. When ransomware has encrypted the data, applications, and systems, recovery from backup has been the solution for many organizations. The cybercriminals recognized that, and the threat it posed to their revenue streams, and started attacking the backups. Simply by scrutinizing backup user communities on the web, it becomes clear that ransomware went after backups by deleting them before it detonated. The attackers deleted replicas, backups, snapshots, everything they could find, and then detonated the ransomware. It can be quite disturbing to be hit by a massive ransomware attack and then find that all the backups are simply gone.

Backup and storage vendors have been getting wise to this attack and have been implementing storage immutability, sometimes referred to as write once, read many (WORM). The immutability is tied to the retention period of the data being stored. As long as that data is within its retention period of days, weeks, months, or years, it cannot be changed, erased, or encrypted in any way. Vendors thought this would stop ransomware from deleting the backups. For a very brief period of time, it did.


Stealing Backup Administrator Privileges

After some research and development by the ransomware cybercriminals, they have modified their attack. Now they use targeted phishing aimed at backup administrators, operators, and support teams with access to the backup software. They steal the credentials and change the retention period without anyone being the wiser. Instead of a retention period of 30 days, 60 days, six months, etc., they change it to hours, or just long enough for the software to report a successful backup. And then the data disappears. The ransomware detonates and there are no backups to recover from.

There is a twist to this new ransomware variation: the use of those privileged credentials to also steal valuable data. It is not that difficult to copy or redirect a backup to another location if the cybercriminals have the right credentials. Remember, the backup is one of the most appealing applications because all of the organization’s most valuable data resides in the backups.

Stealing that data increases the probability and size of the attacker’s payout by using that valuable data three ways:

  1. Apply pressure by threatening to release damaging data to the public and/or regulatory agencies unless the attacked organization pays the ransom
  2. Further apply pressure by releasing some of this sensitive data to the general public
  3. Sell that valuable data on the dark web, whether the victim organization pays the ransom or not

This new form of ransomware attack requires better backup defenses. Security pros have been clamoring for “step-up” multi-factor authentication, a.k.a. “privileged access management”, in all mission-critical applications for some time. It is common knowledge that application admins are premium targets for cybercriminals.

There have been calls to add step-up MFA to backups for years. Step-up MFA means adding MFA to every single backup task that affects the data: tasks such as changing backup schedules, retention time, or backup location, replicating the backups, and so on.


Why Step-Up MFA is Rarely Implemented

There are problems implementing step-up MFA in the backup world. The first is simply terminology: step-up MFA is referred to as “Deep MFA” in the backup ecosystem. Not a big problem, but it can lead to misunderstandings. The bigger problems are that most backup admins have neither the time nor the ability to add Deep MFA, and that security pros generally don’t know the backup applications or where to implement Deep MFA. The backup applications are not considered business critical within the organization and, as a result, do not get prioritized. Adding Deep MFA gets put off and commonly does not get done.

Another little-acknowledged factor that limits Deep MFA use is that it adds annoying inconvenience for the admin. Every time they want to make a change, add, move, or whatever, they have additional steps in their process. They have to take out their phone, log in to their phone, read the code that was sent to their phone, and then enter it in the MFA application before they can apply their change. They tend to resist implementing Deep MFA and, when it exists, they turn it off.

Industry experts and backup software leaders have recognized the problems of Deep MFA and have done something about it in the last 12 months. First, Deep MFA was added for any task that could affect the data – it’s built into the software. None of the data affecting tasks can be done without MFA. 

They’ve gone much further by making that MFA convenient with passwordless authentication, utilizing the biometric facial recognition or thumbprint identification already built into smartphones. So for the first time, the industry has access to backup software with built-in passwordless, deep multi-factor authentication that is very hard to bypass and easy to use.
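The gating rule described above (every data-affecting task requires a fresh MFA assertion, read-only tasks do not) can be made concrete in code. The following is an added illustration, not code from Asigra or any backup product: a hypothetical backup console where `set_retention` is wrapped in a step-up check that also records an audit entry, while `show_policy` needs only a normal login. The freshness window (`STEP_UP_MAX_AGE_S`) and the retention floor (`MIN_RETENTION_DAYS`, which rejects the hours-long retention trick even when MFA succeeds) are assumed values.

```python
import time
from dataclasses import dataclass

STEP_UP_MAX_AGE_S = 300   # assumed: an MFA assertion older than 5 minutes is stale
MIN_RETENTION_DAYS = 7    # assumed guardrail against hours-long retention, even with MFA

class StepUpRequired(Exception): pass   # task needs a fresh MFA assertion first
class PolicyViolation(Exception): pass  # change breaks a guardrail, whoever asks

@dataclass
class Session:
    user: str
    mfa_verified_at: float = 0.0  # epoch time of last step-up (e.g. phone biometric); 0 = never

def record_mfa(session, at=None):
    """Called by the MFA flow once the second factor (e.g. biometric) has succeeded."""
    session.mfa_verified_at = time.time() if at is None else at

def require_step_up(task):
    """Gate a data-affecting backup task behind a fresh MFA assertion and audit it."""
    def guarded(self, session, *args):
        fresh = time.time() - session.mfa_verified_at <= STEP_UP_MAX_AGE_S
        self.audit.append(("STEP_UP_OK" if fresh else "STEP_UP_MISSING",
                           session.user, task.__name__, args))
        if not fresh:
            raise StepUpRequired(f"{task.__name__} requires step-up MFA")
        return task(self, session, *args)
    return guarded

class BackupConsole:
    """Hypothetical control plane: reads need only a login; data-affecting tasks need step-up."""
    def __init__(self, retention_days=30):
        self.retention_days, self.audit = retention_days, []

    def show_policy(self, session):  # read-only, so no step-up prompt
        return {"retention_days": self.retention_days}

    @require_step_up   # the same decorator would wrap schedule, location and replication changes
    def set_retention(self, session, days):
        if days < MIN_RETENTION_DAYS:
            raise PolicyViolation(f"retention {days}d is below the {MIN_RETENTION_DAYS}d floor")
        self.retention_days = days
        return days

def attempt(console, session, task, *args):  # run a task by name, summarise outcome as a string
    try:
        return "ok:" + str(getattr(console, task)(session, *args))
    except StepUpRequired:
        return "step_up_required"
    except PolicyViolation:
        return "rejected"
```

The audit list gives a detection hook: a denied or guardrail-rejected retention change from a backup admin account is exactly the event worth alerting on.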


Eran Farajun

Executive Vice President, Asigra

Eran Farajun is the executive vice president of Asigra and an expert in the area of secure cloud-based data protection with more than 20 years in the industry. He has been instrumental in establishing Asigra as a leader in public, private and hybrid cloud-based data protection, bringing new levels of efficiency to organizations and addressing new challenges in the areas of data security and compliance.