Reinforcing Data Resilience Eliteparadigm LLC

Reinforcing Data Resilience

Last year, many organizations stopped talking about when the workforce would be back in the office full-time and focused instead on how to build a hybrid work model for the future. 2021 was active and interesting, for lack of a better word, and there is a lot to say about cyber crime in general and ransomware in particular.

As we move further into 2022, we wanted to pause and reflect on 2021 and ask what is in store going forward. We spoke with Camille Singleton, a threat intelligence expert within IBM Security X-Force, to get her thoughts on how organizations can prepare for what's ahead.

Question: What Did 2021 Bring?

Singleton: We’ve seen a number of new trends in 2021, including an uptick in triple extortion. We began seeing double extortion in 2019 and 2020, during which gangs either leak or threaten to leak stolen data, which puts more pressure on victims to pay the ransom than if their data was only encrypted. Now we are seeing some groups threaten triple extortion, adding distributed denial-of-service attacks when a victim doesn’t pay after the group encrypts, steals and then leaks the data. This technique is still in its infancy, but it may become more prevalent if ransomware gangs figure out how to use it to their advantage.

On a positive note, 2021 was also the year of a crackdown on ransomware. We’ve seen a flurry of arrests worldwide, including that of Clop ransomware actors and members of the REvil/Sodinokibi ransomware group. We also saw many groups, such as REvil/Sodinokibi, DarkSide, BlackMatter and Avaddon, shut down, although I expect some will come back next year. But at least for now, the tempo of attacks may be a little slower.

What Are Your 2022 Predictions for Ransomware?

First, I don’t think ransomware is going away – even with the shutdowns and government crackdowns. Ransomware actors are earning a ton of money, billions of dollars every year from ransomware attacks, which continues to attract cyber criminals to the ransomware space.

Second, I think a lot of the big groups that were shut down will rebuild and come back. I don’t know what their new names or focus will be, but they will learn from their experience to develop new ransomware and continue their operations. While I can’t predict the number of new groups, I think it may be somewhat comparable to the number shut down in 2021.

Finally, I am hopeful we will see more arrests of ransomware actors in 2022 than we did in 2021. Ideally, these arrests will eventually have a lasting effect on the ransomware landscape. For example, in 2016, hacktivism was huge, and the group Anonymous was extremely active with a high level of hacktivist attacks. But the strong law enforcement crackdown from 2016 to 2018 dramatically changed the hacktivist threat landscape, decreasing the level of hacktivist activity. There may be some hope that we will see a similar threat landscape change with ransomware over time.

What Can Organizations Do to Prevent Ransomware Attacks in 2022?

After reviewing numerous ransomware attacks spanning most geographies and industries, X-Force has found that many ransomware attackers are using similar tactics, tools and techniques. Cyber criminals are figuring out what works and communicating that to one another. In particular, X-Force has identified five stages of a ransomware attack that threat actors are using again and again. Recently, we’ve seen some changes in the details of these attacks, such as the frequent exploitation of Active Directory to steal credentials and to move laterally within the network. If organizations pay more attention to Active Directory, monitor it closely and know what suspicious activity to look for, they might be able to catch ransomware actors before they execute their objectives. We’ve also noticed that 88% of ransomware attacks used the tool AdFind, which wasn’t the case even three years ago.

Organizations should also focus on domain controllers. Almost every single ransomware attack today involves the attackers trying to get access to domain controllers and domain administrator accounts and deploy the ransomware from there. Previously, many ransomware strains “wormed around,” such as with WannaCry, self-propagating from computer to computer through the network. Now, attackers are using domain controllers to deploy ransomware on all or as many devices as possible within an enterprise network simultaneously.

In terms of how ransomware attackers are initially getting in, phishing and vulnerability exploitation are the two infection vectors we are commonly observing. Ransomware attackers are cooperating with QakBot, Emotet and Trickbot operators who gain initial access through phishing emails and drop malicious attachments. They then deploy their malware, and the ransomware affiliates continue the attack from there. Organizations should continue to protect against phishing through user awareness training, behavior-based anti-malware detection and phishing email software solutions. Organizations should also use a robust vulnerability management program to address relevant vulnerabilities quickly.

While there is no way to 100% prevent ransomware, understanding the techniques threat actors are using today can help organizations know where to focus to prevent attackers from getting into the network and then finding them once they breach the network.
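As an added illustration of the Active Directory monitoring point above (example code written for this page; it is not X-Force tooling and not part of the interview): a small detector that flags AdFind-style reconnaissance in process-creation telemetry. It keys on AdFind's own command-line switches rather than only the binary name, so a copy renamed to af.exe or 1.exe is still caught, and it escalates hosts that show several distinct reconnaissance behaviours. The event records, host names and user names are constructed; the field names loosely follow Sysmon Event ID 1 / Windows 4688.

```python
"""Flag AdFind-style Active Directory reconnaissance in process-creation events.

Added example for this page: not X-Force tooling and not part of the interview.
Events are constructed to resemble Sysmon Event ID 1 / Windows 4688 fields.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events (one JSON object per line); hosts and users are fictitious.
SAMPLE_EVENTS = r'''
{"host": "ws-0042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
{"host": "ws-0042", "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\adfind.exe", "cmdline": "adfind.exe -f \"(objectcategory=person)\" > ad_users.txt"}
{"host": "ws-0042", "user": "CORP\\jdoe", "image": "C:\\Users\\Public\\af.exe", "cmdline": "af.exe -sc trustdmp > trustdmp.txt"}
{"host": "srv-dc01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ldifde.exe", "cmdline": "ldifde -f export.ldf"}
{"host": "ws-0077", "user": "CORP\\asmith", "image": "C:\\Temp\\1.exe", "cmdline": "1.exe -subnets -f (objectCategory=subnet)"}
'''

# AdFind's own switches (joeware AdFind) as they show up in ransomware intrusions.
# Keying on the switches catches copies renamed to af.exe, 1.exe and so on.
IMAGE_IS_ADFIND = re.compile(r"(^|[\\/])adfind\.exe$", re.I)
CMDLINE_RULES: List[Tuple[str, "re.Pattern"]] = [
    ("domain trust dump (-sc trustdmp)", re.compile(r"-sc\s+trustdmp\b", re.I)),
    ("subnet enumeration (-subnets)", re.compile(r"-subnets\b", re.I)),
    ("global catalog query (-gcb)", re.compile(r"-gcb\b", re.I)),
    ("directory object enumeration (-f objectcategory=...)",
     re.compile(r"-f\s+\"?\(?objectcategory=(person|user|computer|group|organizationalunit)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    image: str
    cmdline: str
    reasons: Tuple[str, ...]


def analyze_event(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event looks like AdFind reconnaissance, else None."""
    reasons = []
    if IMAGE_IS_ADFIND.search(event.get("image", "")):
        reasons.append("image is adfind.exe")
    cmdline = event.get("cmdline", "")
    reasons += [label for label, rule in CMDLINE_RULES if rule.search(cmdline)]
    if not reasons:
        return None
    return Finding(event["host"], event["user"], event["image"], cmdline, tuple(reasons))


def scan(events_jsonl: str) -> List[Finding]:
    """Run analyze_event over newline-delimited JSON events."""
    findings = []
    for line in events_jsonl.splitlines():
        if line.strip():
            finding = analyze_event(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


def hosts_to_escalate(findings: List[Finding], min_distinct: int = 2) -> List[str]:
    """Hosts showing several distinct recon behaviours.

    One object query may be an administrator; trust dump plus user dump plus
    subnet sweep from a workstation is the pre-deployment picture to escalate.
    """
    reasons_by_host: Dict[str, set] = {}
    for f in findings:
        reasons_by_host.setdefault(f.host, set()).update(f.reasons)
    return sorted(h for h, r in reasons_by_host.items() if len(r) >= min_distinct)


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host} {f.user}: {f.image} -> {', '.join(f.reasons)}")
    print("escalate:", hosts_to_escalate(found))
```

On the constructed input the detector flags the adfind.exe user dump, the renamed af.exe trust dump and the subnet sweep from a third host, leaves notepad and the ldifde export alone, and escalates only ws-0042, which shows three distinct behaviours. The switch list is a starting point, not a complete signature; tune it against your own telemetry and expect to whitelist genuine administrative use.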

What Should Organizations Do to Prepare for an Attack?

On a certain level, organizations should expect that a ransomware attack will happen. They should prepare for an attack beforehand by planning their response, considering how to diminish the impact on their network and putting backup plans and redundancy in place so they can get up and running quickly. Organizations should also consider how to handle the public relations aspect of a massive ransomware attack. Everyone from the CEO to the lowest-level security operations center analyst needs to know what they are going to do next in a response scenario. The goal is to prevent attacks as much as possible but be ready in case one happens, whether that’s in 2022 or beyond.

Speeding Threat Detection


Today, we’re announcing new data resilience capabilities for the IBM FlashSystem family of all-flash arrays to help you better detect and recover quickly from ransomware and other cyberattacks. We’re also announcing new members of the FlashSystem family with higher levels of performance to help accommodate these new cyber resilience capabilities alongside production workloads.

Cybercrime continues to be a major concern for business. Almost every day we see reports of new attacks. The average cost of a data breach is $4.24 million, and recovery can take days or weeks [1]. Cyberattacks have an immediate impact on the business and can also have a lasting reputational impact if the business is unavailable for a long time [1].

How Cyber Vault Can Help Businesses Recover Rapidly

Even with the best cyberattack defense strategy, it’s possible that an attack could bypass those defenses. That’s why it’s essential for businesses to have both defense and recovery strategies in place. Storage plays a central role in recovering from an attack.

IBM Safeguarded Copy, announced last year, automatically creates point-in-time snapshots according to an administrator-defined schedule. These snapshots are designed to be immutable (snapshots cannot be changed) and protected (snapshots cannot be deleted except by specially defined users). These characteristics help protect the snapshots from malware or ransomware and from disgruntled employees. The snapshots can be used to quickly recover production data following an attack.

Recovery from an attack involves three major phases: detection that an attack has occurred, preparing a response to the attack, and recovery from the attack. Each of these phases can take hours or longer, contributing to the overall business impact of an attack.

An offering implemented by IBM Lab Services, IBM FlashSystem Cyber Vault is designed to help speed all three phases. Cyber Vault runs continuously and monitors snapshots as they are created by Safeguarded Copy, using standard database tools and other software to check each Safeguarded Copy snapshot for corruption. If Cyber Vault finds corruption, that is an immediate sign that an attack may be under way. IBM FlashSystem Cyber Vault is based on a proven solution already used by more than 100 customers worldwide with IBM DS8000 storage.

When preparing a response, knowing which snapshots show no evidence of an attack makes it faster to decide which one to restore from. And since Safeguarded Copy snapshots are on the same FlashSystem storage as operational data, recovery is fast using the same snapshot technology. Cyber Vault automation helps speed the recovery process further. With these advantages, FlashSystem Cyber Vault is designed to help reduce cyberattack recovery time from days to hours.
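To make the snapshot-validation flow above concrete, here is an added example written for this page; it is not IBM code and does not reproduce Cyber Vault's actual checks. It models a series of immutable point-in-time snapshots, validates each one against the last known-clean snapshot with simple content checks (a file-header check standing in for the "standard database tools", an entropy check, a rename heuristic and a ransom-note heuristic), and then picks the newest snapshot taken before the first sign of corruption. The snapshot contents, timestamps, file names and the entropy threshold are all constructed or assumed.

```python
"""Validate a series of immutable snapshots and choose the last clean one to restore.

Added example for this page: not IBM code and not Cyber Vault's real checks.
Snapshot contents, timestamps and thresholds are constructed or assumed.
"""
import math
import random
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Snapshot = Dict[str, object]  # {"taken_at": str, "files": {path: bytes}}

SQLITE_MAGIC = b"SQLite format 3\x00"  # real SQLite 3 header; stands in for a DB consistency check
ENTROPY_THRESHOLD = 7.2                # bits/byte; assumed cut-off, tune on your own data
NATURALLY_DENSE = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf"}  # legitimately high entropy
NOTE_NAME = re.compile(r"(how.?to|readme|restore|decrypt|recover)", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for text and DB pages."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return path[path.rfind("."):].lower() if "." in path else ""


def validate_snapshot(snap: Snapshot, baseline: Snapshot) -> List[str]:
    """Return findings for one snapshot; an empty list means no evidence of attack."""
    findings: List[str] = []
    files: Dict[str, bytes] = snap["files"]
    base_files: Dict[str, bytes] = baseline["files"]

    # Rule 1: a baseline file vanished, possibly replaced by a renamed copy (.locked style).
    for path in base_files:
        if path not in files:
            renamed = [p for p in files if p.startswith(path + ".")]
            findings.append(f"{path} missing" + (f", replaced by {renamed[0]}" if renamed else ""))

    for path, data in files.items():
        ext = _ext(path)
        # Rule 2: structured file whose header is gone (in-place or partial encryption).
        if ext == ".db" and not data.startswith(SQLITE_MAGIC):
            findings.append(f"{path}: SQLite header missing")
        # Rule 3: ciphertext-like entropy where the data type should be compressible.
        if ext not in NATURALLY_DENSE:
            h = shannon_entropy(data)
            if h > ENTROPY_THRESHOLD:
                findings.append(f"{path}: entropy {h:.2f} bits/byte")
        # Rule 4: a new file with a ransom-note-like name.
        if path not in base_files and NOTE_NAME.search(path):
            findings.append(f"{path}: new ransom-note-like file")
    return findings


def scan_snapshots(snapshots: List[Snapshot]) -> List[Tuple[str, List[str]]]:
    """Walk snapshots oldest to newest, validating each against the last clean one."""
    report, baseline = [], snapshots[0]
    for snap in snapshots:
        findings = validate_snapshot(snap, baseline)
        report.append((snap["taken_at"], findings))
        if not findings:
            baseline = snap
    return report


def last_clean_snapshot(snapshots: List[Snapshot]) -> Optional[str]:
    """Newest snapshot taken before the first one showing evidence of attack.
    Later snapshots are not trusted even if they pass: 'looks clean' is only
    as strong as these heuristics once an attacker is active."""
    last_clean = None
    for taken_at, findings in scan_snapshots(snapshots):
        if findings:
            return last_clean
        last_clean = taken_at
    return last_clean


# ---- constructed sample data (not real customer data) -----------------------
def _sqlite_file(rows: int) -> bytes:
    """Stand-in for a SQLite database: real header, synthetic CSV-like body."""
    return SQLITE_MAGIC + b"".join(b"order-%05d,ACME,42.00\n" % i for i in range(rows))


_rng = random.Random(2022)  # fixed seed so the 'ciphertext' is reproducible
_ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))
_SQL = b"INSERT INTO orders VALUES (1, 'ACME', 42.00);\n"
_NOTE = b"Your files are encrypted. Contact us to recover them.\n"

SNAPSHOTS: List[Snapshot] = [
    {"taken_at": "2022-02-07T00:00Z", "files": {"orders.db": _sqlite_file(40), "export.sql": _SQL * 50}},
    {"taken_at": "2022-02-07T06:00Z", "files": {"orders.db": _sqlite_file(48), "export.sql": _SQL * 60}},
    # ransomware encrypts the DB in place, renames the export and drops a note
    {"taken_at": "2022-02-07T12:00Z", "files": {"orders.db": _ENCRYPTED, "export.sql.locked": _ENCRYPTED[:2048],
                                               "HOW_TO_RESTORE.txt": _NOTE}},
    {"taken_at": "2022-02-07T18:00Z", "files": {"orders.db.locked": _ENCRYPTED, "export.sql.locked": _ENCRYPTED[:2048],
                                               "HOW_TO_RESTORE.txt": _NOTE}},
]

if __name__ == "__main__":
    for taken_at, findings in scan_snapshots(SNAPSHOTS):
        print(taken_at, "CLEAN" if not findings else "; ".join(findings))
    print("restore from:", last_clean_snapshot(SNAPSHOTS))
```

Two design points carry over to a real deployment. First, the selection policy stops at the first corrupted snapshot and does not trust anything newer, which is the conservative choice when the snapshots are immutable and the attacker's changes persist into every later copy. Second, the entropy rule is a heuristic with known false positives (already-compressed or legitimately encrypted data), which is why the header check, modelled here on the SQLite magic, should in practice be the application's own consistency tooling rather than a byte-pattern guess.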

IBM FlashSystem Cyber Vault is part of IBM’s comprehensive approach to data resilience, which also includes: high availability and remote replication for disaster recovery in IBM FlashSystem; backup, recovery and copy management using IBM Spectrum Protect Suite; ultra-low-cost long-term storage with physical air-gap protection on IBM tape storage; early attack detection through IBM QRadar and IBM Guardium; and proactive attack protection using IBM Safeguarded Copy.

High Performance Hybrid Cloud Storage Systems

To ensure cyber security does not have to come at the expense of production workload efficiency, IBM is introducing new storage systems with greater performance than previous systems.

Built for growing enterprises that need the highest capability and resilience, IBM FlashSystem 9500 offers twice the performance, connectivity, and capacity of FlashSystem 9200 and up to 50% more cache (3TB). The system supports twice as many (48) high-performance NVMe drives. Likewise, FlashSystem 9500 supports up to forty-eight 32Gbps Fibre Channel ports, with planned support for 64Gbps Fibre Channel ports [2]. There is also an extensive range of Ethernet options, including 100GbE RoCEv2.


Supported drives include new IBM FlashCore Modules (FCM 3) with improved hardware compression, Storage Class Memory drives for ultra-low-latency workloads, and industry-standard NVMe flash drives. FCMs allow 2.3PB effective capacity with DRAID6 per control enclosure, and 4.5PB effective capacity with forty-eight 38TB FCMs in a planned future update. These FCM 3 drives help reduce operational cost with up to 116TB of effective capacity per drive and 18PB of effective capacity in only 16U of rack space with FlashSystem 9500 [3]. FCM 3 drives are self-encrypting and are designed to support FIPS 140-3 Level 2 certification, the US government standard for cryptographic modules; note that "designed to support" is a design target, and whether a given module has completed validation can be checked against the NIST CMVP validated modules list.

FlashSystem 9500 also provides data resilience safeguards including multi-factor authentication to validate users and secure boot to help ensure only IBM-authorized software runs on the system. Additionally, the IBM FlashSystem family offers two- and three-site replication plus configuration options that can include an optional 100% data availability guarantee to help ensure business continuity [4].

“In our beta testing, FlashSystem 9500 with FlashCore Module compression enabled showed the lowest latency we have seen together with the efficiency benefit of compression. FlashSystem 9500 delivers the most IOPS and throughput of any dual controller system we have tested and even beat some four-controller systems.”

— Technical Storage Leader at a major European Bank.

The new IBM FlashSystem 7300 offers about 25% better performance than FlashSystem 7200, supports FCM 3 with improved compression, and supports 100GbE RoCEv2. With 24 NVMe drives, it supports up to 2.2PB effective capacity per control enclosure.


For customers seeking a storage virtualization system, new IBM SAN Volume Controller engines are based on the same technology as IBM FlashSystem 9500 and so deliver about double the performance and connectivity of the previous SVC engine. SAN Volume Controller is designed for storage virtualization and so does not include storage capacity but is capable of virtualizing over 500 different storage systems from IBM and other vendors.


Like all members of the IBM FlashSystem family, these new systems are designed to be simple to use in environments with mixed deployments that may require multiple different systems at the core, cloud, or at the edge. They deliver a common set of comprehensive storage data services using a single software platform provided by IBM Spectrum Virtualize. Hybrid cloud capability consistent with on-prem systems is available for IBM Cloud, AWS, and Microsoft Azure with IBM Spectrum Virtualize for Public Cloud. These systems also form the foundation of IBM Storage as a Service.

For more information about these new offerings, watch our webcast or explore IBM FlashSystem.

[1] IBM Institute for Business Value, 2021 Cost of a Data Breach report, https://www.ibm.com/security/data-breach
[2] Statements by IBM regarding its plans, directions, and intent are subject to change or withdrawal without notice at the sole discretion of IBM. Information regarding potential future products is intended to outline general product direction and should not be relied on in making a purchasing decision.
[3] Effective capacity is based on the compressibility of data, which varies among data types. Some data (already compressed or encrypted) will not compress at all. Refer to IBM compression estimator tools.
[4] Available only for HyperSwap configurations deployed by IBM Lab Services.