Malware nowadays is getting sophisticated – has small footprint, evade sandbox & detection, determine platform to inject the applicable payload, some even change account password, disable all network interfaces to completely lock you out.
Backup is one of the mitigation means for recovery of the pre-victim state at cost of losing certain application data.
The challenge is that malware might have already existed in the previous state in dormant form and the backup carries it.
What should best be done? In extreme case, no Internet and even standalone with communication, no removable media and all I/O ports sealed, zero-trust of any users with all system privileges locked down, application white-listed, use kiosk mode.
Imagine you are working in an organization like this. You won’t be working long as the business will soon cease in such environment. And after all, who should be appointed to maintain the system that this inevitably requires root privileges.
This is a risk taking consideration. Therefore systematic approach:
- Establish the business value of data
- Determine maximum outage tolerance
- Identify risks
- Understand consequence
- Prioritize protection to key asset
- Setup detection mechanism
- Formulate respond strategy
- Validate recovery readiness
Pick ransomware threat as example, have multiple backup copies of critical configuration and business data, log all source data and activities between backup for rebuild on top of system journal, authenticate key transaction and verify information update, establish data consistency check application level to reduce loss of data to minimal level.