The 3-2-1-1 Strategy & Ransomware Recovery Actions

Ransomware is on the rise.

Cybersecurity Ventures predicts that by 2031, ransomware will cost victims $265 billion annually, up from $20 billion in 2021, and it will attack one business every 2 seconds, up from every 11 seconds in 2021.
What’s worse, ransomware attacks are targeting businesses of all sizes across more and more industries, from finance and healthcare to manufacturing, transportation, and government. In fact, cybersecurity researchers have warned that all industries are at risk from attacks.

How do you plan to tackle it?

As a global cyber threat, ransomware can cause huge financial and reputational damage to organizations. To better prepare ourselves in the fight against it, we should learn what to do before, during, and after a ransomware attack.

In the articles “Understanding Hidden Ransomware and Strategies to Detect It” and “Under Attack: Understanding the Stages and Response to a Ransomware Attack“, my colleagues have discussed the actions to take before and during an attack. Today, let’s look at how to recover after an attack has occurred.

Actions to take after a ransomware attack

According to the cyber defense-in-depth framework developed by Northrop Grumman, there are five layers of defense against ransomware attacks.
The network and application layers are responsible for defense in the ransomware detection, intrusion, and spreading phases. When ransomware reaches the data layer, storage plays a critical role in forming the last line of defense.

We need to develop and implement effective measures to recover any functionality or service that has been compromised as a result of a cybersecurity incident. For example:

• If data is damaged, select the latest secure data copy, such as a snapshot copy or WORM file system to restore the data as soon as possible.
• If the production center has been attacked, use the backup storage for recovery.
• If the backup storage has also been attacked, restore data from the physically isolated zone.

In addition to the preceding measures, the following actions are worth your consideration:

1. Confirm what types of data and who have been affected, so that you can determine the right measures to take later.
2. Check whether data access rights are properly assigned. Should any users’ access rights be limited or canceled?
3. Communicate with relevant departments to determine priorities and schedules for application recovery.
4. Ensure that employees and service providers take necessary measures to eliminate vulnerabilities.
5. Reply to partners, customers, and any other stakeholders in a clear, concise, and well-organized manner to alleviate their concerns.

3-2-1-1 strategy

If a data security team wants to effectively cope with ransomware attacks and minimize risk and loss, they should establish a comprehensive data protection system, considering both network and storage security. At the data storage layer, we strongly recommend the 3-2-1-1 strategy.
The 3-2-1 rule has long been a standard for data backup in commercial organizations. To upgrade data security protection, Huawei uses the 3-2-1-1 strategy, which is an enhancement of 3-2-1.

• 3: Store 3 copies of data — 1 original plus 2 backups.
• 2: Store data on at least 2 types of storage media.
• 1: Store 1 copy of data remotely.
• 1: Store 1 copy of data in an air-gap isolation zone.

By implementing the 3-2-1-1 strategy, you can retain the last clean copy of data for rapid recovery after data is damaged by a ransomware attack.

Why is an isolation zone so important?

There are three reasons an isolation zone is important.

A ransomware attack may delete all valid copies of data.
The isolation zone uses air-gap technology to protect data.

• When data does not need to be replicated, the isolation zone is completely offline. As a result, ransomware cannot detect data in the isolation zone, minimizing the possibility of malicious data encryption or deletion.
• When data needs to be replicated, the storage device in the isolation zone only enables the replication ports and only allows one-way data replication, thereby ensuring data security.

Threats don’t just come from the outside. People inside an organization may also be a contributing factor to data loss. Analyst firms say that over the next 3 years, most cyber threats are likely to come from enterprises’ employees. However, the isolation zone is invisible on the network and can only be managed by dedicated personnel, meaning it is unlikely to be exposed to or attacked by internal members of staff.

The isolation zone ensures faster data recovery after ransomware attacks. Although traditional tape libraries can store data offline, their recovery speeds are inadequate. By contrast, both production and backup storage products have evolved to the all-flash architecture, with recovery speeds of more than 100 times that of a tape library. This minimizes the service recovery period to reduce the loss caused by service downtime in a ransomware attack.

Building the last line of defense for data security

To help customers build the last line of defense for data security, Huawei provides an industry-leading ransomware protection solution at the storage layer. It delivers comprehensive protection, accurate detection, and rapid recovery with primary and backup storage.
In addition to a 99.9% ransomware detection and interception rate, the solution achieves backup recovery at 172 TB/hour, which is five times faster than that of competing products. This helps you quickly recover your systems following a ransomware attack.

Learn more about Huawei Ransomware Protection Storage Solution and how you can build reliable data protection for your business.

Disclaimer: Any views and/or opinions expressed in this post by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Huawei Technologies.