Transcript
sort of digital fingerprints for threats that have evaded detection. You know, they can act as a record of threats that other security solutions have missed. So example, a threat that is embedded in, you know, a hypervisor. Those things are backed up, but traditional EDR solutions often lack visibility into those. So what we've found is that threat actors understand this. They've sort of conducted a proof of concept for the threat vector. And so it's something that we expect to see a lot more going forward. But just in general, we see it as another source of telemetry that, as you rightly point out, is too often overlooked.
Give us a rating. Let us know what you think about the show. It really helps us reach more listeners like you who are trying to improve the resilience of their business. And it helps me know what content you want to hear more about. So today I had a really great conversation with Kyle Feeler, a transformation analyst at Rubrik Zero Labs. He has expertise across AI and info security, cybersecurity and geopolitics, cyber resilience and IT leadership. He works closely with CXOs at G2K enterprise organizations on matters of zero trust and secure digital transformation. We'll talk about backups being a snapshot into failed attempts at stopping bad actors. A really interesting conversation and a really refreshing take. Let's get into it.
Well, to get into the meat of the conversation. So we're here to talk about backups, which is not something that a lot of security teams tend to spend a lot of time with, but it seems like you believe that they should. So what are some things that backups reveal that traditional security telemetry often misses?
Yeah. So since secure backups can't be altered or encrypted or deleted, a lot of times they are the source of sort of digital fingerprints for threats that have evaded detection. They can act as a record of threats that other security solutions have missed. So example, a threat that is embedded in a hypervisor, those things are backed up, but traditional EDR solutions often lack visibility into those. So what we've found is that threat actors understand this. They've sort of conducted a proof of concept for the threat vector. And so it's something that we expect to see a lot more going forward. But just in general, we see it as another source of telemetry that, as you rightly point out, is too often overlooked because it is another source. And I think if you're in charge of defending a company from the myriad of threats facing any large organization today, you want all the information that's available to make the best decisions possible.
Right. Absolutely. And when you're analyzing these compromised backups, where are most organizations going wrong? Are you noticing any patterns throughout all the different organizations that you're kind of analyzing and working with?
Well, I'd say, I mean, the biggest thing is just companies not recognizing that their backup data is that additional source of telemetry, like I mentioned. So it's often just completely overlooked. I think that in general, there is an opportunity for security teams to be scanning backups for, you know, indicators of compromise, using YARA rules, hashes, to be searching for threat actors in their backup data, especially ones who have the utmost motivation to not be found. So these are typically state-backed actors who are interested in establishing persistence, evading detection, so that they can conduct these long-term operations.
Right, right. And so if backups are showing repeated failure patterns over time, who owns fixing that? Is it the CISO? Is it the CIO? Is it the board? Is it a combination of all of these folks? Who kind of owns addressing this issue?
Yeah. So I think it's different. It's different by organization. And, you know, in general, there is this issue in managing backups about ownership. Who owns it? You know, is it IT or security? And I think more and more, it will need to become a security function as we notice groups that are financially motivated threat actors who recognize the importance or the opportunity, I should say, in targeting backups specifically. So Evil Corp is a Russian-based ransomware group that has figured this out very well. They know that they can delete, you know, recovery routines, delete the backups themselves, and by doing so, they've maximized their leverage over whoever their target may be. So I think it's increasingly becoming a security concern as we see more and more financially motivated threat actors who are interested in achieving the payday as soon as possible. They actually want to trip that wire. They want to trigger a response from a security team because that's the quickest way to get the engagement going.
Right, right. Absolutely. And I'd like to talk a little bit about backup's best friend, and that is recovery. You know, oftentimes we're talking about backup and recovery. And another theme that you and your team talk a lot about is MTTR or mean time to response. So how should security leaders think about mean time to response or MTTR? And what should they be doing to reduce that?
Yeah, so stepping back a little bit, some interesting data we've found is that, you know, in conducting year after year surveys, we've found among our respondents who are IT and security leaders all over the globe, large organizations, confidence in recovery times tends to be falling. And, you know, I think the numbers are something like barely a quarter of IT and security leaders feel that they could respond in 12 hours or less to a security incident, whereas a year ago, that number was over 40%. So what are the reasons for that? I suspect one of them is the deliberate targeting of backup data. And then another I would say is identity infrastructure is often compromised as a part of these attacks. And this is where too many organizations are still relying on manual processes to recover their identity infrastructure, because oftentimes threat actors will escalate privileges in order to get something done. I mentioned the deleting of recovery routines. You know, oftentimes you need elevated privileges to do that. But what happens when threat actors start to compromise identity infrastructure is almost no access or authorization processes can be trusted. And so it's so important to restore identity infrastructure to a clean state if you're going to take that power away from the threat actor. In terms of MTTR, what we talk a lot about at Rubrik Zero Labs is how do we turn that from a coarse metric of, okay, you know, my mean time to recover, we were aiming for four hours and it took us six. That doesn't tell you why. So a lot of what we've focused on is how can we use the data that we have, break that process down into discrete phases. So is the problem that it took you a long time to determine the scope of the compromise? Is the problem that it took you a long time to validate that you recovered to a clean state? Or is it some other phase in there? So we often talk about how understanding the phased recovery process points you to potential areas for improvement where you can cut that overall MTTR. And then, of course, these are things, you know, you'll hear from security leaders all the time that you cannot go into an incident, that's not the time to be testing your recovery. So these things have to be drilled continuously as sort of a, you know, lifecycle management of recovery capabilities.
Right. I want to go back to something else that you mentioned at the top of that question. And you talked a little bit about how identity-based attacks kind of operate and the challenges facing attacks that operate in that aspect. But you also mentioned that threat actors are targeting backups. And so we talked about how backups can be used as this unique security telemetry tool, but I kind of want to talk about it from the threat actor perspective. I understand why an organization, you know, a nation-state group or some hacktivist group is targeting a backup system. But what can organizations do about that if, you know, they're thinking of their backups as their last line of defense? How can they prepare against those kinds of attacks?
Yeah, so it starts with, you know, things like isolated clean room recovery environments, air gapping. You have to be able to limit your access to the backup environments themselves. And so that's why a lot of threat actors today are targeting cloud-based backup, cloud-native backups specifically, is because there's not that, you know, there's not that barrier there. So I mentioned Evil Corp. There's another group that Microsoft is following closely called Storm-0501 that I think is sort of the proof that this has become a pure leverage play. So this group is known to deliberately target and delete backups to the point where they're no longer deploying traditional malware with their ransomware threats. They're just exfiltrating the data, deleting the backups, and saying, you know, and then delivering ransom without, you know, what we would consider a traditional piece of ransomware. This group used to deploy, you know, things like LockBit or Hive, BlackCat, but they've just completely left that off the, you know, the attack chain now because it's just, it's not necessary for them. They've already compromised the target to such a degree that the leverage is there.
So going back to how organizations can really leverage their backup data and start, you know, maximizing their value there, what are the three actionable steps that security and IT teams can take today to start getting that full value from their backup data?
Well, I mean, one is starting to scan the environment. You know, you have to be conducting the scans to get any real benefit from them. You want to be monitoring for things like configuration drift. So any suspicious activity in logs that you wouldn't expect to see in places like VPNs or appliances that are not, you know, the quote-unquote boxes that are not typically scanned by, you know, an EDR tool or, you know, other security solutions. And then finally, I would say the hardening and recoverability of that identity infrastructure is critical, especially if, you know, you're in a position where you're relying on cloud-native identity infrastructures like Entra ID and things like that.
Great things for everyone listening to start considering about their own organization if they're not already. But Kyle, thank you so much. Is there anything else that you want to leave the listeners with that we haven't already covered?
Um, no, I think I would just, you know, reiterate that because secure backups are not, you know, can't be altered, encrypted, or deleted, they often act as a de facto record of what your other security solutions have missed. So there's really no reason not to be probing them for that valuable threat intelligence.
Right, absolutely. That's a really interesting and different perspective than we've heard before. So thank you so much for joining us again. And, you know, until next time. This has been a wrap-down designed by Elliot Peltzman, audio mixing by Elliot Peltzman and Trey Hester, video production support by Bridget Kricke-Wilde and Sorel Joppe. Until next time, stay resilient.