Backups obviously play a critical role in recovering from hacking and ransomware events. But they are not the only thing that matters. In fact, an organization that suffers a hacking or ransomware attack usually has to do several things:
- Recover their systems from backup.
- Investigate to find the security hole that enabled the attack, and remediate it to make sure the same thing cannot happen again.
- Lodge a cyber insurance claim if appropriate.
- Report any applicable data breaches to the appropriate authorities.
- Report the incident to law enforcement, if necessary.
So in effect, backup and recovery covers only the first item on that list: getting the organization running again from a technology viewpoint.
But the other items are equally important, especially a thorough investigation to determine what happened. That investigation then forms the basis of remediation (important to prevent a repeat attack) and of any cyber insurance claim.
Can backup software play a role in helping here?
The problem is that investigations become much harder when the right forensic evidence is not available. And the problem SMEs face is that there has been no mainstream system that collects this evidence ahead of time, "just in case".
That is, of course, until now!
At BackupAssist, we’re really proud to be the first mainstream backup software vendor to include a Cyber Black Box in our backup software to capture forensic data and logs.
Much like the black box flight recorder, Cyber Black Box™ is a go-to resource that investigators can rely upon to see important diagnostics leading up to a cyber incident.
There are so many benefits that Cyber Black Box™ can deliver – check out our Cyber Black Box marketing page for more details.
In this blog, I’d like to give you a behind the scenes look at how this feature was conceived, and some background as to why this new feature will be valuable for SMEs.
Understanding the challenges faced by digital forensics investigators
When forensic investigators try to piece together a timeline of events, they need to see how system activities change over time. That means understanding historic activities, such as network connections, registry, disk snapshots, and so on.
There’s a real art to doing this – it takes skill and a lot of patience. I’ve done my fair share of forensics courses at Black Hat, so I know how much patience is required… (certainly more patience than I have! Plus, I find software development far more enjoyable.)
But while in theory, a forensics investigation can uncover a lot, I didn’t realize some of the practical challenges faced by investigators until recently.
In 2018, I attended the Australian Cyber Security Centre Conference, which is Australia’s premier cyber conference, with security experts from Australia and abroad discussing the latest threats, mitigations and advances in cybersecurity.
One presentation of particular interest to me was given by the Australian Federal Police (roughly, Australia’s equivalent of the FBI) on forensic investigations after a cybercrime had taken place. The presenter noted that hacks of SMBs were rampant – exactly the same feedback I’d received through our resellers and partners.
The presenter made a few points that stuck in my mind:
- Investigations are expensive, and law enforcement agencies are stretched.
- The biggest frustration in his job was often having a lack of evidence. Not having the evidence readily available would either increase the time taken to conduct an investigation, or result in an inconclusive diagnosis, or both.
- Often, valuable evidence was never logged in the first place – this includes transient information such as a list of open network connections. Alternatively, evidence that was logged might have been deleted as the hacker covered his or her tracks.
- It’s very useful to have historic information as well – for example, to see what network connections were open a day, week or month ago, so that it’s possible to see changes in activity.
In the time since then, I’ve spoken to multiple forensic investigators in different countries, including those that handle insurance claims. The message has been consistent – having more relevant forensic information readily at hand will only assist their investigation.
More relevant evidence = faster and more accurate investigation = faster resolutions, better remediations.
How does this affect the Small to Medium Enterprise?
SMEs tend to have limited budgets, yet are popular targets for attack, because they are often perceived as easy targets. They lack the deep pockets that enterprises have when it comes to purchasing cyber security products. And they also lack the deep pockets to employ a team to maintain those cyber security products.
So while enterprises are served well with advanced real-time threat monitoring and logging, most SMEs I talk to think they’re doing well with a firewall, backup software, anti-virus / anti-malware and email filtering.
Without such tools for network monitoring, real-time anomaly detection and immutable logging, an SME that is hacked has little forensic data to work from, so any investigation starts on the back foot.
So, getting back to the main point, what ultimately matters to SMEs is:
- Fast resolution to get back to normal operations.
- Discover and remediate the root vulnerability so a repeat attack cannot occur.
- Lodge the cyber insurance claim and get paid.
Anything that helps expedite the investigation keeps costs down and speeds up the outcome. And although cyber insurance usually covers investigation costs, policies come with caps, above which the victim has to pay.
Why are backups the perfect place to put the information?
I soon realized that at BackupAssist, we’re in the perfect position to help. Backups are actually the perfect place to capture and store such forensic information, for multiple reasons:
- Good attackers try to conceal their tracks. It’s common for an attacker to delete logs as the last act of the intrusion. Guess where deleted data can be recovered from? The backups – provided a backup ran after the logs were written and before they were deleted, which is why the forensic data has to be captured with every backup rather than once.
- Some hacks are staged over time, so historical logs might be required in order to see changes spread over days or weeks. However, many log systems have a limited buffer, so the desired logs may not be available. Or perhaps the current logs have been deleted. Guess where historical data can be recovered from? The backups.
- The average SME doesn’t have a dedicated logging or anomaly detection system. But what does the average SME have? Backups.
- We already have our CryptoSafeGuard shielding technology built into BackupAssist, so it’s a natural fit to use it to shield the forensic data from tampering or corruption.
What does Cyber Black Box™ do?
As the name implies, it acts much like an aircraft “black box” recorder. It will capture data from various inputs, and store copies of them in a safe place…
In our case, the safe place is a directory protected by CryptoSafeGuard (our proprietary shielding technology, which blocks unauthorized access), and that directory is included in the regular backups. This means the latest version of the forensic data can be obtained from the live system or the last backup, while historical copies are automatically retained with each earlier backup.
Cyber Black Box data is automatically included in BackupAssist backups – including system drive images, and also file backups to the cloud. This gives you onsite, offsite and offline backups of this data, depending on your setup. Because the data logs are compressed, they take up hardly any space.
What information does Cyber Black Box™ capture?
Fortunately, the presentation from the Australian Federal Police included a shortlist of the most valuable and useful pieces of forensic information. So for our first release of Cyber Black Box, we’re including logging from these sources:
- Basic system and software version info
- Detailed system info via WMI (including storage, features, hotfixes, drivers)
- Disks and volumes – critical volumes, partitions information
- Network connections and activity – current connections, port listeners, routing table, network statistics
- Process list
- Volume Shadow Copy Service (VSS) details – providers, snapshots, shadow storage, volumes, writers and writer states.
Of course, we’ll add more data points to our black box system as we continue the development of it, consulting with digital forensics investigators and law enforcement to continually improve the usefulness of what’s collected.
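To make the list above concrete, here is an added example, written for this post and not BackupAssist’s own code, of what a minimal "black box" collector looks like in PowerShell: it snapshots each of the categories listed into a timestamped directory with a hash manifest, and includes a small comparison function for spotting listeners that appeared between two snapshots, the kind of change-over-time question investigators raised earlier. The output root `C:\ForensicSnapshots` is a hypothetical path (in the product it would be the CryptoSafeGuard-protected directory that the backups pick up), and the script assumes Windows 10 / Server 2016 or later, PowerShell 5.1 or newer, and an elevated session so `vssadmin` and full process details work.

```powershell
# Added example (not BackupAssist's code): a minimal forensic "black box"
# collector for the data categories listed above, plus a comparison of two
# snapshots. Assumes Windows 10 / Server 2016+, PowerShell 5.1+, elevated
# session. The output root is a hypothetical path.

function New-ForensicSnapshot {
    param([string]$OutRoot = 'C:\ForensicSnapshots')   # assumed location

    $dir = Join-Path $OutRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Each source is collected in isolation so one failure does not abort the rest.
    function Save-Part([string]$Name, [scriptblock]$Collector) {
        try {
            & $Collector | ConvertTo-Json -Depth 4 |
                Set-Content -Path (Join-Path $dir "$Name.json") -Encoding UTF8
        } catch {
            "collection failed: $($_.Exception.Message)" |
                Set-Content -Path (Join-Path $dir "$Name.error.txt")
        }
    }

    # Basic system and software version info, plus detail via WMI/CIM
    Save-Part 'os'       { Get-CimInstance Win32_OperatingSystem |
                           Select-Object Caption, Version, BuildNumber, InstallDate, LastBootUpTime }
    Save-Part 'hotfixes' { Get-HotFix | Select-Object HotFixID, Description, InstalledOn }
    Save-Part 'drivers'  { Get-CimInstance Win32_PnPSignedDriver |
                           Select-Object DeviceName, DriverVersion, DriverProviderName, IsSigned }
    Save-Part 'features' { Get-CimInstance Win32_OptionalFeature |
                           Where-Object InstallState -eq 1 | Select-Object Name }

    # Disks, partitions and volumes
    Save-Part 'disks'      { Get-Disk      | Select-Object Number, FriendlyName, Size, PartitionStyle, OperationalStatus }
    Save-Part 'partitions' { Get-Partition | Select-Object DiskNumber, PartitionNumber, DriveLetter, Size, Type }
    Save-Part 'volumes'    { Get-Volume    | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size, SizeRemaining }

    # Network state: transient, and rarely logged anywhere else.
    # State is stored as text so it survives the JSON round trip readably.
    Save-Part 'tcp'     { Get-NetTCPConnection |
                          Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
                              @{ n = 'State'; e = { [string]$_.State } } }
    Save-Part 'udp'     { Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess }
    Save-Part 'routes'  { Get-NetRoute | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric }
    Save-Part 'netstat' { netstat -s }            # protocol statistics, kept as raw text lines

    # Process list with parent, command line and image hash, so a renamed or
    # replaced binary stands out when two snapshots are compared later
    Save-Part 'processes' {
        Get-CimInstance Win32_Process |
            Select-Object ProcessId, ParentProcessId, Name, CreationDate, CommandLine,
                @{ n = 'SHA256'; e = { if ($_.ExecutablePath) {
                    (Get-FileHash -LiteralPath $_.ExecutablePath -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash } } }
    }

    # Volume Shadow Copy Service state (vssadmin output kept verbatim)
    Save-Part 'vss-providers' { vssadmin list providers }
    Save-Part 'vss-shadows'   { vssadmin list shadows }
    Save-Part 'vss-writers'   { vssadmin list writers }

    # Per-file hashes, so later tampering with a stored snapshot is detectable
    Get-ChildItem -Path $dir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation

    return $dir
}

function Get-ListenerKey($conn) { "$($conn.LocalAddress):$($conn.LocalPort)" }

# Listening sockets present in the newer snapshot but not the older one:
# the kind of change an investigator looks for across days or weeks of backups.
function Compare-ListenerSnapshot([string]$OldDir, [string]$NewDir) {
    $old = Get-Content (Join-Path $OldDir 'tcp.json') -Raw | ConvertFrom-Json |
           Where-Object State -eq 'Listen' | ForEach-Object { Get-ListenerKey $_ }
    Get-Content (Join-Path $NewDir 'tcp.json') -Raw | ConvertFrom-Json |
        Where-Object { $_.State -eq 'Listen' -and (Get-ListenerKey $_) -notin $old } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

# Take a snapshot when run directly; dot-source the file to use the functions alone.
if ($MyInvocation.InvocationName -ne '.') {
    $snapshot = New-ForensicSnapshot
    Write-Host "Snapshot written to $snapshot"
}
```

Run it elevated from a scheduled task that fires just before the backup job, so each backup carries a fresh snapshot. To answer the "what changed since last week" question, dot-source the script and call `Compare-ListenerSnapshot` with two snapshot directories restored from different backups; the manifest lets you confirm those restored files are the ones originally written.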
Where to from here?
For us, Cyber Black Box is a continuation of the cyber-aware features in BackupAssist, building upon our CryptoSafeGuard features. It’s a commitment from us to our clients to evolve and stay on top of their cyber-resilience needs. I’m proud of our team who developed this feature, so we can now share it with the world.
We plan to keep enhancing Cyber Black Box by expanding the logging functionality, which will further assist investigators. We’ll also look at additional retention rules, and keep working with law enforcement to further improve the effectiveness of Cyber Black Box.
How do I get Cyber Black Box™?
This great new feature is available in BackupAssist Classic v11, and will be included into BackupAssist ER in early 2021.
If you have any questions, please reach out to our Client Success team, and we’d be delighted to have a chat!