Don't Be Held Ransom: Why MSP's Need a Modern Backup Platform to Protect Their Clients

As cyberattacks globally continue to grow, Managed Service Providers (MSPs) and their customers are a big target for ransomware groups. The Cybersecurity & Infrastructure Security Agency (CISA) began issuing advisories on the threat to MSPs back in 2022 providing what they call "Tactical actions for MSPs" to help safeguard themselves, and customers. They were right to release this advisory, since then there have been several public cases where an MSP or one of their managed clients have been ransomed.  

The latest public event is an MSP based in California. A law firm is suing them (for over $1M in damages), for allegedly failing to protect them from a ransomware attack. The lawsuit alleges that they did not adequately monitor the firm's systems or take steps to prevent the attack, which resulted in significant downtime and data loss.

What went wrong?

Data backups have long been the cornerstone of disaster recovery. In the event of a system failure, accidental deletion or even a ransomware attack, a solid backup strategy ensures business continuity.

In this instance, the law firm did have backups which were outsourced to the MSP as a managed service. When the firm requested a data recovery of their systems following the system outage it revealed a critical issue - their backups had been deleted by the cyberattackers! Leaving the firm with almost zero options in terms of recovery - other than to pay the ransom.  

Unfortunately, this is becoming very common among ransomware groups. A recent market survey on ransomware trends found that:

• 93% of cyberattacks target backup data first
• 75% report losing at least some of their backup data during a cyberattack
• 39% report a total loss of backup data

This highlights a critical blind spot in traditional backup strategies, MSPs and organizations need to shift tactics and ensure they are implementing modern backup principles. And what are those?

Modern backup principals

Traditionally, security and backups operated in separate silos. Security focused on preventing attacks, while backups aimed at recovering from them. However, with the rise of targeted backup attacks, these lines are blurring. Security needs to inform backup strategies, and backups need to be integrated with security measures for a holistic defense.

The National Cyber Security Centre released some principles for ransomware-resistance backups which provides sound advice to help MSPs design resilient managed backup services that are fit for the current threat landscape.  

Principle 1. Backups should be resilient to destructive actions

This principle focuses on ensuring your backups are resilient against attacks such as ransomware, specifically by making them difficult or impossible to destroy. The key points are:

• Backups should be difficult to delete or alter.
• One way to achieve this is by using "soft-delete" where data is flagged as deleted but still recoverable for a set period.
• Another method is to delay deletion requests for a set time to allow for verification by the owner.
• Ideally, true immutable storage is used for backups that prevents backup deletion even if multiple credentials are compromised.
• Finally, some systems completely forbid deletion requests from user accounts and require a separate approval process to ensure legitimacy.

Principle 2. A backup system should be configured so that it isn’t possible to deny all customer access

This principle emphasizes protecting customer access to backups even during an attack. An attacker might try to prevent access by deleting accounts. To prevent this, backups should be configured so an attacker can't block all access. Two suggestions are: 1) agree on a separate way for customers to access backups even if main systems are down and 2) avoid giving any one account full control over backups.

Principle 3. The service allows a customer to restore from a backup version, even if later versions become compromised

This principle describes how a service should protect backups from being corrupted by attackers. The key idea is that any backup service should allow restoring from older backups, even if newer ones are compromised, corrupted, or potentially contain malware or ransomware. This can be achieved by:  

• Let users test restoring from backups regularly.
• Store backups for a set amount of time, not just a specific number.
• Keep a history of backups so users can choose which version to restore from.
• Offer options for how many backups to keep for different lengths of time.
• Using modern AI-based techniques to mark well-known high-integrity backups for faster restores after cyberattacks.

Principle 4. Robust key management for data-at-rest protection is in use

This principle describes how to protect data at rest using encryption and key management. Even if data is encrypted, attackers could steal the encryption key to decrypt and access the data. To prevent this, organizations should follow best practices for key management, such as using cloud key management services or storing a backup key offline in a secure location.

Principle 5. Alerts are triggered if significant changes are made, or privileged actions are attempted

This principle suggests using alerts to detect potential attacks on cloud backups. Attackers might target backups before going after an organization's main systems, such as in this case between the MSP and law firm. By catching suspicious activity early, you can prevent a major attack.

The backup service should have sufficient audit logging and alerting capability. If someone tries to make significant changes or perform actions that require high-level permissions such as deleting data.

How can Alcion assist MSPs with this topical issue?

Alcion takes its security-first AI-driven backup-as-a-service platform and blends this with a modern set of core functionalities among many others to give an MSP backup and recovery foundational building block for MSPs to build services upon.  

Delayed Delete and Backup Immutability

Alcion has a cool-off period for destructive actions such as backup deletions. Deletions are delayed by 2 weeks and can be canceled from the Activity page. Further, even if an attacker attempts to delete users or remove licenses, their backups are not immediately removed. Finally, Alcion, by leveraging storage-level immutability, can ensure that backups can't be deleted even if an Alcion admin account or system is compromised.

AI-driven Ransomware Detection & Security Integrations

Alcion trains a set of AI models specific for every user based on several characteristics such as data access patterns. If signs of abnormal or suspicious activity are detected by the models which could be indicative of ransomware, Alcion will create an incident on the incidents page and notify the administrator via email.

Alcion uses multiple independent machine learning models to detect different ransomware strains that exhibit very different behavior (e.g., encrypting in place or replacing files with encrypted files, full vs. partial file encryption, etc.).

Alcion boosts its threat detection abilities by integrating with external security systems called XDR (Extended Detection & Response). The first of these integrations can leverage signals from Microsoft 365 Defender suite so that if ransomware is detected on endpoints or cloud applications, Alcion can take proactive backups before ransomware spreads widely.

Multi-tiered Retention

Alcion has a very strong stance on backup data retention. Alcion’s security tier retains three backups per day for 30 days, one daily backup for 90 days, one weekly backup for 26 weeks, and then monthly backups forever (for the life of the account).  

Activity Logging & Compliance

Alcion provides an activity dashboard to track all account activity, past and present. This covers a range of system and user signals such as backup events, restores, exports, deletions, and even changes to backup policies. You can easily see the status and details of any of these operations. These operations can be easily filtered by operation types and timeframes of interest for quick investigation.

Alcion also assigns a compliance score to show how well-protected each resource type is. The score considers whether a protection policy is assigned and if there's been a successful backup within the last day. Alcion also flags customer resources that show high usage but aren’t protected by a backup policy to show potential gaps in data protection.

Backup Data Encryption  

Alcion uses per-tenant encryption keys for client-side data encryption. These keys are independent of the underlying object storage, providing an additional layer of security. Where a customer requires it for compliance purposes Alcion provides customers the ability to provide their own encryption keys. Operationally, all backup is data encrypted in transit (using SSL/TLS) and at rest (using AES-256).  

Summary

In today's threat landscape, where ransomware attacks are constantly evolving and MSPs and their customer backups are key targets, traditional data protection solutions simply aren't enough. Alcion is a modern data protection platform designed from the ground up to combat these threats. By leveraging AI and a security-first approach, Alcion offers a powerful MSP backup solution for MSPs to build upon and deliver robust data protection services to their clients.

‍