Banking Trends 2022: Cyber vault and Ransomware

Ransomware, a malicious software that is designed to disrupt, damage, and/or gain unauthorized access to a computer system and its data, has been on the rise. As per Sophos, 34% of financial services organizations that were surveyed indicated that they had been hit by ransomware in 2020. Moreover, 51% of those attacks succeeded in encrypting the data, and 62% of those whose data was encrypted used backups to restore data.

Although there are various regulations, such as FINRA, SOX, KYC, GDPR, and MiFID 2, that require a financial institution to implement the compliance archiving of data, there are no direct regulatory requirements to deal with ransomware. Recently though, due to the rising threat of ransomware attacks and other cyber threats, the FDIC along with the Federal reserve board and the OCC have issued a Final rule – Computer-Security Incident Notification Final Rule. This includes guidelines for a supervised banking institution to notify the FDIC in case of any cyber-related events, including ransomware attacks. In another effort, the Sheltered Harbor organization, with the help of experts from the U.S. Financial Services industry, has developed a Sheltered Harbor standard which comprises the best practices and materials for all of the participating organizations to deal with a cyber incident, such as a ransomware attack.

Preventing and limiting the impact of ransomware

There are various steps that an organization can take to prepare and protect themselves against a ransomware attack. To get started, they should 1, Create a cyber vault environment (an isolated recovery environment for critical business functions) and back up data frequently into this environment. 2, Make sure that all software that touches this platform is up-to-date on the latest releases and security patches. 3, Maintain disaster recovery and operations contingency plans that are frequently tested for integrity and recoverability. 4, Maintain least-privilege practice by restricting access for users, and processes to only those resources absolutely required. And 5, Educate employees regarding cyber security and make sure that they follow best practices for online behavior and privacy.

Building a cyber vault environment involves first building a data vault. A cyber data vault protects the mission critical data of an organization in a separate high security area. The data is copied periodically from the source, scanned for malware and anomalies, and finally stored in a WORM (write once, read many) compliant storage. Air-gapping is a common technique used to isolate the data vault network from the production environment network and the internet. The connectivity between both of the environments is maintained using network controls and/or access controls. In this case, the data vault is kept isolated and mostly unreachable from the outside using next gen firewalls and zero trust frameworks. Furthermore, data is pulled into the data vault from various sources rather than pushed into the vault.

A cyber vault recovery solution takes the data vault one step further and helps organizations recover the services and infrastructure needed to run the critical business services in an environment that is separate from the current production environment. The cyber vault solution includes all of the common infrastructure services, such as compute, network, and database, and it’s generally operable within a predefined recovery time.

Cyber vault solution on AWS

Our customers generally adopt two different approaches to deploy their cyber vault solution on AWS Cloud: 1, Production application in one AWS region and the cyber vault solution in a different AWS region, and 2, Production application in their on-premises environment and cyber vault solution in AWS. Regardless of the approach that they take, they use AWS Cloud as their trusted partner for their cyber vault solution as it provides three distinct benefits: 1, Agility – Utilize the various services and features that AWS offers to build a secure and compliant service, with the ability to make changes quickly when the threat landscape changes. 2, Speed – Ability to implement a cyber vault solution on AWS much faster than on-premises. And 3, Better cost performance – Implement a cost-effective solution by only paying for what you use and scaling as the data volume increases.

Customers leverage multiple services on AWS to accelerate the creation of their cyber vault platform. They use services such Amazon Simple Storage Service (Amazon S3) to store immutable copies of the data using the S3 Object lock feature, and also store multiple copies of the data using object versioning (compliant with SEC Rule 17a-4(f)). They use purpose-built machine learning (ML) services such as Amazon Macie to scan data at rest to identify anomalies and check for changes in data. They can also track unauthorized access (and changes) to the data and the cyber vault environment by leveraging services such as AWS Audit Manager and AWS Config rules. And finally, they can build a secure platform by leveraging various services, such as AWS Identity and Access Management (IAM) to better manage least-privileged access to the data and the platform, Amazon GuardDuty to continuously monitor the environment for malicious activity and unauthorized behavior, and AWS Network Firewall to monitor and protect network and web traffic within the environment. A full list of all of the services that can be leveraged to build the cyber vault solution can be found in the whitepaper Ransomware Risk Management on AWS Using the NIST Cyber Security Framework (CSF) here.

The best way to recover from a ransomware attack is to have a reliable and fast backup process. It often involves restoring to a previous point-in-time just before the attack occurred. AWS services, such as AWS Backup and AWS Elastic Disaster Recovery (AWS DRS), can be used to recover data to a certain point-in-time across various AWS services in a very short period of time.

AWS also has a large partner ecosystem that offers products and solutions in the space. The Dell EMC PowerProtect Cyber Recovery for AWS or Cohesity’s Solutions for Air-Gap Data Protection are two of these solutions that offer a secure AWS Cloud vault for critical data from ransomware.

How are our customers implementing Cyber event recovery solutions on AWS?

Ingress zone: The raw data from the input source is first copied and stored in this zone. This zone contains different ways of sourcing data and storing it in an encrypted S3 bucket with the right security controls using IAM. This zone is ephemeral in nature so as to provide a digital air gap to the vault architecture.

Analytics zone: The raw data must be analyzed to make sure that the corrupt data isn’t transmitted to the cyber vault. You can use services such as Macie to identify corrupt data, or write your own custom logic using AWS Lambda functions.

Vault zone: Data once analyzed to make sure that it isn’t corrupt is then stored in a WORM compliant storage where the data once written can’t be modified by anyone. This data is safe to be consumed in the event of a ransomware incident.

Forensics zone: In the event of a ransomware incident, data from the Vault zone can be further analyzed for anomalies before being used for recovery purposes. This is an optional step for organizations that are looking to do more due diligence prior to the recovery process.

Egress zone: The recovery process can recover the data from the vault through the Egress zone. By having a separate Ingress and Egress zone, we’re securing the Vault from any outside access and making sure that only the services that need access to the data have the access. This zone, similar to the ingress zone, is ephemeral in nature so as to provide a digital air gap to the vault architecture.

Management Interface zone: The main interface layer with the data vault, used to authenticate access requests, management actions, and provide the relevant status and reporting information.