Could You Recover From a Destructive Cyber-Attack?

By Stefan Voss, Dell EMC

Destructive cyber-attacks have become part of our daily lives. A few lines of code can take down an entire enterprise and cyber-attacks are growing in sophistication.

A Changing Threat Landscape

Lloyd’s of London estimated that that a serious cyber-attack could cost the global economy more than $120 billion – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.[i]

Most cyber-attacks are financially motivated and Ransomware continues to be a major threat. However, Ransomware isn’t the only type of attack companies are worried about since data corruption can stem from different  attacks including insiders and wiper-ware (e.g. NotPetya).

Organizations are not confident in their ability to detect and investigate breaches quickly, in part because of the explosive growth in the amount of malware variants.

While investment in prevention and detection will (and should) continue, organizations realize that effective strategies to respond and recover are just as important. Most believe that isolation and recovery from backups are effective strategies to respond to destructive cyber-attacks.

Data recovery should be done in the context of overall incident response, however, that can prove easier said than done. According to ESG[ii], 73% of organizations believe that the relationship between IT security and business risk can be difficult to coordinate. This is why security professionals like Chief Information Security Officers (CISOs) are more involved in the data recovery strategies of an organization.

Cyber-Attacks Impact the Bottom Line

Equating the cost of a destructive malware attack to the amount of ransom demanded is a bad assumption. Estimates in of the average cost of a malware attack vary. Accenture[iii] estimates the average cost to be $2.4 million but the study also reveals that the cost varies by organizational size and vertical (Financial Services being #1). Regardless, the average cost is worsening year over year, with a 27.4% increase from 2016 to 2017 alone.

In all cases, the cost of a cyber-attack will increase as the complexity of the attack and the recovery time increases. The top three attack types in terms of response times are malicious code, malicious insiders, and ransomware. Most sophisticated attacks use a combination.

Consider a large retail company that was one of the 60 organizations impacted by the NotPetya attack. In business terms the impact of the cyber-attack can be summarized as follows:

  • Attack vectors: supply-side malicious code injection, wiper ware disguised as Ransomware
  • Velocity of Attack: minutes for the malware to compromise the organization.
  • Revenue Impact: 17 factories came to standstill resulting in $15 million in lost revenue daily. Total Revenue Loss: >$65 million (it took over 4 days to restore business critical systems).
  • Ransom Demand: $300 per computer with a total of $1.5 million across 5,000 machines. NOTE: paying ransom would have been ineffective since no means of decryption was built into the NotPetya wiper ware. Ransom was not paid.
  • Productivity Impact: 5,000 Windows systems down, 17,000 employees impacted. Financial impact not disclosed.
  • Recovery Costs: hundreds of emergency beds, multiple recovery teams. Data recovery 4.5 days from Dell EMC Data Domain system compared to 4-5 weeks projected if recovery were done from tape directly. Financial impact not disclosed.
  • Brand Damage: cyber-attack publicized in major news outlets (online, print). Financial impact not disclosed.

Dell Cyber Recovery – A Key Component of Your Security Posture

Dell Cyber Recovery gives organizations an effective strategy to improve the maturity of their security posture. According to Gartner[iv], traditional backup services are not designed for recovery from cyber-attacks. Gartner along with several other analysts and government agencies recommend making backup images or gold copies inaccessible from the network through air-gapped media.

This is the central tenet of Dell Cyber Recovery. The technical solution assumes that a hardened backup and disaster recovery infrastructure is already in place. Organizations today use Dell Cyber Recovery as the last line of defense for business critical data.

The mechanics of Dell Cyber Recovery are actually quite simple:

Step 1: Periodic synchronization of data from the production network to the Cyber Recovery (CR) Vault, a dark site with a dedicated private network. The replication link is only online during the synchronization itself. Note that both backed up data and the metadata of any backup application is synchronized. This adds additional protection from cyber-attacks targeted at the backup infrastructure.

Step 2: Once the data is synchronized into the CR Vault, immutable copies are created to ensure that even administers authorized to access the CR Vault cannot delete them. All the copies in the CR Vault are pointer based and highly efficient.

Step 3: Sandbox copies can be created for purpose of recovery drills of analytics. A future post will dive deeper into built in analytics capabilities to find indicators of compromise (IOCs) in the native backup format.

Under the covers, Dell Cyber Recovery leverages industry leading technology from Dell EMC Data Domain including secure replication, data invulnerability architecture, retention lock, and data efficiency.

For more information check out this video and be sure to visit the Dell Cyber Recovery Site.


[i] The Guardian: https://www.theguardian.com/business/2017/jul/17/lloyds-says-cyber-attack-could-cost-120bn-same-as-hurricane-katrina

[ii] ESG Custom Research: Cybersecurity and Business Risk Survey, March 2018

[iii] Accenture: 2017 Cost of Cyber Crime Study

[iv] Gartner: Backup and Recovery Best Practices for Cyberattacks, Author: Ray Schafer, Published: 22 June 2017