Using Bitlocker to prevent data leaks on case of ransomware?

RafaelSoaresP

Hi guys!

I run a couple of Windows servers at work, for network storage.

We have daily cloud backups and AV/AR, so data availability / restoration is not an issue, but I'm worried about data leaks in case of ransomware attacks.

Does disk encryption (BitLocker, or something similar) help to prevent the data from being read / released by the attacker? Or is it already decrypted when they copy it from my OS to their server?

Sort of but not really. Most are smart enough to be able to decrypt it given enough computing power.

I see three possible vectors:

1. Attacker gets access to the server itself - This might be the easiest way for the attacker to recover and release the data, as it's already accessible from the OS;

2. Attacker gets access to a client that is connected through the network storage - might be just as easy to copy the files that the specific user has permissions to access, as they are accessible through the OS;

3. Attacker uses some network vulnerability to attack the server - This might be the "least worse" scenario, as the files should be encrypted to non-participants of the network share.

With full disk encryption, data is encrypted at rest. Meaning if I go into your server rack and take one of those disks, I won't be able to read it after plugging it into my own PC.

While the server is running, Windows and/or programs can obviously read the files' contents; encryption/decryption is transparent. So malware running on the server can read anything it has access to.

19 minutes ago, jaslion said:

Sort of but not really. Most are smart enough to be able to decrypt it given enough computing power.

Eh, it is not in any way feasible to brute-force a BitLocker recovery password.

13 minutes ago, RafaelSoaresP said:

I see three possible vectors:

1. Attacker gets access to the server itself - This might be the easiest way for the attacker to recover and release the data, as it's already accessible from the OS;

2. Attacker gets access to a client that is connected through the network storage - might be just as easy to copy the files that the specific user has permissions to access, as they are accessible through the OS;

3. Attacker uses some network vulnerability to attack the server - This might be the "least worse" scenario, as the files should be encrypted to non-participants of the network share.

If the attackers are in any way interested in the data and not just the ransom, they're going to go with option one or two. Option two seems like the most likely thing to happen as well, users are notoriously stupid (even the ones that aren't). It is obviously the job of a sysadmin to minimize the risk of this happening as well as minimizing the impact a compromised client can have. Sane e-mail policies are a good start (given that you have control over your company's email infrastructure).

22 minutes ago, Hans Christian | Teri said:

If the attackers are in any way interested in the data and not just the ransom, they're going to go with option one or two.

23 minutes ago, Eigenvektor said:

While the server is running, Windows and/or programs can obviously read the files' contents; encryption/decryption is transparent. So malware running on the server can read anything it has access to.

That's what I thought 😞

Any suggestions to avoid data accessibility to possible attackers besides not getting infected in the first place?

12 minutes ago, RafaelSoaresP said:

Any suggestions to avoid data accessibility to possible attackers besides not getting infected in the first place?

I suspect the most secure way would be to physically isolate the data and only attach it when needed. Or keep it on another system that requires (different) credentials to access it.

Then maybe some form of "manual" encryption where you have to explicitly decrypt the file before use and then encrypt it again after it was modified. But both of these are not very convenient. Not sure how you'd automate that as much as possible while still keeping it secure. Not really a security expert.

Your best bet would be asking in a place like this: https://security.stackexchange.com/

Keep in mind that ransomware will encrypt all data; it doesn't care whether it can read it or not. Encrypted files will be encrypted with its own algo.

The solution to ransomware is to have hourly backups (with the possibility to go back in time on data) on an external server that would be protected against ransomware (it can do its backup but cannot have files deleted). Mix with daily offline backups. So at worst, ransomware will only make you lose a day of work if the hourly backups failed to be secured properly.

Your next problem is data that has been stolen. There is not much you can do other than working with a security expert company, to give you the best advice for your company setup and identify your current issues with the resources you have. We are not security experts here.

For a home setup, I suggest having offline backups, and having Windows File History enabled, where the data is stored on a NAS. The idea is that if your data gets encrypted, you can roll back. If your NAS fails and loses your data, you have your offline backups.

You can also enable the Windows Defender Personal folder protection feature, to block all apps from accessing your personal files, and only allow those you want to be able to access those folders, and / or you can set your system (options in the Settings panel) to lock itself and start blocking non-Store apps that are not already installed from running. Meaning everything you installed now will run fine, but all future apps need to be from the Store (or until you switch the option back to allow all apps from anywhere).

Again I am not a security expert, no one here is, so follow the advice at your own risk.
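The Defender feature described in the post above is called Controlled folder access. As an added example (not code from any poster in this thread), the following PowerShell stages it in audit mode first, so legitimate applications that write to the shares can be found in the event log before anything is blocked; the share paths and the allowed application path are placeholders.

```powershell
# Added example: stage Microsoft Defender Controlled folder access in audit mode,
# review what it would have blocked, then enforce. All paths are placeholders.
# Requires an elevated PowerShell session on Windows 10/11 or Windows Server 2019+.

$ProtectedFolders = @('D:\Shares\Finance', 'D:\Shares\Engineering')   # placeholder share paths
$AllowedApps      = @('C:\Program Files\BackupAgent\agent.exe')        # placeholder trusted binary

# 1. Audit mode: nothing is blocked yet, but every write to a protected folder that
#    enforcement would refuse is logged, so legitimate apps can be allow-listed first.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolders
Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApps

# 2. Show the resulting configuration.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 3. After a few days, list what audit mode recorded.
#    Event 1124 = would have been blocked (audit), 1123 = blocked once enforcement is on.
function Get-CfaEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event message carries the process name and the protected path it touched.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1124) { 'Audit' } else { 'Blocked' }
            Message = $_.Message
        }
    }
}

Get-CfaEvents -Days 7 | Format-Table -AutoSize -Wrap

# 4. Once only unexpected processes appear in the audit log, switch to blocking.
#    Anything not on the allow list is then denied write access to the protected folders.
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Audit mode protects nothing by itself; the point of the staging step is to avoid breaking the backup agent or line-of-business apps when the last line is uncommented.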

It is in fact a company setup. I'm looking at using encryption based on certificates / keys that are installed for the user by GPO upon login to our AD. I'm still experimenting with it, but in theory, if someone has the files but is not logged in to our domain, they wouldn't have the key to decrypt them, and the data should be safe if copied to somewhere outside our network.

Thanks to everyone for all the input so far.
