When, why and how to create a secure backup strategy


When data is compromised, the last line of defense is your backup.

Over the past year, the tactics used by cybercriminals have changed. And that puts large enterprises with legacy backup environments at major risk.

Attackers have realized that attacking the backups is the single most important factor in determining whether the victim will pay the ransom.

And it seems to work.

According to a Sophos survey, the average cost to recover from a ransomware attack has more than doubled in one year.

This same report also shows that only 8% of organizations manage to recover all their data after paying the ransom.

If organizations are unable to recover their data, the impact would be devastating – and not just because of the ransom payment.

Damages could include lost revenue, significant business disruption, damage to brand reputation, and regulatory fines if consumer data is compromised.

The fact that so many victims ultimately choose to pay the ransom raises serious concerns about the maturity of backup security across the market.

Fueled by the vast media coverage and dramatic financial repercussions of data-centric crimes, organizations are in a race to identify and close the gap.

“I have backups, so what could go wrong?”

I hear this question a lot, so I’m going to cut to the chase and tell you exactly what can go wrong!

  1. What if some of the critical data was never backed up? How do you know you back everything up? Do you check this regularly?
  2. Have you tested the restore? What if the data that was backed up cannot be restored successfully (either because the backup job was not scheduled correctly, because an undetected error occurred, or because you didn’t back up critical metadata, such as encryption keys, permissions, etc.)?
  3. Cybercriminals can compromise or sabotage the backups themselves.
  4. You don’t back up frequently enough, and too much data will be lost when
  5. The restore process is not documented.
  6. The actual restore time is much longer than expected (you wait for hours and find out it takes days or weeks; for example, tapes have to be shipped from all over the country and the restore takes days and days).

“While many CISO efforts are geared toward prevention and detection, insufficient attention is paid to securing backup environments. It’s a glaring blind spot. Organizations need to close this major gap to secure their last line of defense.”

George Epen, Group CIO

Backup Attack Horror Stories

To a large extent, the ability to recover data after an attack relies on proper data protection techniques.

Although these are often thought of collectively as “backups”, in most companies they include: mirrors, snapshots, clones, replicas, DR, backups and archives.

At first, ransomware kits only corrupted data. They quickly evolved to also destroy restore points and operating system snapshots. Now they are starting to target backup systems and central storage.

The motivation is obvious. If the recovery mechanisms are destroyed, organizations will have no choice but to pay the ransom or give up hope of recovering their data.

Aside from the evolution of ransomware, many articles indicate that there is a time gap between initial malware penetration and actual damage.

For a business under attack (specifically, financial services organizations, nation states, and organizations with significant restricted intellectual property), cybercriminals may choose to let weeks or even months pass by, using that time to research, plan and execute a much more elaborate infiltration, including:

  • Ensure that important parts of the IT environment are compromised (lateral spread)
  • Infect central management and control components (e.g. Active Directory, central logging systems, management consoles, image repositories, source code libraries, etc.)
  • Disable data protection mechanisms, “trap” or “poison” future copies of data (see more details below)
  • Gradually exfiltrate sensitive, proprietary, restricted or other high value data (e.g. personal, financial or medical records, state or trade secrets)


(Based on real events)

Ransomware groups will do anything to force a bank to pay a ransom.

To do this, they destroy the bank’s data and its backup copies, so that the data cannot be recovered.

Cybercriminals compromise a bank employee’s PC and infect it with malware.

Within hours, they infect the devices of other employees and eventually find the login credentials to the bank’s backup systems.

Cybercriminals discover that a large portion of backups can be deleted. However, some of the backups are stored on immutable media, which cannot be deleted.

They now decide to escalate, to prevent the bank from recovering its data.

With time on their side, they begin to poison new backups.

They do this by gradually overwriting the backed-up data with junk.

So far, nothing is noticed: the backup administrator is not alerted to changes in the stored backups.

The cybercriminals now wait, as the bank gradually backs up less real data and more junk data.

After a few months, with the immutable backup files now being poisoned, the attackers start deleting the rest of the backup files, stored in normal storage.

They are also starting to encrypt production data.

The infrastructure team tries to restore the data, only to find that most of the backup is gone. And the only remaining copies are 90 days old.

All new records, transactions and customer information are poisoned!

The bank has very little choice but to pay the ransom.

In this scenario, the cybercriminals were successful because the bank had no way to detect configuration changes to its backups or to protect against unauthorized changes.
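The two gaps this scenario turns on, undetected configuration changes and undetected overwriting of stored copies, can both be closed by sealing a baseline at backup time and checking the stored copy against it. The following Python script is an added example, not code from the original post or from any product: it records the backup configuration and a per-object SHA-256 digest in a manifest sealed with an HMAC, then compares a later state of the backup against it, reporting configuration drift (retention shortened, alerting switched off), objects whose stored content no longer matches what was captured, and a mass-change condition when many objects differ in one run. The configuration keys, object names, contents and the key are constructed sample values; the design assumes the HMAC key is held somewhere the backup server's own administrative credentials cannot reach (a separate vault or HSM), otherwise an attacker holding those credentials could simply re-seal a poisoned baseline.

```python
"""Detect silent backup poisoning and unauthorized backup-configuration changes.

Added example, not code from the original post. Config, object contents and
the key below are constructed sample values.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(config: dict, objects: dict, key: bytes) -> dict:
    """Seal the backup config and per-object digests captured at backup time.

    objects maps object name -> bytes as read from production when the copy
    was taken; only digests are stored, never the data itself.
    """
    body = {
        "config": config,
        "digests": {name: sha256(blob) for name, blob in objects.items()},
    }
    serialized = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, serialized, "sha256").hexdigest()}


def verify_manifest(manifest: dict, key: bytes) -> bool:
    serialized = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, serialized, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def check_backup(baseline: dict, current_config: dict, stored_objects: dict,
                 key: bytes, max_change_ratio: float = 0.25) -> list:
    """Compare a stored backup and its current config against the sealed baseline.

    Returns a list of operator-readable findings; an empty list means clean.
    """
    if not verify_manifest(baseline, key):
        return ["baseline manifest failed HMAC check: treat the backup as untrusted"]
    findings = []
    base = baseline["body"]

    # 1. Configuration drift: any key added, removed or changed is reported.
    for k in sorted(set(base["config"]) | set(current_config)):
        old, new = base["config"].get(k), current_config.get(k)
        if old != new:
            findings.append(f"config drift: {k} changed from {old!r} to {new!r}")

    # 2. Content integrity: the stored copy must still match its capture-time digest.
    changed = 0
    for name, digest in base["digests"].items():
        blob = stored_objects.get(name)
        if blob is None:
            findings.append(f"missing object: {name}")
            changed += 1
        elif sha256(blob) != digest:
            findings.append(f"content mismatch (possible poisoning): {name}")
            changed += 1

    # 3. Mass change: one bad object may be bit rot; many in one run is the
    #    fingerprint of deliberate overwriting and deserves a higher severity.
    total = len(base["digests"])
    if total and changed / total > max_change_ratio:
        findings.append(
            f"{changed}/{total} objects differ from baseline, above {max_change_ratio:.0%} threshold")
    return findings


# Constructed sample data (not a real bank, not real keys).
KEY = b"constructed-demo-key-store-this-away-from-the-backup-server"
BASE_CONFIG = {"retention_days": 90, "immutable": True, "alert_on_change": True}
PRODUCTION = {
    "ledger.db": b"txn-0001,txn-0002,txn-0003",
    "customers.csv": b"id,name\n1,alice\n2,bob",
    "keys.pem": b"-----BEGIN CONSTRUCTED KEY-----",
}
BASELINE = build_manifest(BASE_CONFIG, PRODUCTION, KEY)


def run_clean():
    """Stored copy and config untouched: no findings."""
    return check_backup(BASELINE, BASE_CONFIG, PRODUCTION, KEY)


def run_poisoned():
    """Retention shortened, alerting disabled, two of three objects overwritten."""
    tampered_config = {"retention_days": 7, "immutable": True, "alert_on_change": False}
    poisoned = dict(PRODUCTION)
    poisoned["ledger.db"] = b"\x00" * 16
    poisoned["customers.csv"] = b"junk"
    return check_backup(BASELINE, tampered_config, poisoned, KEY)


def run_forged_baseline():
    """Attacker re-seals a baseline matching the poisoned state without the real key."""
    forged = build_manifest({"retention_days": 7}, {"ledger.db": b"\x00" * 16}, b"wrong-key")
    return check_backup(forged, {"retention_days": 7}, {"ledger.db": b"\x00" * 16}, KEY)


if __name__ == "__main__":
    for label, run in (("clean", run_clean), ("poisoned", run_poisoned),
                       ("forged baseline", run_forged_baseline)):
        print(label, run())
```

Run the check from a host that is not part of the backup domain and that holds the key; the verification result is only as trustworthy as the place the manifest and key are kept. In a real deployment the digests would be computed over backup chunks or files as the backup job reads them, so that a later run over the stored copy compares like with like.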


Cybercriminals now routinely attempt to encrypt or delete an organization’s backups as part of any attack.

The adversary’s success is key here because without backups, the victim has to pay handsomely to get their data back.

Resilient backups are simply backups that cannot be destroyed by an adversary, even one that has acquired administrative credentials.

At the simplest level, robust resiliency can be achieved by backing up to removable drives or to tapes that are then removed from the tape library.

Although immutability – whether implemented as a single, double or triple immutable approach – is useful in mitigating cyber threats, it is only the beginning of a comprehensive protection practice.


It’s time to beef up your storage and backup.

Analyzing the security posture of data protection and backup systems is a new skill that IT teams must adopt to address emerging cybersecurity threats.

Here are some questions to help you verify the security of your backups:

  • Do your security policies cover specific backup risks?
  • Do you continuously assess the security of the backup infrastructure?
  • Do you also back up your environment configuration (Active Directory, security settings, FW rules, device configuration, storage and backup configuration, encryption keys, etc.)?
  • Do you have detailed plans and procedures for recovering from a successful attack on a storage or backup system? Do you test such procedures?
  • Are you sure you can recover from a successful ransomware attack?

I recommend evaluating existing internal security processes to determine if they sufficiently cover the backup infrastructure.

My recommended “6 Steps to Success” are:

  1. Assign higher priority to improving storage and backup security
  2. Develop knowledge and skill sets – and improve collaboration between infosec and IT infrastructure teams
  3. Set comprehensive security baselines for all storage and backup components
  4. Use automation to reduce risk exposure and enable greater agility in adapting to changing priorities
  5. Enforce much tighter controls and more comprehensive testing of storage security and of the ability to recover from an attack. This will not only improve trust, but also help identify key data assets that may not meet the required level of data protection.
  6. Include all aspects of storage and backup management, including often overlooked key components such as Fibre-Channel network devices, management consoles, etc.

*** This is a syndicated blog from the Continuity™ Security Bloggers Network written by Doron Pinhas. Read the original post at: https://www.continuitysoftware.com/blog/when-why-and-how-to-create-a-secure-backup-strategy/