Increased Needs For Ransomware Backup ProtectionWebinar: Disaster Recovery and Guarding Against Ransomware
Despite numerous cyber security incidents making international news on a regular basis over the last few years, it was specifically the WannaCry ransomware attack in May 2017 that brought renewed and urgent focus on what organizations need to do to protect their businesses and services from ransomware. This attack seriously impacted thousands of organisations worldwide, having hit more than 150 countries and over 200,000 computers.
The frequency of ransomware attacks is set to increase dramatically in 2020 and beyond, with increasing sophistication. For example, some malware already exist that are more sophisticated than WannaCry and which actually looks for weak backup systems and encrypts the backed up data itself.
Data backup and recovery are proven to be an effective and critical protection element against the threat of ransomware. For an enterprise to become sufficiently protected, advance preparation and thought is required. Data protection technology, backup best practices and staff training are critical for mitigating the business threatening disruption that ransomware attacks can inflict on organizations.
One of the best protections against such attacks is to have a data backup solution of correct architecture and best-practice backup strategies, and to ensure any cloud backups are adequately protected and available. That means having up-to-date copies of that data available elsewhere. Bacula Enterprise provides industry unique architectures and tools to implement these requirements and as such, is used by some of the world’s largest security organizations as their primary backup solution – and as a vital part of their business continuity system for a complex, multidivisional business. For any medium to large company, having an enterprise-grade backup solution such as Bacula is essential, because correct data backup, storage and compliance practice can be the main difference between a company’s survival and failure.
Business Continuity: Understand Safeguarding of Data
For any professional directly involved in Business Continuity, it will be useful to be aware of the IT technical factors below ("Ransomware: Defense Fundamentals"), even if a deep technical understanding is not possible. It my also be useful to discuss these points with your organization’s Infrastructure IT manager.
Disaster Recovery for Business Continuity
Disaster Recovery is a broad and deep topic. This paper outlines Disaster Recovery (DR) fundamentals and an introduction to DR. But it also offers links to
Bacula Systems’ comprehensive Guide and Template to Disaster Recovery across an entire organization. This comprehensive document is strongly recommended to organizations that are reviewing their DR strategy.
Protection from Ransomware and other cyber-attacks needs consideration from a holistic view and global level. It includes a lot of factors that involve company
personal, organization strategies and policies. Moving forward in a changing world, the following factors need special consideration.
Growth planning and contingency
As data grows within organizations, their backup and restore systems need to backup data inside time-windows, and meet RTO’s and RPO’s. The backup infrastructure needs to be planned for these growth and performance objectives. This includes the budgetary aspect of the infrastructure, and financial planning/forecasting for ongoing development of these considerations. Bacula uniquely answers this need by providing a modern, modular architecture that provides the flexibility to scale up in a way that fits an individual organization, while utilizing a business model that does not charge by data volume.
Utilizing public cloud
Public cloud infrastructure as a service (IaaS) may be an additional option or even a replacement to off-site tape storage. Public and Hybrid cloud is increasingly being incorporated into disaster recovery strategies where suitable for purpose. Bacula Enterprise facilitates this industry shift by being easily able back up and recover data across an especially wide range of tapes and cloud interfaces. It also uses a unique cloud caching architecture to provide advanced cloud backup interface management options and much more rapid data recovery of cloud backups.
Best-practice safeguarding of the backup repositories
Organizations must implement backup architectures that follow industry best practices and provide multiple layers of defense against data loss from any source, including intentional attacks against data availability. Bacula’s FIPS-compliant solution ensures data privacy and security, and its architecture allows for flexible data storage options including offline data stores to provide recovery-in-depth for the enterprise. This, coupled with built-in threat detection and advanced support services to help guide implementation help enterprises ensure that they can recover from any situation.
Ensure that data is correctly safeguarded, independent of its location or use
As enterprises evolve, new and additional locations are being used to situate data. This is especially true regarding various Cloud destinations and SaaS providers,
with the added factor of many organizations planning and deploying new Edge architectures. Data and applications in these increasingly popular locations need
similar protection. Organizations need to develop their backup and recovery strategy to embrace these changes, and be in prepared for a future IT environment that is more agile, diverse and changeable. Bacula Enterprise provides a ‘single pane of glass’ view over an entire IT environment, spanning Edge, off-site, on-site, cloud, client behind NAT, co-location hosted and other data environments.
Adjusting for new technologies
New technologies, such as deployed container environments, or use of different hypervisors (Proxmox, for example) requires a backup and recovery strategy that takes these new environments into account. Bacula Enterprise is the first and only mainstream vendor that can backup and recover applications and persistent data from Kubernetes Clusters, Docker containers, and natively integrating with many emerging new hypervisors.
Disaster Recovery should be revisited
Disaster recovery is a key method to provide a last resort but final solution to Cyberthreats and Ransomware attacks. Organizations need to check that their Disaster recovery strategy is up to date and thoroughly tested. Bacula Systems provides a comprehensive Disaster Recovery Guide and template to help organizations check through all necessary steps.
The Role of the Cloud in Business Continuity
One strategy adopted to help protect against cyber threat is to backup certain data to public or private cloud. However, certain safety challenges arise again when backup data is stored in the cloud. If a company’s data is hosted by a cloud provider, and it becomes the sole source of data that needs to be recovered, then what guarantees does that hosting service offer you? Is there a liability issue? Is there an time limit for the provider to inform you if your data has been compromised? Do the SLAs work for you? Are you subject to or applying penalties as per your contract? The US has already seen initial class actions against cloud providers who have been hit by malware. End users are claiming against the inability to access their data, with a resulting loss of business, combined with a failure to protect their data.
For these reasons, as well as overall ongoing cost protection to the enterprise, Bacula Enterprise has unique, industry-leading Cloud backup architecture and tools built-in, to provide its users with state of the art control, protection and choice regarding maximizing the security and minimizing the risk of Cloud-based backup. It provides granular control over data that needs to be restored from the cloud, significantly reducing operational exposure to cloud costs and boosting business agility. With Bacula, backing up data to and from cloud providers and keeping local caches of important data ensures that data can be recovered in the event of a loss of any site.
Content separation is necessary. Right now.
Content segregation is critical for dealing with the risks presenting themselves to today’s enterprise. Many organizations are fearful of, or prohibited from, placing data in certain physical servers or cloud storage due to restrictions on data access or compliance with government or industry regulations. These are often referred to as data residency or data sovereignty regulations. For example, in the US, ITAR/EAR regulated data cannot be stored, backed-up or transferred through a server physically located outside of the US. Similarly, European data protection laws prohibit personal data from moving outside of the European Union (EU) or even specific country borders. These regulations are different from the well-known and well understood access control rules. The problem these data owners and security architects are facing is not around access controls, but around physical storage of data when created, caching of data when accessed, and storage of data in transit. Bacula Enterprise has specific customization features, such as multiple Storage Daemons and distinct Pools linked to particular Storage Devices which allow its data backup to be segregated on both on-premises and off-site storage systems. Bacula’s unique modular approach means that each agent’s data can be stored in a separate silo that only it can access, on a separate data store, and even that access can be controlled so that data loss potential can be minimized. Data can be further replicated to secondary storages to add layers of protection. Remember too that the value of tape for offline storage – and Bacula’s advanced tape backup and recovery abilities - should not be underestimated.
Ransomware: Backup Defense Fundamentals
Here are some specific technical considerations for your enterprise IT environment, to protect against future ransomware attacks:
Use different credentials, uniquely for backup storage
This is a basic best practice and with the increasing amount of ransomware attacks, it is as necessary as ever. The user context that is used to access the backup storage should be completely confidential and only used for that purpose. Additionally, other security contexts shouldn’t be able to access the backup storage except for the account(s) needed for the actual backup operations. Avoid working as root or Administrator. Use service accounts that are restricted as much as possible, whenever possible. By default, Bacula builds authentication in the design and enables the user to implement as much separation as possible from production workloads. For example, its default installation ensures that its daemons run with dedicated service accounts.
Make offline storage part of the backup strategy
Offline storage is one of the best defenses against propagation of ransomware encryption to the backup storage. There are a number of offline (and semi-offline)
storage options that can be employed:
|Media Type||What’s Important|
|Cloud target backups||These use a different authentication mechanism. Are not directly connected to the backup system.|
|Primary storage Snapshots||Better that they have a different authentication framework. These snapshots can be used for recovery.|
|Replicated VMs||Best when controlled by a different authentication framework, such as using different domains for say, vSphere and Hyper-V hosts, and Powered off.|
|Hard drives/SSD||Detached, unmounted, or offline unless they are being read from, or written to.|
|Tape||You can’t get more offline than with tapes which have been unloaded from a tape library. These are also convenient for off-site storage. Tapes should be encrypted.|
|Appliances||Appliances, being black boxes, need to be properly secured against unauthorized access. Stricter network security than with regular file servers is advisable, as appliances may have more unexpected vulnerabilities than regular operating systems.|
Use Backup Copy Jobs to help mitigate risk
The Backup Copy Job is a great mechanism to have restore points created on different storage and with different retention rules than the regular backup job.
When the previous points above are incorporated, the backup copy job can be a valuable mechanism in a ransomware situation because there are different restore points in use with the Backup Copy Job.
Do not rely on different file systems to protect backup storage
Although having different protocols involved can be another way to prevent ransomware propagation, be aware that this is certainly no guarantee against ransomware attacks. Even if today’s ransomware or viruses could not work on, say, ext4 file systems, tomorrow’s will be able to. So, rely instead on proper security: backup storage should be inaccessible as far as possible, and hopefully follow Bacula’s example where there’s only one service account on known machines that needs to access them. File system locations used to store backup data should be accessible only by the relevant service accounts. There is no reason why end users from different systems should ever have permission to access them. Bacula does not require to allow remote access to its storage, and our best practices recommend dedicated file systems or shares, well protected.
Using another set of credentials to allow access to shared file systems, for example for snapshots, offline shares, or cloud storage is an inherently insecure approach - all those should be restricted exclusively to the backup service account.
Be sure to use the 3-2-1-1 rule
Following the 3-2-1 rule means having three different copies of your data, on two different media, one of which is off-site. The power of this approach is that it can address nearly any failure scenario and doesn’t require any specific technology. In the ransomware era, Bacula recommends adding another “1” to the rule where one of the media is offline. The offline storage options listed above highlighted a number of options where you can implement an offline or semi-offline copy of the data. In practice, whenever you backup to non file system targets, you’re already close to achieving this rule. So, tapes and cloud object storage targets are helpful to you. Putting tapes in a vault after they are written is a long-standing best practice, fully supported by Bacula with a variety of special tools to give you as many options as possible.
Cloud storage targets can act as semi-offline storage from a backup perspective. The data is not on-site, and access to it requires custom protocols and secondary authentication. Some cloud providers allow object to be set in an immutable state, which would satisfy the requirement to prevent them from being damaged by an attacker. As with any cloud implementation, a certain amount of reliability and security risk is accepted by trusting the cloud provider with critical data, but as a secondary backup source the cloud is very compelling and fully supported as part of a secure Bacula Enterprise implementation.
Beware of using storage snapshots on backup storage
Storage snapshots are useful to recover deleted files to a point in time, but aren’t backup in the true sense. Storage snapshots tend to lack advanced retention management, reporting, and all the data is still stored on the same system and is therefore may be vulnerable to any attack that affects the primary data.
Ensure you can recover all systems from bare metal
Bacula Enterprise provides Enterprise-grade Bare Metal Recovery capabilities. Although Bacula Systems also provides provides advanced, comprehensive Linux Bare Metal recovery, this section introduces Bacula Systems’ approach to do Bare Metal Recovery of Windows operating systems as an example of an effective response to ransomware damage in certain situations. It touches on how to prepare the Bare Metal Recovery Procedures, how to create a custom emergency boot media, and how to test a Bare Metal Recovery situation. It focuses on Intel based Windows systems, from XP up to Windows Server 2016 that have been installed using a standard procedure.
Bare Metal Recovery as part of a Disaster Recovery strategy
Bare metal recovery is accomplished in many different ways. Many enterprises simply deploy a standard image, provision software, and then restore data and/or user preferences. In many cases, all data is already stored remotely and the system itself is largely unimportant. However, in many cases this is not a practical approach and the ability to completely restore a machine to a point in time is a critical function of the disaster recovery implementation. The ability to restore a ransomware-encrypted computer to a recent point in time, including any user data stored locally, may be a necessary part of a layered defense. The same approach can be applied to virtualized systems, although there are usually preferable options available at the hypervisorlevel that Bacula can leverage for system-level recovery.
File-Based or Image-Based
For any sort of Bare Metal Recovery, a complete backup of the original system is required. This is usually accomplished either by a filesystem-level backup of all files, partitions, and data, or by a block-level image backup of the disk(s). While both approaches have their pros and cons, we focus on the file based approach here.
Regarding image level backups, additional information can be found in the Bacula Systems whitepaper “VMware Virtual Machine Backup with Bacula Enterprise”. File based backups are typically smaller, and allow an easy capture of differential and incremental backups. Correspondingly, it’s easily possible to restore individual files (which, for many organizations, is still the most common scenario requiring restore operations).
Bacula Enterprise Director and Storage daemon components, used in the backup and restore of your Windows system, can run on any supported platform. Note that you will need to modify the Bacula Director configuration, so it may be reasonable to set up a test installation in your network and use that until you are satisfied that your production backup system will not be negatively affected by your work.
Users should already have Bacula Enterprise installed, including the required network connectivity, i.e. all routers and firewalls involved should allow Bacula traffic as needed. In particular, this means that you may need to allow connections from all machines you consider valid targets for BMR to the Bacula Director.
Since Bare Metal Recovery is used as a means to get critical systems up and running quickly, it is important to ensure that the procedures planned actually work. A good deal of this testing and fine-tuning today can be done in virtualized environments; however, Bacula Systems recommends to test on your physical hardware as well – only then can you be sure of your procedures. Full solution installation details are available with a Bacula Systems Subscription.
How the WinBMR Works
During backup, the WinBMR plugin analyzes host disks and partitions. It creates the directory C:/Bacula/winbmr and copies certain files and directories needed at restore time to that location (only a few MB). If a “Recovery” or a “System Reserved” partition is found, the plugin assigns an unused drive letter (usually the first free letter starting at T:) to it for the time of the backup. This letter is released at the end of the backup. If the system is EFI-enabled, the EFI partition is automatically mounted, its contents copied to C:/Bacula/winbmr/partitions/EFI, and the partition then unmounted. The BMR feature adds all static volumes that have a drive letters to the backed-up File Set. As mentioned above you may exclude some drive letters using the “exclude” option, but be careful to not exclude an important drive or an unused letter (like T:) that the plugin might use for the “hidden” partitions.
Bacula’s Bare Metal Recovery tool provides both a CDROM and an ISO image. For testing purposes, on physical servers, the CD-ROM is the best choice, while
in virtual machines, the ISO image should be used. It is also possible to create a bootable USB flash drive from the ISO.
Creating a bootable USB flash disk
If you need a bootable USB device, this is quite straightforward. To create a bootable USB device from the ISO, you must first prepare your USB key using
diskpart. You must create a single partition and activate it to make it bootable, then format the partition as FAT32 and assign it a drive letter, to copy the content of the CDROM on it.
Doing the Recovery
Bacula’s Bare Metal Recovery tool allows for rapid and easy data recovery, via a comprehensive GUI that allows review and modification of the configuration stored on the recovery media, network configuration, client selection, and where to restore to. You are able to manage disk drives, create partitions, format them and select to which of them the data will be restored. Disk Matching, manual portioning and Volume Matching functions are all provided. After working through the restore wizard, the restore can be started. Using the wizard, you can “Cancel” the process and go back to make further changes, or simply start a new restore process. When restore is completed, the screen shows the status of the restore and the status of the process making the host bootable.
If your setup includes dynamic disks, you must import them in the freshly restored system after the reboot. This can be done via Bacula’s inbuilt tools.
Disaster Recovery Planning – an Overview
Approaches outlined above, such as Bare Metal Recovery, are important individual technical measures an IT department can utilize to protect an organization against Ransomware attacks. However, they need to be part of a wider, deeper contingency plan that spans the entire organization – Disaster Recovery.
Having a sound Disaster Recovery Plan is one of the cornerstones of cyber security, and one of the best ways to effectively protect your organization as a last resort. This is equally true when it comes to implementing ransomware protection strategies, and must not be ignored.
Developing an IT disaster recovery plan involves choosing the right people to be involved, assigning appropriate roles, selecting the technologies to use, as well as
developing, implementing, testing, and documenting the recovery process.
What is an IT Disaster Recovery Plan?
An IT disaster recovery plan documents:
- the company’s leadership’s objectives for disaster recovery
- members of the recovery team and their roles and responsibilities
- detailed procedures for protecting and recovering required technical services after a disruptive event such as a flood or fire
An IT disaster recovery plan aims to:
- provide critical IT services after an incident.
- ensure that critical business functions continue within a sufficient period of time.
Who Is Involved in IT Disaster Recovery Planning?
The company’s IT manager should lead the planning. He or she usually works with the IT department to determine specific steps within the disaster recovery process and to develop and test the resulting recovery plan.
In addition, it is also important to involve other stakeholders outside of the IT department, including senior leaders, CTO and CEO office representatives, and
board members (if applicable) to ensure the entire organization’s needs are met.
The Disaster Recovery Planning Process
Disaster recovery planning is an ongoing and iterative process. Each step includes several activities to be performed. During initial development of the disaster recovery plan, certain stages are repeated several times, each time focusing on developing and testing recovery plans for a different service or a set of services.
After obtaining leadership commitment to the disaster recovery planning program in stage 1, stages 2 through 5 are repeated periodically. IT services are dynamic: new services are created and obsolete services are retired. Remember that priorities and disaster recovery plans must be reviewed and revised periodically to ensure that they are current.
Bacula Systems offers a comprehensive Disaster Recovery Guide and Template available here, that shows you how to create a simple disaster recovery plan for your company that can be further expanded, based on your company’s needs. The document contains two sections:
- IT Disaster Recovery Planning Guide – Walks you through the process of obtaining the required authorization, establishing planning priorities, determining the technical approach, as well as developing, implementing, and testing the disaster recovery plan.
- IT Disaster Recovery Plan Template – Provides sample content that you can use while developing a disaster recovery plan for your organization.
The Bacula Disaster Recovery Guide documents the following planning factors in great detail:
- Obtaining Authorization and Commitment
- Gathering Background Information
- Determining how to proceed
- Defining Priorities
- Identifying Critical Services
- Assessing Impact of Service Outage
- Risk Assessment
- Deciding extent of action
- Deciding on Technical Methodology
- Determining a technical methodology for each service
- Developing Facility and Infrastructure Plan
- Estimating Costs and Developing a Schedule
- Developing and Implementing the Plan
- Roles and Responsibilities
- Determining disaster response process
- Developing detailed service recovery plans
- How to Test
- Policies and Administrative Regulation
- Services and Their Priorities
- Services List
- Assessing Impact of Service Outage
- Assessing Risks
- Set Scope
- Facility and Infrastructure Plan
- Determining technical approach for each service
- Facility Plan
- Infrastructure Plan
- Estimating Costs and Developing a Schedule
- Plan Implementation
- Roles and Responsibilities
- Disaster Response Processes
- IT Services Recovery Plans
- Testing the DR Plan
The above strategic factors are Bacula’s recommended approach to organization-wide DR planning. Download the Bacula Systems Disaster Recovery Guide and Template here.
Bacula Enterprise offers a modern, modular, high-value solution for backing up and recovering data fast and effectively after a Ransomware attack. Its common
interface and policy engine gives the required level of safety, speed and control needed for correctly protecting today’s - and tomorrow’s IT environments.
For maximum protection against ransomware and similar threats, Bacula Systems’ strong advice is that your organization fully complies with data backup and recovery best practices. Bacula Systems offers professional and advanced level professional training to provide exactly this.
The methods and tools outlined in this paper - and other Bacula Enterprise features - are used by Bacula Systems’ customers on a regular basis. For companies without advanced-level data backup solutions, Bacula Systems urges these organizations to conduct a full review of their backup strategy, and their Disaster Recovery strategy, and evaluate a modern backup and recovery solution such as Bacula Enterprise.