Increased Needs For Ransomware Backup Protection
Despite numerous cyber security incidents making international news on a regular basis over the last few years, it was specifically the WannaCry ransomware attack in May 2017 that brought renewed and urgent focus on what organizations need to do to protect their businesses and services from ransomware. This attack seriously impacted thousands of organizations worldwide, having hit more than 150 countries and over 200,000 computers.
The frequency of ransomware attacks is set to increase dramatically in 2021 and beyond, with increasing sophistication. For example, some malware already exist that are more sophisticated than WannaCry and which actually looks for weak backup systems and encrypts the backed up data itself.
Data backup and recovery are proven to be an effective and critical protection element against the threat of ransomware. For an enterprise to sufficiently protect backups from ransomware, advance preparation and thought is required. Data protection technology, backup best practices and staff training are critical for mitigating the business threatening disruption that ransomware attacks can inflict on an organization's backup servers.
One of the best protections against such attacks is to have a data backup solution of correct architecture and best-practice backup strategies, and to ensure any cloud backups are adequately protected and available. That means having up-to-date copies of that data available elsewhere. For any medium to large company, having an enterprise-grade backup solution is essential, because correct data backup, storage and compliance practice can be the main difference between a company’s survival and failure because of ransomware attacks.
Top 7 Ransomware Backup Strategies
Here are some specific technical considerations for your enterprise IT environment, to protect your backup server against future ransomware attacks:
1. Use different credentials, uniquely for backup storage
This is a basic best practice and with the increasing amount of ransomware attacks on backup servers, it is as necessary as ever. The user context that is used to access the backup storage should be completely confidential and only used for that purpose. Additionally, other security contexts shouldn’t be able to access the backup storage except for the account(s) needed for the actual backup operations. Avoid working as root or Administrator. Use service accounts that are restricted as much as possible, whenever possible. By default, Bacula builds authentication in the design and enables the user to implement as much separation as possible from production workloads. For example, its default installation ensures that its daemons run with dedicated service accounts.
2. Make offline storage part of the backup strategy
Offline storage is one of the best defenses against propagation of ransomware encryption to the backup storage. There are a number of offline (and semi-offline) storage options that can be employed:
|Media Type||What’s Important|
|Cloud target backups||These use a different authentication mechanism. Are not directly connected to the backup system.|
|Primary storage Snapshots||Better that they have a different authentication framework. These snapshots can be used for recovery.|
|Replicated VMs||Best when controlled by a different authentication framework, such as using different domains for say, vSphere and Hyper-V hosts, and Powered off.|
|Hard drives/SSD||Detached, unmounted, or offline unless they are being read from, or written to.|
|Tape||You can’t get more offline than with tapes which have been unloaded from a tape library. These are also convenient for off-site storage. Tapes should be encrypted.|
|Appliances||Appliances, being black boxes, need to be properly secured against unauthorized access. Stricter network security than with regular file servers is advisable, as appliances may have more unexpected vulnerabilities than regular operating systems.|
3. Use Backup Copy Jobs to help mitigate risk
The Backup Copy Job is a great mechanism to have restore points created on different storage and with different retention rules than the regular backup job. When the previous points above are incorporated, the backup copy job can be a valuable mechanism in a ransomware situation because there are different restore points in use with the Backup Copy Job.
4. Do not rely on different file systems to protect backup storage
Although having different protocols involved can be another way to prevent ransomware propagation, be aware that this is certainly no guarantee against ransomware backup attacks. Even if today’s ransomware or viruses could not work on, say, ext4 file systems, tomorrow’s will be able to. So, rely instead on proper security: backup storage should be inaccessible as far as possible, and there should be only one service account on known machines that needs to access them. File system locations used to store backup data should be accessible only by the relevant service accounts. There is no reason why end users from different systems should ever have permission to access them. Using another set of credentials to allow access to shared file systems, for example for snapshots, offline shares, or cloud storage is an inherently insecure approach - all those should be restricted exclusively to the backup service account.
5. Be sure to use the 3-2-1-1 rule
Following the 3-2-1 rule means having three different copies of your data, on two different media, one of which is off-site. The power of this approach is that it can address nearly any failure scenario and doesn’t require any specific technology. In the ransomware era, Bacula recommends adding another “1” to the rule where one of the media is offline. The offline storage options listed above highlighted a number of options where you can implement an offline or semi-offline copy of the data. In practice, whenever you backup to non file system targets, you’re already close to achieving this rule. So, tapes and cloud object storage targets are helpful to you. Putting tapes in a vault after they are written is a long-standing best practice.
Cloud storage targets can act as semi-offline storage from a backup perspective. The data is not on-site, and access to it requires custom protocols and secondary authentication. Some cloud providers allow object to be set in an immutable state, which would satisfy the requirement to prevent them from being damaged by an attacker. As with any cloud implementation, a certain amount of reliability and security risk is accepted by trusting the cloud provider with critical data, but as a secondary backup source the cloud is very compelling.
6. Beware of using storage snapshots on backup storage
Storage snapshots are useful to recover deleted files to a point in time, but aren’t backup in the true sense. Storage snapshots tend to lack advanced retention management, reporting, and all the data is still stored on the same system and is therefore may be vulnerable to any attack that affects the primary data.
7. Ensure you can recover all systems from bare metal
Bare metal recovery is accomplished in many different ways. Many enterprises simply deploy a standard image, provision software, and then restore data and/or user preferences. In many cases, all data is already stored remotely and the system itself is largely unimportant. However, in many cases this is not a practical approach and the ability to completely restore a machine to a point in time is a critical function of the disaster recovery implementation. The ability to restore a ransomware-encrypted computer to a recent point in time, including any user data stored locally, may be a necessary part of a layered defense. The same approach can be applied to virtualized systems, although there are usually preferable options available at the hypervisor.
For maximum protection of your backup against ransomware and similar threats, Bacula Systems’ strong advice is that your organization fully complies with data backup and recovery best practices listed above. The methods and tools outlined in this blog post are used by Bacula Systems’ customers on a regular basis. For companies without advanced-level data backup solutions, Bacula Systems urges these organizations to conduct a full review of their backup strategy and evaluate a modern backup and recovery solution.