Ransomware Backup Protection with Bacula Enterprise
Ransomware has seriously impacted thousands of organizations worldwide, in over 150 countries. The frequency of ransomware attacks increased over 900% in 2020, and this unhappy trend is proving to continue through 2021 and 2022, with increasing sophistication. For example, some malware already exists that specifically looks for weakly protected backup systems and encrypts the backed-up data itself.
A complete cybersecurity strategy can only be confidently achieved using a backup and recovery system that has the capability to be properly secured. That means Bacula Enterprise.
For an enterprise to sufficiently protect its backups from ransomware, advance preparation and thought is required. Data protection technology, backup best practices and staff training are critical for mitigating the business threatening disruption that ransomware attacks can inflict on an organization’s backup servers and computers.
One of the best protections against such attacks is to have an enterprise-grade backup solution with the correct architecture, to follow best-practice backup strategies, and to ensure that any cloud backups are adequately protected and available. That means having up-to-date copies of the data available elsewhere. Correct data backup, storage and compliance practice can be the main difference between a targeted company’s survival and failure. Below are Bacula Systems’ Top 7 Ransomware Protection Strategies for Backup Servers:
Top 7 Ransomware Protection Strategies for Backup Servers
Important: Bacula’s main components run on Linux. Please do not underestimate the significance of this when it comes to security. In addition, here are some other specific technical considerations for your enterprise IT environment, to protect your backup server against future ransomware attacks:
1. Use different credentials, uniquely for backup storage
This is a basic best practice and, with the increasing number of ransomware attacks on backup servers, it is as necessary as ever. The user context used to access the backup storage should be completely confidential and used only for that purpose. No other security context should be able to access the backup storage; only the account(s) needed for the actual backup operations should have access.
Avoid working as root or Administrator. Use service accounts that are restricted as much as possible, whenever possible. Bacula builds authentication into its design and enables the user to implement as much separation as possible from production workloads. For example, its default installation ensures that its daemons run with dedicated service accounts.
2. Make offline storage part of the backup strategy
Offline storage is one of the best defenses against propagation of ransomware encryption to the backup storage. There are a number of offline (and semi-offline) storage options that can be employed:
| Media Type | What’s Important |
|---|---|
| Cloud target backups | These use a different authentication mechanism and are not directly connected to the backup system. |
| Primary storage snapshots | Better if they have a different authentication framework. These snapshots can be used for recovery. |
| Replicated VMs | Best when controlled by a different authentication framework (for example, different domains for vSphere and Hyper-V hosts) and powered off. |
| Hard drives/SSD | Detached, unmounted, or offline unless they are being read from or written to. |
| Tape | You can’t get more offline than with tapes that have been unloaded from a tape library. These are also convenient for off-site storage. Tapes should be encrypted. |
| Appliances | Appliances, being black boxes, need to be properly secured against unauthorized access. Stricter network security than with regular file servers is advisable, as appliances may have more unexpected vulnerabilities than regular operating systems. |
3. Use Backup Copy Jobs to help mitigate risk
A Backup Copy Job creates restore points on different storage, and with different retention rules, from those of the regular backup job. When the previous points above are incorporated, the Backup Copy Job becomes a valuable mechanism in a ransomware situation, because the copied restore points exist independently of the originals.
4. Do not rely on different file systems to protect backup storage
Although having different protocols involved can be another way to prevent ransomware propagation, be aware that this is certainly no guarantee against ransomware backup attacks. Even if today’s ransomware or viruses could not work on, say, ext4 file systems, tomorrow’s will be able to. So, rely instead on proper security: backup storage should be inaccessible as far as possible, and there should be only one service account on known machines that needs to access them. File system locations used to store backup data should be accessible only by the relevant service accounts. There is no reason why end users from different systems should ever have permission to access them. Using another set of credentials to allow access to shared file systems, for example for snapshots, offline shares, or cloud storage is an inherently insecure approach – all those should be restricted exclusively to the backup service account.
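An added check for the service-account-only rule from sections 1 and 4 (example code, not Bacula Systems’ own): it audits a backup volume directory for ownership by the Storage Daemon account and for any group or other access, on the directory itself and on the volumes inside it. It assumes Linux with GNU or busybox `stat -c` and `find`, and an account named bacula unless another name is passed as the second argument.

```shell
#!/bin/sh
# Added example, not from Bacula Systems. Assumes GNU/busybox stat and find.

# check_storage_perms DIR [ACCOUNT]
# Returns 0 if DIR is owned by ACCOUNT (default: bacula, an assumption),
# grants nothing to group/other, and every entry inside it is likewise
# owned by ACCOUNT with no group/other bits. Findings go to stderr.
check_storage_perms() {
    dir=$1
    account=${2:-bacula}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$dir")
    mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$account" ]; then
        echo "$dir: owned by $owner, expected $account" >&2
        rc=1
    fi
    # %a prints e.g. 700 or 2750; the last two digits are group/other.
    rest=$(printf '%s' "$mode" | sed 's/.*\(..\)$/\1/')
    if [ "$rest" != "00" ]; then
        echo "$dir: mode $mode grants group/other access" >&2
        rc=1
    fi
    # Volumes inside must belong to the service account and be private.
    stray=$(find "$dir" -mindepth 1 \( ! -user "$account" -o -perm /077 \) \
            -print 2>/dev/null | head -n 5)
    if [ -n "$stray" ]; then
        echo "$dir: entries not restricted to $account (first five):" >&2
        echo "$stray" >&2
        rc=1
    fi
    return $rc
}
```

Run it against the Storage Daemon’s Archive Device directory from cron and alert on a non-zero exit; a group-readable volume file is exactly the kind of drift that lets a compromised end-user account reach backup data.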
5. Be sure to use the 3-2-1-1 rule
Following the 3-2-1 rule means having three different copies of your data, on two different media, one of which is off-site. The power of this approach is that it can address nearly any failure scenario and doesn’t require any specific technology. In the ransomware era, Bacula recommends adding another “1” to the rule: one of the media is offline. The offline storage options listed above show several ways to implement an offline or semi-offline copy of the data. In practice, whenever you back up to non-file-system targets, you’re already close to satisfying this rule, so tapes and cloud object storage targets are helpful here. Putting tapes in a vault after they are written is a long-standing best practice.
Cloud storage targets can act as semi-offline storage from a backup perspective. The data is not on-site, and access to it requires custom protocols and secondary authentication. Some cloud providers allow objects to be set in an immutable state, which satisfies the requirement that an attacker cannot damage them. As with any cloud implementation, a certain amount of reliability and security risk is accepted by trusting the cloud provider with critical data, but as a secondary backup source the cloud is very compelling.
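A bacula-dir.conf fragment that ties sections 3 and 5 together, added here as an example and not taken from Bacula Systems’ documentation: regular backups land in a disk pool, and a Copy Job writes every job not yet copied to a tape pool on a separate Storage Daemon with longer retention, so the vaulted tapes supply the offline “1”. Resource names (DiskPool, TapePool, FileDisk, LTO-Drive, fileserver-fd, the schedules) are assumptions; the directives (Next Pool, Type = Copy, Selection Type = PoolUncopiedJobs) are standard Bacula.

```conf
# Added example (not Bacula Systems' configuration); resource names are assumed.
# Regular backups land here; "Next Pool" names where copies go.
Pool {
  Name = DiskPool
  Pool Type = Backup
  Storage = FileDisk
  Next Pool = TapePool
  Volume Retention = 30 days
  AutoPrune = yes
  Recycle = yes
}
# Copy destination: a separate Storage Daemon, a tape drive and longer
# retention. Full tapes are unloaded and vaulted, giving the offline "1".
Pool {
  Name = TapePool
  Pool Type = Backup
  Storage = LTO-Drive
  Volume Retention = 1 year
  AutoPrune = yes
  Recycle = yes
}
Job {
  Name = "FileServer-Daily"
  Type = Backup
  Level = Incremental
  Client = fileserver-fd
  FileSet = "Full Set"
  Schedule = "WeeklyCycle"
  Storage = FileDisk
  Pool = DiskPool
  Messages = Standard
}
# Copy job: every job in DiskPool not yet copied is written to TapePool.
# Each copy is an independent restore point with its own retention.
Job {
  Name = "CopyDiskToTape"
  Type = Copy
  Level = Full
  Client = fileserver-fd       # required by the Director, unused for copies
  FileSet = "Full Set"         # likewise
  Schedule = "NightlyCopy"
  Pool = DiskPool              # source pool; target comes from its Next Pool
  Storage = FileDisk           # reading side; TapePool's Storage does the writing
  Selection Type = PoolUncopiedJobs
  Messages = Standard
  Priority = 20
}
```

Because the copies carry their own retention in TapePool, pruning or destruction of the disk volumes does not shorten the history held on tape.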
6. Beware of using storage snapshots on backup storage
Storage snapshots are useful for recovering deleted files to a point in time, but they are not backups in the true sense. Storage snapshots tend to lack advanced retention management and reporting, and all the data is still stored on the same system, so it may be vulnerable to any attack that affects the primary data.
7. Ensure you can recover all systems from bare metal
Bare metal recovery is accomplished in many different ways. Many enterprises simply deploy a standard image, provision software, and then restore data and/or user preferences. In many cases, all data is already stored remotely and the system itself is largely unimportant. However, in many cases this is not a practical approach and the ability to completely restore a machine to a point in time is a critical function of the disaster recovery implementation. The ability to restore a ransomware-encrypted computer to a recent point in time, including any user data stored locally, may be a necessary part of a layered defense. The same approach can be applied to virtualized systems, although there are usually preferable options available at the hypervisor.
For maximum protection of your backup against ransomware and similar threats, Bacula Systems’ strong advice is that your organization fully complies with data backup and recovery best practices listed above. The methods and tools outlined above are used by Bacula Systems’ customers on a regular basis.
Bacula is unique in the backup and recovery industry in providing for extremely high security levels, and one especially important factor in Bacula’s resistance to attacks is its superior security architecture. This high security architecture consists of some major secure-design elements of which a few are listed below:
◾ Bacula’s core module runs on Linux, unlike many other vendors
◾ The client to be backed up is never aware of storage targets and has no credentials for accessing them
◾ Storage and Storage Daemon hosts are dedicated systems, strictly secured, allowing only Bacula-related traffic and admin access – nothing else.
◾ Bacula’s “Director” (core management module) is a dedicated system with the same restrictive access
◾ Bacula’s Director initiates all activity and, in particular, hands out one-time access credentials to clients, allowing only Bacula-related activity
◾ Bacula Enterprise provides no direct access from clients to storage; it is not in the protocol. Thus, even a compromised client cannot access any backup data, neither to read, to overwrite, to modify, or to delete it.
◾ Bacula has Multi-factor authentication (MFA).
Here are some additional key factors that our customers have told us make Bacula especially attractive to them, often in the context of ransomware protection:
◾ FIPS 140-2 compliant
◾ Verifying the reliability of existing backed up data
◾ Detection of Silent Data Corruption
◾ Configurable data encryption cipher (AES-128, AES-192, AES-256 or Blowfish) and digest algorithm
◾ Automatic use of TLS for all network communications (can also be turned off)
◾ Verification of files previously catalogued, permitting a Tripwire-like capability (system break-in detection)
◾ CRAM-MD5 password authentication between each component (daemon)
◾ Configurable TLS (SSL) communications encryption between each component
◾ Configurable Data (on Volume) encryption on a Client by Client basis
◾ Computation of MD5 or SHA1 signatures of the file data if requested
◾ Windows Encrypting File System (EFS)
◾ Immutable Disk Volume feature for added protection against ransomware
◾ Core architecture LDAP directory integration option for extra protection
◾ Supports nearly all kinds of tape storage
◾ Storage Daemon Encryption
◾ SIEM Integration
◾ Security module dedicated to Windows
◾ Automatic malware protection (backup, restore, verify)
◾ Improved & enriched security metrics
◾ SNMP Monitoring integration module
◾ NFS immutability support (NetApp SnapLock)
Bacula Enterprise also answers the important ‘3-2-1-1 Rule’ by offering especially broad compatibility with different tape technology, cloud and other off-site storage media. In addition, Bacula’s bare metal recovery tool is available for both Linux and Windows Servers, and enables an organization to perform safe, reliable disaster recovery.
Bacula Systems urges companies without an advanced data backup solution to conduct a full review of their backup strategy and evaluate a modern backup and recovery solution. Contact us now to find out how Bacula can help you.