Backup security is a topic of increasing concern to large accounts, often as part of initiatives to improve their cyber-resilience. When all the protection, detection and response measures have proved insufficient, the information system must be restored quickly from the backups. Backups are indeed the last resort in the event of a cyber-attack.
Attackers have understood this issue and we are seeing more and more cyber-attacks affecting backups. As highlighted in the 2021 benchmark of cyber-attacks in France, in 21% of ransomware attacks, backup systems were targeted until they were rendered unusable.
What is the attackers’ modus operandi for reaching backups?
First, backups can be affected as collateral damage. This was the case a few years ago during a cyber-attack at one of CERT-Wavestone’s clients: the backup management infrastructure was itself encrypted by the ransomware and had to be rebuilt before any backups could be restored.
In ransomware attacks, attackers can also directly target backups to force their target to pay the ransom. For example, less than a year ago during a CERT-Wavestone incident response, the attacker took care to destroy all backups before encrypting the customer’s information system. The attacker was able to do this because the backup management infrastructure was administered through an Active Directory account: having elevated its privileges to the highest level in the domain, the attacker could easily connect to the backup infrastructure and delete all the backed-up data.
Some initial protective measures can significantly reduce the risk
In 100% of the ransomware crises managed by CERT-Wavestone, the attacker held Active Directory domain administration accounts. To prevent the attacker from reaching the backups by this means, it is therefore necessary to separate the backup infrastructure from the Active Directory. To do this, make sure that the backup administration accounts as well as the backup servers are outside the Active Directory (NB: this does not prevent this infrastructure from backing up the resources managed in the Active Directory).
To further reduce the risk of an administration account being compromised, backup administration access should also be strengthened, for example with multi-factor authentication (MFA).
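One way to check that the two controls above are actually in effect is to review who authenticates to the backup servers. The following script is an added example for this article, not code from Wavestone or from any backup product: it scans a constructed, simplified logon record format and flags Active Directory accounts (down-level `DOMAIN\user` or UPN `user@domain` names in the domains listed in `AD_DOMAINS`, an assumed value) used on backup infrastructure, as well as logons made without MFA. The parser is the part to adapt to a real backup product or SIEM export.

```python
"""Audit backup-infrastructure logons for two controls:
  1. backup administration accounts must not be Active Directory accounts;
  2. backup administration access must use MFA.
The log format and sample lines are constructed for this example."""
from dataclasses import dataclass
from typing import List

# Constructed sample: timestamp, backup server, account, MFA flag.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z bkp-srv-01 CORP\\jdoe mfa=no
2024-03-01T02:15:31Z bkp-srv-01 bkpadmin-local mfa=yes
2024-03-01T03:02:44Z bkp-srv-02 svc-backup@corp.example mfa=no
2024-03-01T03:10:12Z bkp-srv-02 bkpadmin-local mfa=no
"""

# Assumption: the organisation's Active Directory domain names (NetBIOS and DNS).
AD_DOMAINS = {"corp", "corp.example"}


@dataclass
class Logon:
    ts: str
    server: str
    account: str
    mfa: bool


def parse_logon(line: str) -> Logon:
    """Parse one constructed record: '<ts> <server> <account> mfa=yes|no'."""
    ts, server, account, mfa_field = line.split()
    return Logon(ts, server, account, mfa_field == "mfa=yes")


def is_ad_account(account: str) -> bool:
    """True for DOMAIN\\user or user@domain names whose domain is a known AD domain.
    Local accounts (no domain qualifier) are what we expect on backup servers."""
    if "\\" in account:
        domain, _ = account.split("\\", 1)
        return domain.lower() in AD_DOMAINS
    if "@" in account:
        _, domain = account.rsplit("@", 1)
        return domain.lower() in AD_DOMAINS
    return False


def audit(log_text: str) -> List[str]:
    """Return one finding per control violation found in the log text."""
    findings: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        logon = parse_logon(line)
        if is_ad_account(logon.account):
            findings.append(
                f"{logon.ts} {logon.server}: AD account {logon.account} "
                "used on backup infrastructure (backup admins should be outside AD)")
        if not logon.mfa:
            findings.append(
                f"{logon.ts} {logon.server}: logon by {logon.account} without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

On the sample above, the AD account logons and the three non-MFA logons each produce a finding; a clean run against a correctly separated backup infrastructure should return an empty list.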
Furthermore, since ransomware attacks often propagate across machines running the same operating system, it may be worthwhile to adopt a different operating system for the backup infrastructure. Alternatively, at the very least, keep a copy of the backup catalogue (the database containing pointers to the backups) on a different operating system. This enables rapid restoration of the backup infrastructure in the event of a compromise.
In addition, it is sometimes possible to apply retention measures to the backup storage technology, such as applying a delay before the actual deletion of the data or keeping a copy (or snapshot) on the storage array. This allows for a delay of one or more days before the data is completely lost in the event of a deletion.
To go further…
Various initiatives are emerging to standardize data protection measures to face the growing threat (e.g. Secure Tertiary Data Backup Guideline by the HKAB – Hong Kong Association of Banks, Sheltered Harbor in the United States…).
In addition, backup vendors are building their solutions with the cyber threat in mind, with ransomware detection features, immutability features (to make backed-up data completely unalterable, even for an administrator) or even “offline” backup isolation capabilities.
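The two storage-side safeguards mentioned in this article, a deletion delay or snapshot that keeps data recoverable for a few days after a delete (the retention measures described above) and a retention lock that makes a backup immutable until a given date even for an administrator, are illustrated below in one small model. This is an added example written for this article, not the API or behaviour of any particular backup product; the class and method names are assumptions. The scenario function walks through what happens when a compromised administrator account tries to wipe the store.

```python
"""Model of a backup catalogue with (1) a retention lock that refuses deletion
before a date, even to an administrator, and (2) a grace period during which
a deleted backup is still restorable and the deletion can be cancelled.
Illustrative model only; names are assumptions, not a vendor API."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


class ImmutableError(PermissionError):
    """Raised when someone tries to delete a retention-locked backup."""


@dataclass
class Backup:
    name: str
    locked_until: datetime                      # no deletion possible before this
    deletion_requested_at: Optional[datetime] = None  # set by a soft delete


@dataclass
class BackupStore:
    grace_period: timedelta                     # delay before data is really purged
    backups: Dict[str, Backup] = field(default_factory=dict)
    purged: List[str] = field(default_factory=list)

    def add(self, name: str, now: datetime, lock_days: int) -> None:
        self.backups[name] = Backup(name, now + timedelta(days=lock_days))

    def delete(self, name: str, now: datetime) -> None:
        """Administrator-facing delete: refused while locked, otherwise a soft delete."""
        b = self.backups[name]
        if now < b.locked_until:
            raise ImmutableError(f"{name} is retention-locked until {b.locked_until.date()}")
        b.deletion_requested_at = now

    def undelete(self, name: str) -> None:
        """Cancel a pending deletion; only possible before the grace period elapses."""
        self.backups[name].deletion_requested_at = None

    def restorable(self, name: str) -> bool:
        """Anything still in the catalogue can be restored, pending deletion or not."""
        return name in self.backups

    def purge_expired(self, now: datetime) -> List[str]:
        """Run by the storage layer (not by an administrator): physically removes
        backups whose deletion grace period has elapsed. Returns all purged names."""
        for name, b in list(self.backups.items()):
            if b.deletion_requested_at is not None and \
                    now >= b.deletion_requested_at + self.grace_period:
                del self.backups[name]
                self.purged.append(name)
        return self.purged


def scenario() -> Dict[str, bool]:
    """A compromised administrator account tries to wipe the store on day 0."""
    t0 = datetime(2024, 3, 1)
    store = BackupStore(grace_period=timedelta(days=3))
    store.add("full-2024-02-25", t0 - timedelta(days=5), lock_days=30)   # still locked
    store.add("full-2024-01-20", t0 - timedelta(days=40), lock_days=30)  # lock expired
    results: Dict[str, bool] = {}
    try:
        store.delete("full-2024-02-25", t0)
        results["locked_deleted"] = True
    except ImmutableError:
        results["locked_deleted"] = False          # immutability held
    store.delete("full-2024-01-20", t0)            # soft delete succeeds
    store.purge_expired(t0 + timedelta(days=1))    # day 1: nothing purged yet
    results["restorable_day1"] = store.restorable("full-2024-01-20")
    store.undelete("full-2024-01-20")              # responders cancel it on day 1
    store.purge_expired(t0 + timedelta(days=10))   # day 10: still nothing to purge
    results["restorable_day10"] = store.restorable("full-2024-01-20")
    return results


if __name__ == "__main__":
    print(scenario())
```

The point of the model is the split between the administrator-facing `delete`, which only records a request, and the storage-side `purge_expired`, which is the only path that actually destroys data and does so only after the grace period; an attacker holding the administration account gets the former but not the latter, which is what buys the one or more days mentioned above.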
These solutions can be adopted to replace or complement existing backup solutions. Nevertheless, they often require significant investments. As we have seen, a certain number of initial protection measures can already greatly reduce the risk. It is therefore important to identify the feared threat scenarios and your level of exposure. It is also important to identify any compliance requirements (regulations, standards, etc.), in order to define an appropriate roadmap of maturity improvement.
This article is intended as an introduction to protecting backups against cyber-attacks. We will have the opportunity to go into more detail on this subject in future publications.