August 28, 2025

Protecting Backup and Recovery in the Age of Ransomware

Written by Mike Owens
Tags: Organizational Effectiveness, Security Remediation, Ransomware

Ransomware attackers frequently target backups and recovery systems to force victims into paying ransoms, making robust protection strategies essential for all organizations. This blog introduces the Defensive Backup Infrastructure Controls framework, a process I've developed from first principles to safeguard backups, harden systems, and maintain recovery capabilities during worst-case data corruption or ransomware incidents.

This may be hard to hear, but:

  • Ransomware attacks aren't going away anytime soon.
  • Attackers specifically target backups once they get into your environment.
  • Most backup systems are designed for site loss and are not prepared for a malicious technical attack like ransomware.

I've worked with dozens of organizations over the past few years—ranging from nonprofits to SMBs to global enterprises—to figure out the critical capabilities that must be achieved so your backups survive a ransomware attack and so you can actually recover the organization and get back on your feet. I emphasize that these controls are designed around capabilities, not tools, so they are just as relevant whether you are a small business with a server in the back room, are completely cloud-native, or have thousands of systems in datacenters around the world. Processes and implementation are what matter—not which brand of blinky-box you plugged into the server rack.

Without further ado, let me present the Defensive Backup Infrastructure Controls framework:

Defensive Backup Infrastructure Controls Framework

The Defensive Backup Infrastructure Controls (DBIC) framework is a customized set of controls developed by TrustedSec. The framework presents a strategy and prescriptive guidance for hardening backups and backup systems against the threat of human-operated ransomware and similar destructive attacks.

The core principle of the framework is that the ability to recover critical data and IT capabilities from backups is the last line of defense against catastrophic business losses due to ransomware and other enterprise-scale destructive cyberattacks.

Successful recovery depends on achieving five (5) strategic objectives prior to any attack:

  • Backups of critical systems are performed
  • Backups are hardened against destruction
  • Backup data is accessible during a full network outage
  • Critical systems can be restored from backups at enterprise scale
  • Supportive controls increase resiliency and prevent variance

The strategic objectives and technical controls in the DBIC are based on threat modeling of the common trends and tactics employed by ransomware attackers. The framework is informed by experiences of the TrustedSec Incident Response and Remediation teams and draws from industry best practice control frameworks including CIS Controls, the NIST Cybersecurity Framework (CSF), and NIST Special Publication (SP) 800-53: Security and Privacy Controls for Information Systems and Organizations. The framework is not a replacement for comprehensive, risk-informed business continuity (BC) and disaster recovery (DR) planning.

DBIC Strategic Objectives

1. Backups of Critical Systems are Performed

Regular backups of critical systems and data are performed in alignment with the organization's recovery requirements. Backups include core infrastructure such as the organization's identity provider (e.g., Active Directory (AD)), DNS, DHCP, and related foundational capabilities in addition to critical business systems.

| Control | Control Scope |
|---|---|
| Critical Information Systems are Identified and Included in Backups | Security Program |
| Recovery Requirements are Established | Security Program |
| Backup Capabilities are Aligned With Recovery Requirements | System-Specific |

2. Backups are Hardened Against Destruction

Backup data is not vulnerable to modification, corruption, or deletion by technical means within the retention lifecycle defined by the organization. Protections address abuse of administrator deletion capabilities in the backup management interface and deletion or corruption at the file system or data storage level.

The most effective solution is to implement immutable backup storage. When properly installed and configured, immutable storage is nearly certain to protect backups against corruption or deletion.

Additionally, and especially in cases where immutability is not available, backup systems are isolated from the covered environment to prevent malicious access or compromise by an attacker in the covered environment.

| Control | Control Scope |
|---|---|
| Immutable Backup Storage is Used | System-Specific |
| Independent Identities and Strong Authentication Controls Protect Access to Backup Systems | System-Specific |
| Backup Infrastructure Management is Independent of Covered Systems | System-Specific |
| Hardening is Applied to Backup Systems and Infrastructure | System-Specific |

3. Backup Data is Accessible During a Full Network Outage

The organization can access backup data when production networks and critical IT infrastructure are down, encrypted, or otherwise inaccessible. Without a validated ability to access backup data during a major infrastructure outage, it is likely the organization will be unable to perform restorations and restore IT and business operations at all, or at least not in a timely manner.

| Control | Control Scope |
|---|---|
| Emergency Access Credentials are Maintained | System-Specific |
| Required Encryption Keys are Identified | System-Specific |
| Emergency Network Access Methods and Dependencies are Established | System-Specific |
| Process Documentation for Emergency Access to Backups is Maintained | System-Specific |
| Important Configuration Files are Maintained Offline | System-Specific |

4. Critical Systems can be Restored From Backups at Enterprise Scale

Critical IT systems, capabilities, and datasets can be restored from backups at enterprise scale following a major incident within timeframes acceptable to the organization.

| Control | Control Scope |
|---|---|
| Recovery Processes are Established | System-Specific |
| Recovery Process Documentation is Maintained | System-Specific |
| DR Tests are Performed for Enterprise Ransomware Attacks | Security Program |
| Secondary Personnel can Perform Full Recovery | System-Specific |

5. Supportive Controls Increase Resiliency and Prevent Variance

Supportive controls are implemented that increase the effectiveness of DR, monitor for issues in backup infrastructure, and potentially identify and preempt in-progress attacks.

| Control | Control Scope |
|---|---|
| A Secrets Management Strategy is Implemented | Security Program |
| DR Process Documentation is Consolidated | Security Program |
| All Necessary Secrets and Documentation are Resilient to Attack | Security Program |
| Alerting for Backup Systems is Enabled | System-Specific |
| Security Teams Monitor Backup Process Issues | Security Program |
| Incident Response Processes Exist for Backup System Issues | Security Program |
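As an added example (not part of the TrustedSec guide or any product), here is the monitoring idea behind objectives 1 and 5 expressed as detection logic over a constructed backup-job event stream: it flags failed jobs, retention reductions, backup deletions and disabled jobs, and any critical system whose newest good backup is older than its recovery requirement. The system names, thresholds and the JSON-lines event shape are assumptions.

```python
"""Flag backup-process issues that often precede or accompany a ransomware
attack. Added example; the event format and thresholds are assumptions."""
import json
from datetime import datetime, timedelta

# Assumed recovery requirements: maximum age of the newest good backup
# for each critical system (hypothetical values for illustration).
RECOVERY_REQUIREMENTS = {"dc01": timedelta(hours=24), "erp-db": timedelta(hours=4)}
MIN_RETENTION_DAYS = 30  # assumed organizational retention floor

# Constructed sample events in a generic JSON-lines shape (not a real product's log).
SAMPLE_EVENTS = """
{"ts":"2025-08-27T01:00:00Z","system":"dc01","event":"job_success","actor":"svc-backup"}
{"ts":"2025-08-27T22:00:00Z","system":"erp-db","event":"job_success","actor":"svc-backup"}
{"ts":"2025-08-28T02:10:00Z","system":"erp-db","event":"job_failed","actor":"svc-backup"}
{"ts":"2025-08-28T02:15:00Z","system":"erp-db","event":"retention_changed","actor":"j.doe","days":1}
{"ts":"2025-08-28T02:16:00Z","system":"dc01","event":"backup_deleted","actor":"j.doe"}
{"ts":"2025-08-28T02:17:00Z","system":"dc01","event":"job_disabled","actor":"j.doe"}
"""

def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def analyze(events_text, now_iso):
    """Return a list of (severity, message) findings for the event stream."""
    findings, last_good = [], {}
    for line in filter(None, (l.strip() for l in events_text.splitlines())):
        e = json.loads(line)
        ts, sysname, kind = _parse_ts(e["ts"]), e["system"], e["event"]
        if kind == "job_success":
            last_good[sysname] = max(ts, last_good.get(sysname, ts))
        elif kind == "job_failed":
            findings.append(("medium", f"{sysname}: backup job failed at {e['ts']}"))
        elif kind == "retention_changed" and e.get("days", MIN_RETENTION_DAYS) < MIN_RETENTION_DAYS:
            findings.append(("high", f"{sysname}: retention reduced to {e['days']}d by {e['actor']}"))
        elif kind in ("backup_deleted", "job_disabled"):
            findings.append(("high", f"{sysname}: {kind} by {e['actor']}"))
    # Missing-backup check: compare newest good backup against the recovery requirement.
    now = _parse_ts(now_iso)
    for sysname, max_age in RECOVERY_REQUIREMENTS.items():
        newest = last_good.get(sysname)
        if newest is None or now - newest > max_age:
            findings.append(("high", f"{sysname}: no successful backup within {max_age}"))
    return findings

if __name__ == "__main__":
    for severity, msg in analyze(SAMPLE_EVENTS, "2025-08-28T06:00:00Z"):
        print(f"[{severity.upper()}] {msg}")
```

Retention reductions, deletions and disabled jobs performed by an interactive account rather than the backup service identity are the events worth routing to the security team, not only to the backup administrators.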


In Conclusion

Use the Defensive Backup Infrastructure Controls framework to take a hard look at your organization's backup and recovery capabilities. In what ways are you well prepared? Where did you miss the mark? Make a plan to address your critical failure points urgently, then get some quick wins in and start testing on a regular basis. Improve bit by bit. And remember that expensive platforms are not a replacement for effective processes. No matter your organization's size or your team's budget, there's something here you can tackle.

Lastly, if you want some help evaluating the backup and recovery strategy and architecture for your organization (or designing an update), let us know! You can drop us a message through the Contact Us page, call us at 1.877.550.4728, or email [email protected].
