Protecting Backup and Recovery in the Age of Ransomware

Ransomware attackers frequently target backups and recovery systems to force victims into paying ransoms, making robust protection strategies essential for all organizations. This blog introduces the Defensive Backup Infrastructure Controls framework, a process I've developed from first principles to safeguard backups, harden systems, and maintain recovery capabilities during worst-case data corruption or ransomware incidents.
This may be hard to hear, but:
- Ransomware attacks aren't going away anytime soon.
- Attackers specifically target backups once they get into your environment.
- Most backup systems are designed for site loss and are not prepared for a malicious technical attack like ransomware.
I've worked with dozens of organizations over the past few years—ranging from nonprofits to SMBs to global enterprises—to figure out the critical capabilities that must be achieved so your backups survive a ransomware attack and so you can actually recover the organization and get back on your feet. I emphasize that these controls are designed around capabilities, not tools, so they are just as relevant whether you are a small business with a server in the back room, are completely cloud-native, or have thousands of systems in datacenters around the world. Processes and implementation are what matter—not which brand of blinky-box you plugged into the server rack.
Without further ado, let me present the Defensive Backup Infrastructure Controls framework:
Defensive Backup Infrastructure Controls Framework
The Defensive Backup Infrastructure Controls (DBIC) framework is a customized set of controls developed by TrustedSec. The framework presents a strategy and prescriptive guidance for hardening backups and backup systems against the threat of human-operated ransomware and similar destructive attacks.
The core principle of the framework is that the ability to recover critical data and IT capabilities from backups is the last line of defense against catastrophic business losses due to ransomware and other enterprise-scale destructive cyberattacks.
Successful recovery depends on achieving five (5) strategic objectives prior to any attack:
- Backups of critical systems are performed
- Backups are hardened against destruction
- Backup data is accessible during a full network outage
- Critical systems can be restored from backups at enterprise scale
- Supportive controls increase resiliency and prevent variance
The strategic objectives and technical controls in the DBIC are based on threat modeling of the common trends and tactics employed by ransomware attackers. The framework is informed by experiences of the TrustedSec Incident Response and Remediation teams and draws from industry best practice control frameworks including CIS Controls, the NIST Cybersecurity Framework (CSF), and NIST Special Publication (SP) 800-53: Security and Privacy Controls for Information Systems and Organizations. The framework is not a replacement for comprehensive, risk-informed business continuity (BC) and disaster recovery (DR) planning.
DBIC Strategic Objectives
1. Backups of Critical Systems are Performed
Regular backups of critical systems and data are performed in alignment with the organization's recovery requirements. Backups include core infrastructure such as the organization's identity provider (e.g., Active Directory (AD)), DNS, DHCP, and related foundational capabilities in addition to critical business systems.
| Control | Control Scope |
|---|---|
| Critical Information Systems are Identified and Included in Backups | Security Program |
| Recovery Requirements are Established | Security Program |
| Backup Capabilities are Aligned With Recovery Requirements | System-Specific |
2. Backups are Hardened Against Destruction
Backup data is not vulnerable to modification, corruption, or deletion by technical means within the retention lifecycle defined by the organization. Protections address abuse of administrator deletion capabilities in the backup management interface and deletion or corruption at the file system or data storage level.
The most effective solution is to implement immutable backup storage. When properly installed and configured, immutable storage is nearly certain to protect backups against corruption or deletion.
Additionally, and especially in cases where immutability is not available, backup systems are isolated from the covered environment to prevent malicious access or compromise by an attacker in the covered environment.
| Control | Control Scope |
|---|---|
| Immutable Backup Storage is Used | System-Specific |
| Independent Identities and Strong Authentication Controls Protect Access to Backup Systems | System-Specific |
| Backup Infrastructure Management is Independent of Covered Systems | System-Specific |
| Hardening is Applied to Backup Systems and Infrastructure | System-Specific |
3. Backup Data is Accessible During a Full Network Outage
The organization can access backup data when production networks and critical IT infrastructure are down, encrypted, or otherwise inaccessible. Without a validated ability to access backup data during a major infrastructure outage, it is likely the organization will be unable to perform restorations and restore IT and business operations at all or in a timely manner.
| Control | Control Scope |
|---|---|
| Emergency Access Credentials are Maintained | System-Specific |
| Required Encryption Keys are Identified | System-Specific |
| Emergency Network Access Methods and Dependencies are Established | System-Specific |
| Process Documentation for Emergency Access to Backups is Maintained | System-Specific |
| Important Configuration Files are Maintained Offline | System-Specific |
4. Critical Systems can be Restored From Backups at Enterprise Scale
Critical IT systems, capabilities, and datasets can be restored from backups at enterprise scale following a major incident within timeframes acceptable to the organization.
| Control | Control Scope |
|---|---|
| Recovery Processes are Established | System-Specific |
| Recovery Process Documentation is Maintained | System-Specific |
| DR Tests are Performed for Enterprise Ransomware Attacks | Security Program |
| Secondary Personnel can Perform Full Recovery | System-Specific |
5. Supportive Controls Increase Resiliency and Prevent Variance
Supportive controls are implemented that increase the effectiveness of DR, monitor for issues in backup infrastructure, and potentially identify and preempt in-progress attacks.
| Control | Control Scope |
|---|---|
| A Secrets Management Strategy is Implemented | Security Program |
| DR Process Documentation is Consolidated | Security Program |
| All Necessary Secrets and Documentation are Resilient to Attack | Security Program |
| Alerting for Backup Systems is Enabled | System-Specific |
| Security Teams Monitor Backup Process Issues | Security Program |
| Incident Response Processes Exist for Backup System Issues | Security Program |
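As an added example (not code from the framework or from TrustedSec), the following script reviews a constructed set of backup-platform audit events for the conditions objectives 2 and 5 above call out: hardening being weakened (immutability disabled, retention shortened, jobs deleted, a covered-domain identity administering the backup system) and backup process issues that should reach the security team. The event names, the `CORP\` domain prefix, and both thresholds are assumptions to be mapped onto your own backup platform's audit log.

```python
# Added example, not part of the DBIC framework or any TrustedSec tool.
# Reviews constructed backup-platform audit events for changes that weaken
# hardening (objective 2) and for process issues security teams should be
# alerted on (objective 5). Event names and fields are hypothetical; map
# them to the audit log of your actual backup platform.
from collections import Counter

MIN_IMMUTABLE_DAYS = 30   # organization-defined retention lifecycle (assumed)
FAILURE_THRESHOLD = 3     # consecutive failures before escalation (assumed)

# Constructed sample events, oldest first. "CORP\..." is a covered-domain
# identity; "svc-backup" is the backup system's own independent identity.
SAMPLE_EVENTS = [
    {"event": "job.completed", "job": "AD-DC01", "actor": "svc-backup"},
    {"event": "job.failed", "job": "AD-DC01", "actor": "svc-backup"},
    {"event": "job.failed", "job": "AD-DC01", "actor": "svc-backup"},
    {"event": "job.failed", "job": "AD-DC01", "actor": "svc-backup"},
    {"event": "repo.retention_changed", "repo": "primary", "days": 7, "actor": "CORP\\jdoe"},
    {"event": "repo.immutability_disabled", "repo": "primary", "actor": "CORP\\jdoe"},
    {"event": "job.deleted", "job": "FILESERVER", "actor": "CORP\\jdoe"},
]

def review_events(events, min_days=MIN_IMMUTABLE_DAYS, threshold=FAILURE_THRESHOLD):
    """Return (severity, message) alerts in event order."""
    alerts = []
    failures = Counter()  # consecutive failures per job name
    for e in events:
        kind, actor = e["event"], e.get("actor", "?")
        # Objective 2: removing or shortening immutability is the classic
        # precursor to backup destruction, so it is always critical.
        if kind == "repo.immutability_disabled":
            alerts.append(("critical", f"immutability disabled on repo {e['repo']} by {actor}"))
        elif kind == "repo.retention_changed" and e["days"] < min_days:
            alerts.append(("critical", f"retention on repo {e['repo']} cut to {e['days']}d by {actor}"))
        elif kind == "job.deleted":
            alerts.append(("high", f"backup job {e['job']} deleted by {actor}"))
        # Objective 2: backup administration should not use covered-domain
        # identities, so a domain account changing repo settings is a finding.
        if kind.startswith("repo.") and actor.startswith("CORP\\"):
            alerts.append(("medium", f"domain identity {actor} changed repo settings"))
        # Objective 5: repeated failures leave a critical system unprotected.
        if kind == "job.failed":
            failures[e["job"]] += 1
            if failures[e["job"]] == threshold:
                alerts.append(("high", f"job {e['job']} failed {threshold} runs in a row"))
        elif kind == "job.completed":
            failures[e["job"]] = 0
    return alerts
```

Run against `SAMPLE_EVENTS` it raises six alerts, with the retention and immutability changes each producing both a critical alert and a medium finding about the domain identity that made them.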
In Conclusion
Use the Defensive Backup Infrastructure Controls framework to take a hard look at your organization's backup and recovery capabilities. In what ways are you well prepared? Where did you miss the mark? Make a plan to address your critical failure points urgently, then get some quick wins in and start testing on a regular basis. Improve bit by bit. And remember that expensive platforms are not a replacement for effective processes. No matter your organization's size or your team's budget, there's something here you can tackle.
Lastly, if you want some help evaluating the backup and recovery strategy and architecture for your organization (or designing an update), let us know! You can drop us a message through the Contact Us page, call us at 1.877.550.4728, or email [email protected].
