Defending your last line of defence: protecting your backups

In the last twelve months, we’ve seen ransomware continue to wreak havoc on organisations, governments, and individuals across the globe. In May 2021, the Colonial Pipeline ransomware attack brought the gasoline supply on the east coast of America to a standstill for days. In November, millions of Australians came within minutes of losing power to their homes in a ransomware attack on a Queensland power station.

Meanwhile, ransomware attacks on Australian organisations increased 15 per cent in the past financial year, contributing a significant portion of the 67,500 cybercrime reports received by the ACSC. 

Ultimately, ransomware continues to mutate and adapt, with a variety of tactics being specially employed to best exploit targets.

One incredibly effective ploy involves threat actors employing a two-pronged ransomware approach. First observed in 2018, attackers will go after an organisation’s backups before encrypting systems, meaning attackers can strip a business of their last line of defence before their presence is even known.

It’s a cyberattack method that is occurring more frequently and on a larger scale, and highlights the need for organisations to revisit their business continuity and disaster recovery (BCDR) strategy and take measures to ensure their backups are secure.

Backup software requires a high level of access to files, systems, virtual machines, databases, and other aspects of a computing environment, creating additional risk. To minimise this risk, companies need to take a multi-step approach, both on-premises and in the cloud. 

It’s imperative businesses employ a multi-factor authentication (MFA) process for access to both the backup administration portal and for activities that have the potential to manipulate or delete backup data, as this will significantly limit a hacker’s ability to access systems.

Joining the dots, covering all bases

There’s a variety of interconnected factors to be aware of when securing backups. It’s important to consider every endpoint and every application as a potential vulnerability, as any one of them could give hackers access to your most valuable data. 

Be sure connections cannot be made directly to a backup appliance. Heavily restrict local backup appliance remote access on the LAN and implement layers of protection to prevent malicious access. If a remote monitoring and management solution (RMM) is used to manage the backup appliance, then this could be another point of attack and security needs to be heightened on the RMM access controls. In addition, separate the appliance from backups stored in the cloud with independent authentication mechanisms. Never store admin credentials for the appliance or the cloud in a local browser, attackers can access them in seconds.

Backup files are easy targets, because file extensions, such as .bak, are easily located. To keep backups secure, they should be stored in read-only state. If encrypting, follow best practices, such as storing the encryption key on a separate physically secured device and only loading it into memory on the device doing the encryption. In addition, proactively scan backups for ransomware.

Finished backing up? Good, now do it again

It’s best practice to maintain multiple copies of backups in separate secure locations and limit the ability to modify the data or its storage. This is crucial for situations in which a threat actor has managed to encrypt your data. Moving from cyber protection to cyber resilience requires businesses to take an assumed-breach approach to cybersecurity and be ready for anything.

Current backup solutions can provide several point-in-time recovery points, as well as the ability to replicate backups to cloud storage. In addition, protect backups from unauthorized and accidental deletion by creating a delayed delete time window.

When testing backups on a regular basis, make sure testing includes full restoration. Perform bare metal restorations as it would occur in a real disaster situation. Finally, confirm that network connectivity can be re-established, key services (i.e. Active Directory) are properly working, applications can communicate with each other and document everything in a recovery plan.

Backups are an organisation’s last line of defence, and threat actors know it. Many are now modifying their malware to actively track down and eliminate backups, leaving victims at their mercy. 

Take the necessary steps to start 2022 off on the right foot. If necessary, upgrade your systems, and run regular tests to ensure your backups are safe, uncorrupted, and readily available for instant recovery. Adopt an assumed breach model, and work towards a cybersecurity posture that looks past protection to resilience.