5 backup best practices for ransomware
Backup best practices for ransomware, so that you can protect yourself against advanced attacks that target your on-prem and cloud backups.
Our recent webinar shares experiences and insights from our Technical Director, Conor Scolard, who looks at the profile of an attack, and how the impact can be minimised if you’re targeted. The key points from the webinar can be found in this blog.
From a hacker’s perspective, backups are bad news. They give your company a lifeline and a means of recovery, which is why they are a key target during an attack. The harder it is, or the longer it takes, for you to recover, the more likely a hacker is to get their ransom. Once your backups have been encrypted or deleted, your company has no safety net of data to fall back on, and the attack becomes all the more effective.
For the purpose of this blog, we’ll assume that a hacker already has access to your network. Let’s say they got in through a highly targeted phishing campaign and, over a few weeks, have worked their way towards your data centre environment. At each step, they’ve covered their tracks to avoid detection, gathering more insight into your technical landscape along the way.
Before they alert you to the attack by installing ransomware on every endpoint and server connected to your network, they will look for your backups. Here are the five weaknesses that hackers love to exploit to encrypt or delete your backups, and the best practice that closes each one.
Backup best practices for ransomware
1. Don’t back up data to the same environment
Since a hacker already has access to your data centre environment, keeping your backup copy in the same environment where the data is created makes it easy for them to delete your backups.
2. Ensure separation between your backup server and the rest of your network
The more systems your backup server can communicate with, the easier it is to find from a network scan. For example, if you’re backing up your hypervisor, there’s no need for your backup server to talk to your domain controller. With proper network separation in place, you’re making life difficult for hackers, slowing them down and therefore increasing the chance of detection.
3. Make sure backup servers don’t share the same Active Directory (AD)
If your backup servers are joined to the same AD domain as the rest of your estate, hackers can use that shared authentication to access multiple backup servers and delete the data.
4. Don’t use the same SAN for storing backup and production data
We’ve seen cases where a SAN that’s used for replication and disaster recovery (DR) is also storing backup data. Once the SAN’s been found, it’s light work for the hackers to remove your safety net.
5. How long does it take you to recover your network? No, really.
Recovering from an attack isn’t pretty. While the recovery takes place, there’s forensics work happening on top of your ops team frantically checking logs. It’s a stressful and extremely busy time, so recovery will be slower than usual. Make sure you understand how long this takes you, and make sure you’ve got sufficient bandwidth between your backup environment and your hypervisor platform so that you’re not slowed down unnecessarily.
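The five practices above are architectural rules, so a natural way to keep them honest is to check an inventory of hosts against them as a policy-as-code audit. The following is an added example, not code from the original post or from its authors: it takes a constructed inventory (host names, sites, domains, storage pools and a 50 TB restore over a 1 Gbps link are all made-up assumptions) and flags any backup server that sits in a production environment, talks to hosts it does not need, shares an AD domain, or shares a SAN with production, then estimates whether a full restore fits inside a stated recovery-time objective.

```python
"""Added example: audit a backup inventory against the five practices above.
The Host layout and every value in sample_inventory() are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Host:
    name: str
    site: str                  # environment the host lives in, e.g. "dc1"
    ad_domain: Optional[str]   # None means not domain-joined
    storage: str               # SAN / storage pool the host writes to
    talks_to: Set[str] = field(default_factory=set)  # hosts it can reach


def restore_hours(data_tb: float, link_gbps: float) -> float:
    """Hours to move data_tb terabytes over a link_gbps restore link.
    Raw line rate only, which is optimistic: no protocol or dedup overhead."""
    seconds = data_tb * 8_000 / link_gbps   # 1 TB = 8000 gigabits
    return seconds / 3600


def audit(prod: List[Host], backups: List[Host], allowed_peers: Set[str],
          data_tb: float, link_gbps: float, rto_hours: float) -> List[str]:
    """Return one finding per practice a backup server violates."""
    findings = []
    prod_sites = {h.site for h in prod}
    prod_storage = {h.storage for h in prod}
    prod_domains = {h.ad_domain for h in prod if h.ad_domain}
    backup_domains = [b.ad_domain for b in backups if b.ad_domain]

    for b in backups:
        # 1. backup copy lives in the same environment as the source data
        if b.site in prod_sites:
            findings.append(f"{b.name}: practice 1, stored in production environment '{b.site}'")
        # 2. backup server reachable from more hosts than the backup job needs
        extra = b.talks_to - allowed_peers
        if extra:
            findings.append(f"{b.name}: practice 2, talks to hosts it does not need: {sorted(extra)}")
        # 3. backup server shares an AD domain with production or another backup server
        if b.ad_domain and (b.ad_domain in prod_domains or backup_domains.count(b.ad_domain) > 1):
            findings.append(f"{b.name}: practice 3, shares AD domain '{b.ad_domain}'")
        # 4. backup data on the same SAN as production data
        if b.storage in prod_storage:
            findings.append(f"{b.name}: practice 4, shares storage '{b.storage}' with production")

    # 5. does a full restore over the backup-to-hypervisor link fit the RTO?
    hours = restore_hours(data_tb, link_gbps)
    if hours > rto_hours:
        findings.append(f"practice 5, full restore needs ~{hours:.0f} h over "
                        f"{link_gbps} Gbps, RTO is {rto_hours} h")
    return findings


def sample_inventory():
    """Constructed inventory: bkp-01 breaks practices 1 to 4, bkp-02 is isolated."""
    prod = [Host("hv-01", "dc1", "corp.example", "san-prod", {"dc-01", "bkp-01"}),
            Host("dc-01", "dc1", "corp.example", "san-prod", {"hv-01"})]
    backups = [Host("bkp-01", "dc1", "corp.example", "san-prod", {"hv-01", "dc-01"}),
               Host("bkp-02", "cloud-vault", None, "vault-pool", {"hv-01"})]
    return prod, backups


def run_sample() -> List[str]:
    prod, backups = sample_inventory()
    # only the hypervisor should be able to reach the backup servers
    return audit(prod, backups, allowed_peers={"hv-01"},
                 data_tb=50, link_gbps=1, rto_hours=24)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run as a script it lists four findings for `bkp-01` and one for the restore window (50 TB at 1 Gbps is roughly 111 hours, far beyond a 24 hour RTO, whereas the same data over 10 Gbps would take about 11 hours). In practice the inventory would be pulled from your CMDB or backup console rather than hand-written, and the `talks_to` sets from firewall rules or a network scan of the backup subnet.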
There’s constant chatter in our industry about ransomware, and rightly so. It’s real and it’s affecting businesses of all sizes day in, day out. Last year, our security specialists and incident responders spent over 300 days assisting with ransomware recovery.
Our specialists have the answer