Ransomware is everywhere, and you must accept that your organization is a target of cyber-criminals looking for a payday. You must think about your backups and what you are doing to protect your precious backups from attack.
As a general rule, ransomware attacks are mass attacks, where cyber-criminals are targeting common and relatively soft implementations. Well-hardened environments with knowledgeable administrators are a less attractive target for them, so just a few simple configuration changes and some thoughtful procedures can really limit an attacker’s success.
Here are 10 steps you can perform to help protect your backups during an attack:
- Disable inbound ports – You must understand that backup servers are generally attacked in two ways—by exploiting an unpatched vulnerability or by simply logging in using compromised admin-level credentials. The easiest way to disrupt an attack is to disable all inbound ports except for the essential ports. Only the ports required for the backup software to perform backups and restores should be left open.
- Limit Outbound DNS – Once ransomware hits a device, the first thing it does is attempt to contact its command-and-control server. If you block that communication, it is unable to receive instructions about what to do next and the attack can be stopped before your files are encrypted. Consider using a local hosts file or a restricted DNS resolver that does not answer external queries. Why would a backup server legitimately need the IP address of a random machine on the internet? Limiting access to random internet-based systems will help protect your backup systems from external attack.
- Apply Vendor Patches – One of the most common ways a cyber-criminal will access systems is to use a disclosed vulnerability that has been unpatched for months. Making sure your backup server is among the first group to receive the latest operating system updates will prevent most of these types of attacks. Also subscribe to whatever automatic updates your backup software provides, and sign up for email notifications of critical issues or alerts so you know when something needs to be patched urgently.
- Disconnect from LDAP – The backup server should not be connected to Lightweight Directory Access Protocol (LDAP) or any other centralized authentication system. These are often the first target of attackers and are frequently compromised as part of a ransomware attack. Using separate accounts and saving the password in a commercial password manager could solve your sign-in issues with minimal risk.
- Complex Passwords – Passwords are the last line of defense, and if someone is guessing your password, the only thing that will prevent unauthorized access is a long and complex password. The password used for backups should be at least 20 characters long (longer passwords are always better), and it should include upper and lowercase letters, numbers, and symbols. A password manager can generate a strong password for you, and there are also plenty of reputable online resources to help you select one.
- Use Multifactor Authentication – Multifactor Authentication (MFA) can significantly increase the security of your backup servers, but please don’t use SMS or email to get your code. Both SMS and email are frequently targeted and circumvented to steal MFA codes, so consider a third-party authentication application such as Google Authenticator or Microsoft Authenticator.
- Limit Admin-Level Accounts – Your backup systems should be configured so only a few people can log in directly to an administrator or root account. You want your normal admin-level accounts used for standard tasks, and a separate admin-level account used only for backup-related tasks. If this separation is applied properly and consistently, a compromised standard admin-level account cannot be leveraged by the attacker to access your secure backups.
- Consider Cloud Backups – Using a software-as-a-service (SaaS) cloud backup would move your backup server outside your normal on-site enterprise computing environment, offering features that could simplify your backup maintenance. The traditional method of tape backups and storing tapes off-site has been effectively replaced with simple cloud backups. Setup and maintenance will be easier since you won’t have to continually update the backup server or segment it from the rest of the network with a firewall. Make sure any backup system you select (on-premises or cloud) allows you to protect your data with 256-bit AES encryption.
- Guard Access Carefully – Make sure personnel who need to access the backup system have only those privileges absolutely necessary to accomplish their authorized tasks. In particular, the ability to delete backups, reduce retention periods, add or delete users, restore backups, and change backup schedules should be limited to a very small group. These risky operations should also be logged in detail and monitored closely. If attackers gain unrestricted administrator access to the backup system, they could use restores to transfer all the data they want to an unencrypted location for exfiltration, delete your backups to force you to pay the ransom, or remove all users to lock you out of the ability to execute any restore operations.
- Practice Restores – The process of creating and storing backups is relatively easy. Once you get it working correctly, backups can run for months without much intervention or maintenance. Where the real work comes into play is restoring those backups. Really understanding how and when to do a restore and practicing the actual step-by-step process of restoring your data can be the hardest part of the process. You should practice restoring a few different systems at least once per year to make sure you understand the process and limitations.
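As an added example (not code from the original article), here is a small Python monitor for the "Guard Access Carefully" step: it parses constructed backup-server audit lines in an assumed `key=value` format and flags the risky operations listed above when they are performed by an account outside a hypothetical allow-list, when retention is cut below an assumed 30-day floor, or when an authorized backup-admin account is removed.

```python
import re

# Constructed sample audit log from a hypothetical backup server (not any real product's format).
SAMPLE_LOG = """\
2024-05-01T02:10:04Z user=backup-svc action=backup.run job=nightly-db result=ok
2024-05-01T02:41:17Z user=jdoe action=restore.run job=nightly-db target=10.0.5.9 result=ok
2024-05-01T03:02:55Z user=jdoe action=retention.set job=nightly-db days=1 result=ok
2024-05-01T03:03:10Z user=jdoe action=backup.delete job=nightly-db result=ok
2024-05-01T03:04:01Z user=jdoe action=user.delete name=backup-admin result=ok
2024-05-01T03:05:30Z user=backup-admin action=schedule.set job=nightly-db cron=weekly result=ok
"""

# The operations the article says to restrict to a very small group and watch closely.
HIGH_RISK_ACTIONS = {"backup.delete", "retention.set", "user.add", "user.delete",
                     "restore.run", "schedule.set"}
# Hypothetical allow-list of the dedicated backup-admin accounts permitted to run them.
AUTHORIZED = {"backup-admin"}
MIN_RETENTION_DAYS = 30  # assumed policy floor; anything lower is treated as tampering

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")

def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields

def find_alerts(log_text):
    """Return (timestamp, user, action, reasons) for every event that violates the policy."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("action") not in HIGH_RISK_ACTIONS:
            continue  # routine events such as backup.run are not interesting here
        reasons = []
        if ev.get("user") not in AUTHORIZED:
            reasons.append("high-risk action by non-backup-admin account")
        if ev["action"] == "retention.set" and int(ev.get("days", "0")) < MIN_RETENTION_DAYS:
            reasons.append(f"retention cut below {MIN_RETENTION_DAYS} days")
        if ev["action"] == "user.delete" and ev.get("name") in AUTHORIZED:
            reasons.append("removal of an authorized backup-admin account (lockout risk)")
        if reasons:
            alerts.append((ev["ts"], ev.get("user"), ev["action"], "; ".join(reasons)))
    return alerts
```

In a real deployment the same checks would run in your SIEM against the backup product's actual audit log; the field names here are assumptions.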
Bonus – Investigate whether you can implement immutable backups in your environment. An immutable backup can’t be modified, deleted, or encrypted. An immutable backup is read-only, and that makes the backup totally unchangeable. Keeping immutable backups of your critical business data ensures hackers can’t destroy your data. Consult your backup system vendor to see if immutable backups are supported with your backup system.
You should also run updated malware scanning software, intrusion detection, commercial-grade firewalls, and other standard security products to keep your network as secure as possible. Lock down services (such as RDP) where they are not necessary, and enforce authentication for them where they are necessary. Use a SIEM (security information and event management) solution to collect all the logs from your environment and notify you when unusual events or malicious activity are detected. A properly configured SIEM can also help with clean-up after an attack by determining which systems were compromised and which user accounts were used during the attack.