A Defense In-Depth Approach to Secure Backups

by Greg Gelman | Mar 31, 2022

Ransomware attacks have made headlines over the past few years, and these threats aren’t going anywhere any time soon. With the average ransomware attack costing organizations $4.62 million across escalation, lost business, notification, reputational harm, and response costs, the profitability of such attacks drives their exponential growth in popularity. Ransomware groups continue to proliferate in a market that nets billions of dollars per year.

An effective backup strategy is critical to limit the impact of ransomware attacks. Ransomware threat actors make every effort to ensure backup data is completely inaccessible. They aim to prevent any recovery or restoration if an organization refuses to pay the ransom.

Budget or infrastructure limitations often lead organizations to adopt backup strategies built on on-premises backups that live on the same network as production data. This leaves backups more susceptible to compromise, because ransomware will locate and delete file directory entries likely to represent backup data before asking for a ransom. Cloud backups can also be susceptible to ransomware if credentials are compromised and the accounts lack multi-factor authentication (MFA). Mitigating the effectiveness of ransomware means maintaining clean, segmented, encrypted, and MFA-protected backup data. Implementing multiple layers of protection around backups can prevent ransomware from having a significant impact on an organization.

Multiple Layers of Protection

1. Ensure Data Integrity

The first step in protecting backups is to ensure the data is stored on a platform where it cannot be modified. Look for backup vendors who offer object-based storage. This type of storage makes it significantly more difficult for ransomware to modify backup data. It may still be possible to add and delete objects, but changing the data already stored in an object will not be possible. This means that if ransomware attempts to exploit the backup environment, it will fail to encrypt the stored data in place.

2. Employ A Zero Trust Model

Backing up data using an off-site, object-based backup provider is a great step in the right direction. It may still not be enough if ransomware can use compromised credentials to access backups. The second layer of Resilience’s defense in-depth approach is to require separate account access for the backup environment and to reinforce that security by using MFA.

3. Implement Multi-level Resiliency

Backup solutions that offer ransomware protection should include deletion protection. These platforms may also include soft delete options (similar to a recycle bin), which ensure that even if ransomware manages to delete backup data, a copy remains for recovery. Many backup platforms also offer write-once, read-many (WORM) storage. WORM storage provides backups that cannot be modified or deleted, even by authorized personnel.

4. Automate Response

Timely detection and response limit the spread of ransomware, making for an easier response and recovery process. Ransomware often resides on victim networks for months before a ransom demand is posted. Threat actors specifically instruct ransomware to wait until the organization is off for a holiday or the weekend before fully executing. A strong security monitoring and response program with dedicated incident detection and incident prevention solutions, as well as backup solutions that monitor for anomalies in access or data patterns, can alert your organization to possible ransomware attacks. Since threat actors typically drop the ransom note at the most inconvenient time for the victim, organizations should integrate the backup solution with Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), or other automated security monitoring platforms that can assist with response activities, such as quarantining infected systems and snapshots. Anomaly detection can also help identify the best snapshot to use for recovery.
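One way to implement the anomaly check and the snapshot selection this section describes, as an added example that is not code from the original post or from Resilience. It assumes the backup platform reports, per snapshot, the number of changed and deleted files and a mean entropy figure for the changed data (the nightly history below is constructed), and it flags a night whose counts leave the learned baseline or whose new content looks encrypted, then names the newest snapshot taken before that night.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Snapshot:
    """Per-snapshot counters as a backup platform might report them (assumed)."""
    snap_id: str
    changed: int    # files modified since the previous snapshot
    deleted: int    # files deleted since the previous snapshot
    entropy: float  # mean Shannon entropy of changed files, bits per byte

# Ciphertext approaches 8 bits/byte; documents and source code sit far lower.
ENTROPY_LIMIT = 7.5

def _zscore(value, samples):
    # Floor the deviation at 1 so a flat baseline does not flag every small change.
    return (value - mean(samples)) / max(pstdev(samples), 1.0)

def is_anomalous(snap, baseline, z_limit=3.0):
    """True if change volume, deletions or entropy break out of the clean baseline."""
    if snap.entropy > ENTROPY_LIMIT:
        return True
    return (_zscore(snap.changed, [b.changed for b in baseline]) > z_limit
            or _zscore(snap.deleted, [b.deleted for b in baseline]) > z_limit)

def last_clean_snapshot(snapshots, baseline_len=5):
    """Return the id of the newest snapshot taken before the first anomaly.
    `snapshots` is chronological; the first `baseline_len` are trusted, and each
    later clean snapshot joins the baseline so normal drift is learned."""
    baseline = list(snapshots[:baseline_len])
    clean = baseline[-1].snap_id if baseline else None
    for snap in snapshots[baseline_len:]:
        if is_anomalous(snap, baseline):
            return clean
        baseline.append(snap)
        clean = snap.snap_id
    return clean

# Constructed nightly history: six normal nights, then one where tens of
# thousands of files change and the new content looks encrypted.
HISTORY = [
    Snapshot("snap-01", changed=120, deleted=3, entropy=4.9),
    Snapshot("snap-02", changed=135, deleted=1, entropy=5.1),
    Snapshot("snap-03", changed=110, deleted=4, entropy=4.8),
    Snapshot("snap-04", changed=128, deleted=2, entropy=5.0),
    Snapshot("snap-05", changed=117, deleted=2, entropy=4.9),
    Snapshot("snap-06", changed=131, deleted=3, entropy=5.0),
    Snapshot("snap-07", changed=48210, deleted=6, entropy=7.9),
    Snapshot("snap-08", changed=40, deleted=12, entropy=5.2),
]
```

Calling `last_clean_snapshot(HISTORY)` returns `"snap-06"`, the last night before the mass encryption; in a SOAR playbook that id is what you would hand to the restore job, and the flagged snapshot is what you would quarantine.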

5. Recover with Confidence

Although backup copies or snapshots may be adequately preserved, hidden embedded malware can cause reinfection and start the incident response and recovery process over again. To ensure the hygiene of recovery data, it is critical to scan snapshots for malware or indicators of compromise (IOCs) before conducting restoration procedures. Look for solutions that run built-in antivirus/antimalware detection and threat intelligence against backup data so that business data is protected from ransomware attacks.



Organizations must have strong data recovery, ransomware protection, and a business continuity plan to reduce the spread of ransomware attacks.

Restoration from a recent, clean and encrypted backup is the most effective strategy for recovering from a ransomware incident. Keep multiple iterations of backups, including some offline, in case backups become infected or maliciously encrypted. In addition:

  • Review and update corporate backup policies.
  • Perform a thorough audit of all business data and where it is stored. Too often, data is left out of backups because its location was unknown.
  • Keep at least three copies of critical and production data on two different media, one of which should be sent off-site or completely air-gapped. This backup methodology is known as a “3-2-1” strategy.
  • Make regular backups and frequently review backup retention to ensure critical data is kept for a sufficient amount of time. During data and systems restoration, numerous generations of backup data may be necessary to properly restore everything.
  • Ensure robust backups using the WORM principle, with comprehensive backup access controls to prevent infection or undesired access by attackers.
  • Maintain and back up logs for a minimum of one year.
  • Scan and/or monitor your backups for anomalies and threats.
  • Perform real-world scenario testing and review of backup plans to understand restoration times and to help prioritize the order in which systems are recovered.

About the Author

Greg Gelman
Senior Security Solutions Engineer

Greg Gelman is a Senior Security Solutions Engineer with Resilience. He has 12 years of experience engineering Security Operations Center detection, prevention, and response capabilities for public and private sector organizations such as the State of New Jersey, Lockheed Martin’s Advanced Technology Laboratories, Willkie Farr & Gallagher, and MUFG Securities. Gelman is a former State Investigator and holds an MS in Cyber Security Engineering and CISSP and Security+ certifications.