Organizations need to build a moat around their backup infrastructure to ensure that malicious actors cannot get to last resort control. The integrity of the backup system and data is essential when all else fails. Here are some key considerations:
- The catalog of the backup server needs to be backed up someplace that is unlikely to be affected by malware.
- If the backup server is Windows-based, it would ideally be virtualized and have offline snapshots for recoverability. Otherwise, there should be some strategy for an air-gapped system clone or an offline bare-metal backup.
- Backup media should be encrypted and protected. If backing up to disks:
- Ensure that the system is hardened
- Administrators are limited and use separate passwords from their normal accounts
- Those backing up to tape should be encrypted, cataloged in a tracking system, and sent to an offsite rotation. Protecting the catalog is essential, so you know what tapes would be needed for recovery, especially if performing incremental backups where several tapes would be necessary for a full restore.
- Ideally, the backup system is segmented from the production network via a firewall or ACLs. The backup should communicate with the target servers, but commonly abused protocols like RDP or SMB should not be open from Windows-based computers on the network (the moat).
- Critical databases may need a multi-layer strategy for backups, with an online component for fast recovery and offline backups for a worst-case scenario.
- A diagram of the backup system and data flows should be maintained. ExtraHop can assist with documenting the backup flows.
- Network Detection and Response should be set up to alert any anonymous traffic to the backup components.
- All dependencies for restoration should be analyzed. The recovery of backups depends on network availability, DNS, Active Directory, connectivity to the backup media. There are a number of things a hacker may target to make recoverability harder.
- A recovery document should be developed and kept offline. This document should outline all steps to get backups operational and systems recovered.
Cybersecurity Awareness Month, now in its 18th year, raises awareness about the importance of cybersecurity across our Nation, ensuring that all Americans have the resources they need to be safer and more secure online.
If you are interested in learning more about our Cybersecurity services, please click here.