Nowadays, ransomware attacks aim for essential data assets, such as production databases and backups. If your backups are encrypted by the malefactors, you have only two choices left: pay the ransom or forget about your data. Thankfully, there is a range of tactics to protect your backups from ransomware attacks. In this guide, we define the top strategies that will make your backups bulletproof.
Use the 3-2-1 Backup Strategy
It is obvious that the more backup copies you store on different storage media, the lower the chance that all of them will be damaged by ransomware. But how many storage media are enough?
The most popular and one of the most balanced backup strategies out there is called the “3-2-1” backup strategy. Basically, it states that, at any point in time, you should have three copies of a single file, on two different storage media, with one copy held offsite: the original file, a backup copy on a local storage medium, and a backup copy on an offsite storage medium (typically cloud storage). If your original data is compromised, you recover from the local storage, since it is faster. If both your original data and your local backup are compromised, you recover from the cloud storage.
Use Several Cloud Storage Solutions
You will increase the level of protection if you add another cloud storage solution to your existing storage stack. How exactly would this help you?
A different set of credentials. First of all, if malefactors break through your identity policy and attack one storage, the chances are that the second one, with different credentials, will stay safe and you will be able to recover.
Different backup times. A backup becomes useless if ransomware encrypts the original data and this goes unnoticed. What happens then? The backup solution uploads the changed data, so the latest backup now contains encrypted content. If you use a second cloud storage, you typically perform that backup at a different time, which keeps your other set of backups intact.
Limit Access to Backup Storage and Backup Application
Frankly speaking, no end user should have the right to access backup storage. Moreover, you should also limit the access to only those who really need to access such storage. A carefully designed access policy will allow you to reduce the possibility of your backups being successfully attacked.
On the other hand, there is a second attack vector against backups: the backup application or service itself, since it typically has access to both user data and backup storage. Create a strict security policy and do not grant permission to access your backup console if you use a centrally managed backup solution. If you use standalone backup software, it is a good idea to restrict the ability of end users to access the backup UI.
Use Air-Gapped Backups
This type of ransomware backup protection is one of the most robust and, at the same time, one of the most demanding. “Air gap” means that your backup storage is physically disconnected from your premises. It is not connected to the cloud infrastructure, to the local network, or to any network whatsoever.
In practical terms, air-gap backup is a local storage solution: a hard drive, a NAS device, or a file server that you connect to your premises only when you need to perform a backup.
Why is it robust? Because, in the event of a successful ransomware attack, you still have a valid backup copy. You need to contain the attack, wipe out everything that has been affected, and restore the data from your backups.
Sounds like a silver bullet, but there are some limitations to this method:
- More planning and manual actions. To implement air-gapped backups, you need to add a new framework to your backup policy, so it doesn’t interfere with your business activities.
- More storage space is needed. Obviously, air-gapped backup storage is an additional solution to your production storage. You will need to define the architecture of this solution, build it, and support it.
- Does not work for strict recovery time objectives. Strict recovery time and recovery point objectives define the way you store and recover data. Air-gapped backups work for static and non-critical data that you need to recover in a matter of hours. However, if you are running applications or databases that need failover replication, you won’t be able to apply this method, since every time you need to recover, you would need to connect the detached storage to the premises you need to restore.
Air-gap backup is a great way to ensure that your backups are well protected against ransomware. However, this method will not be appropriate for every case. Oftentimes, you create air gaps as the last line of defense against ransomware and store only the most critical data there.
Configure Retention Settings
Retention settings are a set of rules and policies that state how many copies of your data are stored in the backup storage and for how long. A well-thought-out retention policy lets you store at least one additional copy of your backups, so that, even if your latest backup copy is infected, you can always restore from the one before it.
For sure, you won’t be able to recover the most recent data and something will be lost. However, in critical situations, a valid yet slightly outdated recovery is still a success.
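To show how retention depth decides whether a clean copy survives, here is a small retention pruner over constructed backup versions (an added example, not code from the original article or any backup product; the policy keys, version labels and the "clean" flag are assumptions). One daily version per night is kept for 1-21 March 2024; the last one was uploaded after ransomware had already encrypted the source data.

```python
from datetime import datetime, timedelta

# Constructed sample: one backup version per night for 1-21 March 2024.
# v21 was uploaded after ransomware encrypted the source data, so it is
# useless for recovery. The "clean" flag is a hypothetical label used only
# to evaluate the outcome of each policy; real backups carry no such flag.
VERSIONS = [{"id": f"v{d}", "taken": datetime(2024, 3, d, 2, 0), "clean": d < 21}
            for d in range(1, 22)]

NOW = datetime(2024, 3, 21, 3, 0)                            # assumed "current time"
NAIVE_POLICY = {"keep_last": 1, "keep_days": 0, "keep_weeks": 0}   # only the newest copy
SAFER_POLICY = {"keep_last": 3, "keep_days": 7, "keep_weeks": 4}   # daily + weekly depth

def apply_retention(versions, policy, now):
    """Return the versions a simple retention policy keeps.
    keep_last  - the newest N versions, regardless of age
    keep_days  - every version younger than this many days
    keep_weeks - the newest version of each ISO week for this many weeks"""
    ordered = sorted(versions, key=lambda v: v["taken"], reverse=True)
    kept = {}
    for v in ordered[:policy["keep_last"]]:
        kept[v["id"]] = v
    for v in ordered:
        if now - v["taken"] <= timedelta(days=policy["keep_days"]):
            kept[v["id"]] = v
    seen_weeks = set()
    for v in ordered:
        if now - v["taken"] > timedelta(weeks=policy["keep_weeks"]):
            break
        week = v["taken"].isocalendar()[:2]  # (year, ISO week number)
        if week not in seen_weeks:           # newest version of the week comes first
            seen_weeks.add(week)
            kept[v["id"]] = v
    return sorted(kept.values(), key=lambda v: v["taken"])

def restorable_version(kept):
    """Newest kept version that predates the ransomware hit, or None."""
    for v in sorted(kept, key=lambda v: v["taken"], reverse=True):
        if v["clean"]:
            return v["id"]
    return None

if __name__ == "__main__":
    for policy in (NAIVE_POLICY, SAFER_POLICY):
        kept = apply_retention(VERSIONS, policy, NOW)
        print(policy, "->", [v["id"] for v in kept], "restorable:", restorable_version(kept))
```

With the naive policy only the infected v21 survives, so nothing is restorable; the safer policy keeps nine versions and restores from v20, losing only the last night of data.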
Monitor Network Access Patterns
Ransomware typically gets into the network either via files that users have downloaded by mistake or via injection by a malefactor with access to your network. To protect yourself from injections, you should keep an eye on suspicious network activity, such as many failed logins, or logins from suspicious locations or at suspicious times.
To help you with this, there are SIEM-type applications that monitor network activity and can generate reports on the fly. Bear in mind, however, that for smaller businesses, such applications can be overkill from both the feature set point of view and the price point.
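The checks described above, run over a few constructed sshd auth-log lines from a hypothetical backup host (an added example, not code from the original article or any SIEM product): a burst of failed logins per source, and successful logins from an untrusted network or outside business hours. The trusted range, business-hours window, thresholds and the assumed log year are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd lines from a hypothetical backup host "bkp01" (syslog layout;
# the year is absent from this format, so it is passed in as an assumption).
SAMPLE_LOG = """\
Mar 12 02:14:01 bkp01 sshd[4021]: Failed password for backupadmin from 203.0.113.77 port 51022 ssh2
Mar 12 02:14:05 bkp01 sshd[4021]: Failed password for backupadmin from 203.0.113.77 port 51024 ssh2
Mar 12 02:14:09 bkp01 sshd[4021]: Failed password for backupadmin from 203.0.113.77 port 51026 ssh2
Mar 12 02:14:40 bkp01 sshd[4022]: Accepted password for backupadmin from 203.0.113.77 port 51032 ssh2
Mar 12 09:05:12 bkp01 sshd[4100]: Accepted publickey for backupadmin from 10.20.0.15 port 40100 ssh2
Mar 12 09:30:00 bkp01 sshd[4101]: Failed password for root from 10.20.0.15 port 40200 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(Failed|Accepted) \w+ for (\S+) from (\S+) port")
TRUSTED_NETS = [ip_network("10.20.0.0/16")]       # assumed office/admin ranges
BUSINESS_HOURS = (time(7, 0), time(19, 0))        # assumed normal admin window
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=10)

def parse_events(log, year=2024):
    """Turn matching log lines into event dicts; lines of other shapes are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "ok": m.group(2) == "Accepted",
                           "user": m.group(3), "src": ip_address(m.group(4))})
    return events

def find_alerts(events):
    """Flag a burst of failures per source (sliding window), then every
    successful login from an untrusted network or outside business hours."""
    alerts, recent_fails = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            window = [t for t in recent_fails[e["src"]] if e["ts"] - t <= FAIL_WINDOW]
            window.append(e["ts"])
            recent_fails[e["src"]] = window
            if len(window) == FAIL_THRESHOLD:   # fire once when the threshold is reached
                alerts.append(("burst_of_failures", str(e["src"])))
            continue
        if not any(e["src"] in net for net in TRUSTED_NETS):
            alerts.append(("login_from_untrusted_source", str(e["src"])))
        if not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
            alerts.append(("off_hours_login", e["user"]))
    return alerts
```

On the sample, the three night-time failures from 203.0.113.77 followed by a successful login raise three alerts, while the daytime key-based login from the trusted range and the single failed root attempt raise none.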
Educate Your End Users
Whatever protection methods you use and no matter how advanced your security policy is, your users will find a hole in the defenses. End users are the greatest menace to data security and practically the last line of your defenses. So you should educate them, ensuring that they understand what kinds of emails and links they shouldn't open, what attachments they shouldn't download, and whom to call for help if they do open such an email or download such a file.
Make sure that your company employs a good security awareness program and performs ransomware end user training regularly. Jokes aside, this will significantly reduce the probability of a successful ransomware attack.
Encryption for Compliance
Encryption won't save you from ransomware, since even encrypted backup data can be re-encrypted and thus made useless. It is still worth encrypting your data and filenames, though. Why?
If your company falls under any compliance regime, a successful data breach becomes more severe if any personal data is leaked. And data, including filenames, typically contains such personal information. So file and filename encryption helps you avoid costly compliance penalties.
Some say that no backup protection policy is 100% safe from ransomware attacks. While this is true, a comprehensive and well-thought-out set of measures will significantly reduce the chance of being hit successfully.