Why Immutable Backups Are Essential to Recovering from Ransomware Attacks

essidsolutions

It’s time for organizations to have a stronger security and backup solution at their disposal at all times to defeat ransomware attacks. Let’s look at a bulletproof approach for businesses to protect their data and also prevent, detect, and defeat ransomware attacks.

Ransomware attacks continue to plague organizations of all sizes, but especially smaller private and public entities. The last line of defense against these attacks is the restoration of critical data from backups. But what if a ransomware gang encrypts or otherwise makes a backup unusable? What if the needed backup is damaged in some way? Organizations must take steps to protect databases and backups for restoration to a recovery point within the maximum tolerable downtime.

Backups Are Not Always Safe From Ransomware Attacks

Ransomware gangs use malicious software to encrypt all data needed to perform necessary business functions. The gangs demand payment, usually via cryptocurrency, before decrypting the files and databases required to restore critical operations.

In my article Lessons From the Colonial Hack: Law Enforcement Action Isn’t Enough To Defeat Ransomware, I describe ways to prevent falling victim to ransomware attacks. However, no organization can provide 100% protection. Consequently, an adequate response to an attack is needed. Although the most effective response once data is encrypted is the restoration of backups, ransomware gangs have taken steps to prevent this.

For example, Itay Cohen and Ben Herzog wrote that Ryuk used a .BAT file on Windows systems to delete shadow volumes and backup files. Any accessible backup file was at risk. If the backups are lost, payment is likely the only way to restore functionality.


How to Ensure the Security of Your Backups

When backups were made to tape, it was challenging for a remote threat actor to access them. This changed when organizations began moving to disk and cloud backups. Whenever backups are easily “seen” by threat actors, there is a higher than acceptable risk that backups will also be targeted in a ransomware attack.

There are three ways to manage backup security: mitigating risk associated with current backup technology, moving to immutable backups, or a combination of these.

Protecting existing backup processes

Tape backups are likely inaccessible to threat actors. The only risk is the possibility that backed-up applications or data were affected by an attack before the backup. Managing this requires ensuring backup frequency and retention can return a ransomware-infected environment to an acceptable recovery point.

Backups to disk fall into two categories: backup to dedicated backup storage and backup to server storage. In either case, the backups may be accessible to threat actors. Organizations should isolate backups from day-to-day operational access, and they should grant access only to backup administrators and under controlled conditions. Controlled conditions include the use of a privileged account manager (PAM).

Isolation of resources is not always effective. Consequently, organizations should keep multiple copies of each backup. If possible, one copy should never be accessible via the network unless the primary backup is no longer viable.

Backups must be tested regularly to ensure they can be restored. With tape backups, this was always a challenge, but disk backup has helped mitigate restoration failures. However, no technology is perfect, so testing is needed to ensure restores accomplish what the organization expects.

A traditional approach is the use of the 3-2-1 rule.

    • 3 – Organizations should have at least three backups taken at three different backup points to ensure a clean restore.
    • 2 – There should be two copies of each backup. Backups cannot always be restored as expected. If using disk backup, the two copies should not be on the same media (for example, the same storage device).
    • 1 – One copy of each backup should be kept offsite. When using cloud backups, the service provider should ensure multiple physical locations for backup copies.

These are general rules. The takeaway is to achieve the objectives of the 3-2-1 rule.

    1. Always have more than one backup taken multiple times that will enable the organization to recover operations within the maximum tolerable downtime, even if one or two of the backups are unusable.
    2. Never keep all backup copies in a way that might result in a single point of backup destruction or damage.
    3. Always have access to backups, even if the data center is destroyed or unreachable.

These controls are essential whether backing up on-premises or to the cloud, but managing these controls is not easy and will never be perfect. Immutable storage can provide additional protection.


Immutable backups

Cloud data management company Rubrik defines an immutable backup as “a backup file that can’t be altered in any way. An immutable backup should be unchangeable and able to deploy to production servers immediately in case of ransomware attacks or other data loss.”

Immutable backups prevent changes to an entire backup or to parts of it, depending on organizational need and the backup solution used. Regardless of approach, immutability prevents threat actors from altering backed-up critical information, including encrypting it. Immutability solutions, largely provided by cloud services, also enable RBAC-based multifactor access.

Immutable backups are safe from destruction by threat actors, but they also often rely on the information backed up being clean. Immutable databases, however, can stop any changes to critical data during production operations.
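As an added illustration of the write-once semantics described above (example code written for this page, not from Rubrik or any backup product), the following Python model keeps every backup as a new, hash-recorded version, refuses deletion while a retention lock is active, and, because immutability does not make the backed-up data clean, selects the newest intact version taken before an estimated compromise time. Timestamps and retention periods are constructed values.

```python
import hashlib


class ImmutableVault:
    """Model of a WORM-style backup vault: a write always creates a new version,
    no call can alter an existing version, and deletion is refused until the
    version's retention lock has expired. Times are plain integers (constructed)."""

    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self.versions = []  # each entry is a dict, or None once legitimately deleted

    def write(self, data, now):
        """Store a backup as a new locked version; returns its version id."""
        self.versions.append({
            "created_at": now,
            "locked_until": now + self.retention,
            "sha256": hashlib.sha256(data).hexdigest(),  # recorded at backup time
            "data": bytes(data),
        })
        return len(self.versions) - 1

    def delete(self, version_id, now):
        """Remove a version only after its retention lock has expired."""
        v = self.versions[version_id]
        if v is not None and now < v["locked_until"]:
            raise PermissionError(
                f"version {version_id} is retention-locked until {v['locked_until']}")
        self.versions[version_id] = None

    def verify(self, version_id):
        """Restore test: the stored bytes must still match the digest recorded at write time."""
        v = self.versions[version_id]
        return v is not None and hashlib.sha256(v["data"]).hexdigest() == v["sha256"]

    def latest_clean(self, compromise_time):
        """Newest intact version taken before the estimated compromise time, or None.
        Immutability protects the copy; it does not make the data inside it clean."""
        for vid in range(len(self.versions) - 1, -1, -1):
            v = self.versions[vid]
            if v is not None and v["created_at"] < compromise_time and self.verify(vid):
                return vid
        return None
```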

Immutable databases

Restoring a backup does not necessarily bring business functions to full operation. Backups are usually performed at a point in time. Organizations must re-enter any transactions entered into a database after that point, as described in the Business Continuity Business Impact Analysis video. Further, not all organizations can quickly move to immutable backups due to budget or operational constraints. Immutable databases are a good solution for protecting data integrity whether an organization uses immutable backups or not.

In general, immutable databases are log-based instead of record-based. When an update is made, the previous data is not overwritten; instead, the change is appended to linked logs that together form the overall data set. Consequently, all historical data and updates are stored together, which enables quick restoration of the data set as it stood at a specific point in time.

Another way database immutability is achieved is via the use of blockchain technology. A blockchain yields a complete set of historical and current data in which everything ever written or deleted remains immutable.
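To make the log-based and hash-linked models concrete, here is an added Python example (not code from the page or its sources): each update or deletion appends an entry carrying the previous entry's SHA-256 digest, earlier values are never overwritten, the data set at any logical time is rebuilt by replaying the log, and an entry rewritten in place, removed or inserted is reported as a broken link. Logical timestamps and account keys are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash recorded on the first entry


def entry_digest(seq, ts, key, value, prev_hash):
    """SHA-256 over the entry's fields plus the previous digest, which links the entries."""
    payload = json.dumps([seq, ts, key, value, prev_hash], sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class ImmutableLog:
    """Append-only, hash-linked change log: an update or delete adds an entry and
    never rewrites an earlier one, so every historical value stays available."""

    def __init__(self):
        self.entries = []  # dict entries in sequence order

    def append(self, ts, key, value):
        """Record a new value for key at logical time ts; value=None records a deletion."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "ts": ts, "key": key, "value": value, "prev_hash": prev}
        entry["digest"] = entry_digest(seq, ts, key, value, prev)
        self.entries.append(entry)
        return entry["digest"]

    def snapshot(self, as_of_ts):
        """Rebuild the data set as it stood at as_of_ts by replaying the log to that point."""
        state = {}
        for e in self.entries:
            if e["ts"] > as_of_ts:
                break
            if e["value"] is None:
                state.pop(e["key"], None)
            else:
                state[e["key"]] = e["value"]
        return state

    def first_broken_link(self):
        """Seq of the first entry whose digest or link fails to verify, else None.
        A value rewritten in place, an entry removed or one inserted all break the chain."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_digest(i, e["ts"], e["key"], e["value"], prev)
            if e["seq"] != i or e["prev_hash"] != prev or e["digest"] != expected:
                return i
            prev = e["digest"]
        return None
```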

Direct access to immutable databases, regardless of approach, should require multi-factor authentication. Applications should use strong authentication for database access, whether in the cloud or on-premises. This provides strong safeguards against access by ransomware gangs.

Final thoughts

Immutability is one approach for protecting backups and production data, but it is not perfect. Organizations must still take steps to ensure an isolated, clean copy of all critical data is available.

Immutability is a valuable layer of security, but it is just one layer. Reliance on a single layer as if it were a silver-bullet solution is never acceptable due diligence.

Do you think organizations are generally aware of the utility of immutable backups in the aftermath of a successful ransomware attack? Let us know on LinkedIn, Twitter, or Facebook. We would love to hear from you!