It’s no secret that many organizations run on skeleton crews to support their infrastructures during holidays. That’s why attackers treat these days as special. With Christmas next week, we can use all the help we can get.
In many attack cycles, restoration of data is usually one of the last steps administrators can take to get their environments back. As a major player in the backup and restore space, Veeam is often used. Here are ten recommendations they recently shared with me to increase the probability of bouncing back after ransomware incidents:
Note:
This list is not intended as the ultimate list to counter ransomware. It serves as a list to go from being scared of anything going wrong to feeling more prepared.
1. Follow the 3-2-1 rule
Ultra-resilient copies are the best line of defense. These include the various Veeam Ready Object immutability solutions, the Veeam Hardened Repository (VHR), Veeam Cloud Connect with Insider Protection, Write Once Read Many (WORM) media, and offline, air-gapped media copies on disk and tape.
Veeam supports backups to tape, but threat actors erase tapes when they encounter them. Use Write Once Read Many (WORM) media, or don’t forget to eject tapes, to prevent malicious erasure.
2. Plan for Restores
When choosing where to store the copies, don’t just take the cost and speed of backups to the repositories into account. When performing massive restores, as in the case of a ransomware incident, you may encounter massive egress costs (when storing backups in cloud repositories). Also, restores may take more time than anticipated when the infrastructure is optimized purely for backups.
3. Implement separate accounts and permissions
Don’t use domain\administrator for all purposes. Implement separate accounts, applying segregation of duties (SoD) and the principle of least privilege for administrative accounts.
4. Manage your encryption password
Take care of proper encryption of backups. When using Veeam, you can optionally encrypt backups with a password. This password is stored in Veeam Backup & Replication (VBR) and in Enterprise Manager. When these servers are lost, the encryption password may be lost with them, unless it was exported. Without the encryption password, you can’t restore from encrypted backups.
5. Test your restores
Ransomware recovery is not the time to find out about storage corruption. The SureBackup feature built into Veeam Backup & Replication can help identify this problem, so you can correct backups before actually needing them.
6. Have the DR site ready to drive recovery
Build a Disaster Recovery (DR) site before you need to restore. Make sure all the passwords are set, including the encryption password.
7. Monitor job activity
Threat actors disable and delete backup jobs. Monitoring detects this activity in its early stages. When you stop receiving the usual notifications or alerts, that silence should itself raise a different alert.
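As an added example (not from the post and not Veeam’s own tooling), here is a small Python monitor over a constructed job-event feed: it flags job disable/delete events and, separately, raises an alert for jobs that have gone quiet, so that missing notifications trigger an alarm of their own. The event format, job names and user name are invented for illustration.

```python
"""Detect backup-job tampering and job silence in a simple event feed."""
from datetime import datetime, timedelta

# Constructed sample events (not real Veeam output): "<timestamp> key=value ..."
SAMPLE_EVENTS = """\
2022-12-18T01:00:00 job=FileServers event=JobSuccess
2022-12-18T01:05:00 job=SQL event=JobSuccess
2022-12-18T22:40:00 job=SQL event=JobDisabled user=svc_backup
2022-12-18T22:41:00 job=FileServers event=JobDeleted user=svc_backup
"""

# Job-configuration changes that an attacker makes before encrypting data
TAMPERING_EVENTS = {"JobDisabled", "JobDeleted"}


def parse_events(text):
    """Parse one event per line into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events


def find_job_tampering(events):
    """Return (timestamp, job, event, user) for every disable/delete event."""
    return [(e["ts"], e["job"], e["event"], e.get("user", "?"))
            for e in events if e["event"] in TAMPERING_EVENTS]


def find_silent_jobs(events, known_jobs, now, max_silence=timedelta(hours=24)):
    """Return the known jobs with no successful run within max_silence.

    A job that never reports at all (for example because it was deleted)
    is silent too, which is why the check starts from the known job list
    rather than from the events that happen to arrive.
    """
    last_ok = {}
    for e in events:
        if e["event"] == "JobSuccess":
            last_ok[e["job"]] = max(e["ts"], last_ok.get(e["job"], e["ts"]))
    return sorted(job for job in known_jobs
                  if job not in last_ok or now - last_ok[job] > max_silence)
```

Wire `find_job_tampering` and `find_silent_jobs` to a notification channel that does not depend on the backup server itself, so the alert survives when that server is the one being tampered with.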
8. Use MFA wherever possible
Requiring multi-factor authentication (MFA) to access the backup host is a prerequisite. MFA is coming in Veeam Backup & Replication v12. Use it as an additional measure.
Also, restrict PowerShell access to a limited set of IP addresses using Windows Firewall or network firewalls.
9. Identify what to restore first
Have an incident response (IR) plan, so you know where to start. The first 48 hours are crucial. Know whom to contact and whom to work with (law enforcement agencies, insurers, IT partners, forensic experts and the backup vendor). Their contact information needs to be available offline.
The plan might include technical activities like disabling internet connectivity, disabling peer connections and removing network cables, but most likely not powering down servers, as some ransomware starts again when the system is rebooted.
10. Restoring to the cloud requires some preparation
When law enforcement agencies, forensic experts and/or your insurer inspect the affected systems, that hardware cannot be used as a restore target. Restoring to the cloud is a built-in feature of Veeam products, but it requires some work beforehand. Take care of networking, security accounts, etc.
Concluding
Enjoy the holidays!