Posey's Tips & Tricks
Why Immutable Backup Storage Isn't Enough Protection Against Ransomware
To truly protect your data from attackers, take some time to follow these additional safeguards.
One of the big backup trends at the moment is to write backups to immutable storage. Immutable storage is widely regarded as one of the best ways to prevent ransomware from destroying your backups. Backups are a favorite target for ransomware gangs because attackers know that there is no reason for a victim to pay to regain access to their data if they can simply restore a backup instead. Immutable storage is seemingly a perfect option since it cannot be altered.
At the same time, though, it may theoretically be possible for ransomware (especially human operated ransomware) to destroy a backup, even if that backup resides on immutable storage. Now in all fairness, I have not heard of an attack like the one that I am about to describe being used in the real world, but I see no reason why such an attack couldn't work.
Security best practices have long stated that you should encrypt your backups. As such, the bad guys know that most organizations probably encrypt their backups. They also know that the encryption is tied to the use of an encryption key. Hopefully an organization maintains its keys in a well-managed vault, but not every organization handles key management in house. This is especially true for smaller organizations that might only need a small number of keys. Such organizations will typically just purchase keys online from a cryptography provider.
If you have ever used such a service, then you know that when you purchase a key the site almost always warns you to back up the key because there is no way to download a copy of the key in the future since the provider does not retain a copy.
All of this is to say that the key that is used to encrypt the backups could be thought of as a single point of failure. If the key is lost or destroyed, then there is no way for the organization to restore the backup. In other words, ransomware does not have to attack the backup itself -- all it has to do is to attack the key that was used to encrypt the backup. Having the backup stored on immutable storage will do nothing to help the situation.
This raises a couple of important questions. First, if ransomware attacks an encryption key then what's to stop the organization from replacing the damaged key with a clean copy? Technically nothing. In fact, this would be the preferred course of action. However, such a recovery would depend on the organization actually having made a backup copy of the key. It would also depend on them being able to locate the backup key and remembering how to install it. That's a tall order when the organization is already dealing with the stress of a ransomware infection.
The second important question is how ransomware (automated or human operated) could attack a backup encryption key in the first place? Quite frankly, it isn't always going to be possible for ransomware to attack an organization's backup encryption key, but there are situations in which it may be possible. For example, an attacker who gains elevated permissions might simply uninstall an encryption key. Similarly, there may be nothing stopping an attacker from deleting the key that was used to encrypt an organization's backups.
So how do you defend against this sort of thing? The best option is to make sure that you have an offline copy of your encryption keys stored in a safe place. It is worth noting, however, that just having copies of the keys is not enough by itself. There are a couple of other things that you are going to need.
Another thing that you will need is instructions for installing the key to your backup hardware or software. You never want to put yourself in a situation in which you are forced to guess as to how to recover from a data loss event. There should always be clearly written instructions that can guide you through procedures such as installing an encryption key.
The other thing that you are going to need, and this is the really important one, is something to protect your offline key copy. The moment that you mount the media containing your backup key copy, the key is put at risk. This is especially true if you have not completely cleaned the ransomware infection or evicted the attackers from your system. As such, it is extremely important that any encryption key copies be stored on write protected media so that those keys cannot be altered or deleted by an attacker. Remember, those backup copies of the encryption key are essentially your last line of defense and so you need to protect them at all costs.
Brien Posey is a 21-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.