Backup Regime for Ransomware Resistance

Resilience

High Redundancy Backup System for Strong Anti-Ransomware Protection

Due to some close calls regarding both a potential data breach and an incident where critical data was nearly locked up via ransomware, we were engaged by a services company to bolster the depth and resiliency of their backup regime.

We helped the client make their backup regime far more robust, redundant and multi-layered, giving them a strong posture against ransomware attacks and similar catastrophic data loss or corruption events.

PROJECT AIMS

Objectives

Securing Data from Access

The first priority in ransomware resistance is preventing access to the data in the first place, because access exposes it to copying and exfiltration and, the concern this project chiefly addresses, to erasure, corruption and encryption.

Safeguarding Backups from Corruption

If the first layer of data protection fails, the key is to ensure that at least the backups remain secure, uncorrupted and unencrypted by an attacker. This is achieved through redundancy, locking backups against modification, versioning and the further measures covered in this project.

Simplify the User Experience

Foolproof backup systems involve many layers of settings, configurations and services, which add complexity and, ironically, more potential points of failure. The UX of the resulting system must be as clear and easy to use as possible, both to prevent errors and to ensure the system is actually used as intended.

Prove the System

Once the system has been created, it must be tested thoroughly to confirm it works as intended, not just once but repeatedly, so that it can be relied on whenever it is needed in the future. The system should be tested fully by actually restoring data and services from the backups and checking that the restored data retains its integrity. It should also be stress tested with vulnerability scanning and penetration testing to uncover and repair any deficiencies.

Precision Impacts

The Results

- Create a general purpose S3 bucket for storage
- Enable Versioning, a key component in ransomware resistance
- Enable Object Locking, another key configuration in ransomware resistance
- Create Identity and Access Management (IAM) policies, written as JSON
- Create the policy and assign it to users: create a new group that uses the new policy, set its permissions, and then create the user
- To generate the access key and secret key, navigate to the created user and create the access key
- Choose a third-party service to deliver the backups, here an open source component
- Save the generated access key and the user's secret securely
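
The IAM policy step above is where a backup regime most often quietly undermines itself: a backup credential that can also disable versioning, lift object locks or delete old versions gives a ransomware operator who steals it a way around every protection. The following is an added example, not SEIRIM's or the client's actual policy; it writes a least-privilege policy document for the backup user and checks any policy for grants that would weaken the bucket protections. The bucket name is a constructed placeholder and the minimal action set Kopia needs is an assumption to be checked against Kopia's documentation.

```python
import json

# Constructed placeholder: the client's real bucket name is not on the page.
BUCKET = "example-backup-bucket"

# Actions that would let a compromised backup credential undo versioning or
# object locking, purge old object versions, or delete the bucket outright.
FORBIDDEN_ACTIONS = {
    "s3:PutBucketVersioning",
    "s3:PutBucketObjectLockConfiguration",
    "s3:BypassGovernanceRetention",
    "s3:DeleteObjectVersion",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
}

def backup_user_policy(bucket: str) -> dict:
    """Least-privilege policy for the Kopia backup user (assumed action set).

    s3:DeleteObject is kept for Kopia maintenance: on a versioned, locked
    bucket it only adds a delete marker, so earlier versions stay restorable.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

def risky_grants(policy: dict) -> list:
    """Return forbidden or wildcard actions granted by any Allow statement."""
    found = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # Wildcards such as "s3:*" or "s3:Put*" are flagged conservatively.
        found += [a for a in actions if a in FORBIDDEN_ACTIONS or "*" in a]
    return found

if __name__ == "__main__":
    policy = backup_user_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("risky grants:", risky_grants(policy))  # expect []
```

Run `risky_grants` against the policy actually attached to the backup user's group, not only the intended one, since a broad managed policy added later to the same group is what usually reintroduces the dangerous grants.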

Backup System with Kopia

- Select a repository in Kopia with S3 compatible storage
- Select the region shown in the AWS S3 bucket properties
- Enter all details in Kopia
- Use a secure password for Kopia and store it securely
- View snapshots in the repository as fallback copies
- Test that snapshot files are still in the repository after other copies were mistakenly deleted
- The deleted file can be seen still present in the repository
- Files can still be restored by clicking on them in the repository
Resiliency Delivered

Strategies Implemented for the Anti-Ransomware Backup Regime

SEIRIM sought to deliver an easy to maintain, nearly foolproof, approachable and cost-effective backup regime, one with very strong resilience against unauthorized data access and against data loss or exposure. In this case study we highlight one part among many: the AWS S3 buckets plus Kopia backup system.

Class 5 - Beyond 3-2-1

SEIRIM recommended and implemented our "Class 5" backup paradigm in this regime, which aims to add more backup copies and locations than the standard 3-2-1 recommendation.

Class 5 calls for two cloud copies. Here the most hardened one is Kopia writing to AWS S3 buckets, with iDrive enterprise accounts alongside it as a more baseline, off-the-shelf solution.

C - Cloud 1 - In our case here, AWS S3 + Kopia

L - Cloud 2 - iDrive Enterprise

A - Attached external - In this client case a Network Attached Storage (NAS)

S - Separate external 1 - Longer timeframe of rotation, and offsite, in this case a synced duplicate of the above NAS

S - Separate external 2 - External drives rotated at time intervals

System Testing - TRIP

Testing of the system was conducted together with the client for all backup copies, with vulnerability scans of the system and penetration testing against it. Testing backup systems regularly is essential: it is all too common to believe backups are being taken regularly and effectively, only to learn after an incident that the system had an error and the backups are incomplete, corrupted, too difficult to access, or worse, inaccessible or themselves affected by the incident.

The SEIRIM concept of Class 5 "TRIP" applied here:

- Throw the kitchen sink at it to make it fail!

- Restore the system from backups

- Inspect the restored systems for errors and improvements

- Prove the system works to stakeholders
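
The "Inspect" step only means something if the restored data is compared against a record taken before the backup, since a restore that completes without errors can still return files that are missing or silently altered. The following is an added example, not SEIRIM's tooling; it builds a SHA-256 manifest of a source tree and reports what a restore is missing, has corrupted, or has added. The sample trees are constructed in temporary directories inside the script.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    """Hash a file in chunks so large backup sets are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each file (path relative to root) to its SHA-256. Taken before backup."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(expected: dict, restored_root: str) -> dict:
    """Compare a restored tree against the pre-backup manifest."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(set(actual) - set(expected)),
    }

def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo() -> dict:
    """Constructed sample: a source tree and a flawed restore of it."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in [("a.txt", b"hello"), ("sub/b.txt", b"world"), ("c.txt", b"keep")]:
            _write(src, rel, data)
        manifest = build_manifest(src)          # record kept outside the backup
        _write(dst, "a.txt", b"hello")          # restored intact
        _write(dst, "sub/b.txt", b"WORLD")      # restored but silently altered
        return verify_restore(manifest, dst)    # c.txt was never restored

if __name__ == "__main__":
    print(demo())  # {'missing': ['c.txt'], 'corrupted': ['sub/b.txt'], 'unexpected': []}
```

Keep the manifest somewhere the backup system itself cannot overwrite, otherwise an incident that corrupts the data can corrupt the record used to check it.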