jackprabha's Blog
Backups are Sexy Even to Ransomware
Reading thus far, you might be thinking, “Wait, we already have a backup and recovery plan.” Maybe restoration speeds and frequency of backups were considered when implementing it, and it’s likely that some of the organizations out there have considered this. However, remember that backups are attractive to more than just disaster recovery/business continuity planners. Historically, take the authors of:
SamSam: which gained access through remote desktop protocol (RDP), exploited other vulnerabilities identified to gain further network access, deleted backup files, and then started encrypting files.
WannaCry, Locky, and Cryptolocker: which searched for and deleted Microsoft's built-in Windows Volume Shadow Copies, often used by home users and/or SMEs.
More recently:
DoppelPaymer: which initially compromised a target through means such as phishing or insecure remote desktop services, then traversed the network to identify privileged user accounts. Specifically, its operators were looking for domain administrative credentials to gain administrative access to cloud backup deployments and to delete an organization’s final option for non-payment recovery.
How can organizations protect themselves? For one, proper configuration of backups is a must, along with the principle of least privilege, i.e. all access required to do a job but absolutely no more. What about the backups themselves: can they limit what the DoppelPaymer authors did?
You may have read about immutable backups, i.e. backups configured to protect against change or deletion, but what if the domain administrator account is used? FlashBlade has something called SafeMode snapshots to address this. Where DoppelPaymer used administrative credentials to delete the backup, SafeMode snapshots do not allow for deletion, protecting both the data within the backup and its metadata.
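As a detection-side illustration of the shadow copy and backup deletion behaviour described above, the following added example (not from the original post) scans process-creation events for built-in Windows tools being used to remove shadow copies or backup catalogs. The events, host names and user names are constructed, and the severity grouping is an assumption.

```python
import re
from collections import defaultdict

# Patterns for built-in Windows tools being used to remove shadow copies or
# local backup catalogs. Matched against the full process command line.
RULES = {
    "vssadmin_delete_shadows": re.compile(r'\bvssadmin(\.exe)?"?\s+delete\s+shadows\b', re.I),
    "wmic_shadowcopy_delete": re.compile(r'\bwmic(\.exe)?"?\s+.*\bshadowcopy\b.*\bdelete\b', re.I),
    "wbadmin_delete_backup": re.compile(
        r'\bwbadmin(\.exe)?"?\s+delete\s+(catalog|backup|systemstatebackup)\b', re.I),
}

# Constructed process-creation events (hypothetical hosts and users).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": "vssadmin list shadows"},
    {"host": "FS01", "user": "CORP\\adm_jdoe",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "FS01", "user": "CORP\\adm_jdoe", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "WS17", "user": "CORP\\alice", "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS17", "user": "CORP\\alice", "cmdline": "notepad.exe vssadmin-notes.txt"},
]


def match_rules(cmdline):
    """Return the names of all rules whose pattern matches the command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def detect(events):
    """Group hits per host; several different tools on one host is critical."""
    hits = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            hits[ev["host"]].append({"rule": rule, "user": ev["user"]})
    report = {}
    for host, found in hits.items():
        distinct = {h["rule"] for h in found}
        report[host] = {
            "severity": "critical" if len(distinct) > 1 else "high",
            "rules": sorted(distinct),
            "users": sorted({h["user"] for h in found}),
        }
    return report


if __name__ == "__main__":
    for host, info in detect(SAMPLE_EVENTS).items():
        print(host, info)
```

Listing shadow copies (`vssadmin list shadows`) and file names that merely contain a tool name are deliberately not flagged, so routine backup jobs do not drown out the deletion events.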