Zero Trust concept in a backup solution from the cyber attacker’s point of view
The goal of the vast majority of cyber criminals is simple enrichment. To successfully blackmail their victims, they must be sure that they have no choice but to pay the ransom. I'm sure almost everyone backs up their data these days. Even attackers are aware of this, so backups become their first target. They try to attack and damage backups, ideally before the victim even notice that an attack is happening.
What should a backup solution meet to be resistant to a ransomware attack? Modern backup solutions provide a variety of features to protect the data in the backup, such as protecting data from unauthorized modification or air-separated copies. But what about their effectiveness in an actual deployment?
A wise man learns from the mistakes of others, and as ransomware attacks continue to increase, we have an excellent opportunity to use real recent cases to show where the mistake was made and not repeat it again. Let's look at this issue through the eyes of the attacker. How does such an attack work? What are the attacker's options, and how can he overcome the various defences? And is it even possible to build a 100% resilient solution?
The attacker is not necessarily an external hacker in a darkened basement with a hood on his head. Still, it can also be an internal employee who has all the necessary permissions, and the attack is not necessarily malicious. If the protection is to withstand an external attack, it must be designed so that even an internal admin can't overcome it, whether by design or simply human error.
A well-designed backup solution that respects the Zero Trust principle is capable of withstanding even the most sophisticated attack. But having intact backups is only half the battle. The much more challenging part is the subsequent restoration. Regular recovery testing is an integral part of any backup plan. But what about restoring a complete environment?
Recovery from an attack often cannot happen immediately back to the original location. This is most often due to the investigation and identification of the attack vector so that the situation does not repeat itself. So we need to have an alternative solution, an isolated recovery environment. But we often use this very rarely, maybe never at all. This is where the public cloud comes in as an ideal option. A good DR plan should thus include the possibility of automated bulk recovery to an alternative location.
He studied software engineering at the Czech Technical University. He has held consulting positions specializing in data protection and high availability solutions and cyber security. He currently works as a Senior Technology Consultant at Veritas Technologies for the Czech Republic, Slovakia and the Baltic States. He has extensive experience in data center and cloud technologies. He designs security and disaster recovery solutions for customers of all sizes and industries.