We’ve got the fundamentals down: ransomware is a major concern, and threat actors target backups to encrypt or delete them. On the bright side, it appears there’s increasing awareness of the latter, as we have seen more organizations with viable backups during ransomware incidents. This means that fewer end up being forced to pay the ransom to restore their data.
What can we learn from these companies? First, they had backups of all their critical systems. While that won’t be the focus of this blog post, its significance cannot be overstated: know your critical systems and back them up. In addition to knowing their environment and backing up critical systems, they followed best practices to ensure their backups were protected from threat actors. They all utilized the 3-2-1 backup strategy, which we’ll explore below, and took it one step further. Let’s do this.
What Is a 3-2-1 Backup Plan?
An effective security strategy is a layered approach that has backstops and catchalls (I’ll spare everyone the onion analogy). It should be no surprise that the most effective backup strategy is also about layers. Enter the 3-2-1 backup strategy, an approach that is as simple as it is effective. It goes:
3 Copies of the Data
The first layer is to have at least three copies of the data. I emphasize “at least” because I encourage going above this, especially with how existing backup technology makes it so easy to automate the process. When thinking about copies of data, take into consideration the following recommended configuration. There are best practices throughout that apply to all copies of the data.
Production Data (Copy 1, Media 1)
The data in use every day is the first copy, so this one comes free for the count.
- This is also the primary reason not to stop at three copies: a disaster recovery plan exists precisely because this first copy is the one most likely to be lost.
On-site Backups (Copy 2, Media 2)
An on-site backup solution does the heavy lifting for routine restores and should be heavily protected, since it is the copy an attacker who has reached your network will go after first.
Offsite Backups (Copy 3, Media 3)
These are backups that are stored off your network.
- Two media are most common. First is tape, where data is written to a tape cartridge that is then stored offline. Second is cloud backup, where data is sent to a cloud provider.
2 Different Media Types
The media types were scattered throughout the prior section. To summarize, here are various media types that are routinely seen in the 3-2-1 backup strategy:
- Storage Area Networks (SAN), Network Attached Storage (NAS), dedicated backup appliances
- Object-based storage or long-term cold storage
- Managed service provider or backup service
1 Offsite Copy
At this point, the offsite storage should be fairly straightforward. Two main options exist:
- Physical media provides more of a logistics challenge but many vendors exist who will securely store your backups and work with you to quickly return them when needed.
- While still requiring an active Internet connection, cloud backups offer an easy-to-set-up and easy-to-maintain solution for off-site backups. Layering in the best practices covered below will help ensure they are stored safely.
Go Beyond 3-2-1
Let’s not stop at 3-2-1. We’re going to take this a step further to maximize your backup strategy. Enter the 3-2-1-1-0 rule being popularized by backup provider Veeam.
1 Air-gapped or Immutable Copy
There’s a reason immutable copies are a best practice. They help ensure that a backup copy can’t be deleted (whether accidentally or on purpose) or encrypted during a ransomware event. An air-gapped copy, such as tape that has been removed from the library and stored offline, achieves the same goal by being physically disconnected from anything an attacker can reach. If done well, that immutable or air-gapped copy will be the backstop for you.
0 Errors after Testing and Recovery Verification
Test, test, test! It doesn’t matter what you do if you can’t confirm it actually works. This is a step so many organizations skip, and they only discover that something is broken when it is too late. You don’t have to be one of those companies! Many backup solutions offer automated backup verification to confirm your data is viable. Go even deeper: put time on the calendar at least once a year to walk through the recovery procedure and confirm that the restored systems and applications work. It’s not enough to restore systems if the applications and services on those systems do not function after restoration.
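One way to do the integrity half of that verification yourself, as an added example that is not from the original post or from any backup product: record a SHA-256 manifest of a backup set when it is taken, then replay the manifest against the restored copy. The directory layout, file contents and the simulated tampering below are constructed inline in a temporary directory so the script runs offline; a file that ransomware has encrypted shows up as modified, a deleted one as missing, and a dropped ransom note as unexpected.

```python
"""Manifest-based backup verification (added example, not from the original post).

build_manifest() records the SHA-256 digest and size of every file under a
backup root; verify_against_manifest() replays that manifest against a restored
copy and reports every discrepancy. A clean run returns no findings, which is
the "0 errors" condition of the 3-2-1-1-0 rule. The sample data in demo() is
constructed in a temporary directory so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its digest and size."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with the manifest.

    Returns three lists: 'missing' (in the manifest, not on disk), 'modified'
    (on disk but digest or size differs, which is what an encrypted or
    truncated file looks like) and 'unexpected' (on disk, not in the manifest).
    """
    present = build_manifest(root)
    findings = {"missing": [], "modified": [], "unexpected": []}
    for rel, expected in manifest.items():
        actual = present.get(rel)
        if actual is None:
            findings["missing"].append(rel)
        elif actual != expected:
            findings["modified"].append(rel)
    findings["unexpected"] = sorted(set(present) - set(manifest))
    return findings


def error_count(findings: dict) -> int:
    """Total discrepancies; the target after a restore test is 0."""
    return sum(len(v) for v in findings.values())


def demo() -> dict:
    """Constructed scenario: take a manifest, then tamper with the copy the way
    ransomware would (overwrite one file, delete another, drop a ransom note)."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
        (backup / "config.yaml").write_bytes(b"retention_days: 30\n")
        (backup / "app.log").write_bytes(b"2024-01-01 service started\n")

        manifest = build_manifest(backup)
        clean = verify_against_manifest(backup, manifest)

        # Simulated ransomware: contents replaced with random "ciphertext",
        # a file deleted, and a note left behind.
        (backup / "db" / "customers.sql").write_bytes(os.urandom(64))
        (backup / "app.log").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"your files are encrypted\n")
        tampered = verify_against_manifest(backup, manifest)

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("clean run errors:", error_count(result["clean"]))
    print("tampered run:", result["tampered"])
```

Store the manifest alongside the immutable copy (or sign it) rather than next to the production data, otherwise an attacker who can rewrite the backup can rewrite the manifest to match.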
What Are the 8 Best Practices for Backups?
Leverage Virtual Snapshots
With the heavy virtualization of environments, you get a built-in second copy through virtual snapshots.
- This can be through the hypervisor itself or through storage appliances that provide snapshots of the data. Be cognizant of where your snapshots are stored: in a traditional disaster recovery scenario such as failed disks, snapshots kept on the same storage as the production data are lost along with it.
Remove the Backup Servers From the Windows Domain
The backup server and storage repository should have their own unique credentials and should not be joined to the Windows domain. Ransomware operators routinely obtain domain administrator access before deploying; a domain-joined backup server hands them the backups along with everything else, while a standalone server forces them to find a second set of credentials.
Require MFA for Access
Backups are critical to your success, and there is no reason not to enforce MFA for access to the backup console.
Leverage an Immutable Data Repository
This restricts the ability to delete or modify backups for the retention period, providing an extra layer of protection even for an attacker who has obtained backup administrator credentials.
- To take this further, leverage a backup appliance that has additional snapshot capabilities.
Enforce the Principle of Least Privilege
Allowing broad access to backups increases the attack surface.
- Limit access to these systems to only those accounts that are needed for functionality and management. This same concept applies to the accounts used to manage the backup process itself.
Encrypt Your Backups
Encryption will not help with redundancy of data, but it does protect in situations where an unauthorized user obtains a backup and would otherwise be able to extract sensitive data from it. Keep the encryption keys separate from the backups themselves, or the protection is only nominal.
Leverage Long-Term Cold Storage
Cloud providers offer long-term, cost-effective archival storage tiers that sit outside the normal, instantly accessible storage path.
- While such cold storage is not instantly accessible (retrieval can take hours), it serves as another layer of offline storage and can be made immutable.
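To tie the 3-2-1-1-0 rule and the practices above into one check, here is an added example (not from the original post or from Veeam) that audits a constructed backup inventory and lists every rule it fails. The Copy record, its field names and the two sample inventories are assumptions made for illustration; production counts as copy 1 and is exempt from the restore-test and console-hardening checks.

```python
"""3-2-1-1-0 audit of a backup inventory (added example, not from the original post).

evaluate() takes a list of Copy records describing where each copy of the data
lives and how it is protected, and returns the violations it finds. An empty
list means the inventory satisfies 3-2-1-1-0 plus the domain and MFA practices
above. The Copy schema and both inventories are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Copy:
    name: str
    media: str                 # e.g. "san", "tape", "object-storage"
    location: str              # "onsite", "offsite" or "cloud"
    is_production: bool = False
    immutable: bool = False    # WORM / object lock / retention lock
    air_gapped: bool = False   # physically disconnected, e.g. tape in a vault
    domain_joined: bool = False  # backup host joined to the production Windows domain
    mfa_required: bool = True    # MFA enforced on the management console
    restore_test_errors: Optional[int] = None  # None means never restore-tested


def evaluate(copies: List[Copy]) -> List[str]:
    findings = []
    # 3: at least three copies, production included.
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need at least 3 (production counts as one)")
    # 2: at least two distinct media types.
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: all copies on one media type ({', '.join(sorted(media))})")
    # 1: at least one copy off the production network.
    if not any(c.location in ("offsite", "cloud") for c in copies):
        findings.append("1: no offsite copy")
    # 1: at least one copy that cannot be deleted or encrypted from the network.
    if not any(c.immutable or c.air_gapped for c in copies):
        findings.append("1: no immutable or air-gapped copy")
    # 0: every backup copy restore-tested with zero errors, plus hardening.
    for c in copies:
        if c.is_production:
            continue
        if c.restore_test_errors is None:
            findings.append(f"0: {c.name} has never had a restore test")
        elif c.restore_test_errors > 0:
            findings.append(f"0: {c.name} had {c.restore_test_errors} error(s) on last restore test")
        if c.domain_joined:
            findings.append(f"practice: {c.name} is joined to the Windows domain")
        if not c.mfa_required:
            findings.append(f"practice: {c.name} does not require MFA")
    return findings


# Constructed inventories (assumptions, not real environments).
PRODUCTION = Copy("production VMs", media="san", location="onsite", is_production=True)

COMPLIANT = [
    PRODUCTION,
    Copy("onsite backup appliance", "backup-appliance", "onsite", immutable=True, restore_test_errors=0),
    Copy("cloud archive", "object-storage", "cloud", immutable=True, restore_test_errors=0),
    Copy("monthly tape", "tape", "offsite", air_gapped=True, restore_test_errors=0),
]

# Three copies exist, but all live on the production SAN, nothing is offsite or
# immutable, the backup host is domain-joined without MFA, and nothing is tested.
WEAK = [
    PRODUCTION,
    Copy("nightly snapshot", "san", "onsite", domain_joined=True, mfa_required=False),
    Copy("weekly full", "san", "onsite"),
]


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(f"{label}: {len(evaluate(inventory))} finding(s)")
        for finding in evaluate(inventory):
            print("  -", finding)
```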
Putting it All Together
An effective backup strategy doesn’t have to be complex; you’ll find that sticking to the basics will work wonders for you. If you follow this simple recipe, the chances of success multiply. The layers exist to mitigate risk and reduce the likelihood of an attacker destroying your entire backup stack. Just like in security, layers of backups provide additional risk mitigation. And just like in life, don’t assume that what you’re doing is actually effective. Test, confirm, and sleep easier.