Skip to main content

An attacker can not immediately delete or change backup files located on Hardened Repositories. But with more time the attacker can do some damage. So it is important to keep a regular eye on it. A efficient way is to monitor Hardened Repository with Veeam ONE v11a. In this version some enhancements have been added which we will now take a look at.

 

Monitoring immutability enabled

When Veeam hardened repository is setup correctly, immutability is enabled and a appropriate number of days is chosen. When an attacker has access to the backup server, he could try to disable immutability. After some time all backups would be free to delete or modify. Therefore it is important to keep it enabled.

In Veeam ONE v11a there is a new alarm for checking the state of immutability: Immutability state. Alarm is assigned by default to whole Backup Infrastructure. When Immutability state becomes disabled, alarm will trigger. Use this to be notified by mail.

 

If you prefer reports for notification, Backup Objects Change Tracking and Backup Infrastructure Audit are available for this. The first one shows more details.

 

Monitoring days of immutability

In the last section we saw how to monitor state of immutability. Which is great, but a hacker could do make life difficult for us just by reducing the number of days of immutability. The minimum is 7 by the way. Fortunately there is also an alarm for this in v11a: Immutability change tracking

Alarm can be configured to be triggered by increase and/or decrease of days. When a warning is generated, the change can be directly seen there.

 

Monitoring backup encryption

Not just for hardened repositories, monitoring backup encryption is also very important. How to do this in Veeam ONE v11a, see my post here:

 

Conclusion

A modern data protection strategy should include immutable backup data. Because attacker are able to spend a lot of time before they strike, they will try to disable immutability in advance. It is therefore essential to recognize such attempts as soon as possible. The new alarms and improved reports of Veeam ONE v11a helps a lot here. Use them to increase availability of your backup data!

 

For more information see my full featured blog post here: 

https://vnote42.net/2022/02/09/monitor-hardened-repository-with-veeam-one-v11a/

Thank you @vNote42 for sharing this with us “In Veeam ONE v11a there is a new alarm for checking the state of immutability: Immutability state“ and its use-cases.


Thanks for feedback @BertrandFR, @marcofabbri! My thoughts here:

  • Ransomware Alert
    I have often heard from customers that the default settings trigger this message a few times a day. So it needs to be adjusted, otherwise they tend to be disabled. For other customers defaults works fine.
  • Send Notification
    Mail-notification is widely used, from my perspective. But I heard from at least one company that get hacked and the hacker faked the no-problem-mails from Veeam ONE! Quite scary! I think this could happen with SNMP too. 
     

Thanks for sharing this @vNote42

I don’t like email for notifications, it can be easily not read etc. I prefer to send a snmp traps to a monitoring tools to centralize it (Veeam One and VBR). Monitoring operator can trigger an escalation with special instructions to security or system team (on call if during night).

Obviously you can send email or/and push notification (teams, riot matrx, slack….)

@marcofabbri I had set up the ransomware alert, it was too verbose. Restrict the usage to a specific area (Internet exposure). I will prefer an edr to block or alert from this kind of breach.


Just to add some consideration to this extremely good piece: hackers do involve “clearing track” step that could be final step or initial step of ther activity. As @vNote42 mentioned, instant notification via mail is foundamental to avoid missing some logs because they cleaned them.

Obviously using same credentials for Veeam One and VBR, or installing Veeam One on the same server as VBR could lead to a serious problem in security.

And just a final thing: there’s an option inside Veeam One to alarm if there’s more activity on a server on CPU and/or write operations than its usual behavior.


Thank you for this article :)


This is such a great feature of VONE.


Comment