With multiple reports what seems to be about every week of ransomware attacks, especially the recent big one here in the States on the Colonial Pipeline, I thought it would be a great idea to start a continuing discussion on how best to protect your environment from ransomware. What are ways you can implement ‘security-in-layers’ and configure your backup environment to provide you and your company the best possible recovery scenario in the event of a ransomware attack?
I will not provide an exhaustive list, but will instead just begin this discussion off with a few configuration options for your BU/DR environment which can help protect you in the event of a ransomware attack. First, if you’re not aware, Veeam has transitioned from its “3-2-1 rule” to a more wholistic “3-2-1-1-0 rule” > 3 copies of data, 2 media types, 1 copy offsite, 1 copy immutable/airgapped, and 0 recoverability errors. With that in mind, I will start off with the following configuration options I recommend for your Veeam backup environment:
- VBR server not domain-joined; use local user accounts for administration
- Use storage integration with storage snapshot capability - my experience is with Nimble storage specifically. With Nimble snapshots, if you have an offsite array, you can create a ‘partner’ to the offsite array from your prod array and replicate snaps to it. We all know (I hope!) snapshots are not backups, but in this case, they actually are because a full copy of the data on your prod Nimble Volumes are replicated to the offisite array. I use Nimble arrays for both my prod data (VMware datastores) and for Veeam repositories. Separate arrays of course. I recommend configuring snapshots for both your prod data and Veeam repositories on your arrays. Multiple recoverability layers never hurts
- A NOTE about Storage Integration with Veeam > within Veeam, in the Storage Integration tab, snapshots can be deleted; so if your VBR server gets compromised, not only can backups be deleted, but any snapshots/replicated snaps could be deleted as well. This doesn’t mean you should not use snapshots, but is something you need to be aware of
- Utilize VeeamONE - VONE has a few reports/alarms which can help you detect there may be a problem with ransomware > Possible Ransomware Activity alarm, and the VM Change Rate History / Veeam Backup Files Growth reports.
@kirststoner12 does a great job describing these VONE features in the linked article I provided above - Configure Immutable repository storage, using Veeam’s new Hardened Linux Repositories, or other vendor immutability solution (Amazon, Wasabit, etc). It has been said ransomware can lay dormant for up to 45 days, so having a retention period above this is recommended. There is no guarantee malware files are still not backed up to your immutable repository; but, your chances of recoverability are certainly hightened if you use this feature
Those are my handful of suggestions. What other ransomware protection suggestions do you have which you use in your or your customer’s environments?
