ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    PCs Backup software that can isolate backup destination to protect from Ransomware virus.

    IT Discussion
    9
    170
    19.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • crustachioC
      crustachio @scottalanmiller
      last edited by crustachio

      @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

      @openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

      The backup destination will be NAS box and we got around 100 PCs.

      You must have a backup server in place between the PCs and the NAS in order to have any protection against ransomware, otherwise the ransomware can attack the NAS directly using the same permissions as the backup mechanism on the PCs.

      NAS snapshots could mitigate this risk. Just like Exablox advertises Continuous Data Protection (CDP) as a remedy to ransomware - you can go back to any snapshot in 10 second intervals out until your retention policy limit (file level or share level).

      Even basic QNAP and Synology boxes offer scheduled snapshots. Not necessarily a replacement for an intermediate backup server, just an option to consider.

      openitO 1 Reply Last reply Reply Quote 1
      • crustachioC
        crustachio
        last edited by

        Also, to the OP's question... isn't any backup software capabl;e

        @openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

        1. Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.

        Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.

        scottalanmillerS 1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller @crustachio
          last edited by

          @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

          Also, to the OP's question... isn't any backup software capabl;e

          @openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

          1. Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.

          Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.

          How does software do that when it is running on the compromised machine?

          JaredBuschJ crustachioC 2 Replies Last reply Reply Quote 1
          • JaredBuschJ
            JaredBusch @scottalanmiller
            last edited by

            @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

            @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

            Also, to the OP's question... isn't any backup software capabl;e

            @openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

            1. Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.

            Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.

            How does software do that when it is running on the compromised machine?

            Using veeam endpoint, I specify creds in the application. It does not connect to the nas with user creds.

            scottalanmillerS DashrenderD openitO 3 Replies Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @JaredBusch
              last edited by

              @JaredBusch said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

              @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

              @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

              Also, to the OP's question... isn't any backup software capabl;e

              @openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

              1. Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.

              Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.

              How does software do that when it is running on the compromised machine?

              Using veeam endpoint, I specify creds in the application. It does not connect to the nas with user creds.

              That helps. But once compromised, I wonder how much protection that supplies since the ransomware can control the binary.

              crustachioC 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @JaredBusch
                last edited by

                @JaredBusch said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                Also, to the OP's question... isn't any backup software capabl;e

                @openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                1. Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.

                Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.

                How does software do that when it is running on the compromised machine?

                Using veeam endpoint, I specify creds in the application. It does not connect to the nas with user creds.

                I was thinking of this too, but if the endpoint is compromised, then the application can be attacked and those creds could (no idea of likeliness) be compromised.

                1 Reply Last reply Reply Quote 0
                • crustachioC
                  crustachio @scottalanmiller
                  last edited by crustachio

                  @scottalanmiller all the software I have used accesses remote storage using credentials supplied within the application. In Veeam, for instance, you can choose unique credentials when adding the backup repository:

                  alt text

                  You could be running Domain Admin on the backup host machine, but Domain Admin has no permissions on the NAS share.

                  A cryptolocker ran on the Domain Admin account on that machine would encrypt all the local files and share-accessible files, but since the Domain Admin has no permissions on the NAS, it's safe.

                  1 Reply Last reply Reply Quote 1
                  • crustachioC
                    crustachio @scottalanmiller
                    last edited by

                    @scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed

                    scottalanmillerS 1 Reply Last reply Reply Quote 1
                    • crustachioC
                      crustachio
                      last edited by

                      Don't forget you can define standalone service accounts for Veeam itself on the host machine. It doesn't have to run as the local user/admin/etc.

                      1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @crustachio
                        last edited by

                        @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                        @scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed

                        I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.

                        DashrenderD crustachioC 2 Replies Last reply Reply Quote 1
                        • DashrenderD
                          Dashrender @scottalanmiller
                          last edited by

                          @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                          @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                          @scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed

                          I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.

                          LOL - for a min there I thought I missed a post you put up.

                          Yeah, the ability to break into the app and pull out those credentials will be a thing. Just like how virus can disable antivirus software.

                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                          • crustachioC
                            crustachio @scottalanmiller
                            last edited by

                            @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                            @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                            @scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed

                            I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.

                            OK, I'll grant that. So what's your recommendation? You said earlier to put backup software on a machine in front of the NAS. Now what? 😄

                            /devilsadvocate

                            scottalanmillerS 1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                              @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                              @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                              @scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed

                              I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.

                              LOL - for a min there I thought I missed a post you put up.

                              Yeah, the ability to break into the app and pull out those credentials will be a thing. Just like how virus can disable antivirus software.

                              LOL, yeah, I realized that I must be "projecting potential attack vectors rather than established ones".

                              1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender
                                last edited by

                                You run a Veeam server. It connects to the computer in question, pulls the data off, and sends it to the NAS. Only the Veeam server has creds to talk to the NAS. As long as the Veeam server isn't infected, the NAS is safe.

                                The Veeam server should have really good creds, be behind a firewall that prevents all communication except that that is absolutely required.

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @crustachio
                                  last edited by

                                  @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                                  @scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                                  @crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                                  @scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed

                                  I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.

                                  OK, I'll grant that. So what's your recommendation? You said earlier to put backup software on a machine in front of the NAS. Now what? 😄

                                  /devilsadvocate

                                  It's an air gap, not quite as good as tape (physical air gap) but it is good.

                                  PC -> Backup Machine -> Storage

                                  The PC, no matter how compromised, has no permissions to the backup machine, the backup machine uses an agent or a pull method to get the data. Only the backup machine has access to the backup storage. The PC and the backup machine (server) share no credentials. So a compromise of the PC has no means of spreading to the Backup Machine.

                                  This is different than a binary on the PC which must contain the push credentials for the backup storage and, if compromised, takes the storage with it.

                                  1 Reply Last reply Reply Quote 0
                                  • crustachioC
                                    crustachio
                                    last edited by

                                    Oh right right. Derp. I was assuming we were talking about getting a hack on the backup host, but right, if it's on a user PC or whatever then yes, that gap is valuable.

                                    1 Reply Last reply Reply Quote 0
                                    • JaredBuschJ
                                      JaredBusch
                                      last edited by

                                      @scottalanmiller but this is not something that I will waste my time on. it is not any different than only buying hardware for now instead of for 5 years from now.

                                      Yes this is an eventual attack vector, but it is not anything now.

                                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                                      • scottalanmillerS
                                        scottalanmiller @JaredBusch
                                        last edited by

                                        @JaredBusch said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:

                                        @scottalanmiller but this is not something that I will waste my time on. it is not any different than only buying hardware for now instead of for 5 years from now.

                                        Yes this is an eventual attack vector, but it is not anything now.

                                        I guess that I am only surprised that it is not a common vector already. But that's what I meant by the @Dashrender comment, he did the same thing to me last week and I said the same thing as you. I just realized that I was doing it here as well.

                                        It's good to know that it could happen, good to know that no one is doing it yet and move on. So Veeam EP does not have any current attack vector like this? That's good to know, it's so obvious that I just assumed that it was being done regularly.

                                        crustachioC 1 Reply Last reply Reply Quote 1
                                        • crustachioC
                                          crustachio @scottalanmiller
                                          last edited by

                                          @scottalanmiller I imagine the hacker world operates like anything else: Don't work any harder than you have to. It appears the well of ransomware victimes is still deep and easily accessible, so why spend time actively exploiting what is, by comparison to the whole spectrum of ransomware victims, a niche case?

                                          If and when the gravy train slows down for ransomware perpetrators, I imagine they'll get more vicious.

                                          DashrenderD 1 Reply Last reply Reply Quote 2
                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            It's not a common infection vector today, and we have to ask ourselves why it's not.

                                            Consider the following:

                                            1. how many machines are running local backup process that is really divorced from the logged on credentials?
                                            2. how many are running backups of local machines in the first place?

                                            I don't backup any local machine in my office. All files are saved to a network location, that location is then backed up through an air gapped backup solution as mentioned by Scott.

                                            Even if I was using a local client on the server to do backups, it's significantly more secure because the end user's infected machine shouldn't have an credentials that allow execution on the server.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 8
                                            • 9
                                            • 1 / 9
                                            • First post
                                              Last post