PCs Backup software that can isolate backup destination to protect from Ransomware virus.
-
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
The backup destination will be NAS box and we got around 100 PCs.
You must have a backup server in place between the PCs and the NAS in order to have any protection against ransomware, otherwise the ransomware can attack the NAS directly using the same permissions as the backup mechanism on the PCs.
NAS snapshots could mitigate this risk. Just like Exablox advertises Continuous Data Protection (CDP) as a remedy to ransomware - you can go back to any snapshot in 10 second intervals out until your retention policy limit (file level or share level).
Even basic QNAP and Synology boxes offer scheduled snapshots. Not necessarily a replacement for an intermediate backup server, just an option to consider.
-
Also, to the OP's question... isn't any backup software capabl;e
@openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
- Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.
Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.
-
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
Also, to the OP's question... isn't any backup software capabl;e
@openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
- Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.
Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.
How does software do that when it is running on the compromised machine?
-
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
Also, to the OP's question... isn't any backup software capabl;e
@openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
- Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.
Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.
How does software do that when it is running on the compromised machine?
Using veeam endpoint, I specify creds in the application. It does not connect to the nas with user creds.
-
@JaredBusch said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
Also, to the OP's question... isn't any backup software capabl;e
@openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
- Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.
Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.
How does software do that when it is running on the compromised machine?
Using veeam endpoint, I specify creds in the application. It does not connect to the nas with user creds.
That helps. But once compromised, I wonder how much protection that supplies since the ransomware can control the binary.
-
@JaredBusch said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
Also, to the OP's question... isn't any backup software capabl;e
@openit said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
- Software that can isolate backup destination to protect from ransom-ware so that PC got infected will not effect backup target.
Isn't any backup software capable of this? As long as your backup storage target has unique permissions that can't be mapped, browsed or written by any domain users, the software you choose is irrelevant.
How does software do that when it is running on the compromised machine?
Using veeam endpoint, I specify creds in the application. It does not connect to the nas with user creds.
I was thinking of this too, but if the endpoint is compromised, then the application can be attacked and those creds could (no idea of likeliness) be compromised.
-
@scottalanmiller all the software I have used accesses remote storage using credentials supplied within the application. In Veeam, for instance, you can choose unique credentials when adding the backup repository:
You could be running Domain Admin on the backup host machine, but Domain Admin has no permissions on the NAS share.
A cryptolocker ran on the Domain Admin account on that machine would encrypt all the local files and share-accessible files, but since the Domain Admin has no permissions on the NAS, it's safe.
-
@scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed
-
Don't forget you can define standalone service accounts for Veeam itself on the host machine. It doesn't have to run as the local user/admin/etc.
-
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed
I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.
-
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed
I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.
LOL - for a min there I thought I missed a post you put up.
Yeah, the ability to break into the app and pull out those credentials will be a thing. Just like how virus can disable antivirus software.
-
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed
I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.
OK, I'll grant that. So what's your recommendation? You said earlier to put backup software on a machine in front of the NAS. Now what?
/devilsadvocate
-
@Dashrender said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed
I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.
LOL - for a min there I thought I missed a post you put up.
Yeah, the ability to break into the app and pull out those credentials will be a thing. Just like how virus can disable antivirus software.
LOL, yeah, I realized that I must be "projecting potential attack vectors rather than established ones".
-
You run a Veeam server. It connects to the computer in question, pulls the data off, and sends it to the NAS. Only the Veeam server has creds to talk to the NAS. As long as the Veeam server isn't infected, the NAS is safe.
The Veeam server should have really good creds, be behind a firewall that prevents all communication except that that is absolutely required.
-
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@crustachio said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller If CryptoLocker exists that can manipulate the binaries of backup software, we're all !@&ed
I'm going out on a @Dashrender limb here (He knows what I mean) but I think we have to assume that this is either here, or right around the corner as a risk vector.
OK, I'll grant that. So what's your recommendation? You said earlier to put backup software on a machine in front of the NAS. Now what?
/devilsadvocate
It's an air gap, not quite as good as tape (physical air gap) but it is good.
PC -> Backup Machine -> Storage
The PC, no matter how compromised, has no permissions to the backup machine, the backup machine uses an agent or a pull method to get the data. Only the backup machine has access to the backup storage. The PC and the backup machine (server) share no credentials. So a compromise of the PC has no means of spreading to the Backup Machine.
This is different than a binary on the PC which must contain the push credentials for the backup storage and, if compromised, takes the storage with it.
-
Oh right right. Derp. I was assuming we were talking about getting a hack on the backup host, but right, if it's on a user PC or whatever then yes, that gap is valuable.
-
@scottalanmiller but this is not something that I will waste my time on. it is not any different than only buying hardware for now instead of for 5 years from now.
Yes this is an eventual attack vector, but it is not anything now.
-
@JaredBusch said in PCs Backup software that can isolate backup destination to protect from Ransomware virus.:
@scottalanmiller but this is not something that I will waste my time on. it is not any different than only buying hardware for now instead of for 5 years from now.
Yes this is an eventual attack vector, but it is not anything now.
I guess that I am only surprised that it is not a common vector already. But that's what I meant by the @Dashrender comment, he did the same thing to me last week and I said the same thing as you. I just realized that I was doing it here as well.
It's good to know that it could happen, good to know that no one is doing it yet and move on. So Veeam EP does not have any current attack vector like this? That's good to know, it's so obvious that I just assumed that it was being done regularly.
-
@scottalanmiller I imagine the hacker world operates like anything else: Don't work any harder than you have to. It appears the well of ransomware victimes is still deep and easily accessible, so why spend time actively exploiting what is, by comparison to the whole spectrum of ransomware victims, a niche case?
If and when the gravy train slows down for ransomware perpetrators, I imagine they'll get more vicious.
-
It's not a common infection vector today, and we have to ask ourselves why it's not.
Consider the following:
- how many machines are running local backup process that is really divorced from the logged on credentials?
- how many are running backups of local machines in the first place?
I don't backup any local machine in my office. All files are saved to a network location, that location is then backed up through an air gapped backup solution as mentioned by Scott.
Even if I was using a local client on the server to do backups, it's significantly more secure because the end user's infected machine shouldn't have an credentials that allow execution on the server.
