Offline versus Immutable Backups

An air-gapped or offline backup isolates your critical data by keeping a copy either physically separated (removing the tape from the drive) or unreachable from the network (network ports or routes disabled). An immutable backup is a copy of data that is protected by role-based access controls and other types of authentication and cannot be changed or deleted until a set time has expired. However, it is not “offline” the way an air-gapped backup is, because it remains connected to and accessible from the network. Multiple technology vendors offer this type of immutability, whether on-premises or in the cloud; examples include Object Lock (S3), object storage, secure snapshots, and the hardened repository from Veeam.


Air-Gapped vs. Immutable Backups:

Since an immutable backup addresses some of the same ‘survivability’ goals as an air-gapped backup, the two have both similarities and differences. Both offer resistance against ransomware and support data compliance, but here is where they begin to differ.

A traditional air-gap backup, like tape, can incur an additional cost for managing the media and working with vendors to store the media properly. The same holds true for immutable storage, which can grow exponentially if data policies change. Some vendors are innovating here, such as Quantum with its Active Vault (an isolated area inside the library).

Recovery Time Objectives (RTO) also vary depending on the storage media used. For example, a customer who tested their restore speeds from the cloud back to on-premises hit noticeable network constraints that made it slower to recover the same data set that they had previously recovered from tape. It was taking weeks versus the few days they were accustomed to when recalling tapes. Increasing the download speeds was an option, but it required an overhaul of their current network at additional cost. In contrast, another organization was able to perform restores directly to the public cloud provider and save weeks’ worth of downtime after a cyber event, when they lost access to their on-premises infrastructure due to forensic investigation. Waiting for the investigation to complete would have cost them a month of downtime.

In both cases, customers were able to build a cyber-resilient architecture:

The most common element of an incident response playbook is a good backup:

87% of organizations have a risk management program that drives their security roadmap or strategy. That said, only 35% believe their program is working well, while 52% are seeking to improve their situation and the remaining 13% do not yet even have an established program.

Regardless of what you call your program or team that is chartered with planning against cyber events and preparing for how the organization will deal with them, the most common elements of the ‘playbook’ in preparation against a cyber attack are:

  • Clean backup copies, which one might presume includes data that is ‘survivable’ against attacks and does not include malicious code,
  • Recurring verification that the backups are recoverable.

45% of production data was affected by a cyber attack:

This is unfortunately consistent with last year’s 47% affected statistic, with no reason to assume future attacks won’t result in a similar catastrophic amount of data loss or impact.

On average, organizations stated that 45% of their production data was affected by the cyber attack. In looking at the extremes, 25% had a small portion (<20%) of their data affected, while 14% had nearly all (>80%) of their data affected by the attack.

Unfortunately, only 66% of the affected data was recoverable. The remaining 34% of the affected 45% was not, which works out to 15% of the organizations’ production data being unrecoverably lost.

As an aside, cyber victims were also asked about their confidence before and after the attack.

In hindsight, only 59% considered themselves ‘prepared’ — and even then, the results did not vary greatly on how impactful the attack was.

Cartels were able to affect the backup repositories in 75% of attacks:

Said another way, one in four organizations had backups to restore from, which is down from last year when one in three organizations had survivable backups.

In fact, bad actors targeted the backup repositories in at least 93% of attacks in 2022, nearly identical to the 94% of repositories that were targeted in 2021. The answers of respondents who stated that “some,” “most” or “all” of their repositories were affected reveal that, on average, 39% of backup repositories were affected.

Secure Backup is your last line of defense:

Defense-in-depth – target to hit:

First, respect this rule: 3-2-1-1-0 (with Trusted Immutability, one Offline Backup, and Backup Verification).
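As an added example (not part of the original post), the rule can be checked mechanically against a backup inventory. It assumes the commonly cited expansion of the digits (3 copies, 2 media types, 1 offsite, 1 offline or immutable, 0 verification errors), which the post does not spell out; the BackupCopy fields and the sample inventory are constructed. An immutable copy only counts while its retention lock is still active.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                            # "disk", "tape", "object", ...
    offsite: bool
    offline: bool                         # air-gapped: unreachable from the network
    immutable_until: Optional[datetime]   # retention-lock expiry, None = no lock
    verify_errors: Optional[int]          # None = restore test never run

def check_32110(backups, now, production_media="disk"):
    """Evaluate backup copies (production data counts as the first copy)."""
    def locked(c):
        return c.immutable_until is not None and c.immutable_until > now
    results = {
        "3_copies": 1 + len(backups) >= 3,
        "2_media": len({production_media} | {c.media for c in backups}) >= 2,
        "1_offsite": any(c.offsite for c in backups),
        "1_offline_or_immutable": any(c.offline or locked(c) for c in backups),
        "0_errors": bool(backups) and all(c.verify_errors == 0 for c in backups),
    }
    findings = []
    for c in backups:
        if c.immutable_until is not None and not locked(c):
            findings.append(f"{c.name}: retention lock expired, copy is mutable again")
        if c.verify_errors is None:
            findings.append(f"{c.name}: never restore-tested")
        elif c.verify_errors > 0:
            findings.append(f"{c.name}: {c.verify_errors} verification error(s)")
    return results, findings

# Constructed sample inventory (not taken from the post).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    BackupCopy("repo-disk", "disk", False, False,
               datetime(2023, 1, 1, tzinfo=timezone.utc), 0),
    BackupCopy("s3-lock", "object", True, False,
               datetime(2023, 7, 1, tzinfo=timezone.utc), None),
]

if __name__ == "__main__":
    results, findings = check_32110(INVENTORY, NOW)
    for rule, ok in results.items():
        print(f"{rule:24} {'PASS' if ok else 'FAIL'}")
    print(*findings, sep="\n")
```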

Second, protect your Backup Server and harden the environment around it:

  • Integrate Trusted Repository Storage: Offline Backup (tape, for example Quantum Active Vault) or Dell EMC Cyber Recovery (air-gapped backup through a sanctuary), or Immutable (Immutable Backup feature, Retention Time Lock with ExaGrid, Retention Lock with Dell EMC DataDomain, Snapshot feature in Quantum’s DXi appliance, HPE StoreOnce with Data Immutability, Object Lock with an Object Storage solution such as Dell EMC ECS, DataCore SWARM, or Wasabi, etc.).
  • Hardening (server, storage, OS, etc.).
  • Enable snapshot protection such as Pure Storage Safe Mode or Dell EMC Secure Snap.
  • Maintain developed protocols for the access rights hierarchy, Zero Trust, and network security (segmentation, a VLAN dedicated to Backup components).
  • Keep the Backup environment out of the domain (100% of attacks exploit a weakness of the Active Directory).
  • Practice password hygiene: take care of your Local Accounts and segment your passwords into different Password Management tools (especially local accounts and CISO/Security Officer accounts).
  • Enable double authentication on the management interface (storage hardware, appliances, etc.).
  • Never leave your Password Management tool open on your workstation, and never store it on the Filer Servers.
  • Protect your NTP.
  • Anonymize the names of backup servers and repositories, and the names of service accounts.
  • Create a HoneyPot backup environment and fake backup service accounts without permissions (svc_backup, and the same for all backup vendors), then monitor them with a real-time AD alerting solution (such as Netwrix, Varonis, Tenable.AD).
  • Run systemic network monitoring aimed at spotting abnormal network behavior.

These measures may significantly reduce the chances of Pay successfully removing backups. The secure backup solutions and mitigations listed will enable any possible victims to leave Pay without their demanded ransom money. Keep in mind that backup is a building block of the cybersecurity ecosystem.
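The decoy service accounts described above are useful only if every authentication attempt against them raises an alert. The following is an added example, not part of the original post: it scans a simplified JSON export of Windows Security events for logon and Kerberos/NTLM events that name a decoy account. The JSON layout, the second decoy name, and all sample events are constructed assumptions.

```python
import json

# Decoy accounts with no permissions. svc_backup is the post's example;
# svc_veeam is a hypothetical second decoy.
DECOYS = {"svc_backup", "svc_veeam"}

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENTS = {4624: "logon success", 4625: "logon failure",
               4768: "Kerberos TGT request", 4769: "Kerberos service ticket request",
               4776: "NTLM credential validation"}

def normalize(user):
    """Reduce DOMAIN\\user and user@REALM to a lowercase bare account name."""
    return user.split("\\")[-1].split("@")[0].strip().lower()

def decoy_alerts(lines):
    """Return one alert per authentication event that names a decoy account."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of stopping the monitor
        if not isinstance(ev, dict) or ev.get("EventID") not in AUTH_EVENTS:
            continue
        account = normalize(ev.get("TargetUserName") or "")
        if account in DECOYS:  # exact match: a decoy is never used legitimately
            source = ev.get("IpAddress") or ev.get("Workstation") or "unknown"
            alerts.append({"time": ev.get("TimeCreated"), "account": account,
                           "event": AUTH_EVENTS[ev["EventID"]],
                           "source": source.replace("::ffff:", "")})
    return alerts

# Constructed sample events (simplified JSON export, not real log data).
SAMPLE = [
    r'{"EventID": 4624, "TimeCreated": "2023-06-01T08:00:00Z", "TargetUserName": "alice", "IpAddress": "10.0.0.5"}',
    r'{"EventID": 4625, "TimeCreated": "2023-06-01T08:01:10Z", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.23"}',
    r'{"EventID": 4768, "TimeCreated": "2023-06-01T08:01:12Z", "TargetUserName": "svc_veeam@CORP.LOCAL", "IpAddress": "::ffff:10.0.0.23"}',
    r'{"EventID": 4776, "TimeCreated": "2023-06-01T08:01:15Z", "TargetUserName": "CORP\\SVC_BACKUP", "Workstation": "WS-042"}',
    'not json',
    r'{"EventID": 4625, "TimeCreated": "2023-06-01T08:02:00Z", "TargetUserName": "svc_backup_prod", "IpAddress": "10.0.0.9"}',
]

if __name__ == "__main__":
    for alert in decoy_alerts(SAMPLE):
        print(alert)
```

Because the decoys have no legitimate use, a single hit is worth paging on; failed and successful attempts are reported alike.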

It is still worth trying to check more backup files, but weigh the time needed to get the headers and check them, with a chance that something can be restored from there, against the time that could be used to rebuild the infrastructure.

You can get the headers of multiple files, and the backup solution vendor can check all of them.


