3. Protecting backups against logical destruction 

As part of a defense‑in‑depth approach to backup protection, and in light of the threat landscape observed, the assumption of an illegitimate takeover of components within the storage and backup infrastructure must be considered. 

More generally, in order to effectively reduce the risk of data loss, best practice dictates ensuring that backups are not exposed to the same risks (cyber or otherwise) as the stored data. This approach is notably based on diversifying backup media, implementing physical or logical segregation, and maintaining at least one isolated copy that is both offline and off‑site. 

The use of mechanisms designed to prevent the alteration or deletion of backed‑up data,even in the event of a successful attack on the storage and backup infrastructure, should therefore be considered. 

Immutability and air gapping represent the two main approaches in this area. While these concepts are widely promoted by vendors, the solutions available and the residual risks associated with their implementation vary. It is therefore essential to fully understand the underlying mechanisms of these solutions in order to select the one that best addresses the required risk coverage. 

According to the Cyber Benchmark conducted by Wavestone, nearly 65% of organizations implement immutability or air‑gapping mechanisms, at least for critical functions, and 21% apply them across all of their backups. 

Backup Immutability, an Increasingly Adopted Technique 

“Data immutability means that data can be written but cannot be modified or deleted” (NIST). 

Far from being uniform, its implementation relies on a variety of technical approaches whose robustness varies depending on whether they are based on hardware or software mechanisms. 

a. Purely Hardware-Based Mechanisms 

• LTO WORM cartridges (with compatible hardware/firmware) 
  These magnetic tape cartridges allow data to be written once, preventing any subsequent modification or deletion, provided that the hardware and firmware support WORM (Write Once, Read Many) mode. 

     For more specific use cases : 

• Blu‑ray jukeboxes 
  This robotic system uses WORM Blu‑ray discs to permanently store data, rendering it physically unalterable once written. 
• Flash storage with WORM controller (firmware / e‑Fuse bit) 
  Some flash storage devices incorporate a controller with dedicated firmware or hardware mechanisms such as e‑Fuse bits, enabling data to be permanently locked after being written. 

b. Software-Based Mechanisms, Embedded or Appliance-Based 

• Hardware appliance with local management 
  This is a backup‑dedicated appliance, locally configured to enforce immutability policies, often through software locks or non‑modifiable retention periods. 
• Hardware appliance with online management 
  This type of appliance enables remote management, sometimes via an out‑of‑band channel, ensuring that immutability policies cannot be altered even if the primary network is compromised. 
• Software installed on the organization’s operating systems 
  Some software solutions allow immutability rules to be defined directly at the operating system level. However, this approach may be less robust, as it can be vulnerable if the host system is compromised. 
• Cloud capabilities (e.g., Amazon S3 Glacier / Azure Blob Storage) 
  Cloud storage services offer immutability features through retention policies or WORM locks, ensuring that stored objects cannot be modified or deleted for a defined period. 

It should be noted that the level of immutability can be adjusted based on the nature of the data concerned, in order to optimize the balance between security requirements and operational constraints. 

Immutability is increasingly observed as a mechanism deployed within backup protection strategies and remains more commonly implemented than air gapping. 

Backup Air Gapping : A Technique Observed but Less Optimized 

An air gap4 is defined as “an interface between two systems in which (a) the systems are not physically connected and (b) any logical connection is not automated (i.e., data is transferred across the interface only manually, under human control).” 

Like immutability, air gapping can be implemented in various ways, including: 

Physical implementations  :

1. Offline, protected tape storage (primarily at a remote site) 
   Magnetic tapes are removed from the active backup system and stored in a physically separate location, preventing any network or automated access. 
2. Tapes stored in a backup robot 
   Although physically connected, certain backup robot configurations allow tapes to be logically disconnected when not in use, thereby limiting the risk of unauthorized access. 
3. Other removable storage media such as disks (stored offline) 
   Hard drives or SSDs can be used to transfer data, then physically disconnected and stored in a secure environment, ensuring full isolation. 
4. Optical data diode transfer gateways 
   These devices enable one‑way data transfer, physically preventing any return flow of information or commands to the source system and providing a certain level of separation. When native support is not provided by backup software vendors, third‑party software agents enabling unidirectional transfer must be used in addition. 

Logical Air‑Gap Implementations (Departing from Physical Isolation) :

1. “Saloon door” network ports opened only during synchronization 
   Network connections are temporarily enabled to allow data synchronization and then automatically disabled, thereby limiting the exposure window and requiring strict controls to ensure that only legitimate replication traffic is authorized. 
2. Isolation through access control and encryption capabilities 
   Strict access control mechanisms combined with encryption make it possible to restrict access to backups to precisely defined users and time windows. 
3. Backup as a Service (isolated private cloud / third‑party cloud) 
   Some externalized backup offerings provide full logical isolation by segregating customer environments and limiting network interactions to strictly controlled channels. However, the risk of compromise is not null, as illustrated by a successful attack in 2025 against an online backup service targeting firewall configurations. 

Subject to a risk analysis, particularly when relying on logical solutions, implementing data immutability should generally be prioritized over air gapping. 

While immutability and air gapping constitute effective safeguards to preserve the integrity, and even the confidentiality, of traditional backups against risks of modification or exfiltration, other approaches that are more focused on operational optimization also warrant consideration. 

In this context, the objective is no longer to secure full data copies, but rather to rely on alternative mechanisms enabling rapid and large‑scale restoration, often at the cost of certain trade‑offs. This is notably the case with snapshots, which have emerged as a preferred technical solution in environments where recovery performance takes precedence over backup completeness or robustness. 

Snapshots: A Fast Recovery Solution, but Not a Full-Fledged Backup 

To better understand what the concept of a snapshot technically entails, it is useful to refer to the definition provided by NIST: “A record of the state of a running image, typically captured as the differences between a reference image and the current state.” 

In other words, a snapshot represents an instantaneous capture of the state of a file system or data volume at a given point in time. Unlike a full backup, it records only the blocks or files that have changed since the reference state. This mechanism, which is fast and resource‑efficient, is particularly well suited to environments where rapid recovery is a priority. It is therefore widely used in virtualized and cloud infrastructures. 

However, this operational efficiency comes with notable trade‑offs in terms of backup quality. Snapshots do not constitute independent copies of data; they depend on the integrity of the host system. In the event of corruption of the primary volume, snapshots may become unusable. In addition, their lifecycle management (rotation, retention, application consistency) requires particular rigor to avoid operational drift. 

While effective in accelerating business recovery, snapshots cannot replace a true backup strategy. They should be considered as a complement to more robust mechanisms that ensure long‑term data durability and integrity. 

Whether dealing with snapshots or traditional backups, their integration into a protection architecture requires a thorough risk analysis, including the identification of residual vulnerabilities. 

4. Risk-Based approach and identification of residual risks 

Given the stakes associated with irreversible data loss and/or prolonged disruption of critical business activities, risk analysis applied to backup mechanisms is not an optional step but rather a fundamental pillar of a consistent and well‑controlled backup strategy. 

Embedding Risk Analysis at the Core of Backup Management 

Whether or not it is part of a formal certification or authorization process, conducting a risk analysis of backup mechanisms aims to ensure that the controls in place are aligned with identified threats and business continuity requirements. 

In this context, a risk analysis applied to backups, based, for example, on the EBIOS Risk Manager (EBIOS‑RM) methodology proposed by ANSSI, makes it possible to assess existing controls, identify plausible attack scenarios such as compromise of the backup server or data tampering, and evaluate their likelihood. This approach helps prioritize security measures according to their potential impact on business activities, while ensuring that residual risks remain acceptable with regard to business objectives. 

Monitoring residual risks, those that persist despite the implementation of protection measures, is a natural extension of the risk analysis process. It is therefore essential to identify, document, and integrate them into an ongoing security risk management strategy. By way of illustration, such residual risks may include: 

• Insider threat : A malicious administrator or an employee with privileged access may intentionally alter or delete backups. 
• Compromise of the cloud backup service provider : A compromise of the cloud provider, for example through the exploitation of non‑public vulnerabilities, could allow an attacker to access or manipulate backups while bypassing customer‑side security mechanisms. 
• Compromise of customer (tenant) accounts : Unauthorized access to customer accounts may result in loss of control over backups, including their deletion or alteration. 
• Destruction of backup solution assets : If the backup infrastructure is destroyed (physically or logically), restoring backups may become difficult or even impossible in the event of the loss of critical resources such as: 
  • Backup catalogs / backup tool databases 
  • Secrets such as decryption keys 
• Technical compromise of the backup tool : An attacker may render backups unusable by exploiting technical vulnerabilities in the backup software or the host system, including via low‑level out‑of‑band access mechanisms such as iLO or iDRAC. 
• Compromise of administrative accounts : Even with immutability mechanisms in place, functional compromise of administrative accounts may allow an attacker to disable or bypass protections before, and in some cases after, data is written (retention periods, time‑management mechanisms, etc.). 
• Compromise of the backup tool’s cybersecurity controls : If an attacker tampers with backup protection settings, such as encryption parameters (e.g., encryption_secret), backups may remain unusable.  

Once a secure backup solution is implemented, complement the analysis with periodic audits, Including Red Team Exercises 

In addition to theoretical risk analysis and residual risk monitoring, periodic audits help identify vulnerabilities related to the implementation of the backup solution. Among the possible audit types, Red Team exercises aim to reproduce the behavior of an attacker seeking to destroy backups. These exercises also serve to test the effectiveness of the technical and human measures in place for protection, detection, and response to an attack. 

Conclusion 

Protecting backups against ransomware relies on a holistic approach rather than a purely “product‑based” one : 

• Continuously verifying the reliability of backups to ensure effective reconstruction of the information system; 
• Securing the backup infrastructure by reducing its attack surface; 
• Protecting backed‑up data, with immutability as a priority; 
• Adopting a cross‑functional, risk‑driven approach to security management. 

The level of rigor required for backup security will continue to increase as attackers refine their techniques and strengthen their capabilities.  

Continuous vigilance and adaptation to the evolving threat landscape therefore remain the strongest allies of a resilient backup strategy. 

Cet article Backups: The Last Line of Defense Against Ransomware Part 2  est apparu en premier sur RiskInsight.

This article presents four complementary approaches to strengthening end-to-end backup security: 

1. Continuously ensuring the availability of usable backups 
2. Strengthening the security of the backup infrastructure against attacker takeover 
3. Protecting backups against logical destruction 
4. Identifying residual risks in light of the measures implemented 

This article is published in two parts: the first focuses on approaches 1 and 2, followed by a second publication covering approaches 3 and 4. 

The recommendations presented do not replace those set out in ANSSI guidelines, which define the fundamental principles of backup [2] practices. 

Figure 1: Strengthening Backup Security Through Four Approaches 

1. Continuously ensuring the availability of usable backups 

To guarantee the availability of usable backups, it is essential to apply fundamental best practices. 

Ensuring backup completeness and consistency 

In the context of a ransomware attack, the primary objective of backups is to provide a reliable data source enabling the reconstruction of the information system. Backups are truly effective only if they contain all the elements required for full recovery. This notably includes businesscritical data, configurations of business applications and systems, installation sources, as well as critical operational data such as password vaults, licenses, and operational documentation. 

Backup completeness alone is not sufficient. The need for data consistency points across backups originating from different sources (e.g., a document management system (DMS) database and its associated files) must also be taken into account. Conducting a preliminary analysis helps facilitate data resynchronization across different repositories during the recovery phase. 

In addition, it is necessary to maintain backups of the infrastructure itself to enable identical reconstruction. These backups must include the backup catalog, software installation sources, encryption keys, and all other required secrets. A copy of configuration parameters should be stored in a separate location, such as an offline environment, distinct from the primary infrastructure, in order to limit the risk of a shared compromise. 

According to the Cyber Benchmark conducted by Wavestone across more than 170 assessed organizations, approximately 90% of the organizations observed perform regular data backups. 
Among organizations that perform regular backups: 

• Approximately 65% conduct restoration tests 
• Approximately 20% perform business data consistency checks 

In this context, various controls must be defined and implemented on a regular basis. 

Testing Backup Reliability Through Regular Controls 

A first level of control aims to ensure that backups are effectively performed and remain usable. This can be based on the application of daily verification procedures relying on evidence such as reports, logs, and alerts. These checks may be manual or (semi) automated. However, an additional human review remains necessary to ensure that indicators and alerts are not misleading, particularly in the event that monitoring and control mechanisms have been compromised or disabled by an attacker. 

This first level also includes periodic restoration tests, carried out on representative scopes, in order to verify, where possible with the involvement of application or business subject-matter experts, the integrity and completeness of the data required for business recovery. 

The second level consists in ensuring that first-level checks are properly applied. It relies on independent controls or formalized processes. Dashboards may be used to centralize confidence-level indicators by correlating the results of daily operational checks with restoration test outcomes. 

Once the reliability of backups has been established, restoration processes should be optimized by regularly testing them and ensuring their effectiveness. 

Industrializing Restoration Processes to Optimize Recovery Time in the Event of a Compromise 

To reduce recovery time following a compromise, it is essential to industrialize restoration processes at scale in order to support mass recoveries. This requires preparing these processes in advance, testing them regularly, and adapting them to different destruction scenarios. 

As the restoration phase of an information system may extend over several weeks, or even several months, it is necessary to increase backup retention periods for the data to be restored, in order to prevent their loss through overwriting or premature deletion. 

Restoration processes must also include mechanisms to rapidly assess the state of backedup data by identifying, based on indicators of compromise, data that has been compromised, modified, or corrupted, so as to effectively target the appropriate restoration points. 

Integrating the Risk of Backup Compromise into the Restoration Strategy 

To ensure reliable recovery following a compromise, it is essential to account, within the overall restoration strategy, for the risk of alteration or manipulation of backedup data. This involves addressing the risk of data alteration or manipulation occurring upstream of backup processing by the backup agent, for example: 

• Being able to rely on full backups created prior to the attacker’s intrusion, as identified during the initial investigations. In such cases, the backedup data can be considered uncompromised and used to rebuild systems and applications. 

When restoring unaltered application or system components that are not reinstalled from trusted sources, the restoration process must also include the application of security patches and hardening measures to prevent any subsequent compromise. 

The backup process alone cannot prevent potential data compromise before the data is handed over to it. Depending on the context, additional measures may be implemented, such as: 

• Protecting data integrity through system-level mechanisms and/or cryptographic means; 
• Detecting data alteration through application-level validation, monitoring of “canary files” data, or the use of an EDR (Endpoint Detection and Response) solution. 

These topics must be addressed in addition to backup protection measures. 

Extending Backup and Restoration Best Practices to Cloud Environments 

Finally, the backup rules defined for onpremises environments must be replicated and adapted to cloud environments. 

According to the Cyber Benchmark conducted by Wavestone, approximately 25% of the organizations observed have a regularly reviewed and updated backup policy covering both onpremises and cloud environments. 

In addition, around 29% of organizations externalize a backup of their cloud data to another region or to an onpremises environment, ensuring resilience against cyberattacks and regularly testing this process. 

Beyond the usability of backups, securing the infrastructure that hosts them represents an equally critical challenge, one that is sometimes insufficiently addressed. 

2. Strengthening the security of the backup infrastructure against attacker takeover 

Before considering more advanced mechanisms, it is important to recall that effective backup protection first relies on best practices for securing the backup infrastructure, notably those documented by ANSSI3. A compromise of this infrastructure could indeed result in the alteration of backups (encryption, destruction, etc.). 

Ensuring Defense in Depth for the Backup Infrastructure 

These best practices include segregating production and backup environments, using dedicated administrative accounts, and hardening infrastructure components, particularly through the application of ANSSI hardening guides applicable to Windows, Linux, and other systems. They also apply to backup agents, which may constitute a propagation vector toward production systems. 

In addition to hardening measures, the backup infrastructure must be subject to both technical and cybersecurity monitoring. 

Implementing technical and cyber monitoring of backup infrastructures 

Technical monitoring of backup infrastructures helps ensure their proper operation and detect any anomalies. The effective handling of detected anomalies must be regularly reviewed. 

Cybersecurity monitoring of the backup infrastructure relies on appropriate logging and traffic analysis. It must be capable of detecting the main attack techniques observed in the wild. 

Maintaining Threat Intelligence Focused on Backup Systems 

Threat intelligence specifically targeting backup systems must be maintained, beyond the technical vulnerability monitoring performed as part of maintaining the backup infrastructure in a secure operating condition. This threat intelligence should cover attack techniques and tactics used against backup infrastructures, in order to anticipate potential attacks and adapt protection, detection, and response capabilities accordingly. 

Despite the measures implemented to prevent the compromise of backup infrastructures, the risk of logical destruction remains and must be anticipated. 

Reference

[1] Wavestone, CERT

[2] ANSSI, Sauvegarde des systèmes d’information

[3] ANSSI, Sauvegarde des systèmes d’information

Cet article Backups : The Last Line of Defense Against Ransomware – Part 1  est apparu en premier sur RiskInsight.