On Nov. 26, the UK NCSC issued guidance on ransomware-resistant backups.
The UK NCSC published principles for making on-premises and cloud backups resistant to ransomware.
Background
Backups are an essential part of an organisation’s response and recovery process.
Making regular backups is the most effective way to recover from a destructive ransomware attack, where an attacker’s aim is to destroy or erase a victim’s data.
Analysis of incidents shows that in the early stages of a ransomware attack, actors often target backups and backup infrastructure, deleting or destroying the data stored there to make it harder for the victim to recover and more likely to pay the ransom.
This puts data held in backups at particular risk from ransomware actors.
The principles set out the functions a backup service should offer in order to be considered ransomware-resistant.
Principles
There are two separate sets of principles, covering the protections to put in place for on-premises and for cloud-based backup solutions. The principles are aimed at vendors of backup solutions, and at system owners and operators intending to use these services.
They can be used to assess the resilience of a backup solution against the ransomware threat.
For each principle the threat is described along with suggested implementations.
Principles for On-Premises Solutions
Principle 1 covers isolation of the backup solution.
Principle 2 covers keeping the backup solution updated.
Principle 3 covers resilience to destructive actions.
Principle 4 concerns the ability to restore from an earlier backup version, even if later versions become corrupted.
Principle 5 covers robust key management for data-at-rest protection.
Principle 6 covers triggering alerts if significant changes are made or privileged actions are attempted.
Principles for Cloud Back-ups
Principle 1 concerns resilience of backups to destructive actions.
Principle 2 states that a backup system should be configured so that it is not possible to deny all customer access.
Principle 3 concerns the service allowing a customer to restore from an earlier backup version, even if later versions become corrupted.
Principle 4 covers robust key management for data-at-rest protection.
Principle 5 concerns triggering alerts where significant changes are made.
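As an added illustration of how several of these principles fit together (it is not NCSC text or any vendor's code), the Python sketch below models a backup store that is append-only, refuses deletion inside a retention lock, raises an alert on every privileged action and on integrity failures, and restores from the newest version that still matches its recorded digest, so a corrupted later version falls back to an earlier good one. The retention window in seconds, the SHA-256 digest and the in-memory store are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Version:
    seq: int
    data: bytes
    digest: str        # recorded at write time so later tampering with the data is detectable
    locked_until: int  # retention lock: deletion is refused before this time (constructed model)


@dataclass
class BackupStore:
    retention_seconds: int                      # assumed retention window, not an NCSC-specified value
    versions: List[Version] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)
    next_seq: int = 1

    def write(self, data: bytes, now: int) -> int:
        """Append a new version; existing versions are never overwritten in place."""
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.versions.append(Version(seq, bytes(data), _digest(data), now + self.retention_seconds))
        return seq

    def delete(self, seq: int, actor: str, now: int) -> bool:
        """Privileged action: always alerted (principle 6/5), refused inside the retention lock (principle 3/1)."""
        self.alerts.append(f"delete of version {seq} requested by {actor}")
        v = next((v for v in self.versions if v.seq == seq), None)
        if v is None or now < v.locked_until:
            return False
        self.versions.remove(v)
        return True

    def restore(self) -> Optional[bytes]:
        """Walk newest to oldest and return the first version whose data still matches its digest (principle 4/3)."""
        for v in sorted(self.versions, key=lambda v: v.seq, reverse=True):
            if _digest(v.data) == v.digest:
                return v.data
            self.alerts.append(f"version {v.seq} failed integrity check")
        return None
```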
Extortion Threat from Ransomware
The guidance focuses on mitigating the impact of a destructive ransomware attack.
Applying the principles does not address the growing trend of attackers stealing data in order to extort the victim later. The guidance notes that, to address this, backup systems should be protected from unauthorised access in the same way as any other system holding sensitive data.