The well-known 3-2-1 backup strategy has started falling short, so experts are looking to add another -1. Ransomware has continued to grow more sophisticated, to the point that some strains now seek out and go after backups.
Two of the higher-profile examples are SamSam and Ryuk, which combined have cost victims approximately $68M. With this in mind, cybersecurity experts, including those at CISA [1, 2, 3], recommend keeping a copy of your backups offline, bumping the famed 3-2-1 to 3-2-1-1: three copies, two different media types, one offsite, and one offline.
A number of options are available today for the new -1, depending on how much data needs to be protected: tapes, rotating hard drives, and immutable storage.
Tapes have been around a long time and, arguably, offer the best all-around protection. A variation called WORM (write once read many) tape is immutable by nature; it was originally created to address records compliance requirements. WORM tapes, like regular rewritable tapes, can be taken completely offline by removing them from the library. As an added benefit, even tapes that remain in the library are not directly accessible to the operating system, so ransomware would need to be able to issue commands to your backup software to affect them. Not foolproof, but certainly a deterrent.
Rotating hard drives would be used similarly to tapes in that they would be disconnected from the backup solution while not in use.
The last option is immutable storage, which some might consider the more convenient digital version of “offline.” Immutable storage lets you define retention policies that make altering or deleting data difficult or impossible for the length of the retention period. The difference from the previous “offline” options is that the data remains online and readable. A number of on-prem storage vendors, such as NetApp, Isilon, and Pure Storage, ship with immutable snapshots out of the box, which lend themselves well to this paradigm. Adding to the mix are cloud options from AWS, Azure, Google Cloud Storage, and Oracle Cloud, all of which offer immutable storage configurations.
To conclude, the critical thing with all of these options is defining a retention policy long enough for you to recover your data. Factors to consider: you might not detect the ransomware right away, and worse, in some cases it may lie dormant. Retaining several months of backups should provide protection from dormant and slow-moving ransomware.
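As an added example (not from this article) covering both the immutable cloud storage option and the retention-period point above: the snippet below derives a retention window from the factors just listed, builds an S3 Object Lock default-retention rule in the shape boto3's put_object_lock_configuration() accepts, and audits a weak configuration beside the corrected one. The RetentionInputs helper and the day counts are assumptions for illustration.

```python
"""Build and audit an S3 Object Lock default-retention policy for a backup bucket.

Added example, not from the original article. The dict shape matches what boto3's
put_object_lock_configuration() accepts; the day counts below are constructed.
"""
from dataclasses import dataclass


@dataclass
class RetentionInputs:
    detection_lag_days: int    # how long ransomware might run before it is noticed
    dormancy_days: int         # how long it might lie dormant before triggering
    recovery_margin_days: int  # time to investigate and restore once noticed


def required_retention_days(inp: RetentionInputs) -> int:
    """Minimum immutable retention: the lock must outlive the whole undetected window."""
    return inp.detection_lag_days + inp.dormancy_days + inp.recovery_margin_days


def object_lock_config(days: int, mode: str = "COMPLIANCE") -> dict:
    """Object Lock default-retention rule as passed to put_object_lock_configuration()."""
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def audit_object_lock_config(cfg: dict, min_days: int) -> list:
    """Return findings for a bucket's Object Lock configuration (empty list = acceptable)."""
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock not enabled: backups can be deleted or overwritten"]
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode, days = rule.get("Mode"), rule.get("Days", 0)
    findings = []
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be shortened or removed by a principal holding
        # s3:BypassGovernanceRetention; COMPLIANCE cannot, even by the account root.
        findings.append(f"mode {mode}: retention is bypassable by privileged users")
    if days < min_days:
        findings.append(f"retention {days} days is shorter than required {min_days}")
    return findings


# Constructed sample: 30 days undetected, 60 days dormant, 30 days to recover.
SAMPLE = RetentionInputs(detection_lag_days=30, dormancy_days=60, recovery_margin_days=30)
WEAK = object_lock_config(14, mode="GOVERNANCE")                # weak setting
HARDENED = object_lock_config(required_retention_days(SAMPLE))  # corrected setting

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_object_lock_config(cfg, required_retention_days(SAMPLE)) or "OK")
```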
By William Vest, Sr. Systems Administrator