The One Reason to Pen Test Data Backup Systems - Ransomware Protection

At the heart of your disaster recovery plan, organizations often disregard data backup and recovery systems when it comes to pen testing and maintaining security. Vulnerable backup systems make for an attractive target by ransomware gangs, grief/ breach gangs, and effective pen-testing.

Disaster Recovery Plan and Ransomware Protection

One of the most significant sets of controls that programs will point to and rely on when impacted by a ransomware attack is Business Continuity and Disaster Recovery (BCDR) systems which depend on Data Backup and Recovery. While effective ransomware protection years ago, recently observed ransomware attacks prove that ransomware gangs are well aware of these strategies and are learning how to weaponize them. Backup and recovery operations, while touted as a way to save a business from a disaster such as ransomware attacks, is a highly risky operation and often disregarded or unsupported until needed in a disaster.

Ransomware Attack 2021

Ransomware gangs have grown to understand this and thus target an organization's backup and recovery mechanism when launching a Ransomware attack. The model looks like this:

1. Breach an organization through one form or another
2. Identify backup and recovery information from company-wide accessible BCDR documentation or passive network reconnaissance
3. Target the backup and recovery solution for compromise before targeting other systems
4. Once compromised, work to validate the overall image expiration date of backups per the backup policies
5. Once an effective window is established, be it 30, 60, or 90 days represented as ‘r’ for retention window, launch the attack by infecting hosts with either the credentials acquired from the compromised backup mechanism, or perform an alternate client restore targeting all systems with a delayed payload  shortly outpacing the average image expiration date, such as r + 10 days
6. Back away from the attack and set a timer for revisiting the target after the attack
7. Consider selling the attack to another ransomware gang for a short profit without the overhead of dealing with the victim (a common practice in the dark web)
8. The attack owner contacts the victim after a few days of the attack, informing the victim that their backups won't save them, telling them you’ll contact them in five days to validate the claim
9. Contact the victim five days later, demanding payment.

In most cases, backup administrators are often disregarded when it comes to updating and maintaining quality backup systems or securing them in a way that prevents unauthorized access. Additionally, backup and recovery systems require access to all networks that require recovery, meaning that information flow enforcement policies no longer apply. This makes for an attractive target for gangs, grief/ breach gangs, and penetration testers. Backup systems are one of my favorite attack vectors while conducting penetration tests. Why target Fort Knox when the backup system gives me the same data?

The fact is that like active directory-driven networks, backup systems, which have access to everything sensitive to the organization, are only as strong as your weakest domain connected system or weakest domain password when connected or least secure backup server.

While availability is important in the event of a disaster, access controls of backup systems should be nearly as strong as the systems they protect. In our experience, most backup solutions are easily accessible, and vulnerable through blended attacks.  

It doesn’t matter how many strong controls you have within your organization protecting your critical systems. If your backup systems are vulnerable through direct or blended attacks, everything is accessible, and this is becoming one of the favorite tools for future ransomware examples.

Pen Testing Your Data Backup and Recovery

Suppose you’re not conducting comprehensive internal or external penetration testing, including your backup and disaster recovery services. In that case, you have gaps in ransomware protection and more than likely, one breach away from complete disaster.

Why Truvantis? 

Truvantis understands these facts through the testing we’ve conducted and the trends we’ve seen on the dark web. If you would like insights into weaknesses that these gangs can leverage against you before an attack, reach out to a Truvantis security expert to talk about the benefits of Attack Surface Analysis, Comprehensive Penetration Testing and Red Team exercises Truvantis offers that sets us apart from our peers.