Truth, Lies and BCDR: Local Immutability

The Business Continuity and Disaster Recovery (BCDR) landscape is incredibly dynamic. Advancements in technology transform how we deliver and consume data and organizations must adapt with agility to protect workloads spread across on-premises infrastructure, remote endpoints, cloud and SaaS applications. As vendors drive change in the space, how do you cut through the marketing noise and separate fact from fiction?

With a myriad of technologies, it’s challenging to find the right choice for your business. In our Truth, Lies and BCDR series, Unitrends breaks down a variety of BCDR-related technology topics to help you determine the best fit to meet your current and future needs.

This week we look at local immutability.

What is immutability?

Immutable data cannot be overwritten, deleted or otherwise modified. It is typically achieved by the use of a WORM (write once, read many) designation that cannot be accessed by external hosts, with writes to the internal system allowed only by trusted internal services or APIs.

Immutable backups help protect data by rendering it fixed and unchangeable, enabling an organization to maintain an optimum number of recovery points and preventing any source from tampering with existing data storage blocks.

Modern-day cyberthreats have managed to infiltrate backups in addition to wreaking havoc in production environments, leaving organizations with little chance of recovery. In widespread response to these advanced attacks, many vendors are positioning “immutable” backups as a last line of defense. This immutability should protect backup data from accidental or intentional deletion as well as cyberthreats such as ransomware.

What is local immutability?

Local immutability applies the concept of immutability for backups stored on-premises. Immutable backups are enabled on the repository level, either when creating the backup repository or modifying the settings of an existing repository.

Local immutability utilizes native filesystem features by flagging the immutable attribute within the backup chain for all applicable files. For example, in Linux, each file can have an i flag enabled in a file’s attributes. While this flag is active, files cannot be changed or removed. The flag is set by root, not by a designated user, to minimize risk should a threat actor gain privileged access to a user account in an attempt to add or remove flags. After the specified period of immutability has passed, the flag is removed and the file(s) can be deleted.

Risks of local immutability

True immutability goes beyond being a simple add-on for a backup vendor. The concept of immutability should be baked into the backup architecture to remove security vulnerabilities that can impact backup files. There are various ways for threat actors to gain access to backups stored on-premises to delete or encrypt them. Even with solutions that support storing backups in an immutable repository, the backup index is still often stored on-premises as well and can be at risk.

Common threat vectors include:

Insider threats: A staggering 63% of successful attacks come from internal threats such as malicious insiders, misconfigured controls, human error and fraud (such as Account Takeover attacks). Should a threat actor gain access to your backup system or infrastructure through compromised credentials, they can disable the GUI toggle for any immutability setting. From there, it becomes a waiting game as they hide until the immutability flags cycle out of stored backups, following which they are then able to encrypt or delete data.

Increasingly, modern ransomware variants have periods of dormancy and/or gestation for weeks or even months before executing their attack. Considering the average time to identify a data breach is 228 days, there’s ample opportunity for threat actors to study an infected environment in preparation for launching attacks with incredible efficacy.

Limited infrastructure components: Many software-based backup solutions require multiple hosts to perform different tasks associated with local backup and recovery. This may include, but is not limited to, an administrative server, backup proxies (commonly one proxy per every 10TBs protected), backup storage repositories, and management and reporting components.

Best practices dictate each of these roles are fulfilled by a dedicated server with its operating system, virtual infrastructure and database. However, in smaller environments that are limited by physical data center space, budgetary requirements or a combination thereof, and organizations may have no choice but to run multiple roles on a server. Running secondary roles on a backup repository creates additional risk. Whether it’s a kernel bug or a hacker’s ability to break out containers, the backup data is in danger.

Deduplication devices: Often, organizations will pair a software-based backup solution with a dedicated deduplication device to maximize storage efficiency for their backups. Deduplication appliances often default to using NFS or SMB shares that can potentially be accessed and attacked by a malicious actor. Sleeper ransomware lying dormant within backups can damage both backup copies should the appliance replicate backups to another target appliance.

Windows-based solutions: As the dominant OS in the marketplace, Windows-based backup servers are a common ransomware attack vector. Modern variants will often attack Windows infrastructure components, such as Volume Shadow Copy Services (VSS), as observed in attacks by Maze ransomware, Gandcrab, Trickbot and others.

Threat actors may use a combination of Windows Management Instruction (WMI) scripts, vssadmin.exe commands or PowerShell scripts to autonomously delete backups. Windows-based backup infrastructure is as vulnerable to a ransomware attack as the rest of the Windows-based data center. In other words, if the backup server sits in the same physical location as the infrastructure it’s protecting, the risk is even higher.

Physical access: With a majority of attacks originating from insider threats, nearly anything is possible with physical access. The insertion of a USB drive and live boot CD from a Linux distribution is all it takes to directly access immutable backups hosted in your local data center. From there, backups can be deleted or encrypted, or even physically stolen, to render a repository and it’s backup unrecoverable.

What does true immutability look like?

Relying on immutable backups stored locally within the physical data center is an expensive risk for many organizations.  These organizations leverage removable media, such as disk or tape, to create an “air gap” between the production environment, primary backup repository and the backup copies. However, management is cumbersome and the time to retrieve, rehydrate and restore data from cold media is at odds with the dwindling RTOs demanded today.

True immutability and ransomware protection with Unitrends.

The best way to truly protect backups from ransomware is to replicate them off-site to a secure, immutable cloud storage location. At Unitrends, our data protection solution begins with a Linux appliance deployed locally. Hardening of the Linux OS kernel helps camouflage backups from Windows-targeting malware. Predictive analytics flag anomalies within the backup data and Recovery Assurance testing validates backups for integrity and recoverability, down to the application and services level. Unitrends can then replicate backups to a variety of cloud destinations, including Forever Cloud.

Unitrends Forever Cloud is a proprietary cloud service that provides users with a solution for cost-effective long-term data retention and the utilization of Disaster-Recovery-as-a-Service (DRaaS). Data written to Unitrends cloud is stored in an immutable format. That means once data written to the cloud target, those objects cannot be modified, changed or otherwise deleted until the end of their specified retention period. A local Unitrends appliance can read backup copies on the target and download granular items or entire backup groups back to the local instance in an on-demand, self-service fashion.

However, no external source, not even the source appliance, can modify, change or delete backups as they are stored on immutable blocks. Unitrends encrypts all data in transit and at rest with AES 256-bit encryption and meets major industry regulations for compliance and security including SOC 2, HIPAA, GDPR and more.

Defense against ransomware requires a multifaceted, continuous effort combining end-user training and awareness, security controls and configurations, and a well-tested BCDR strategy. As part of your BCDR solution, Unitrends provides protection against and recovery from these advanced threats.

Interested in learning more about how Unitrends solutions and immutable cloud storage can help shore up your organization’s defenses? Get in touch today!


Discover how Unitrends can help protect your organization's sensitive data