
2022-03-02 Veeam Disaster Recovery Orchestrator

The document outlines the 6 stages of an advanced ransomware attack: 1) Observation of the victim's systems to gather information 2) Gaining access to the victim's network, often by tricking a user 3) Setting up redundant infrastructure to launch the attack 4) Preparing for 30 days by exploring the network and targeting valuable data 5) Destroying all backup copies to prevent recovery without paying ransom 6) Encrypting data, wiping backups, and demanding ransom from the victim

Uploaded by Chun Kit WONG

Secure Backup is your last line of Defence
Chris Wong
Systems Engineer, Hong Kong and Macau

Why is ransomware effective?
People, processes, technology
• Untested backup and slow restore times
• Lack of network segmentation
• Misconfiguration
• Poor password policies
• Missing patches
• Alert fatigue
• Inconsistent policy between data center and cloud
© 2021 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners.
6 Stages of an Advanced Ransomware Attack

Stage 1: Observation
Information is gathered on the victim's people, processes and technology in play.

Stage 2: Sneak in
Gain access to the victim: let's click a link!

Stage 3: Setting up Shop
Creating a base of operations, and let's make it redundant and highly available.

Stage 4: Preparation (30 days)
Snooping around without being detected and compromising higher-value targets.

Stage 5: Cripple Recoverability
Destroy all the backup copies.

Stage 6: Ransom Declared!
Encrypt victim's data, wipe archives/backup/data, issue ransom demands!

Ransom Declared

© 2020 Veeam Software. Confidential information. All rights reserved. All trademarks are the property of their respective owners.
Ransomware:
Secure Backup is your last line of Defense

Three-part approach:
1. Protect with immutable backups
2. Detect, monitor and alert for visibility
3. Testing and verification for rapid, reliable recovery

Best practices for ransomware protection

• Three different copies of data
• Two different media
• One offsite copy
• Of which is: offline, air-gapped or immutable
• No errors after automated backup testing & recoverability verification

Trusted immutability

Scale-out Backup Repository
• Performance Tier: DAS, NAS, Dedupe appliance, Hardened repository
• Capacity Tier: S3 Compatible, Amazon S3, IBM Object Storage, Microsoft Azure Blob Storage, Google Cloud Platform
• Archive Tier: Amazon S3 Glacier, Microsoft Azure Archive Blob Storage

Immutability from start to finish
• Policy-based
• Transparent
• Space-efficient
• Self-sufficient
• No extra costs

Install a Linux server

XFS integration (fast clone)

Create local user

Remove sudo rights and disable SSH

Architecture suggestion
Disable SSH and harden your out-of-band management

• Components: Backup server, Proxy, Repository
• TCP port 6162 incoming
• Via out-of-band management (iLO, DRAC, CIMC…)
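
One way to verify the hardening steps above on the repository host, as an added example that is not part of the original slides or of any Veeam tooling: it checks that the repository account is in no sudo-capable group, the XFS volume has reflink enabled, SSH is off, and nothing but TCP 6162 is listening. The account name `veeamrepo`, the group names tested and the finding labels are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Veeam code. Each check reads captured command output,
# so the logic can be exercised offline on the constructed sample at the end.

# stdin: `id -nG <repo-user>`; passes when the account is in no sudo-capable group.
no_sudo_group() { ! tr ' ' '\n' | grep -Eqx 'sudo|wheel|admin'; }

# stdin: `xfs_info <repo-mount>`; passes when reflink (fast clone) is enabled.
xfs_fast_clone_ready() { grep -q 'reflink=1'; }

# args: output of `systemctl is-enabled ssh` and `systemctl is-active ssh`.
ssh_is_off() {
  case "$1" in disabled|masked) [ "$2" = "inactive" ] ;; *) return 1 ;; esac
}

# stdin: `ss -ltn`; $1: allowed ports (space-separated). Prints non-loopback
# listening ports that are outside the allow-list, comma-separated.
unexpected_listeners() {
  awk -v allowed=" ${1:-6162} " '
    $1 == "LISTEN" {
      n = split($4, part, ":"); port = part[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next
      if (index(allowed, " " port " ") == 0 && !(port in seen)) {
        seen[port] = 1; out = (out == "" ? "" : out ",") port
      }
    }
    END { print out }'
}

# args: groups, xfs_info, is-enabled, is-active, ss output.
# Prints the findings; returns 0 only when there are none.
audit_repo() {
  findings=""
  printf '%s\n' "$1" | no_sudo_group        || findings="${findings}sudo-capable-group "
  printf '%s\n' "$2" | xfs_fast_clone_ready || findings="${findings}no-reflink "
  ssh_is_off "$3" "$4"                      || findings="${findings}ssh-enabled "
  extra=$(printf '%s\n' "$5" | unexpected_listeners 6162)
  [ -z "$extra" ] || findings="${findings}unexpected-ports:$extra "
  printf '%s\n' "${findings% }"
  [ -z "$findings" ]
}

# Constructed sample: SSH still listening, repo account (assumed name) in sudo.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6162 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'
echo "findings: $(audit_repo 'veeamrepo sudo' 'reflink=0' enabled active "$SAMPLE_SS")"
```

On a live host, pass real output instead, for example `audit_repo "$(id -nG veeamrepo)" "$(xfs_info /mnt/backup)" "$(systemctl is-enabled ssh)" "$(systemctl is-active ssh)" "$(ss -ltn)"`. The mount point `/mnt/backup` is assumed, and the SSH unit is named `sshd` on RHEL-family systems.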

Polling Question 1
Demo
Linux Harden Repo in Veeam

Detect signs of ransomware
Look for the signs and be alerted automatically
Alarms out of the box
• Possible ransomware activity alarm
• Suspicious incremental backup size alarm

Use other monitoring features to:


• Monitor network performance
• Build alarms based on specific performance measures
• Find unprotected virtual machines (VMs)
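
The idea behind a "suspicious incremental backup size" alarm, as an added example that is not Veeam ONE's implementation: an incremental is flagged when it is several times larger than that job's own earlier incrementals, which is what mass encryption of source data tends to produce. The CSV layout, the job names and the two thresholds (factor 3, at least 5 prior incrementals) are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Veeam ONE code: flag an incremental backup whose size
# jumps well above the average of that job's earlier incrementals.

# stdin: CSV rows, oldest first: job,date,type,size_gb
# $1: size factor that triggers a finding (assumed default 3)
# $2: incrementals required before a job is judged (assumed default 5)
suspicious_increments() {
  awk -F, -v factor="${1:-3}" -v min_hist="${2:-5}" '
    $3 != "incremental" { next }          # full backups are expected to be large
    {
      job = $1
      if (n[job] + 0 >= min_hist + 0) {
        avg = sum[job] / n[job]
        if ($4 + 0 > factor * avg) {
          printf "%s %s %.1fx\n", job, $2, $4 / avg
          next                            # keep the outlier out of the baseline
        }
      }
      n[job]++; sum[job] += $4
    }'
}

# Constructed sample history, sizes in GB. "newvm" has too little history
# to be judged with the default thresholds, so its jump is not reported.
SAMPLE_HISTORY='fileserver,2022-02-20,full,800
fileserver,2022-02-21,incremental,12
fileserver,2022-02-22,incremental,14
fileserver,2022-02-23,incremental,11
fileserver,2022-02-24,incremental,13
fileserver,2022-02-25,incremental,15
fileserver,2022-02-27,incremental,96
fileserver,2022-02-28,incremental,14
newvm,2022-02-26,incremental,5
newvm,2022-02-27,incremental,60'

printf '%s\n' "$SAMPLE_HISTORY" | suspicious_increments
```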

Detect issues with backup verification

To recover from ransomware, your assets must be PROTECTED
• Ensure all assets are protected with automated reporting
• Ensure protection jobs are running and completed
• Receive alerts and act automatically when issues are detected

Design for recovery
How long will it take to transfer 10 TB of data over a 10 Gbps link?

10 TB = 10 * 1,024 (GB) * 1,024 (MB) = 10,485,760 MB
10,485,760 MB / 900 MB/s = 11,651 seconds
11,651 seconds / 60 seconds = 195 minutes
195 minutes / 60 minutes = 3 hours 15 minutes

Recover: Instant Recovery by Veeam

VMs, physical servers, cloud instances and file shares
VBR Repository: compressed / deduplicated backup files, compressed NAS backup files

1. Instant multi-VM recovery
2. Instant disk recovery
3. Instant DB recovery
4. Instant NAS recovery

Polling Question 2
Ransomware is a disaster

Veeam Disaster Recovery Orchestrator v5
Non-stop operations and business acceleration for today’s modern enterprise with reliable and easy-to-use business continuity/disaster recovery (BCDR) orchestration, automated testing and assured compliance.

Key capabilities for Veeam CDP replicas, Veeam replicas, Veeam backups and Storage Snapshots

Reliable recovery
• Reliable, scalable orchestration
• Application-centric
• Proactive remediation

Automated testing
• Non-disruptive
• Scheduled and on-demand
• Readiness checks

Dynamic documentation
• Audit trails
• Compliance reporting
• Built-in change tracking

Demo
Automate Backup Verification
Automate VM restore during Ransomware Attack
Veeam ransomware solution
• Veeam Backup & Replication™
• Veeam ONE™
• Veeam Disaster Recovery Orchestrator
• Kasten K10 by Veeam

Questions ?
Thank you
