bdufour
Expert
Full Name: blake dufour

Pen Test and Off Domain Backup Infrastructure

Post by bdufour » 6 people like this post

Good Veeam folks,

We decided to go the off domain route at my company, and it's proven to be the right choice. We are required by regulation to go through a third party audit before the fed comes in. The audit typically involves pen testing, social engineering, insider threat, security posture, etc. We have been with this audit firm for a few years; they are well known in our industry and recommended by the fed. They haven't been able to compromise anything in the past few years outside of being able to just enumerate AD (which was resolved; I can comment on how that was resolved because it's not generally known and it's not only GPO settings). But this year, they were able to exploit a vulnerability their firm discovered 6 months ago in a VERY common application within our industry. They're actually preparing to disclose this to the vendor because they have been able to exploit it at several companies this year. This vulnerability allowed them to gain local admin rights to the server the application is installed on, and at that point they were able to wreak havoc on our network. Granted, we do play along with these guys by allowing them onto our network, which is protected via wired/wireless NAC (ClearPass), and also by ignoring all of the alerts that are generated when they start trying to exploit different systems.

They were eventually able to gain domain admin access, BUT they were not able to compromise our backup infrastructure! Which was a huge deal to me and obviously to our company from a ransomware perspective (a very common threat of course), and this will be reflected in the documentation they will provide to us.

Key lessons learned:

-Off domain backup infrastructure is the way to go!

-With domain admin access, they could have installed a keylogger on a machine that would be used to log into the Veeam server (you can delete backups directly from the console, obviously), and MFA on the Veeam console would prevent this in theory (likely not going to happen in a ransomware attack, although it's something to think about).

-Off domain backup infrastructure WITH MFA on the Veeam console would really be the best security posture from my experience.

Thanks!
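A quick way to verify the posture Blake describes on an actual backup server. The script below is an added example, not something from the original post or from Veeam; it assumes a Windows backup server with PowerShell 5.1 or later and the built-in Microsoft.PowerShell.LocalAccounts module. It reports whether the host is domain-joined, whether any domain principals sit in the local Administrators group (the path a domain admin would use to reach the backup server), and whether any Veeam service runs under a domain account. Run it on the backup server, repositories and proxies; a clean result is "PartOfDomain: False" and no findings.

```powershell
# Added posture check for an off-domain backup server (example, not Veeam code).
# Assumes PowerShell 5.1+ and local Administrator rights to enumerate services.

function Test-OffDomainPosture {
    [CmdletBinding()]
    param(
        # Service name prefix to inspect; Veeam Backup & Replication services start with "Veeam".
        [string] $ServicePrefix = 'Veeam*'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Domain membership: the whole point of "off domain" is that this is False.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $findings.Add("Host is joined to domain '$($cs.Domain)'; a compromised DA can reach it.")
    }

    # 2. Local Administrators: any member sourced from Active Directory lets a domain admin in,
    #    which is exactly the pivot the pen testers would use after getting DA.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $admins) {
        if ($m.PrincipalSource -eq 'ActiveDirectory') {
            $findings.Add("Domain principal '$($m.Name)' ($($m.ObjectClass)) is a local Administrator.")
        }
    }

    # 3. Service accounts: a Veeam service running as DOMAIN\svc means the backup server
    #    trusts the domain even if the machine itself is standalone.
    $localNames = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
    $services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$($ServicePrefix -replace '\*','%')'"
    foreach ($svc in $services) {
        $acct = $svc.StartName
        if (-not $acct) { continue }
        $isLocal = ($localNames -contains $acct) -or
                   ($acct -like ".\*") -or
                   ($acct -like "$($env:COMPUTERNAME)\*")
        if (-not $isLocal) {
            $findings.Add("Service '$($svc.Name)' runs as '$acct', which is not a local account.")
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        PartOfDomain = [bool]$cs.PartOfDomain
        Findings     = $findings.ToArray()
        Hardened     = ($findings.Count -eq 0)
    }
}

# Usage: run elevated on the backup server, repository or proxy.
$result = Test-OffDomainPosture
$result | Format-List
if (-not $result.Hardened) { $result.Findings | ForEach-Object { Write-Warning $_ } }
```

Note that this only checks the Windows side of the trust boundary; a backup server that is standalone but connects to vCenter or a repository with a domain account is still exposed through those credentials, so review the credentials stored in the console with the same standard.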
Gostev
Chief Product Officer

Re: Pen Test and Off Domain Backup Infrastructure

Post by Gostev » 2 people like this post

Hi, Blake.

This is incredibly useful information, thanks a lot for taking time to share this with the community.

One other, non-security benefit of having an off domain backup infrastructure is that there is no impact on the ability to recover even if your Active Directory and/or DNS services are affected by the disaster, which obviously makes you unable to log in anywhere using your domain accounts. This includes logging in to the Veeam console, connecting to backup repositories, connecting to vCenter, which is required to perform the actual VM restore, and so on.

Thanks!
nitramd
Veteran

Re: Pen Test and Off Domain Backup Infrastructure

Post by nitramd » 1 person likes this post

Blake and Anton,

Thank you for posting this information - the tips are very helpful.

Reading through Blake's post reminded me of what Anton always proselytizes (so to speak): ensure that you always apply the latest software updates.

Thanks again.
Mark
Service Provider
Full Name: Mark Cummings

Re: Pen Test and Off Domain Backup Infrastructure

Post by Mark »

It's interesting that you're vouching for "off domain" (which is the same approach we use), when this conflicts with Veeam Orchestrator requiring domain membership for the backup servers.
Can we get some clarification around this?
Alec King
VP, Product Management

Re: Pen Test and Off Domain Backup Infrastructure

Post by Alec King »

Veeam Orchestrator requires domain membership because of the security and management benefits a domain provides. Of course critical infrastructure, such as backup servers (and antivirus, patching, etc.), should be secured, but it can be secured in a separate/standalone resource domain from everyday users and apps, and use MFA, hardened security policies, etc.