Enhancing Security against Ransomware with "Notification on Key Managment"?

[Igor Lukic]

Hello,

there is following information in this documentation:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

"You can configure Enterprise Manager to send notifications about the following key management operations: key expiration, key deletion, key modification."

Because of Ransomware, there would be a possiblity that even a backup to tape is vulnerable:
If someone gets access to B&R he could change the encryption password for the tapes.
Without this password we wouldn't have any chance to restore the data from tape if the hacker waits for a few days.

My Question is:
Would there be any help if I configure "Notifications on Key Management" in Veeam Enterprise Manager?
How could we secure Enterprise Manager?

If not, I would like to make a feature request:
A functionality, which only allows configuration changes to the mailserver settings and the encryption settings if a mail was successfully delivered to the mail server.

I know, there is no ultimate security. But the goal should be to make it as hard as possible for the hackers.

Thank you.

Igor

[HannesK]

Hello,

Without this password we wouldn't have any chance to restore the data from tape if the hacker waits for a few days.

that's not true as long as you still own the Enterprise Manager server. Well, an attacker could block the Enterprise Manager connection for example with the Windows firewall. But you should notice that if you don't get proper email reports anymore.

It depends what you define as "help" The notifications you are talking about is about the "encryption password loss protection" keys. I'm not sure how much that email helps / not help. I mean, you can automatically change that key every X weeks and get a notification then. That's the main idea of the notification.

How could we secure Enterprise Manager?

like any other Windows system with IIS (internet information server). There should be hardening guides on "the internet".

if a mail was successfully delivered to the mail server.

as an attacker, I could just send emails to a different mailserver, different mailbox... and it would be fine then?


Best regards,
Hannes

[Igor Lukic]

Hello Hannes,

I think the problem are the SMB customers.
Most of them will host the Enterprise Manager on the same machine or at least a VM on a Host in the same domain.
If the domain is hijacked this would at least give them a chance that the backups are ok.
So this is the reason why I ask for some kind of second layer security.
If B&R would send a mail, that an encryption password changed, the admin or the external IT pro would be informed that something is happing.
This is also the reason why the SMTP configuration should be monitored in B&R.

With "Help" I mean would the Enterpise Console at least inform someone, that an encrption password in B&R was manualy changed?
Or does B&R change the password with Enterprise console from time to time without user interaction?

Maybe some information via Veeam One about an encryption change would be even better?

Thank you
Igor

[HannesK]

Hello,

If the domain is hijacked

Then they are lost. Trying anything to improve with new features if an attacker is admin on a backup server would be snake oil.

I would go for a Hardened Repository on a Linux machine instead. Of course, you can also remove the backup server from the domain and harden it separately.

https://helpcenter.veeam.com/docs/backu ... ml?ver=110
post402811.html#p402811

Best regards,
Hannes

[Igor Lukic]

Hello Hannes,

I also thought first on a hardenend repository but, if somebody changes the encryption key, waits a few days and then starts his ransomware...
This repository would be useless. Or do I miss something?

Igor

[Gostev]

Good news is you can still restore from older restore points. This is actually happening right now at every Veeam customer affected by Hafnium

Otherwise, in general if you lost your environment to a hacker, then you already lost. If their plan is to remain sleeping for extended time, then of course they will be doing changes in the way to ensure you don't get notified about them. For example, simply blocking the SMTP port is way too trivial for someone who was able to penetrate an environment and get admin access though some zero-day vulnerabiity.

[Igor Lukic]

Hello Gostev,

I understand your position with the older restore points.
But how long will the hacker stay silent?
You think you have a miniumum safety (B2D and an external Tape Backup) but this encryption key is a potential weakness and should be better secured in my opinon.

I have even a better idea for local systems:
The encryption key has to be stored in a second device like a Yubikey or something like that. (As a backup)
No Yubikey, no change of the encryption password.

Igor

[Gostev]

Well again, none of these things help once you lost the server to a hacker with admin privileges... as whatever function performs the check of the device, it can be hooked and simply bypassed (effectively made to always return "success" of the check).

Although it would be much easier for a hacker to just write the new key directly into the configuration database, bypassing the product with all of its checks entirely.

[Igor Lukic]

OK.
My hope was to make it as hard as possible for the attacker.
Thank you.

[Gostev]

The most important thing to realize is that at a certain moment, it becomes impossible to make it hard for the attacker. Knife and butter situation at its best.

The best analogy would be the following:

Imagine you first let a person carrying a flaming torch and a portable gas tank into the bank, through the security in the employees-only area, and through the vault door. He's now standing on top of a pile of paper bills, and we're discussing "how can we make it as hard as possible for him to burn them". But it's a complete waste of time at this point, as obviously you're already too late: the fire will consume any smarts you put in place, no matter how cool they look from the technology perspective.

Instead, the person should have been stopped much, much earlier. Accordingly, you should focus first and foremost on things like tightly controlling access to the environment from the Internet: put all Internet-facing services into a DMZ, make a single point of remote entry into your production networks a jump box with MFA-protected Remove Desktop, keep the backup infrastructure network physically isolated from the "end user" network where malware can come from etc. (you should talk to the real security people, because I'm not).

Then make a blueprint for your SMB customers and implement it everywhere to make consistent and super easy to maintain. If anything, this will give you a unique "selling" point of your managed services. Cyber-security is one thing that sells like hot pies these days, even better than backup