tobiascapin
Novice
Posts: 5
Liked: never
Joined: Sep 16, 2020 3:58 pm
Full Name: Tobia Scapin

Protect backups against unwanted deletion

Post by tobiascapin »

Dears, I want to report a bad experience I had about a similar topic.

A few days ago my system had an attack and the attacker had access to the Veeam backup console. He removed all backup repositories: 2 local NAS and one remote repository.

Then, instantly, he could delete all backups from everywhere. Please consider that he didn't have access to the backup filesystem, because they were stored on a network share with dedicated access. But of course the Veeam console had it.

So my question is: do you think it is possible to prevent it?
Is it possible to protect repositories from deletion?
I know the authentication is the first answer, but the fact is that the Veeam console was accessible to a domain user and somehow the attacker could impersonate this dedicated domain user to run the console.

I'm wondering if the second local backup should preferably be done by external systems other than Veeam backup copy, not accessible by Veeam.

Thank you for any suggestions.

#Mod: Topic split from here
Mildur
Product Manager
Posts: 8755
Liked: 2304 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Deleted Backups Protection - Urgent Questions!

Post by Mildur »

Hello Tobias

I'm sorry to hear that you were attacked. Hopefully you had an offline copy of your backups.

To protect yourself against such attacks, please use one of our immutable or airgapped backup storage options.
If implemented correctly, an attacker will not be able to delete your backups:

Immutable backup storage: https://helpcenter.veeam.com/docs/backu ... ml?ver=120

Airgapped backup media:
- offline tapes
- disconnected rotated disks

A third option:
- Veeam Cloud Connect provider with enabled insider protection

"I know the authentication is the first answer, but the fact is that the Veeam console was accessible to a domain user and somehow the attacker could impersonate this dedicated domain user to run the console."

Make sure that the backup server is not joined to your production domain. Install the backup console on a management server which can only be accessed by selected users. Additionally, enable MFA for every user who will use the backup console to connect to the backup server: https://helpcenter.veeam.com/docs/backu ... ml?ver=120


Best,
Fabian
Product Management Analyst @ Veeam Software
ober72
Veeam Vanguard
Posts: 700
Liked: 136 times
Joined: Jan 24, 2014 4:10 pm
Full Name: Geoff Burke

Re: Protect backups against unwanted deletion

Post by ober72 »

Hi tobiascapin,

Very sorry to hear this. Mildur's response above is spot on. I think going forward Veeam is encouraging people to follow Zero Trust in relation to data protection. One of the principles of zero trust is "assume breach". So when you are building your environment you assume it is breached, which means that you need to segment components and reduce the attack surface as much as possible. This was a bit of a learning curve for me when I first encountered it, but Veeam have a white paper that explains this very clearly: https://www.veeam.com/wp-zero-trust-dat ... brief.html

cheers
Geoff Burke
VMCA2022, VMCE2023, CKA, CKAD
Veeam Vanguard, Veeam Legend
tobiascapin
Novice
Posts: 5
Liked: never
Joined: Sep 16, 2020 3:58 pm
Full Name: Tobia Scapin

Re: Protect backups against unwanted deletion

Post by tobiascapin »

Thank you everybody for your tips, I started to study the document and now I can really understand the approach.
Many thanks for your support.