VBR Disaster Recovery from WORM Tapes after Cyber Attack ...

[ThierryF]

Hello friends,

We are looking at moving from LTO7 Classic mediums to LTO7WORM mediums, as
backup media protection against cyber attack, copying 2.5TB Tape backups a day VBR backups
to Azure/AWS Immuable storage being impossible.

Assuming a scenario with all of my backups to be Tape-Copy'ed on WORM Tapes
(actually avg 10 LTO7WORM Tapes a day, Avg 2.5TB Data daily, synthetic fulls being spread on all days of the week),
my VBR Repositories to be destroyed by Cyber attack, including Veeam Database ...
In other words, VBR env dead ...

Due to WORM Tapes, hacker cannot overwrite my backup medias as read-only once
mediaset is closed and/or tape full.

Assuming also that I have a SQL-based daily full backup of my VeeamDB, stored in a folder on my
Veeam Server (VBR and SQL roles on same physical server) that is protected by a VBR job, with a
daily synthetic full cycle and also being tape-copied to WORM Tapes ...

Assume also that I have a daily hardcopy of all of my backups stored on tape, out of hacker attack ...

What would be the procedure to recover my VBR Env and start VBR Guests (VM/physical servers) Recoveries ?
Reinstalling Servers (OS, SQL, Veeam) on Veeam Server/Proxy and Veeam Repositories,
then Restore SQL DB and let's go ?

But to start restoring SQLDB, tape should be known by new VBR Environment.
Should I just process like loading tapes written on another veeam server, to let new environment
aware of latest WORM tape (the one containing latest SQLBackup), then restore my SQL DB backup files,
then stop and proceed with SQL DB recovery before restarting VBR Env?
Any other missing steps ?

In such a setup (all VBR Backups and SQL DB Backups put to WORM Tapes),
what about need to backup VeeamConfigBackup repository ?
Faster DRP Recovery with VCB backups also on WORM Tapes ?

Any advises are welcome ...

Thierry

[HannesK]

Hello,

Assuming also that I have a SQL-based daily full backup of my VeeamDB

that makes everything complicated when it comes to passwords, because passwords are encrypted with the machine key of the backup server. If the backup server is lost, then you somehow have to manage restoring potentially hundreds or thousands of passwords.

I would go with configuration backup. Copy that somewhere on disk media / object storage / even USB disk might work, with whatever 3rd-party copy tool instead of doing a full restore from tape. It just simplifies everything and saves hours during restore.

Best regards,
Hannes

[ThierryF]

Good advise. VCB Backups being small in size regarding other backups,
it make sense to copy them to Azure/AWS Immuable Storage space for easier restart !

Good idea !
Have a great day !
Thierry

[IanBolton]

Hello
Sorry for resurrecting an old thread, but we have our config backup set to copy to tape, and also to both off-site linux repos with immutability set via a file-copy job. In the event of Bad Things Happening we know that we can get the config backup off tape, but also, if the entire tape setup is nuked, then from the linux repos via a USB key. Even if you dont use a linux repo in the usual setup, you could set one up on a small server with not much storage JUST for your config backup.

[Mildur]

Hi Ian

Thanks for sharing.
Files copied by File Copy Jobs will not be immutable on linux hardened repos. They can be deleted by an attacker.

Thanks
Fabian

[IanBolton]

Oh

Every day is a school day.

[IanBolton]

There's no way around this is there?

My config backup scheduled job writes to a repo - I can't do a backup copy job from that repo to linux repo. because it only deals in actual backup files?

I guess WORM tape is my only hope here...

[Mildur]

You can use an older configuration backup from a week earlier on an air gapped tape to restore the VBR configuration.

Or copy the configuration backup to a managed server which you already have protected by a backup job. Then the config backups gets immutable with this servers backup. It's more a workaround and not really required. The tape solution is the easiest way, if you rotate them.
V12 might bring some additional protection possibilities when it's released.

[IanBolton]

Would a WORM tape for the file to tape not also do the job? Then we could have it constantly appending.

Alternatively yeah we could have 2 tapes in the pool used by the file to tape job which we rotate weekly.

I suppose part of me prefers the WORM tape idea because we would have the latest config backup in case of Bas Things Happening

[Mildur]

WORM Tape will help, as long nothing happens to that tape on a physical level.