Bacula Enterprise

Disaster Recovery and Ransomware Protection with Bacula Enterprise

Increased ransomware attacks

The surge in ransomware attacks has become an alarming trend in the realm of cybersecurity. Among the litany of cyber incidents that have made headlines in recent years, the WannaCry ransomware attack in May 2017 stands out as a watershed moment that jolted the world’s attention to this menacing threat. This devastating attack transcended national borders, infiltrating the defenses of over 200,000 computers across 150 countries. It served as a stark reminder of ransomware’s capacity for global disruption.

Regrettably, the aftermath of WannaCry was not a decline in ransomware activity but a troubling surge. The statistics are telling: ransomware attacks increased by a staggering 150% from 2019 to 2020, according to data from leading cybersecurity firms. This surge is not a transient phenomenon but rather an ominous trajectory, with ransomware becoming more sophisticated and persistent. Reports predict that ransomware will continue to evolve, making organizations vulnerable to new attack vectors.

To safeguard against this mounting threat, organizations must adopt a multifaceted approach with data backup and recovery at its core. The statistics bear this out: a study by the Cybersecurity and Infrastructure Security Agency (CISA) found that organizations with robust data backup strategies were not only less likely to pay ransoms but also more likely to recover data successfully without succumbing to extortion.

Achieving comprehensive protection requires proactive planning. Consider this: a survey by cybersecurity firm Sophos revealed that a staggering 94% of organizations hit by ransomware also suffered data breaches. Thus, it is not just about preventing ransomware attacks but also fortifying your defenses against data breaches, which often accompany such incidents.

Within this context, the importance of a meticulously designed data backup solution cannot be overstated. Such a solution should not merely encompass regular backups but prioritize the security and off-site storage of critical data. Bacula Enterprise emerges as a preeminent choice, trusted by renowned security organizations as their primary backup system and an integral part of their business continuity strategy. For medium to large enterprises, Bacula is no longer a discretionary investment but a survival imperative.

Disaster recovery for business continuity

Disaster recovery is a broad and deep topic. This article outlines disaster recovery (DR) fundamentals and also offers a direct link to Bacula Systems’ comprehensive DR guide and planning template, which covers an entire organization. That document is strongly recommended to organizations that are reviewing their DR strategy. Protection from ransomware and other cyber-attacks needs to be considered holistically and at a global level; it involves many factors, including company personnel, organizational strategies and policies. Moving forward in a changing world, the following factors need special consideration.

Growth planning and contingency

As data grows within organizations, their backup and restore systems need to back up data within time windows and meet RTOs and RPOs. The backup infrastructure needs to be planned for these growth and performance objectives, including the budgetary aspect of the infrastructure and financial planning/forecasting for its ongoing development. Bacula uniquely answers this need by providing a modern, modular architecture that offers the flexibility to scale up in a way that fits an individual organization, while using a business model that does not charge by data volume.

Utilizing public cloud

Public cloud infrastructure as a service (IaaS) may be an additional option or even a replacement for off-site tape storage. Public and hybrid clouds are increasingly being incorporated into disaster recovery strategies where suitable for purpose. Bacula Enterprise facilitates this industry shift by being able to back up and recover data easily across an especially wide range of tape and cloud interfaces. It also uses a unique cloud caching architecture to provide advanced cloud backup interface management options and much more rapid recovery of cloud backups.

Best-practice safeguarding of the backup repositories

Organizations must implement backup architectures that follow industry best practices and provide multiple layers of defense against data loss from any source, including intentional attacks against data availability. Bacula’s FIPS-compliant solution ensures data privacy and security, and its architecture allows for flexible data storage options, including offline data stores, to provide recovery-in-depth for the enterprise. This, coupled with built-in threat detection and advanced support services that help guide implementation, helps enterprises ensure that they can recover from any situation.

Ensure that data is correctly safeguarded, independent of its location or use

As enterprises evolve, new and additional locations are being used to situate data. This is especially true regarding various cloud destinations and SaaS providers, with the added factor of many organizations planning and deploying new edge architectures. Data and applications in these increasingly popular locations need similar protection. Organizations need to develop their backup and recovery strategy to embrace these changes, and be prepared for a future IT environment that is more agile, diverse and changeable. Bacula Enterprise provides a ‘single pane of glass’ view over an entire IT environment, spanning edge, off-site, on-site, cloud, clients behind NAT, co-location hosted and other data environments.

Adjusting for new technologies

New technologies, such as deployed container environments or the use of different hypervisors (Proxmox, for example), require a backup and recovery strategy that takes these new environments into account. Bacula Enterprise is one of the few vendors that can back up and recover applications and persistent data from Kubernetes clusters and Docker containers, and that natively integrates with many emerging hypervisors.

The Role of the Cloud in Business Continuity

One strategy adopted to help protect against cyber threats is to back up certain data to a public or private cloud. However, certain safety challenges arise again when backup data is stored in the cloud. If a company’s data is hosted by a cloud provider, and it becomes the sole source of data that needs to be recovered, then what guarantees does that hosting service offer you? Is there a liability issue? Is there a time limit for the provider to inform you if your data has been compromised? Do the SLAs work for you? Are you subject to, or applying, penalties as per your contract? The US has already seen initial class actions against cloud providers who have been hit by malware. End users are bringing claims over the inability to access their data, with the resulting loss of business, combined with a failure to protect their data.

For these reasons, as well as for ongoing cost protection of the enterprise, Bacula Enterprise has a unique cloud backup architecture and built-in tools that give its users state-of-the-art control, protection and choice for maximizing the security and minimizing the risk of cloud-based backup. It provides granular control over data that needs to be restored from the cloud, significantly reducing operational exposure to cloud costs and boosting business agility. With Bacula, backing up data to and from cloud providers and keeping local caches of important data ensures that data can be recovered in the event of the loss of any site.

Content separation is necessary. Right now.

Content segregation is critical for dealing with the risks presenting themselves to today’s enterprise. Many organizations are fearful of, or prohibited from, placing data in certain physical servers or cloud storage due to restrictions on data access or compliance with government or industry regulations. These are often referred to as data residency or data sovereignty regulations. For example, in the US, ITAR/EAR regulated data cannot be stored, backed up or transferred through a server physically located outside of the US. Similarly, European data protection laws prohibit personal data from moving outside of the European Union (EU) or even specific country borders. These regulations are different from the well-known and well understood access control rules. The problem these data owners and security architects are facing is not around access controls, but around physical storage of data when created, caching of data when accessed, and storage of data in transit. Bacula Enterprise has specific and distinct pools linked to particular storage devices, which allow its backup data to be segregated on both on-premises and off-site storage systems. Bacula’s unique modular approach means that each agent’s data can be stored in a separate silo that only it can access, on a separate data store, and even that access can be controlled so that the potential for data loss is minimized. Data can be further replicated to secondary storage to add layers of protection. Remember too that the value of tape for offline storage – and Bacula’s advanced tape backup and recovery abilities – should not be underestimated.

Ransomware: Defense Fundamentals

Let’s delve into the granular technical measures that can fortify your enterprise against the relentless ransomware onslaught:

Distinct Credentials for Backup Storage

It is essential to employ distinct and isolated credentials exclusively for backup storage. This stringent practice ensures the utmost confidentiality while significantly reducing the risk of unauthorized access. Furthermore, it creates a formidable defense against ransomware’s lateral movement. Root or administrator privileges should be eschewed in favor of service accounts with meticulously restricted permissions. Bacula epitomizes this principle by default, utilizing dedicated service accounts as part of its core design.

Elevating Offline Storage

Elevate offline storage to the forefront of your backup strategy. This offline bastion acts as an impervious shield against ransomware’s encroachment into your backup storage. Various offline and semi-offline storage options can be deployed, each offering its unique advantages.

Media type – what is important:

  • Cloud target backups – These use a different authorization process and are not directly connected to the backup solution.
  • Primary storage snapshots – It is better if they have a different authorization framework. They can be used for recovery.
  • Replicated VMs – They work best when controlled by a different authorization framework, such as using different domains for vSphere and Hyper-V hosts, and they should remain powered off when not in use.
  • Hard drives/SSDs – Keep them detached, unmounted, or offline unless they are actively being read from or written to.
  • Tape – Tapes, when unloaded from a tape library, offer the highest level of offline protection and are convenient for off-site storage. Tapes should also be encrypted for added security.
  • Appliances – Appliances, often seen as black boxes, must be properly secured against unauthorized access. Stricter network security measures than those employed with regular file servers are advisable, as appliances may have more unexpected vulnerabilities than conventional operating systems.

Harness the versatility of Backup Copy Jobs to enhance your ransomware resilience. This feature allows you to create multiple restore points on different storage repositories, each subject to distinct retention rules. In conjunction with the aforementioned security measures, Backup Copy Jobs become a linchpin in minimizing the impact of a ransomware assault.
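As an added illustration (not configuration from the original article or from Bacula Systems), the following bacula-dir.conf fragment shows how a Backup Copy Job can place a second restore point in a separate tape pool with its own retention; all resource names, storage names and retention periods are assumptions.

```conf
# Added example: copy on-site disk backups to an off-site tape pool with independent retention.
# All resource names, storage names and retention values below are assumptions for illustration.

Pool {
  Name = DiskPool                 # primary on-site disk pool written by the regular backup jobs
  Pool Type = Backup
  Storage = DiskStorage
  Volume Retention = 30 days      # short on-site retention
  Next Pool = TapeOffsite         # target pool used by Copy jobs that select from this pool
}

Pool {
  Name = TapeOffsite              # tape pool; volumes are unloaded and taken off-site
  Pool Type = Backup
  Storage = TapeLibrary
  Volume Retention = 1 year       # separate, longer retention for the offline copy
}

Job {
  Name = "CopyToOffsiteTape"
  Type = Copy                     # a Copy job reads existing backups; it does not contact clients
  Level = Full
  Client = bacula-fd              # required by the Job resource syntax; not used to select data
  FileSet = "Full Set"            # likewise required but not used for selection
  Messages = Standard
  Pool = DiskPool                 # source pool; its Next Pool above names the destination
  Selection Type = PoolUncopiedJobs   # copy every job in DiskPool that has not been copied yet
  Storage = DiskStorage           # storage holding the source volumes
  Schedule = "WeeklyCycle"
}
```

Because the tape pool has its own Volume Retention and its media are unloaded from the library, the copy is not affected by retention changes or tampering on the disk repository.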

Security Over File Systems

While diversifying file systems may offer an additional layer of protection, it is crucial to recognize that it alone does not guarantee immunity from ransomware attacks. Instead, emphasize robust security practices. Restrict access to backup storage with utmost rigor, adhering to Bacula’s exemplary approach of utilizing a single service account per known machine. Backup data storage locations should be exclusively accessible to the pertinent service accounts, with stringent restrictions preventing end-users from different systems from gaining access. Bacula’s design philosophy reinforces this by minimizing remote access to storage and advocating dedicated, well-protected file systems or shares.

Enhancing the 3-2-1-1 Rule

Embrace the timeless 3-2-1 rule of data backup, which advocates maintaining three distinct copies of your data on two different media, with one copy stored off-site. This principle provides remarkable resilience against various failure scenarios. In the ransomware era, consider extending this rule by introducing an extra “1” — ensuring one of the media copies remains securely offline. As mentioned earlier, a variety of options, including tape storage and cloud targets, can facilitate this extension.

Prudent Use of Storage Snapshots

While storage snapshots serve a valuable purpose in recovering deleted files to a specific point in time, they should not be conflated with comprehensive backups. Storage snapshots often lack advanced retention management, comprehensive reporting, and crucially, they still reside on the same system, making them susceptible to attacks affecting the primary data.

Bare Metal Recovery in Disaster Recovery

Bare metal recovery plays a pivotal role in disaster recovery strategies. While many enterprises opt for a standard image deployment approach coupled with software provisioning and data restoration, there are scenarios where this generic approach falls short. The ability to restore a machine entirely to a precise point in time becomes paramount. This capability is especially critical in the context of ransomware attacks, where swift and comprehensive recovery of a ransomware-encrypted system, including locally stored user data, is non-negotiable. Comparable strategies can be extended to virtualized systems, with hypervisor-level options often preferred for system-level recovery.

Bare metal recovery as part of a DR strategy

Bare metal recovery can be done in a variety of ways. Some organizations simply deploy a standard image, install software, and then restore data and user preferences. This is often practical when all data is stored remotely and the system itself is not critical. However, in other cases, it is important to be able to completely restore a machine to a point in time. This is especially true for ransomware attacks, where the ability to restore a system to a recent point in time, including any user data, can be a critical part of the recovery process.

File-Based or Image-Based

For any sort of bare metal recovery, a complete backup of the original system is required. This is usually accomplished either by a filesystem-level backup of all files, partitions, and data, or by a block-level image backup of the disk(s). While both approaches have their pros and cons, we focus on the file-based approach here.

Regarding image-level backups, additional information can be found in the Bacula Systems whitepaper “VMware Virtual Machine Backup with Bacula Enterprise”. File-based backups are typically smaller and allow easy capture of differential and incremental backups. Correspondingly, individual files can easily be restored (which, for many organizations, is still the most common scenario requiring restore operations).

Bacula Enterprise Director and Storage daemon components, used in the backup and restore of your Windows system, can run on any supported platform. Note that you will need to modify the Bacula Director configuration, so it may be reasonable to set up a test installation in your network and use that until you are satisfied that your production backup system will not be negatively affected by your work.

Users should already have Bacula Enterprise installed, including the required network connectivity, i.e. all routers and firewalls involved should allow Bacula traffic as needed. In particular, this means that you may need to allow connections from all machines you consider valid targets for BMR to the Bacula Director.

Since bare metal recovery is used as a means to get critical systems up and running quickly, it is important to ensure that the planned procedures actually work. A good deal of this testing and fine-tuning today can be done in virtualized environments; however, Bacula Systems recommends testing on your physical hardware as well – only then can you be sure of your procedures. Full solution installation details are available with a Bacula Systems subscription.

How WinBMR works

During backup, the WinBMR plugin analyzes host disks and partitions. It creates the directory C:/Bacula/winbmr and copies certain files and directories needed at restore time to that location (only a few MB). If a “Recovery” or a “System Reserved” partition is found, the plugin assigns an unused drive letter (usually the first free letter starting at T:) to it for the duration of the backup. This letter is released at the end of the backup. If the system is EFI-enabled, the EFI partition is automatically mounted, its contents copied to C:/Bacula/winbmr/partitions/EFI, and the partition then unmounted. The BMR feature adds all static volumes that have a drive letter to the backed-up FileSet. You may exclude some drive letters using the plugin’s “exclude” option, but be careful not to exclude an important drive or an unused letter (like T:) that the plugin might use for the “hidden” partitions.

Bacula’s bare metal recovery tool provides both a CDROM and an ISO image. For testing purposes, on physical servers, the CD-ROM is the best choice, while in virtual machines, the ISO image should be used. It is also possible to create a bootable USB flash drive from the ISO.

Creating a bootable USB flash disk

Creating a bootable USB device from the ISO is straightforward. First prepare your USB key using diskpart: create a single partition and mark it active to make it bootable, then format the partition as FAT32 and assign it a drive letter so that you can copy the contents of the CD-ROM onto it.

Doing the recovery

Bacula’s bare metal recovery tool allows for rapid and easy data recovery via a comprehensive GUI that allows review and modification of the configuration stored on the recovery media, the network configuration, client selection, and where to restore to. You are able to manage disk drives, create partitions, format them and select to which of them the data will be restored. Disk Matching, manual partitioning and Volume Matching functions are all provided. After working through the restore wizard, the restore can be started. Using the wizard, you can “Cancel” the process and go back to make further changes, or simply start a new restore process. When the restore is completed, the screen shows the status of the restore and the status of the process making the host bootable.

If your setup includes dynamic disks, you must import them in the freshly restored system after the reboot. This can be done via Bacula’s inbuilt tools.

Disaster recovery planning – an overview

Approaches outlined above, such as bare metal recovery, are important individual technical measures an IT department can utilize to protect an organization against ransomware attacks. However, they need to be part of a wider, deeper contingency plan that spans the entire organization – disaster recovery.

Having a sound disaster recovery plan is one of the cornerstones of cyber security, and one of the best ways to effectively protect your organization as a last resort. This is equally true when it comes to implementing ransomware protection strategies, and must not be ignored.

Developing an IT disaster recovery plan involves choosing the right people to be involved, assigning appropriate roles, selecting the technologies to use, as well as developing, implementing, testing, and documenting the recovery process.

What is an IT disaster recovery plan?

An IT disaster recovery plan documents:

  • the company’s leadership’s objectives for disaster recovery
  • members of the recovery team and their roles and responsibilities
  • detailed procedures for protecting and recovering required technical services after a disruptive event such as a flood or fire

An IT disaster recovery plan aims to:

  • provide critical IT services after an incident.
  • ensure that critical business functions continue within a sufficient period of time.

Who is involved in IT disaster recovery planning?

The company’s IT manager should lead the planning. He or she usually works with the IT department to determine specific steps within the disaster recovery process and to develop and test the resulting recovery plan.

In addition, it is also important to involve other stakeholders outside of the IT department, including senior leaders, CTO and CEO office representatives, and board members (if applicable) to ensure the entire organization’s needs are met.

The disaster recovery planning process

Disaster recovery planning is an ongoing and iterative process. Each step includes several activities to be performed. During initial development of the disaster recovery plan, certain stages are repeated several times, each time focusing on developing and testing recovery plans for a different service or a set of services.

After obtaining leadership commitment to the disaster recovery planning program in stage 1, stages 2 through 5 are repeated periodically. IT services are dynamic: new services are created and obsolete services are retired. Remember that priorities and disaster recovery plans must be reviewed and revised periodically to ensure that they are current.

Backup Fortress offers comprehensive disaster recovery planning and helps you create a recovery plan for your company that can be further expanded based on your company’s needs.

Here is a DR guide which documents the following planning factors:

  • Defining Priorities
    – Identifying Critical Services
    – Assessing Impact of Service Outage
    – Risk Assessment
    – Prioritization
    – Deciding extent of action
  • Deciding on Technical Methodology
    – Determining a technical methodology for each service
    – Developing Facility and Infrastructure Plan
    – Estimating Costs and Developing a Schedule
  • Developing and Implementing the Plan
    – Roles and Responsibilities
    – Determining disaster response process
    – Developing detailed service recovery plans
    – How to Test
  • Authorization
    – Policies and Administrative Regulation
    – Objectives
  • Services and Their Priorities
    – Services List
    – Assessing Impact of Service Outage
    – Assessing Risks
    – Prioritize
    – Set Scope
  • Facility and Infrastructure Plan
    – Determining technical approach for each service
    – Facility Plan
    – Infrastructure Plan
    – Estimating Costs and Developing a Schedule
  • Plan Implementation
    – Roles and Responsibilities
    – Disaster Response Processes
    – IT Services Recovery Plans
    – Testing the DR Plan

How Secure Is Bacula Enterprise?

One of the fundamental reasons Bacula is especially strong against cyber-attack is that its core components run on Linux. This tends to give it a strong advantage over many other solutions that do not, or other proprietary solutions that cannot offer dedicated encryption to their different components. Furthermore, many backup systems are not even modular enough to offer sufficient encryption configurations and options to be truly secure.

Another way Bacula offers security is that it is typically able to back up all of the many applications, databases and file types found in today’s most complex IT departments. Being able to back up everything from a single platform helps to significantly reduce the risk of mistakes from using multiple backup solutions, or from combining a principal backup system with a secondary, less secure solution. It is not only Bacula’s core architecture that brings inherent superior security; it also has specific security features, many of which are highly customizable. Bacula is unparalleled in the backup and recovery industry in providing for extremely high security levels. This ability spans specific elements of its architecture, features, usage approaches and customizability. Bacula’s critical components run on Linux, and Bacula has state-of-the-art security built into each of its software layers. Some other features are:

  • FIPS 140-2 compliant
  • Verify the reliability of existing backed-up data
  • Detect silent data corruption
  • Data encryption cipher (AES 128, AES 192, AES 256 or Blowfish) and the digest algorithm
  • Automatic use of TLS for all network communications (can be turned off)
  • Verification of files previously catalogued, permitting a Tripwire-like capability (system break-in detection)
  • CRAM-MD5 password authentication between each component (daemon)
  • Configurable TLS (SSL) communications encryption between each component
  • Configurable data (on Volume) encryption on a client-by-client basis
  • Computation of MD5 or SHA1 signatures of the file data if requested
  • Windows Encrypting File System (EFS)
  • Unique system architecture for especially strong protection against ransomware
  • Immutable disk volume feature
  • bconsole option to connect to an Active Directory or LDAP server in order to protect its access
  • Advanced ransomware detection tools
  • One-Time Password (OTP) authentication allowing use of smartphones with biometric functions to access Bacula’s web GUI
  • Storage Daemon encryption
  • Security Information and Event Management (SIEM) integration
  • Security module dedicated to Windows
  • Automatic malware protection (backup, restore, verify)
  • Improved and enriched security metrics
  • SNMP monitoring integration module
  • NFS immutability support (NetApp SnapLock)
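The Tripwire-like capability and the per-file SHA1 signatures listed above are driven by a FileSet and a Verify job. The fragment below is an added example of how such a check could be declared in bacula-dir.conf; it is not configuration from the original article or from Bacula Systems, and the FileSet paths, job, client, storage and pool names are assumptions.

```conf
# Added example: record SHA1 signatures for system directories and verify the live
# filesystem against the catalog to detect tampering. Names and paths are assumptions.

FileSet {
  Name = "SystemBinaries"
  Include {
    Options {
      signature = SHA1        # store a SHA1 digest of every file in the catalog
      verify = pins5          # compare permissions, inode, link count, size and SHA1 digest
    }
    File = /usr/bin
    File = /usr/sbin
    File = /etc
  }
}

# Run once (and again after legitimate changes) to seed the catalog with the reference state.
Job {
  Name = "VerifyInitCatalog"
  Type = Verify
  Level = InitCatalog
  Client = bacula-fd
  FileSet = "SystemBinaries"
  Storage = DiskStorage
  Pool = DiskPool
  Messages = Standard
}

# Scheduled check: the File Daemon re-reads the files on the client and the Director
# compares attributes and digests with the seeded catalog; any difference is reported
# in the job messages, which is the break-in indicator the article refers to.
Job {
  Name = "VerifyAgainstCatalog"
  Type = Verify
  Level = Catalog
  Verify Job = "VerifyInitCatalog"   # catalog entries of this job are the reference
  Client = bacula-fd
  FileSet = "SystemBinaries"
  Storage = DiskStorage
  Pool = DiskPool
  Messages = Standard
  Schedule = "Daily"
}
```

A Verify job at Level = Catalog reads nothing from backup volumes; it only compares the client’s current files with the catalog, so the reference job must be re-run after each planned software update to avoid false alarms.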

Conclusion

Bacula Enterprise offers a modern, modular, high-value solution for backing up and recovering data fast and effectively after a ransomware attack. Its common interface and policy engine give the required level of safety, speed and control needed for correctly protecting today’s – and tomorrow’s – IT environments.

2023-09-03
Backup Fortress
Tsalalikhin 2/3, Rishon LeZion, 7523142, Israel
+972 (55) 770 0370