We've heard it all before — backups are crucial! They're the insurance policy for your digital world, protecting against a myriad of threats that can cause data loss and cripple your organization. From accidental deletions to catastrophic hardware failures, natural disasters, and cyberattacks, a solid backup strategy is non-negotiable.
However, the landscape of cyber threats is constantly shifting. Ransomware attacks in particular have become increasingly sophisticated. Cybercriminals are aware of the importance of backups and are actively targeting them to maximize damage. They're trying different ways to render the backups useless and breach the last line of defense by attempting to encrypt on-premise backups, deleting them entirely, or even planting dormant malware into the backups to reintroduce infection post-recovery. As a result, traditional backup and recovery solutions are no longer sufficient.
In our previous blog, we explained how Druva customers can use threat hunting on endpoints (edge devices) to search, contain, and destroy malware hiding in the backups. Building upon our previous discussion of threat hunting, let's delve deeper into the specific challenges and strategies associated with protecting backups of data centers, with a focus on virtualization software like VMware.
The Evolving Threat Landscape
Data centers are the heart of modern digital infrastructure, housing critical applications and data. This makes them prime targets for cybercriminals. Virtualization software like VMware are integral part of most data centers today. Threat actors targeting data centers often take advantage of vulnerabilities and misconfiguration issues in Virtualization software deployed in data centers.
Some of the common threats are:
Virtual machine (VM) sprawl: Unmanaged or poorly configured VMs can create blind spots for security controls.
VM escape: Attackers may exploit vulnerabilities in virtualization software to gain unauthorized access to the host system.
Service account compromise: Attackers abuse shared service accounts created for managing guest OS to gain initial access and move laterally inside the data center.
We have seen quite a few ransomware strains of late that are known to target VMware, including LockBit, HelloKitty, BlackMatter, Scattered Spider, Akira, Cactus, BlackCat, Cheerscrypt, and Eldorado.
Druva Threat Hunting for VMware Backups
Druva’s threat hunting plays a vital role in proactively identifying and neutralizing threats targeting data centers and virtualization software. Backup admins and security teams can uncover sophisticated attacks that may evade traditional security controls and make their way into the backups.
It allows you to proactively hunt for malware IoCs and improve incident response for VMware-backed resources. Key capabilities include:
Malware IoC search: Hunt for malware IoCs within VMware backups.
Infection scope and timelines: Gain insights into infection scope and timelines. Identify the first infection point and lateral spread of the malware over time.
Identify the latest clean recovery point: Threat hunting can help you identify the best recovery point to use for a clean recovery.
Quarantine infected snapshots: Automatically isolate infected VMware snapshots to prevent reinfection.
Rich metadata: Access detailed metadata to aid investigation and incident response.
When to use Threat Hunting?
There are primarily two use cases for using threat hunting. The first is a pre-attack (peacetime) hypothesis-based scenario. The trigger for initiating a peacetime threat hunt could be the availability of new threat intelligence, a new threat advisory, research from the infosec team, etc.
The other use case would be for recovery, which is also called post-attack or wartime threat hunting. It is incident-driven and helps you identify the impact and spread of the malware infection. It's a crucial part of incident response and recovery.
Pre-attack scenarios (peacetime, hypothesis-based):
Purpose: Validate protection against specific prevalent threats from security blogs or advisories.
Example questions: "Am I protected from this specific threat I read about? Are my backups clean?"
Post-attack (wartime, incident response):
Purpose: Identify the blast radius after an attack and choose the latest clean recovery point for restore.
Example questions: "Given that I am impacted, how many resources or snapshots are infected? How can I recover cleanly?"
Takeaways
Threat Hunting is a powerful feature which can help you to:
Identify the scope of an attack
Identifying the initial infection point and attack’s origin
Understanding the scope and infection spread over time
Preventing malware reinfection
Quarantine impacted snapshots
Identify clean snapshots that can be used to restore
Reduce recovery time
Compliance and due diligence
Proactively scan backups for the presence of IoCs from an advisory
Next Steps
See how Druva’s security features bolster your defense against ransomware and today’s data threats. Try our 100% SaaS data protection for yourself free for 30 days — no credit card info required!