Ransomware Resiliency for Storage & Backup: Trends, Threats & Tips

By Doron Pinhas

By Doron Pinhas | CTO at Continuity, Co-author of NIST Special Publication Security Guidelines for Storage Infrastructure

Ransomware attacks have been in the public eye for quite a while now. Growth is propelled not only by the surge in the number of cybercrime groups specializing in ransomware, but to a large extent, also by the continual increase in attack sophistication.

Ransomware has evolved into a fully-fledged industry, with competing groups that continually introduce new capabilities and techniques.

Some of the new trends in data crimes, such as data leak, threat of data exposure and shaming techniques have ignited the media attention, though other, potentially even more devastating are still not widely discussed, which we’ll attempt to correct here.

Breaking The Myths: Storage, Backup, And Data Recoverability

A few years ago, very few CISOs thought that storage & backups were important. That’s no longer the case today.

In a security research study published by Continuity, more than two-thirds of respondents believed an attack on their storage environment would have ‘significant’ or ‘catastrophic’ impact, and almost 60% of respondents were not confident in their ability to recover from a ransomware attack.

Ransomware has pushed backup and recovery back onto the agenda.

Cybercriminals like Conti, Hive and REvil have been actively targeting storage and backup systems, to prevent recovery.

Regulators are starting to pay attention to backup systems and data recovery. Industry awareness is also steadily growing. NIST released a Special Publication 800—209, titled Security Guidelines for Storage Infrastructure, that places significant emphasis on securing and protecting data against attacks.

This has driven CISOs to look again at potential holes in their safety nets, by reviewing their storage, backup and recovery strategies.

“In my experience CISOs have not given the storage layer enough attention in the past in protecting their businesses (including myself).” — John Meakin, Former CISO at GlaxoSmithKline

Storage and backup systems may seem relatively minor in the IT stack, but size isn’t the best measure of the criticality of storage.

Let’s compare storage to the human heart. The heart is modest in size but pumps life-giving blood throughout the body. So, storage houses critical high-risk data that feeds your applications and devices.

Just as shooters aim for the heart, so hackers target data where it lives, in your storage systems. If you let cybercriminals leak data from storage and backup systems, they can sell it or give it away.

Unlike an attack on individual endpoints or servers, which can be highly inconvenient to a large enterprise, one that targets central storage or backup can be truly devastating. This is because a compromise of a single storage fabric can bring down thousands of servers.

Furthermore, while recovery of an individual server is relatively straightforward, recovery of a storage fabric is a complete unknown to many CISOs.

In other words, storage & backup security neglect will take its toll. CISOs must learn the ropes and must stop pushing it off as someone else’s responsibility.

“It is good to see more and more CISOs acknowledging the risks, and beginning to properly secure their storage & backup systems.” — Joel Fulton, Former CISO at Symantec and Splunk

The Current Threat Landscape for Storage, Backup And Data Recovery

NIST SP 800-209 provides a detailed overview of storage & backup system threats, risks, attack surfaces and security recommendations.

By successfully infiltrating these new targets, ransomware gangs can:

  • Prevent recovery efforts by destroying or tampering with backups (including offsite cloud-based copies and immutable storage)
  • Steal or encrypt petabytes of data easily stored on a single storage or backup system
  • Evade detection by existing Data Loss Prevention (DLP), Intrusion Detection Systems (IDS), and most modern threat intelligence solutions. Some hackers actually take advantage of cloud-based offsite backup solutions which, if not secured properly, can provide access to copies of huge datasets without introducing any visible load on production systems

“You need to have governance and an active program to secure your storage layer.” — Marc Ashworth, CISO at First Bank


Data is a major part of the role of any CISO. And in today’s digitized, data-everywhere world, an organization must make significant investments in data protection, and storage and backup hardening.

CISOs have the skill to do it; many simply lack a clear view of the problem. The problem needs to be reframed in the minds of security experts, and fast. Analyzing data storage and backup security posture is a new skill that security teams must adopt in order to deal with emerging cyber-security threats.

I’m expecting to see much stricter national guidance to organizations to tighten their data protection solutions and to avoid negotiating with criminals.

I highly recommend evaluating your internal security processes to determine if they cover storage and backup infrastructure to a sufficient degree.  Some of the questions that could help clarify the level of maturity are:

  • Are you evaluating the resiliency of your storage and backup systems on an ongoing basis?
  • Do you have detailed plans and procedures for recovery from a successful ransomware attack on a storage or backup system?
  • How confident are you that you can recover from a successful ransomware attack?

Storage vulnerability management would significantly help security teams get a full view of security risks in your storage & backup systems. It does this by continuously scanning these systems, to automatically detect security misconfigurations and vulnerabilities, and then prioritizing those risks in order of urgency.

Finally, I encourage you to learn more about ransomware resiliency for storage and backups.  A good start could be the NIST Guide for Storage Security – a report I co-authored along with NIST.

This guide provides CISOs with an overview of the evolution of the storage and backup technology landscape, current security threats, and a set of practical recommendations.


About Doron Pinhas (Chief Technology Officer, Continuity)

Doron is an avid Storage and Backup security advocate, and one of the two authors of the recently published NIST special publication titled: “Security Guidelines for Storage Infrastructure”.  Alongside continuous research of storage security, threat landscape, and market maturity analysis, he is also engaged in writing, public speaking and information exchanged with leading organizations.

Doron has over 20 years of experience in data and storage management, mission critical computing, operating system design and development, cloud computing, and networking architecture.


No posts to display