Virtualization Technology News and Information
Ransomware Resiliency For Storage & Backup: Trends, Threats & Tips


By Doron Pinhas, CTO at Continuity and Co-author of NIST Special Publication Security Guidelines for Storage Infrastructure


Ransomware attacks have been in the public eye for quite a while now. Growth is propelled not only by the surge in the number of cybercrime groups specializing in ransomware, but to a large extent, also by the continual increase in attack sophistication. 

Ransomware has evolved into a fully-fledged industry, with competing groups that continually introduce new capabilities and techniques. 

Some of the new trends in data crimes, such as data leak, threat of data exposure and shaming techniques have ignited the media attention, though other, potentially even more devastating are still not widely discussed, which we'll attempt to correct here.

Breaking The Myths: Storage, Backup, And Data Recoverability

A few years ago, very few CISOs thought that storage & backups were important. That's no longer the case today. 

In a security research study published by Continuity and CISO Mag, more than two-thirds of respondents believed an attack on their storage environment would have ‘significant' or ‘catastrophic' impact, and almost 60% of respondents were not confident in their ability to recover from a ransomware attack.

Ransomware has pushed backup and recovery back onto the agenda.

Cybercriminals like Conti, Hive and REvil have been actively targeting storage and backup systems, to prevent recovery.

Regulators are starting to pay attention to backup systems and data recovery. Industry awareness is also steadily growing. NIST released a Special Publication 800-209, titled Security Guidelines for Storage Infrastructure, that places significant emphasis on securing and protecting data against attacks.

This has driven CISOs to look again at potential holes in their safety nets, by reviewing their storage, backup and recovery strategies.

"In my experience CISOs have not given the storage layer enough attention in the past in protecting their businesses (including myself)." -- John Meakin, Former CISO at GlaxoSmithKline

The Current Threat Landscape For Storage, Backup And Data Recovery

NIST SP 800-209 provides a detailed overview of storage & backup system threats, risks, attack surfaces and security recommendations. 

Some of the more sophisticated ransomware tactics include:

  • Compromising storage operating systems, firmwares and drivers. These attacks will rarely be detected by existing vulnerability detection tools, which offer no support for storage systems and networks
  • Exploiting overlooked attack surfaces. from the most obvious storage array factory accounts that are sometimes not removed during installation, to more elusive ones including: servers that can send storage arrays commands through Fibre Channel devices
  • Poisoning snapshots and backups. Even when a ransomware attack does not succeed in corrupting existing storage and backup systems (e.g., when immutable storage is used), it may still find a way to suspend of corrupt future snapshots or backups. It's then just a matter of waiting long enough before locking production data. By that time, the only remaining valid copies may be too old for any practical use. Most organizations do not test recoverability frequently - so such attacks are likely to go unnoticed

By successfully infiltrating these new targets, ransomware gangs can:

  • Prevent recovery efforts by destroying or tampering with backups (including offsite cloud-based copies and immutable storage)
  • Steal or encrypt petabytes of data easily stored on a single storage or backup system
  • Evade detection by existing Data Loss Prevention (DLP), Intrusion Detection Systems (IDS), and most modern threat intelligence solutions. Some hackers actually take advantage of cloud-based offsite backup solutions which, if not secured properly, can provide access to copies of huge datasets without introducing any visible load on production systems

"You need to have governance and an active program to secure your storage layer." -- Marc Ashworth, CISO at First Bank


Data is a major part of the role of any CISO. And in today's digitized, data-everywhere world, an organization must make significant investments in data protection, and storage and backup hardening.

CISOs have the skill to do it; many simply lack a clear view of the problem. The problem needs to be reframed in the minds of security experts, and fast. Analyzing data storage and backup security posture is a new skill that security teams must adopt in order to deal with emerging cyber-security threats.

Organizations report that they are now starting to pay much more attention to their storage and backup security than ever before. In a recent study we conducted among CISOs, more than two-thirds confirmed that auditors were recently hired to review their storage and backup systems. 

I'm expecting to see much stricter national guidance to organizations to tighten their data protection solutions and to avoid negotiating with criminals.

I highly recommend evaluating your internal security processes to determine if they cover storage and backup infrastructure to a sufficient degree.  Some of the questions that could help clarify the level of maturity are:

  • Are you evaluating the resiliency of your storage and backup systems on an ongoing basis?
  • Do you have detailed plans and procedures for recovery from a successful ransomware attack on a storage or backup system?
  • How confident are you that you can recover from a successful ransomware attack?

Storage vulnerability management would significantly help security teams get a full view of security risks in your storage & backup systems. It does this by continuously scanning these systems, to automatically detect security misconfigurations and vulnerabilities, and then prioritizing those risks in order of urgency.

Finally, I encourage you to learn more about ransomware resiliency for storage and backups.  A good start could be the NIST Guide for Storage Security - a report I co-authored along with NIST.

This guide provides CISOs with an overview of the evolution of the storage and backup technology landscape, current security threats, and a set of practical recommendations.



Doron Pinhas, Chief Technology Officer, Continuity


Doron is an avid Storage and Backup security advocate, and one of the two authors of the recently published NIST special publication titled: "Security Guidelines for Storage Infrastructure".  Alongside continuous research of storage security, threat landscape, and market maturity analysis, he is also engaged in writing, public speaking and information exchanged with leading organizations.

Doron has over 20 years of experience in data and storage management, mission critical computing, operating system design and development, cloud computing, and networking architecture.

Published Monday, November 07, 2022 1:01 PM by David Marshall
Filed under: ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<November 2022>