Data backups are often in the crosshairs of cybercriminals looking to turn a profit off ransomware. As a result, threat researchers have noted an increasingly common new target: backup administrators.
These essential personnel are gatekeepers for a company’s data backups, managing the system and ensuring backups work as expected in the event of a crisis. So, hackers are targeting backup administrators to steal their credentials and gather other key information that may clear their path toward circumventing security measures, deactivating backup protections and corrupting data. This allows bad actors to effectively cut off all access to backups, eliminating an organization’s last line of defense.
To combat this, IT leaders must prepare their backup administrators and shore up data protection systems by leveraging new and innovative strategies.
Backup administrator resiliency
There’s a lot of talk about increasing cyber resiliency, but it’s not applied enough to the IT professionals themselves. While IT professionals of any discipline are typically better at spotting phishing attempts, no one is immune. As generative AI tools improve the quality of social engineering, cybercriminals can use those tools to create well-written emails designed to phish a backup administrator.
Consequently, no IT personnel, especially those outside the security team, should ever be exempt from cybersecurity trainings. In fact, their ongoing cybersecurity training should be much more rigorous than that of the average employee given the level of access they have to critical systems.
On that note, it’s also important to have robust role-based access control across the board, and particularly for backup administrators. If there is more than one backup administrator, spread access to backups — of which security leaders should always have multiple stored in different places — among them, not allowing a single administrator to have access to all the backups. If there is just one backup administrator, designate someone else from the IT team and give them access to a copy of the backup data that the backup administrator doesn’t have access to.
The evolution of anomaly detection
Traditional anomaly detection for backup data does not monitor the behavior of backup administrators, but instead focuses on the data the system collects from backups themselves to provide insights on how data changes over time. While this used to be enough, now anomaly detection must also be able to identify any changes in the behavior of backup administrator(s). For example, attackers frequently use compromised backup administrator accounts to remove clients from backup policies, attempt to expire or delete backup images, change or delete encryption keys and other destructive actions that will make recovery from backup copies impossible.
Just as AI is becoming a key tool for cybercriminals to compromise more advanced users, such as IT professionals, AI is also key to advanced anomaly detection. Using backup metadata, AI can help data protection systems dynamically identify and flag anomalies in case backup data or administrator behavior issues arise.
Fully autonomous data management
Another way cybercriminals are seeking to exploit backup administrators — and just about any other IT role — is by attacking when organizations are most vulnerable, such as a Sunday morning at 2 a.m. in the middle of a long holiday weekend when fewer, if any, IT staff are paying attention.
AI can help here, too, by extending intelligent, fully autonomous defensive system responses to identified threats. Such actions can include suspension of administrator rights for compromised logins and stopping expiration of backup copies for clients that are flagged as compromised. It can even switch the entire backup system into a “safe mode.” A system in safe mode can revoke trust relationships with compromised systems to limit access to the backup system, suspend destructive actions, activate additional multi-factor authentication challenges and more.
In addition to responding to direct threats even when no humans are available, autonomous data management can help already stretched-to-the-max IT teams handle many other challenges associated with the almost unfathomable amount of data in today’s enterprise multi-cloud environments.
Venerable backup administrators are doing the best they can, but they’ve got big targets on their backs. Preparing them to deal with the ever-evolving threat landscape, placing proper control on access to backup data, ensuring anomaly detection can spot compromised backup activity in both data and administrator behavior and arming them with tools to leverage autonomous data management will go a long way toward shielding them from of the enemy’s arrows.