"Breakin' Up Is Hard To Do" - Neil Sedaka 1966
In the last 10 days we talked about the attacks on vCenter and recommended urgent patching. (If you have not yet patched and need assistance, please reach out to us.)
Last week I read how one of the latest ransomware variants actively scours Active Directory looking for IDs that have Veeam access rights and specifically targets them to breach your backup processes and corrupt/encrypt them. That way when they launch their attack, you will find your backups totally compromised and be even more at their mercy to pay the ransom fee.
Over the years, Microsoft and others have promised the power of leveraging Active Directory. However, what is so powerful has now also been proven so dangerous because if Active Directory becomes compromised, it becomes a "speed pass" for the bad guys to hurt your network.
The solution is breaking parts of your network into separate, disconnected silos of functionality. This is done with VLAN segmentation. Each vendor gets its own VLAN to do what it does, separate from the internal network. Internet-facing devices sit in a DMZ whenever possible. Access is based upon the principle of least privilege: only what is needed to do the job. No matter who you are, we don't trust you - even if you have proper credentials - without a secondary, multi-factor access challenge such as Cisco Duo.
For a long time now I have been urging you to break VMware vCenter away from Active Directory. While it is very convenient to not have to know extra credentials, in this day and age it is too much access. VMware should be its own silo - the holy of holies - completely separate from your network. In the much talked about "NotPetya" Russian cyberwarfare attack in Ukraine, the only thing that survived the destruction of the network was the separate, sandbox VMware implementation that wasn't part of the main network. There was a current copy of their domain controller there that was used for prototyping.
Please, please, please break this Active Directory connection to vCenter.
Second is the issue of backups. First, whatever you are doing for backups, you should have some completely disconnected, out-of-band backup that is sitting on the shelf someplace. That is your "break glass", last resort backup.
Then you need to have copies of your backups off-site. For those using a BOCES/RIC CoSer, you meet this criterion. For those using Veeam, if you don't have a cloud repository for your Veeam backups, you definitely should. CSI offers Veeam cloud backup storage services.
Increasingly, auditors and cyber insurance underwriters are requiring that you not only say you have good backups and off-line backups, but also that you are able to regularly demonstrate that your backups actually work, on a monthly or even a weekly basis.
If you don't have the capability to do this in a pretty effortless way with your present backup solution, give us a call and we can talk to you about how to get that functionality implemented.
My final recommendation ends where I began this Tidbit - your Veeam backup server (or whatever you are using) should be completely disconnected from your Microsoft Active Directory domain. It should be a workgroup server that is hardened with its own credentials that has absolutely no relationship with your main Active Directory credentials. This includes all local storage devices used to house your on-site backups.
If the bad guys are probing your network, they should find absolutely nothing about your backups in your main network. If they compromise your Active Directory Administrator credentials and disable your network, it should have absolutely no effect on your backup server.
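One way to check a Windows backup server against that standard, as an added example that is not from this Tidbit or from Veeam or Microsoft: run it locally in an administrative PowerShell (5.1 or later). It reports whether the host is still domain-joined, whether any non-local principals sit in the local Administrators group, and whether any service runs under what looks like a domain account. The function name and the output shape are my own.

```powershell
# Added audit check (hypothetical helper, not vendor code). Returns an object whose
# Isolated property is $true only when no finding was recorded.
function Test-BackupHostIsolation {
    $findings = New-Object System.Collections.Generic.List[string]
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Finding 1: the server is still a member of an AD domain instead of a workgroup.
    if ($cs.PartOfDomain) {
        $findings.Add("Host is joined to domain '$($cs.Domain)'; it should be in a workgroup.")
    }

    # Finding 2: domain or cloud principals in local Administrators. PrincipalSource is
    # 'Local' for accounts defined on this machine only.
    foreach ($m in Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop) {
        if ($m.PrincipalSource -ne 'Local') {
            $findings.Add("Local Administrators contains $($m.PrincipalSource) principal '$($m.Name)'.")
        }
    }

    # Finding 3: services whose logon account is neither a built-in identity nor a local
    # account of this machine. StartName looks like 'DOMAIN\user' or 'user@domain' for AD
    # accounts; '.\user' or 'COMPUTERNAME\user' for local ones.
    $localPrefixes = @('LocalSystem', 'NT AUTHORITY', 'NT SERVICE', '.', $env:COMPUTERNAME)
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $name = $svc.StartName
        if (-not $name) { continue }
        $prefix = if ($name -match '\\') { $name.Split('\')[0] } elseif ($name -match '@') { $null } else { $name }
        $isLocal = ($null -ne $prefix) -and ($localPrefixes -contains $prefix)
        if (-not $isLocal) {
            $findings.Add("Service '$($svc.Name)' runs as '$name', which is not a local account.")
        }
    }

    [pscustomobject]@{
        ComputerName = $cs.Name
        Isolated     = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: print the report, one finding per line.
$report = Test-BackupHostIsolation
$report | Format-List
```

A clean result is Isolated = True with an empty Findings list; anything else is a tie back to Active Directory that the attacker described above would be able to use.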
I know for a fact that a lot of you still have your vCenter and backup server as part of your Active Directory. This has to change.
If that is you, there are some steps that need to be taken to improve your security posture.
CSI is happy to assist you in whatever way you need.
Give us a call.