Data Security Decoded 3.17.26
Ep 47 | 3.17.26

Your Backups Are Talking — Are You Listening?

Transcript

Kyle Fiehler: Since secure backups can't be altered or encrypted or deleted, a lot of times, they are the source of sort of digital fingerprints for threats that have evaded detection. You know, they can act as a record of threats that other security solutions have missed. What we've found is that threat actors understand this. They've sort of conducted a proof of concept for the threat vector, and so it's something that we expect to see a lot more going forward. But just in general, we see it as another source of telemetry that is too often overlooked. [ Music ]

Caleb Tolin: Hello, and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin, and if this is your first time joining us, welcome to the show. Make sure you hit that Subscribe button so you're notified when we drop new episodes. And if you're a returning subscriber, thanks for spending some more time with us. Drop a comment below. Give us a rating. Let us know what you think about the show. It really helps us reach more listeners like you who are trying to improve the resilience of their business, and it helps me know what content you want to hear more about. So today, I had a really great conversation with Kyle Fiehler, a transformation analyst at Rubrik Zero Labs. His expertise spans AI and info security, cybersecurity and geopolitics, cyber resilience, and IT leadership. He works really closely with CXOs at G2K enterprise organizations on matters of zero trust and secure digital transformation. We'll talk about backups being a snapshot into failed attempts at stopping bad actors, a really interesting conversation and a really refreshing take. Let's get into it. [ Music ] Well, Kyle, welcome to the podcast. So excited to have you on. We're here to talk about backups, which is not something that a lot of security teams tend to spend a lot of time with, but it seems like you believe that they should. So what are some things that backups reveal that traditional security telemetry often misses?

Kyle Fiehler: Yeah, so since secure backups can't be altered or encrypted or deleted, a lot of times, they are the source of sort of digital fingerprints for threats that have evaded detection. You know, they can act as a record of threats that other security solutions have missed. So, example, a threat that is embedded in, you know, a hypervisor. Those things are backed up, but traditional EDR solutions often lack visibility into those. So what we've found is that threat actors understand this. They've sort of conducted a proof of concept for the threat vector, and so it's something that we expect to see a lot more going forward. But just in general, we see it as another source of telemetry that, as you rightly point out, is too often overlooked because it is another source. And I think if you're in charge of defending a company from the myriad of threats facing any large organization today, you want all the information that's available to make the best decisions possible.

Caleb Tolin: Right. Absolutely. And when you're analyzing these compromised backups, where are most organizations going wrong? Are you noticing any patterns throughout all the different organizations that you're kind of analyzing and working with?

Kyle Fiehler: The biggest thing is just companies not recognizing that their backup data is that additional source of telemetry, like I mentioned. So it's often just completely overlooked. I think that, in general, there is an opportunity for security teams to be scanning backups for indicators of compromise using YARA rules, hashes to be searching for threat actors in their backup data, especially ones who have the utmost motivation to not be found. These are traditionally state-backed actors who are interested in establishing persistence and evading detection so that they can conduct these long-term operations.

Caleb Tolin: Right. And so if backups are showing repeated failure patterns over time, who owns fixing that? Is it the CISO? Is it the CIO? Is it the board? Is it a combination of all of these folks? Who kind of owns addressing this issue?

Kyle Fiehler: Yeah, so I think it's different by organization and, you know, in general, there is this issue in managing backups about ownership. Who owns it? You know, is it IT or security? And I think more and more it will need to become a security function as we notice groups that are financially motivated threat actors who recognize the importance or the opportunity, I should say, in targeting backups specifically. So Evil Corp is a Russian-based ransomware group that has figured this out very well. They know that they can delete, you know, recovery routines, delete the backups themselves, and by doing so, they maximize their leverage over whoever their target may be. So I think it's increasingly becoming a security concern as we see more and more financially motivated threat actors who are interested in achieving the payday as soon as possible. They actually want to trip that wire. They want to trigger a response from a security team because that's the quickest way to get the engagement going.

Caleb Tolin: Absolutely. It's interesting to think about how, you know, of course, there's plenty of organizations out there that are aware of these different groups, different threat intelligence groups are tracking all of these different organizations, kind of like you've mentioned already, too. And we're always looking for the new and shiny thing, but there's obviously some of these hidden vulnerabilities that are really important. And to your point, if backups are seen as this kind of snapshot of all of the failed attempts of the rest of your security stack from stopping attackers from getting in, then it is a very valuable asset for organizations to be leveraging.

Kyle Fiehler: Right. If you're only looking for the latest and greatest, you may be missing what's been known to work for some time.

Caleb Tolin: Absolutely. And I'd like to talk a little bit about backup's best friend, and that is recovery. You know, oftentimes we're talking about backup and recovery. And another theme that you and your team talk a lot about is MTTR, or mean time to response. So how should security leaders think about mean time to response, or MTTR, and what should they be doing to reduce that?

Kyle Fiehler: Yeah, so stepping back a little bit, some interesting data we've found is that, you know, in conducting year-after-year surveys, we've found, among our respondents, who are IT and security leaders all over the globe, large organizations, confidence in recovery times tends to be falling. And, you know, I think the numbers are something like barely a quarter of IT and security leaders feel that they could respond in 12 hours or less to a security incident, whereas a year ago that number was over 40%. So what are those -- what are the reasons for that? I suspect one of them is the deliberate targeting of backup data. And then another, I would say, is identity infrastructure is often compromised as a part of these attacks. And this is where too many organizations are still relying on manual processes to recover their identity infrastructure, because oftentimes threat actors will escalate privileges in order to get something done. I mentioned the deleting of recovery routines. You know, oftentimes you need elevated privileges to do that. But what happens when threat actors start to compromise identity infrastructure is almost no access or authorization processes can be trusted. And so it's so important to restore identity infrastructure to a clean state if you're going to take that power away from the threat actor, you know, right? In terms of MTTR, what we talk a lot about at Rubrik Zero Labs is, how do we turn that from a coarse metric of, okay, you know, my mean time to recover, we were aiming for four hours, and it took us six? That doesn't tell you why. So a lot of what we've focused on is, how can we use the data that we have to sort of break that process down into discrete phases? So is the problem that it took you a long time to determine the scope of the compromise? Is the problem that it took you a long time to validate that you recovered to a clean state? Or is it some other phase in there? So we often talk about how understanding the phased recovery process points you to potential areas for improvement where you can cut that overall MTTR. And then, of course, these are things you'll hear from security leaders all the time, that you cannot go into an incident. That's not the time to be testing your recovery. So these things have to be drilled continuously as sort of a lifecycle management of recovery capabilities.

Caleb Tolin: I want to go back to something else that you mentioned at the top of that question, and you talked a little bit about how identity-based attacks kind of operate and the challenges facing, you know, attacks that operate in that aspect. But you also mentioned that threat actors are targeting backups. And so we talked about how backups can be used as this unique security telemetry tool, but I kind of want to talk about it from the threat actor perspective. I understand why an organization, you know, a nation-state group, or some hacktivist group is targeting a backup system, but what can organizations do about that if, you know, they're thinking of their backups as their last line of defense? How can they prepare against those kind of attacks?

Kyle Fiehler: Yeah, so it starts with, you know, things like isolated clean recovery environments, air-gapping. You have to be able to limit your access to the backup environments themselves. And so that's why a lot of threat actors today are targeting cloud-based backup -- cloud-native backup specifically, is because there's not that -- you know, there's not that barrier there. So I mentioned Evil Corp. There's another group that Microsoft is following closely called Storm-0501 that I think is sort of the proof that this has become a pure leverage play. So this group is known to deliberately target and delete backups to the point where they're no longer deploying traditional malware with their ransomware threats. They're just exfiltrating the data, deleting the backups, and then delivering a ransom without what we would consider a traditional piece of ransomware. This group used to deploy, you know, things like LockBit or Hive, BlackCat, but they've just completely left that off the, you know, the attack chain now because it's not necessary for them. They've already compromised the target to such a degree that the leverage is there.

Caleb Tolin: How did you and your team start to identify backups as a valuable intelligence asset?

Kyle Fiehler: Yeah, I think, at Rubrik Zero Labs, it started with us, you know, in part the recognition that we are conducting something like two and a half million snapshot scans per day and realized that this had to be sort of a useful source for threat intelligence. And I think one of the other things we found is that we weren't just finding the latest headline-grabbing threats. You know, we were finding ransomware groups that the security community more or less knew about, but they continued to evade detection either because they weren't being scanned for or they were evading detection in some other way. Web shells are another example of, you know, not necessarily new breaking threats, but threats that can certainly act as an initial access vector. And so finding those and then being able to build in, you know, alerts into the product, which is something we're currently working on, is we recognize the value there, and it's something that's unique to what Rubrik does. So we wanted to make sure that we were maximizing that value for our customers.

Caleb Tolin: So going back to how organizations can really leverage their backup data and start, you know, maximizing their value there, what are the three actionable steps that security and IT teams can take today to start getting that full value from their backup data?

Kyle Fiehler: Well, I mean, one is starting to scan the environment. You have to be conducting the scans to get any real benefit from them. You want to be monitoring for things like configuration drift, any suspicious activity in logs that you wouldn't expect to see in places like VPNs or appliances that are not, you know, the "boxes" that are not typically scanned by, you know, an EDR tool or other security solutions. And then finally, I would say the hardening and recoverability of that identity infrastructure is critical, especially if, you know, you're in a position where you're relying on cloud-native identity infrastructures like the Entra IDs and things like that.

Caleb Tolin: Great things for everyone listening to start considering about their own organization if they're not already. But, Kyle, thank you so much. Is there anything else that you want to leave the listeners with that we haven't already covered?

Kyle Fiehler: I think I would just, you know, reiterate that because secure backups are not, you know, can't be altered, encrypted, or deleted, they often act as a de facto record of what your other security solutions have missed. So there's really no reason not to be probing them for that valuable threat intelligence.

Caleb Tolin: Right. Absolutely. That's a really interesting and different perspective than we've heard before. So thank you so much for joining us. Until next time.

Kyle Fiehler: Of course, thanks for having me. [ Music ]

Caleb Tolin: That's a wrap on today's episode of Data Security Decoded. If you liked what you heard today, subscribe wherever you listen and give us a rating on either Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about. And if you want to email me about the show, email me directly at data-security-decoded@n2k.com. Thank you to Rubrik for sponsoring this podcast. The team at N2K includes senior producer Alice Carruth and executive producer Jennifer Eiben. Content strategy by Mayan Plaut. Sound design by Elliott Peltzman. Audio mixing by Elliott Peltzman and Trey Hester. Video production support by Brigitte Criqui Wild and Sarelle Joppy. Until next time, stay resilient. [ Music ]