Ransomware Defense in UBSi-Commvault

Introduction

This document explains some of the ransomware defense settings and features specifically available to users of UBSi-Commvault.  This is not intended to be an exhaustive guide on ransomware defense; please also refer to other more general references:

Prevention

The first step in ransomware defense is prevention.

Within the UBSi-Commvault environment, we have implemented many features to help prevent ransomware infection of our own infrastructure, including:

  • Frequent scheduled updates of operating system and application components
  • Windows security features configured via Group Policy
  • Security vulnerability scanning and prompt remediation
  • Restrictive, default-deny firewall rules in place on both network firewalls and host firewalls
  • Use of antivirus products wherever possible
  • Use of SELinux policies wherever possible
  • Use of least-privilege access, with monitoring and auditing of administrative accounts
  • Multi-factor authentication enabled wherever possible

The UBSi-Commvault service does not play a direct role in preventing the initial ransomware infection of our users’ devices.  Please refer to the Ransomware Defense Overview and other resources and ensure that you have implemented similar protections on your own systems.

Preparation

The second step in ransomware defense is preparation.

In UBSi-Commvault, we use replication of all user data in order to protect against physical disruption to our primary site.  Where possible, we have taken steps to isolate the infrastructure at each site, in order to make it difficult for an attack on one site to spread to the other site.  However, if a ransomware attack is able to delete a client from UBSi-Commvault, both the primary and replicated copy will be deleted.  A ransomware attack which gained control of the UBSi Administrative accounts or the core database would likely be able to attack both copies equally.

In order for replication to be effective against ransomware, it is necessary to replicate data to an immutable copy, which cannot be overwritten or deleted.  See the section about Immutability lower on this page for more information about the backup options in UBSi-Commvault.

To protect the UBSi-Commvault environment, we perform daily backups of the central “CommServe” database to immutable storage provided by our vendor.  This database does not contain backup data, but includes all other UBSi-Commvault configuration: user accounts, tenant configuration, client settings, schedules, job history, and encryption keys.  If our on-premises infrastructure were ever compromised, these backups would allow us to restore the web interface and begin rebuilding the environment.  We would then reconnect to any surviving storage pools (e.g. the immutable cloud copy) to allow users to begin restoring the related data.

Detection

The third step in ransomware defense is detection.

UBSi-Commvault provides a report which can aid in ransomware detection:

Unusual File Activity Monitoring

The Commvault software monitors backup jobs and attempts to detect unusual file activity patterns.  For example, if a server typically backs up only a few files each night, the sudden deletion or modification of thousands of files might be detected as unusual.

A report of Unusual File Activity on a server does not always indicate a security issue.  For example, it might be normal for many files to be modified at the beginning of the semester.  The Commvault software is not aware of our business practices, so it’s important to have a human determine whether or not the activity was abnormal.
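The following is an added illustration of the idea described above, written for this page; it is not Commvault's own detection algorithm.  It compares each backup job's modified and deleted file counts against the median of that client's earlier jobs, so a server that normally changes a few dozen files is flagged when thousands change, while a build server that always churns tens of thousands of files is not.  The job records, client names, dates and thresholds are constructed for the example, and a flagged job is still only a prompt for a person to decide whether the activity was actually abnormal.

```python
"""Illustrative unusual-file-activity detector (added example, not Commvault code).

Each backup job is compared against the median modified/deleted counts of the
same client's earlier jobs. A job is flagged only when the count is both large
in absolute terms and far above the client's own baseline.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass
class BackupJob:
    client: str
    day: str        # ISO date, used for chronological ordering
    modified: int   # files added or modified since the previous backup
    deleted: int    # files deleted since the previous backup


@dataclass
class Anomaly:
    client: str
    day: str
    metric: str     # "modified" or "deleted"
    value: int
    baseline: float
    ratio: float


def detect_unusual_activity(jobs: List[BackupJob],
                            min_history: int = 5,
                            ratio_threshold: float = 10.0,
                            min_count: int = 1000) -> List[Anomaly]:
    """Return one Anomaly per (job, metric) that exceeds the client's baseline.

    A client with fewer than min_history earlier jobs has no baseline yet and
    is never flagged; that is deliberate, since a brand-new server has nothing
    to compare against. Thresholds are assumptions chosen for this example.
    """
    history: Dict[str, List[BackupJob]] = {}
    anomalies: List[Anomaly] = []
    for job in sorted(jobs, key=lambda j: j.day):
        earlier = history.setdefault(job.client, [])
        if len(earlier) >= min_history:
            for metric in ("modified", "deleted"):
                value = getattr(job, metric)
                baseline = median([getattr(j, metric) for j in earlier])
                # +1 avoids division by zero for clients that normally change nothing
                ratio = value / (baseline + 1)
                if value >= min_count and ratio >= ratio_threshold:
                    anomalies.append(Anomaly(job.client, job.day, metric,
                                             value, baseline, ratio))
        earlier.append(job)
    return anomalies


# Constructed sample data: a quiet file server that is suddenly rewritten,
# a build server with large but normal churn, and a new VM with no baseline.
SAMPLE_JOBS = [
    BackupJob("fileserver01", "2024-01-01", 38, 2),
    BackupJob("fileserver01", "2024-01-02", 41, 3),
    BackupJob("fileserver01", "2024-01-03", 35, 4),
    BackupJob("fileserver01", "2024-01-04", 44, 1),
    BackupJob("fileserver01", "2024-01-05", 40, 3),
    BackupJob("fileserver01", "2024-01-06", 37, 2),
    BackupJob("fileserver01", "2024-01-07", 42, 5),
    BackupJob("fileserver01", "2024-01-08", 12000, 8000),   # mass rewrite + deletion
    BackupJob("buildserver02", "2024-01-01", 52000, 20000),
    BackupJob("buildserver02", "2024-01-02", 48000, 18000),
    BackupJob("buildserver02", "2024-01-03", 51000, 21000),
    BackupJob("buildserver02", "2024-01-04", 49500, 19000),
    BackupJob("buildserver02", "2024-01-05", 50500, 20500),
    BackupJob("buildserver02", "2024-01-06", 61000, 24000), # busy, but within its norm
    BackupJob("newvm03", "2024-01-07", 120, 0),
    BackupJob("newvm03", "2024-01-08", 5000, 0),            # no baseline yet: not flagged
]


def run_sample() -> List[Anomaly]:
    return detect_unusual_activity(SAMPLE_JOBS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.day} {a.client}: {a.metric}={a.value} "
              f"(baseline {a.baseline:.0f}, {a.ratio:.0f}x) - review required")
```

Running the script reports only the two fileserver01 metrics for 2024-01-08.  The ratio-to-baseline test is what keeps the build server quiet; an absolute threshold alone would flag it every night, and a ratio alone would flag trivial changes on an idle server, which is why both conditions are required.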

Users can view a report of Unusual File Activity here: https://ubsi.blue.psu.edu/commandcenter/#/fileAnomaly

More information is available here: https://documentation.commvault.com/v11/essential/unusual_file_activity_monitoring_dashboard.html

We are not currently able to configure a tenant-level alert for this type of behavior.  We hope that future enhancements to the Commvault software will allow us to offer an optional alert for each tenant.

Immutability

UBSi-Commvault offers several levels of backup immutability in order to help defend against attempts to delete your backup data.  For each server or service, you should evaluate the risks and select a backup type that is appropriate for the data.

1. Normal Backup to a Normal Tenant – Minimal Protection

By default, Tenant Administrators have the ability to delete backup data, clients, and other resources within their UBSi-Commvault tenant.  This makes it easier for you to manage your backups in response to changing business needs.  For example, you may wish to delete backups when decommissioning an old server.  Or you may wish to delete a particular backup which used incorrect settings.

Unsophisticated ransomware without access to your Penn State Account credentials should be unable to access the tenant, and thus should not be able to delete your backup data.

However, ransomware which captures your credentials or which is able to run scripts as your account could potentially access command-line or API tools and request deletion of your data from the tenant.

  • Protects against: Unsophisticated ransomware
  • Weak against: Ransomware attack with access to your account or to a UBSi Administrator account
  • Inconvenience: None

2. Normal Backup to a Resistant Tenant – Moderate Protection

At your request, the UBSi Administrators can modify your tenant to remove your ability to delete data.  This will make it more inconvenient to manage your tenant, since you will need to submit a request to the UBSi Administrators any time you need to delete data.  However, this restriction will make it harder for ransomware to delete backup data without your knowledge.

It’s still possible that a sophisticated attacker with access to your account could craft a counterfeit message to the UBSi Administrators requesting deletion, but this is significantly less risky than the possibility of automated deletion by a script using your account.

  • Protects against: Moderately sophisticated ransomware
  • Weak against: Ransomware attack with access to a UBSi Administrator account
  • Inconvenience: Deletion requests must be submitted to the UBSi Administrators

3. Backup with Immutable Cloud Copy – Strong Protection

At your request, after approval from Penn State IT Infrastructure management, the UBSi Administrators can configure your VM backups to use a special retention plan which sends a copy of your data to “immutable” storage in the Amazon AWS cloud.  The data in this copy cannot be deleted before expiration by you or by the UBSi Administrators.  This will incur significant additional cost, but makes it very difficult for your data to be lost.

This is a “virtual” immutability, so it’s still technically possible for the data to be deleted.  However, this would require multiple accounts to be compromised at the same time as the ransomware attack, so it would take an extremely sophisticated, large-scale attack.

  • Protects against: Sophisticated ransomware, compromised UBSi Administrator accounts
  • Weak against: Extremely sophisticated attack involving multiple companies or multiple teams’ compromised administrative accounts
  • Inconvenience: Early deletion is not possible for any reason, so the significant additional cost cannot be avoided once you have committed to it.

4. Custom Options

If the options above do not meet your needs, please Contact Us with the details, and we’ll investigate to see if we can provide a customized option or recommendation.