A “seed vault” approach to ransomware protection can be a last-resort method for organizations to access their data in the event of a catastrophic availability event such as a ransomware attack. Ransomware is most often associated with the use of encryption to encipher an organization’s data with strong algorithms and make it unavailable without an encryption key to decipher the data. An electronic seed vault is a highly secure, out-of-band backup of an organization’s key data assets. It is intended only to be leveraged as a last-resort option for the recovery of data in the event that all other options are no longer available or effective.
To create an electronic seed vault, multiple layers of design and security controls must be implemented. This is to establish and maintain the vault’s confidentiality, integrity and availability (CIA). These will include a combination of people, processes, procedures and technological capabilities.
The following are 5 key considerations when implementing an electronic seed vault for data protection:
- Use a positive pressure design. A positive pressure design approach is based on the idea that the electronic seed vault will not allow any incoming connections for data transfer and will only originate connections to systems that house the data that will be retrieved for storage and restoration activities. This approach significantly reduces the threat of a malicious actor or ransomware software being able to find, attack and/or encrypt the data assets in the electronic seed vault backup. It also limits the ability for the electronic seed vault to be made inaccessible due to a network- or application-level denial-of-service (DoS) attack.
When establishing a positive pressure design, it is beneficial to use network and application aware proxies (e.g., proxy-based firewalls, web application firewalls) at the network ingress and egress points for the network segments where the electronic seed vault’s technical infrastructure is located. These proxies should inspect all traffic entering and exiting the network segment where the seed vault is located to ensure that the traffic profile is appropriate and does not contain malicious or unwanted payloads. They also will enable the use of granular-level access controls for source and destination traffic analysis, and rules between the source where the data are being retrieved and the electronic seed vault receiving systems. - Use versioned and scheduled backups. Versioned backups of data provide protection against encryption-based ransomware attacks and should be used in the seed vault storage. Versioned backups allow an organization to revert to data that they are confident have integrity and are free of malicious components if there is concern that an adversary has implanted its attack capabilities for some period before the attack (i.e., the attacker dwell period) to establish a way to continue to harm an organization after it has started its initial recovery efforts by restoring backups. The number of versions of data that should be maintained will often be determined by the volume of data that are being backed up and the cost of the storage infrastructure that is used. Minimally, it is suggested that at least 3 versions of data be retained to minimize any data corruption concerns.
It is important to consider that an electronic seed vault backup is not intended to replace a replication or traditional backup strategy, but instead complement it. The manual nature of the operating procedures that should be used to access and update the electronic seed vault backup makes it difficult to use as a primary backup or replication capability. The electronic seed vault should be limited to storing only the most critical data assets of an organization and the backup of this data should be conducted on a scheduled basis. These backups can occur weekly, monthly or on an on-demand basis and their frequency should be determined using business recovery point objectives (RPOs) and recovery time objectives (RTOs). This inherently provides a higher level of security for the seed vault but also requires the organization to thoughtfully identify the data and the frequency of the backups to minimize the operational overhead that will be created by these processes. - Access to the seed vault should require multiple layers of access control. A “jump host” approach for system administration of the electronic seed vault’s technical infrastructure should be used. This ensures that system administrators cannot make direct connections to the technical components and instead will use virtual terminal capabilities that have originated at the jump host to conduct their administrative functions. The jump host can also have privileged user monitoring capabilities implemented to passively record and actively monitor all system administration activities to ensure that no malicious actions are intentionally or mistakenly taken against the seed vault.
User and system access to administer, update or restore backups from the seed vault should be tightly controlled and approval should be granted based on the two-man rule. In this operating model, a system administrator or authorized user would request access to the electronic seed vault environment and systems, and then a separate and independent authorized individual would approve their access and the scope of their activity. For example, a system administrator may request access to maintain or update the electronic seed vault from the organization’s information security organization, which would then verify the administrator’s need for access and review their expected actions and activities to ensure that they are appropriate prior to approving access for a specific period of time. The information security organization can then provide oversight and a review of actions to ensure that only appropriate ones have occurred and that the electronic seed vault still is secure and has integrity. - The seed vault backup should only be connected to source systems when backups or recovery actions are being performed. The seed vault should not be constantly connected to the source systems it supports. By creating a network “air gap” between the source networks and systems and the seed vault networks and systems, it will be extremely difficult for an attacker to target the seed vault backups as part of an attack. The process to create a connection between the source systems and the seed vault should follow the same two-man rule described above and only be allowed to be performed on a manual basis. No system-automated connections or updates should be used as part of the seed vault operation to ensure that there is appropriate oversight and control of the capability at all times.
Consistency is an often-overlooked vulnerability that an experienced adversary who has taken the time to observe and learn an organization’s operating procedures will attempt to leverage in their attack. The timing of connections from the seed vault environment to source networks and systems should be randomized. This helps minimize the ability of an adversary to identify periods when connections will be enabled and leverage them as part of their attack timing. The timing and schedule of these connections should also be kept confidential and limited to a need-to-know audience whenever possible to limit the potential for an insider to conduct malicious activities while connections are established. - Electronic seed vaults should be contained in a secondary provider’s technical infrastructure or in a separate operating tenant in the current provider. Cloud-based Infrastructure as a Service (IaaS) providers are ideal candidates for the location of electronic seed vaults. If the source data that will be protected are already located in an IaaS provider’s environment, it is recommended that the electronic seed vault be housed in a separate IaaS provider or, minimally, in a separate operating tenant within the current provider. This limits the ability of an adversary to leverage any technical vulnerabilities or operating model weaknesses of the primary IaaS provider that could negatively impact the electronic seed vault. It also allows for the use of separate, distinct credentials and access control mechanisms for access to the environment that contains the electronic seed vault.
An electronic seed vault should be considered a last-resort backup for critical data recovery in the event of a catastrophic cyberattack such as an encryption-based ransomware attack. The highly controlled and governed manual operating models and segmented nature of the electronic seed vault inherently enhance its security and resilience. This approach provides an organization a viable option to recover its sensitive data and systems without having to pay a ransom to regain access to them.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP is the president of IP Architects LLC.