From cybersecurity-skills
Designs ransomware-resilient backup strategies via 3-2-1-1-0 rule, RPO/RTO schedules, credential isolation, and automated restore tests for critical systems.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
- Designing backup architecture that withstands ransomware encryption and deletion attempts
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Do not use as a substitute for endpoint protection, network segmentation, or incident response planning. Backups are a last line of defense, not a primary prevention control.
Map all systems into recovery tiers based on business impact:
| Tier | Examples | RPO | RTO | Backup Frequency |
|---|---|---|---|---|
| Tier 1 (Critical) | Domain controllers, ERP, databases | 1 hour | 4 hours | Hourly incremental, daily full |
| Tier 2 (Important) | File servers, email, web apps | 4 hours | 12 hours | Every 4 hours incremental, daily full |
| Tier 3 (Standard) | Dev environments, archives | 24 hours | 48 hours | Daily incremental, weekly full |
Document dependencies between systems. Domain controllers and DNS must recover before application servers. Database servers before application tiers.
Configure backup storage following the extended 3-2-1-1-0 rule:
Copy 1 - Primary backup on local storage:
# Veeam backup job targeting local repository
# Fast restore for operational recovery
Backup Repository: Local NAS (CIFS/NFS) or SAN
Retention: 14 days of restore points
Encryption: AES-256 with password not stored in AD
Copy 2 - Secondary backup on different media:
# Replicate to secondary site or cloud
# Veeam Backup Copy Job or Scale-Out Backup Repository
Target: AWS S3 / Azure Blob / Wasabi / tape library
Retention: 30 days
Transfer: Encrypted TLS 1.2+ in transit
Copy 3 - Offsite copy:
# Geographically separated from primary and secondary
# Cloud object storage in different region or physical tape rotation
Target: Cross-region cloud storage or Iron Mountain tape vaulting
Retention: 90 days
+1 - Immutable or air-gapped copy:
# Cannot be modified or deleted for defined retention period
# Veeam Hardened Repository on Linux with immutable flag
# Or AWS S3 Object Lock in Compliance mode
# Or physical air-gapped tape
+0 - Zero errors on restore verification:
# Automated restore testing using Veeam SureBackup or equivalent
# Scheduled weekly for Tier 1, monthly for Tier 2/3
# Verify boot, network connectivity, and application health
Ransomware operators target backup infrastructure by compromising backup admin credentials through Active Directory:
# Linux Hardened Repository - disable SSH password auth
sudo sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo systemctl restart sshd
# Set immutable flag on backup files (XFS filesystem)
sudo chattr +i /mnt/backup/repository/*
# Veeam Hardened Repository uses single-use credentials
# that are not stored on the Veeam server after initial setup
Veeam Hardened Linux Repository:
# Minimal Ubuntu 22.04 LTS installation
# No GUI, no unnecessary services
# Veeam uses temporary SSH credentials during backup window only
# Configure XFS with reflink support
sudo mkfs.xfs -b size=4096 -m reflink=1 /dev/sdb1
sudo mount /dev/sdb1 /mnt/veeam-repo
# Create dedicated Veeam user with limited permissions
sudo useradd -m -s /bin/bash veeamuser
sudo mkdir -p /mnt/veeam-repo/backups
sudo chown veeamuser:veeamuser /mnt/veeam-repo/backups
AWS S3 Object Lock (Compliance Mode):
# Create bucket with Object Lock enabled
aws s3api create-bucket \
--bucket company-immutable-backups \
--object-lock-enabled-for-bucket \
--region us-east-1
# Set default retention - 30 days compliance mode
aws s3api put-object-lock-configuration \
--bucket company-immutable-backups \
--object-lock-configuration '{
"ObjectLockEnabled": "Enabled",
"Rule": {
"DefaultRetention": {
"Mode": "COMPLIANCE",
"Days": 30
}
}
}'
Azure Immutable Blob Storage:
# Create storage account with immutable storage
az storage container immutability-policy create \
--account-name backupaccount \
--container-name immutable-backups \
--period 30
# Lock the policy (irreversible)
az storage container immutability-policy lock \
--account-name backupaccount \
--container-name immutable-backups
Configure automated restore verification on a recurring schedule:
# Veeam SureBackup verification job (PowerShell)
# Tests VM boot, network ping, and application health
Add-PSSnapin VeeamPSSnapin
$backupJob = Get-VBRJob -Name "Tier1-DailyBackup"
$sureBackupJob = Get-VSBJob -Name "Tier1-RestoreTest"
# Verify last restore test completed successfully
$lastSession = Get-VSBSession -Job $sureBackupJob -Last
if ($lastSession.Result -ne "Success") {
Send-MailMessage -To "backup-team@company.com" `
-Subject "ALERT: SureBackup verification failed" `
-Body "Tier 1 restore test failed. Last result: $($lastSession.Result)" `
-SmtpServer "smtp.company.com"
}
Document restore test results and maintain a recovery runbook with step-by-step procedures for each tier.
| Term | Definition |
|---|---|
| 3-2-1-1-0 | Extended backup rule: 3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 restore verification errors |
| RPO | Recovery Point Objective: maximum acceptable data loss measured in time (e.g., 1 hour RPO means max 1 hour of data loss) |
| RTO | Recovery Time Objective: maximum acceptable downtime before system must be operational |
| Immutable Backup | Backup copy that cannot be modified, encrypted, or deleted for a defined retention period, even by administrators |
| Air-Gapped Backup | Physically isolated backup with no network connectivity to production systems, providing strongest ransomware protection |
| Hardened Repository | Linux-based backup storage with minimal attack surface, no persistent SSH, and immutable file flags |
Context: A mid-size bank with 500 servers, 200TB of data, and regulatory requirements for 7-year retention must redesign backup after a peer institution was hit by ransomware. Current backups use a single Veeam repository on a Windows server joined to the production domain.
Approach:
Pitfalls:
## Ransomware Backup Strategy Assessment
**Organization**: [Name]
**Assessment Date**: [Date]
**Assessor**: [Name]
### Current State
- Backup Solution: [Product/Version]
- Copies: [Number and locations]
- Immutable Copy: [Yes/No - Details]
- Air-Gapped Copy: [Yes/No - Details]
- Credential Isolation: [Yes/No - Details]
- Last Restore Test: [Date - Result]
### Gap Analysis
| Control | Current | Target | Gap | Priority |
|---------|---------|--------|-----|----------|
| Immutable backup | None | S3 Object Lock + Linux Hardened Repo | Missing | Critical |
| Credential isolation | Domain-joined | Standalone local accounts + MFA | Partial | Critical |
| Restore testing | Ad-hoc manual | Automated weekly SureBackup | Missing | High |
### Recommendations
1. [Priority] [Recommendation] - [Estimated effort]
2. ...
### Recovery Tier Summary
| Tier | Systems | RPO | RTO | Backup Schedule | Restore Test Frequency |
|------|---------|-----|-----|-----------------|----------------------|
| 1 | 50 | 1hr | 4hr | Hourly inc/Daily full | Weekly |
| 2 | 200 | 4hr | 12hr | 4hr inc/Daily full | Monthly |
| 3 | 250 | 24hr | 48hr | Daily inc/Weekly full | Quarterly |