AWS re:Invent 2025 - Building resilience against ransomware using AWS Backup (STG412)

Building Resilience Against Ransomware Using AWS Backup

Cyber Threat Landscape

• Ransomware attacks have evolved from a nuisance to a full-blown industry, with attackers often targeting and deleting backups as a primary objective.
• The key metrics to focus on are:
  • Mean Time to Detect (MTTD): Minimize the time it takes to detect a compromise.
  • Mean Time to Respond (MTTR): Reduce the time it takes to initiate mitigation and recovery efforts.
  • Mean Time to Normal (MTTN): Decrease the time it takes to restore normal business operations.
  • Maximum Tolerable Data Loss (MTDL): Determine the maximum amount of data your organization can afford to lose.
• Regulatory landscape is evolving, with new standards and requirements around cyber resilience and data protection, such as DORA, NYDFS, GxP, HIPAA, MASTRM, HKMA, and APRA.

The Role of Backups in Risk Mitigation

• Threat modeling is crucial to identify attack vectors and devise an appropriate recovery strategy.
• Common attack targets include backup systems, notification mechanisms, recovery infrastructure, and backup data itself.
• The 3-2-1 backup strategy is recommended: 3 copies of data, 2 backups, and 1 copy off-site.
• Backups themselves can become a threat if not properly protected, so the principle of least privilege should be applied.
• Developing and maintaining up-to-date runbooks for recovery is essential.

AWS Backup Reference Architecture

Pillars of Resilient Backup Strategy

1. Immutability and Isolation:
   • Backups cannot be altered or deleted, even by an attacker with full account access.
   • Backups are isolated from production systems to prevent shared points of failure.
2. Integrity:
   • Backups are regularly tested to ensure they are clean and can be successfully restored.
   • AWS Backup's "Restore Testing" feature automates this process.
3. Availability:
   • Ensures backups can be accessed and restored, even if the primary account is compromised.
   • AWS Backup's "Multi-Party Approval" feature allows a trusted team to approve access to the backup vault.

Reference Architecture Components

1. AWS Organizations: Used to centralize data management and apply security policies.
2. Delegated Admin Account: Manages backup policies and monitors backups across the organization.
3. Isolated KMS Key Account: Stores encryption keys separately to prevent access denial.
4. Primary Backup Vault: Stores the first copy of backups, with Guard Duty integration for malware scanning.
5. Secondary Backup Vault (Logical Air Gap): Stores an isolated, immutable copy of backups in a separate account.
6. Disaster Recovery Backup Vault: Stores backups in a different AWS Region for disaster recovery.
7. Forensics Account: Used for regular backup testing and malware scanning, leveraging third-party tools.
8. Multi-Party Approval Team: Trusted group that can approve access to the backup vault in the event of a compromise.

Key Takeaways

• Recovery is a multi-stage process, not just a matter of having secure backups.
• Threat modeling is crucial to identify and mitigate specific risks to your recovery strategy.
• Operational recovery, disaster recovery, and cyber recovery should be treated as distinct requirements.
• Cyber resilience is a business problem, not just an IT problem, requiring alignment across the organization.
• The AWS Backup reference architecture provides a comprehensive approach to building resilience against ransomware, focusing on immutability, integrity, and availability of backups.