Credits: This blog post has been co-authored by Chaya Aishwarya. Automation samples developed by Akhil Nampelly, Rajath Ranganath and Vasavi Pasula. Reviewers: Srinath Vasireddy, Anshul Ahuja, Neeraj Jain, Pratik Joshi, Kalyan Karri, Sivasubramanian Narayanan, Yuri Diogenes
Ransomware attacks deliberately encrypt or tamper data to force your organization to pay money to attackers. These attacks can target your data and your backups. The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems. You can leverage Azure native ransomware protection capabilities and implement the best practices to ensure your organization is optimally positioned to prevent, protect, and detect potential ransomware attacks on your Azure assets.
One of the most important steps you can take to protect your data is to have a reliable backup infrastructure. But it's just as important to ensure that your data is backed up in a secure fashion, and that your backups are always protected. Azure Backup provides several security capabilities to help you protect your backup data. Soft Delete is enabled by default: even if a malicious actor deletes a backup (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. Immutable vault can help you protect your backup data by blocking any operations that could lead to loss of recovery points. You can configure Multi-user authorization (MUA) for Azure Backup as an additional layer of protection for critical operations on your Recovery Services vaults. Even if security best practices are not followed and notifications aren't configured for the Recovery Services vault, critical alerts for destructive operations (such as stop protection with delete backup data) are still raised and an email is sent to subscription owners, admins, and co-admins (learn more).
Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure, on-premises, and multicloud (Amazon AWS and Google GCP) resources. Defender for Cloud generates security alerts when threats are identified in your cloud, hybrid, or on-premises environment. It is available when you enable enhanced security features. Each alert provides details of affected resources along with the information you need to quickly investigate the problem and steps to take to remediate an attack. In the event of a malware or a ransomware attack on an Azure Virtual Machine, Microsoft Defender for Cloud detects suspicious activity and indicators associated with ransomware on an Azure VM and generates a Security Alert.
Here are the Defender for Cloud Alerts that trigger on a Ransomware detection:
Defender for Cloud provides threat intelligence reports containing information about detected threats. This helps incident response teams investigate and remediate threats. For more details: Microsoft Defender for Cloud threat intelligence report | Microsoft Learn
Assume a Virtual Machine protected by both Defender and Azure Backup is breached. Defender detects the ransomware and raises an alert that includes details of the activity and suggested recommendations to remediate. As soon as a ransomware signal is detected by Defender, ensuring that backups are preserved (i.e., paused from expiring) to minimize data loss is top of our customers' mind. This sample solution demonstrates integration of Azure Backup with Microsoft Defender for Cloud for detection and response to alerts, to accelerate response. The sample illustrates the following three use cases: 1) the ability to send email alerts to the backup admin, 2) a SecOps admin triages the alert and manually triggers the logic app to secure backups, and 3) a workflow that automatically responds to the alert by performing the Disable Backup Policy (Stop backup and retain data) operation.
Note: This sample solution is scoped to Azure Virtual Machines. The logic app can only be deployed at a subscription level, which means that all Azure VMs under the subscription can leverage the logic app for pausing expiry of recovery points in the event of a security alert.
Step 1: Deploy the logic app
Note: Owner access on the Subscription is needed to deploy the logic app.
Subscription: Select the Subscription whose Azure VMs the logic app should govern.
Name: Input a suitable name for the logic app.
Region: Choose the region with which the Subscription is associated.
Email: Input the email address of the Backup admin for them to receive alerts when policy is suspended.
Resource Group: Logic apps need to be associated with a Resource Group for deployment. Choose any Resource Group for the same.
Managed Identity: Create and assign a Managed Identity (for guidance on creating a User-defined Managed Identity, visit here) with the below minimum permissions for the service to automatically perform the 'Stop backup and retain data' operation on the backup item in the event of a malware alert.
Note: To further tighten security, we recommend that you create a custom role and assign it to the Managed Identity instead of the above built-in roles. This ensures that all calls run with least privilege. For more details on custom roles, visit the GitHub article.
Managed Identity Subscription: Input the name of a Subscription that the Managed Identity should reside in.
Managed Identity Resource Group: Input the name of a Resource Group that the Managed Identity should reside in.
Step 2: Authorize Office 365 for email alerts
To authorize the API connection to Office 365:
Step 3: Triggering the logic app
The logic app deployed in step 1 can be triggered manually or automatically by leveraging workflow automation.
Note: The minimum RBAC permissions needed for triggering an action for the security alert are the Logic App Operator and Security Admin roles.
Triggering using workflow automation via Azure portal:
Workflow automation ensures that in the event of a security alert, the backups corresponding to the affected VM automatically reach the 'Stop backup and retain data' state, thereby suspending the policy and pausing recovery point pruning. You can also use Azure Policy to deploy workflow automations.
Note: Minimum roles of Logic app Operator and Security Admin are required to deploy the workflow automation.
Step 4: Email Alerts
Upon disabling the backup policy on the backup item, the logic app also sends an email to the ID entered during deployment. The email ID should ideally be that of the Backup Admin. The alert can then be investigated, and the backups can be resumed once the issue is resolved or if it is a false alarm.
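To make the core of the automated response in steps 1 and 3 concrete, here is an added example (not the sample solution's own code) that parses a Defender for Cloud alert payload, keeps only the affected Azure VMs, and builds the Azure Backup REST request that moves each VM's backup item to the ProtectionStopped state ("Stop backup and retain data"). The alert payload is constructed; its field names follow the Defender for Cloud alert schema as assumed here, the api-version is an assumption, and the Recovery Services vault ID is assumed to have been looked up beforehand.

```python
"""Added example: Defender for Cloud alert -> Azure Backup 'stop and retain' request."""
import json
import re

# Constructed sample alert (not a real alert). Field names are assumed to follow
# the Defender for Cloud alert resource schema (camelCase, as the REST API returns).
SAMPLE_ALERT = json.dumps({
    "properties": {
        "alertDisplayName": "Ransomware indicators detected",
        "severity": "High",
        "resourceIdentifiers": [
            {"type": "AzureResource",
             "azureResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                                "/resourceGroups/prod-rg/providers/Microsoft.Compute"
                                "/virtualMachines/web01"},
            {"type": "LogAnalytics", "workspaceId": "placeholder-workspace-id"},
        ],
    }
})

VM_ID = re.compile(r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
                   r"/providers/Microsoft\.Compute/virtualMachines/(?P<vm>[^/]+)$", re.I)


def affected_vms(alert_json):
    """Return (subscription, resourceGroup, vmName) for each Azure VM named in the
    alert. Other resource identifiers (workspaces, storage accounts) are ignored,
    since the sample solution is scoped to Azure VMs."""
    props = json.loads(alert_json)["properties"]
    vms = []
    for ident in props.get("resourceIdentifiers", []):
        match = VM_ID.match(ident.get("azureResourceId", ""))
        if ident.get("type") == "AzureResource" and match:
            vms.append((match["sub"], match["rg"], match["vm"]))
    return vms


def stop_backup_request(vault_id, vm_sub, vm_rg, vm_name, api_version="2021-02-10"):
    """Build (method, url, body) for the PUT that sets the VM's protected item to
    ProtectionStopped, i.e. stop backup and retain data. vault_id is the resource ID
    of the Recovery Services vault protecting the VM (assumed known). Container and
    item names follow the Azure IaaS VM naming convention; api_version is assumed."""
    container = f"IaasVMContainer;iaasvmcontainerv2;{vm_rg};{vm_name}"
    item = f"VM;iaasvmcontainerv2;{vm_rg};{vm_name}"
    url = (f"https://management.azure.com{vault_id}/backupFabrics/Azure"
           f"/protectionContainers/{container}/protectedItems/{item}"
           f"?api-version={api_version}")
    body = {"properties": {
        "protectedItemType": "Microsoft.Compute/virtualMachines",
        "protectionState": "ProtectionStopped",
        "sourceResourceId": f"/subscriptions/{vm_sub}/resourceGroups/{vm_rg}"
                            f"/providers/Microsoft.Compute/virtualMachines/{vm_name}"}}
    return "PUT", url, body
```

In the deployed logic app the equivalent HTTP action would authenticate with the Managed Identity from step 1; the email step then notifies the Backup admin with the same VM details.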