Immutable (persistent) backups are designed to ensure that critical data remains available and trustworthy, even if production systems and traditional backups are compromised. The primary objective is to guarantee a reliable recovery point when attackers attempt to delete, corrupt, or encrypt data.
Modern attackers increasingly target backup systems as part of their operations. In wiper scenarios, this is especially critical: once data is destroyed, recovery is only possible if clean backups still exist and remain accessible.
Key good practices
The CCB guidelines emphasize several core principles for effective immutable backup strategies:
- Immutability by design
Backups must be protected against modification or deletion once written. This prevents attackers, including those with administrative privileges, from tampering with backup data.
- Layered backup approach
Organizations are encouraged to combine multiple backup technologies (for example, cloud-based immutability, on-premises solutions, or offline media such as tapes). This reduces single points of failure and increases resilience against sophisticated attacks.
- Isolation and air-gapping
Backup environments should be logically or physically isolated from production systems. This limits the attacker’s ability to move laterally and compromise backups during an incident.
- Appropriate retention policies
Retention periods must be long enough to ensure recovery even when an attack remains undetected for weeks. Retaining multiple restore points increases the likelihood of finding clean data.
- Regular restoration testing
Backups are only effective if they can be restored. Periodic testing validates technical recovery procedures and ensures teams are familiar with them under pressure.
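An added example, not taken from the CCB guidelines: a small audit that checks a backup catalogue against the five practices above. The catalogue, its field names and the thresholds (30-day retention, 21-day undetected period, 90-day restore-test interval) are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so the run is reproducible
def days(n): return timedelta(days=n)

# Constructed sample catalogue; field names are assumptions, not a product schema.
CATALOGUE = [
    {"id": "rp-a", "taken": NOW - days(1),  "media": "cloud", "locked_until": NOW + days(29), "isolated": False},
    {"id": "rp-b", "taken": NOW - days(8),  "media": "cloud", "locked_until": NOW + days(22), "isolated": False},
    {"id": "rp-c", "taken": NOW - days(35), "media": "cloud", "locked_until": None,           "isolated": False},
]

def audit(points, now, last_restore_test, retention_days=30, dwell_days=21, test_max_age_days=90):
    """Return findings for the five practices; an empty list means all checks pass."""
    findings = []
    # 1. Immutability: the lock must cover the whole retention period of each point.
    for p in points:
        need = p["taken"] + timedelta(days=retention_days)
        if p["locked_until"] is None or p["locked_until"] < need:
            findings.append(f"immutability: {p['id']} is not locked for its full retention period")
    # 2. Layering: more than one backup technology.
    if len({p["media"] for p in points}) < 2:
        findings.append("layering: all restore points use a single technology")
    # 3. Isolation: at least one copy outside the production trust boundary.
    if not any(p["isolated"] for p in points):
        findings.append("isolation: no isolated or air-gapped copy")
    # 4. Retention: a still-locked point must predate the assumed undetected period.
    cutoff = now - timedelta(days=dwell_days)
    if not any(p["taken"] <= cutoff and p["locked_until"] and p["locked_until"] > now for p in points):
        findings.append(f"retention: no locked restore point older than {dwell_days} days")
    # 5. Restoration testing: the last successful test must be recent.
    if last_restore_test is None or now - last_restore_test > timedelta(days=test_max_age_days):
        findings.append("restore-test: no successful restore test in the allowed window")
    return findings

if __name__ == "__main__":
    for line in audit(CATALOGUE, NOW, last_restore_test=NOW - days(120)):
        print(line)
```

The sample catalogue fails all five checks: its only restore point older than the assumed undetected period is also the one without a lock, so retention and immutability fail together.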
Benefits
When properly implemented, persistent backups:
- Provide a reliable foundation for recovery after destructive attacks.
- Reduce downtime and operational disruption.
- Support regulatory compliance and accountability.
- Protect public trust by enabling continuity of critical services.
In the context of wiper attacks, they represent the last and only line of recovery.