The article shows you how to recover backups from partial deletion of your assets at Rackspace. The Related comments section at the end of this article discusses how to recover from complete asset deletion.
Occasionally, bad actors attempt to destroy your cloud assets, such as files, websites, databases, and so on. The bad actor might be a foreign attacker who stole cloud account authentication info, or it might be a disgruntled employee with access to company assets or any similar bad actor. Attacks like this might cripple or kill a company, and the ability to recover backups makes the difference between whether the company survives the attack or not.
Note: It should go without saying that you are responsible for protecting the credentials that allow access to your cloud assets. This article outlines how to recover if your credentials were compromised.
Symptoms of an attack#
Company assets, such as servers, backups, or cloud files, suddenly begin disappearing as fast as the bad actor can destroy them.
Solution#
Note: This article addresses the recovery of only those assets related to Cloud Backup (CBU).
For each intact backup configuration (config) container in Cloud Files, you can recover backups for that backup config.
The following steps provide a summary of the solution:
Save or recover as much from associated Cloud Files containers as possible.
The Rackspace CBU support team must revert any machine agents and backup configs that have been deleted for this account.
Do a cross-site restore from the recovered backups to new servers.
The following sections describe the preceding steps in detail.
Step 1#
Time is of the essence in this step. You need to stop the damage before it becomes total. Most importantly, stop the bad actor from deleting any more Cloud Files assets. These should be protected first.
After you discover that assets are being destroyed, contact support to immediately halt access to the account and reset credentials. If you have monitoring and alerts in place to immediately notify stakeholders of malfunctioning assets, you have an advantage in detecting these attacks.
One advantage of Cloud Files in this scenario is that there is not an easy way to do bulk deletes through the web interface without some high-powered utilities that aren’t available through our web interface. So deleting these files can be slow enough that you can interrupt the attacker before he finishes.
The more Cloud Files assets that can be saved or restored before recovery starts, the more backups you can salvage.
Step 2#
Revert any valid machine agents and/or backup configs that have been deleted.
Note: The Rackspace CBU Operations Engineering (OpsEng) or support teams must perform this step.
If you have any offsite backups of the Cloud Files containers for the backup configs in question (see Related comments at the end of this article), you should restore them to their original locations at this time. For this step to be successful, you must have at least one undeleted (or restored) Cloud Files container for at least one backup configuration.
When you request help for this step, reference the Cloud Backup support wiki article, Cloud Backup - Bad Actor Attack, in your comments on the ticket. The public can’t view the article, but Cloud Backup support can access it. Only Rackspace Support can perform the steps described in that wiki article. They must revert the deleted assets (machine agents and backup configurations) in your account.
Step 3#
For any machine agent and backup config that Support successfully restored, use Cloud Backup to do a cross-site restore to a new server.