Rubrik: Backups as Security Telemetry

Rubrik
07/01/2026

Transcript


Since secure backups can't be altered or encrypted or deleted, a lot of times they are the source of sort of digital fingerprints for threats that have evaded detection. You know, they can act as a record of threats that other security solutions have missed. So, for example, a threat that is embedded in, you know, a hypervisor. Those things are backed up, but traditional EDR solutions often lack visibility into those. So what we've found is that threat actors understand this. They've sort of conducted a proof of concept for the threat vector. And so it's something that we expect to be a lot more going forward. But just in general, we see it as another source of telemetry that, as you rightly point out, is too often overlooked.

Give us a rating. Let us know what you think about the show. It really helps us reach more listeners like you who are trying to improve the resilience of their business. And it helps me know what content you want to hear more about. So today I had a really great conversation with Kyle Fiehler, a transformation analyst at Rubrik Zero Labs. He has expertise across AI and info security, cybersecurity and geopolitics, cyber resilience and IT leadership. He works closely with CXOs at G2K enterprise organizations on matters of zero trust and secure digital transformation. We'll talk about backups being a snapshot into failed attempts at stopping bad actors. A really interesting conversation and a really refreshing take. Let's get into it.

Well, to get into the media conversation. So we're here to talk about backups, which is not something that a lot of security teams tend to spend a lot of time with, but it seems like you believe that they should. So what are some things that backups reveal that traditional security telemetry often misses?

Yeah. So since secure backups can't be altered or encrypted or deleted, a lot of times they are the source of sort of digital fingerprints for threats that have evaded detection. They can act as a record of threats that other security solutions have missed. So, for example, a threat that is embedded in a hypervisor, those things are backed up, but traditional EDR solutions often lack visibility into those. So what we've found is that threat actors understand this. They've sort of conducted a proof of concept for the threat vector. And so it's something that we expect to see a lot more going forward. But just in general, we see it as another source of telemetry that, as you rightly point out, is too often overlooked because it is another source. And I think if you're in charge of defending a company from the myriad of threats facing any large organization today, you want all the information that's available to make the best decisions possible.

Right. Absolutely. And when you're analyzing these compromised backups, where are most organizations going wrong? Are you noticing any patterns throughout all the different organizations that you're kind of analyzing and working with?

Well, I'd say, I mean, the biggest thing is just companies not recognizing that their backup data is that additional source of telemetry, like I mentioned. So it's often just completely overlooked. I think that in general, there is an opportunity for security teams to be scanning backups for, you know, indicators of compromise, using YARA rules, hashes, to be searching for threat actors in their backup data, especially ones who have the utmost motivation to not be found. So these are typically state-backed actors who are interested in establishing persistence, evading detection, so that they can conduct these long-term operations.

Right, right. And so if backups are showing repeated failure patterns over time, who owns fixing that? Is it the CISO? Is it the CIO? Is it the board? Is it a combination of all of these folks? Who kind of owns addressing this issue?

Yeah. So I think it's different. It's different by organization. And, you know, in general, there is this issue in managing backups about ownership. Who owns it? You know, is it IT or security? And I think more and more, it will need to become a security function as we notice groups that are financially motivated threat actors who recognize the importance or the opportunity, I should say, in targeting backups specifically. So Evil Corp is a Russian-based ransomware group that has figured this out very well. They know that they can delete, you know, recovery routines, delete the backups themselves, and by doing so, they've maximized their leverage over whoever their target may be. So I think it's increasingly becoming a security concern as we see more and more financially motivated threat actors who are interested in achieving the payday as soon as possible. They actually want to trip that wire. They want to trigger a response from a security team because that's the quickest way to get the engagement going.

Right, right. Absolutely. And I'd like to talk a little bit about backup's best friend, and that is recovery. You know, oftentimes we're talking about backup and recovery. And another theme that you and your team talk a lot about is MTTR or mean time to response. So how should security leaders think about mean time to response or MTTR? And what should they be doing to reduce that?

Yeah, so stepping back a little bit, some interesting data we've found is that, you know, in conducting year after year surveys, we've found among our respondents who are IT and security leaders all over the globe, large organizations, confidence in recovery times tends to be falling. And, you know, I think the numbers are something like barely a quarter of IT and security leaders feel that they could respond in 12 hours or less to a security incident, whereas a year ago, that number was over 40%. So what are the reasons for that? I suspect one of them is the deliberate targeting of backup data. And then another I would say is identity infrastructure is often compromised as a part of these attacks. And this is where too many organizations are still relying on manual processes to recover their identity infrastructure, because oftentimes threat actors will escalate privileges in order to get something done. I mentioned the deleting of recovery routines. You know, oftentimes you need elevated privileges to do that. But what happens when threat actors start to compromise identity infrastructure is almost no access or authorization processes can be trusted. And so it's so important to restore identity infrastructure to a clean state if you're going to take that power away from the threat actor. In terms of MTTR, what we talk a lot about at Rubrik Zero Labs is how do we turn that from a coarse metric of, okay, you know, my mean time to recover, we were aiming for four hours and it took us six. That doesn't tell you why. So a lot of what we've focused on is how can we use the data that we have, break that process down into discrete phases. So is the problem that it took you a long time to determine the scope of the compromise? Is the problem that it took you a long time to validate that you recovered to a clean state? Or is it some other phase in there? So we often talk about how understanding the phased recovery process points you to potential areas for improvement where you can cut that overall MTTR. And then, of course, these are things, you know, you'll hear from security leaders all the time that you cannot go into an incident, that's not the time to be testing your recovery. So these things have to be drilled continuously as sort of a, you know, lifecycle management of recovery capabilities.

Right. I want to go back to something else that you mentioned at the top of that question. And you talked a little bit about how identity-based attacks kind of operate and the challenges facing attacks that operate in that aspect. But you also mentioned that threat actors are targeting backups. And so we talked about how backups can be used as this unique security telemetry tool, but I kind of want to talk about it from the threat actor perspective. I understand why an organization, you know, a nation-state group or some hacktivist group is targeting a backup system. But what can organizations do about that if, you know, they're thinking of their backups as their last line of defense? How can they prepare against those kinds of attacks?

Yeah, so it starts with, you know, things like isolated clean room recovery environments, air gapping. You have to be able to limit your access to the backup environments themselves. And so that's why a lot of threat actors today are targeting cloud-based backup, cloud-native backups specifically, is because there's not that, you know, there's not that barrier there. So I mentioned Evil Corp. There's another group that Microsoft is following closely called Storm-0501 that I think is sort of the proof that this has become a pure leverage play. So this group is known to deliberately target and delete backups to the point where they're no longer deploying traditional malware with their ransomware threats. They're just exfiltrating the data, deleting the backups, and saying, you know, and then delivering ransom without, you know, what we would consider a traditional piece of ransomware. This group used to deploy, you know, things like LockBit or Hive, BlackCat, but they've just completely left that off the, you know, the attack chain now because it's just, it's not necessary for them. They've already compromised the target to such a degree that the leverage is there.

So going back to how organizations can really leverage their backup data and start, you know, maximizing their value there, what are the three actionable steps that security and IT teams can take today to start getting that full value from their backup data?

Well, I mean, one is starting to scan the environment. You know, you have to be conducting the scans to get any real benefit from them. You want to be monitoring for things like configuration drift. So any suspicious activity in logs that you wouldn't expect to see in places like VPNs or appliances that are not, you know, the quote-unquote boxes that are not typically scanned by, you know, an EDR tool or, you know, other security solutions. And then finally, I would say the hardening and recoverability of that identity infrastructure is critical, especially if, you know, you're in a position where you're relying on cloud-native identity infrastructures like the Entra IDs and things like that.

Great things for everyone listening to start considering about their own organization if they're not already. But Kyle, thank you so much. Is there anything else that you want to leave the listeners with that we haven't already covered?

Um, no, I think I would just, you know, reiterate that because secure backups are not, you know, can't be altered, encrypted, or deleted, they often act as a de facto record of what your other security solutions have missed. So there's really no reason not to be probing them for that valuable threat intelligence.

Right, absolutely. That's a really interesting and different perspective than we've heard before. So thank you so much for joining us again. And, you know, until next time. This has been a wrap-down designed by Elliot Peltzman, audio mixing by Elliot Peltzman and Trey Hester, video production support by Bridget Kricke-Wilde and Sorel Joppe. Until next time, stay resilient.

TL;DR

  • Secure backups preserve digital fingerprints of threats that evaded traditional security tools, making them a critical but overlooked source of security telemetry for detecting hypervisor-level and state-backed threats.
  • Ransomware groups like Evil Corp and Storm-0501 deliberately target and delete backups to maximize leverage, with Storm-0501 now skipping traditional ransomware payloads entirely in favor of data exfiltration and backup deletion.
  • Confidence in recovery times is falling as organizations struggle with identity infrastructure compromise and lack phased recovery processes that isolate bottlenecks in scoping, validation, and identity restoration.
  • Organizations should scan backup environments for IOCs, monitor configuration drift in non-traditional assets like VPNs and appliances, and harden identity infrastructure with isolated clean room recovery environments.

Backups as Overlooked Security Telemetry

Kyle Fiehler argues that secure, immutable backups represent a critical but underutilized source of security intelligence. Because they cannot be altered, encrypted, or deleted, backups preserve digital fingerprints of threats that evaded traditional detection tools like EDR solutions. Hypervisor-level threats, for example, are captured in backups, yet endpoint security platforms often have no visibility into them. Organizations fail to recognize backup data as actionable telemetry, missing opportunities to scan it for indicators of compromise using YARA rules and threat hashes. This oversight is particularly dangerous given that state-backed actors deliberately evade detection to establish long-term persistence, making backups one of the few records of their activity.
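The two detection activities the interview recommends, scanning backup data for indicators of compromise (hashes and YARA-style rules, above) and monitoring backups for configuration drift (the "three actionable steps"), as an added Python example that is not Rubrik's code or anything shown in the interview. The two snapshots, the fake implant bytes and the IOC feed are all constructed for the example; the byte-pattern match is a stand-in for a real YARA rule engine, and the watched path prefixes are an assumption.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data: two consecutive immutable snapshots of one host,
# modelled as {path: file bytes}. Day 2 shows the pattern the interview
# describes: a hardened sshd_config loosened, a backup-verification cron job
# deleted, and a new (constructed, fake) implant placed where EDR rarely looks.
SNAPSHOT_DAY1 = {
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/cron.d/backup-verify": b"0 2 * * * root /usr/local/bin/verify-backups\n",
    "usr/local/bin/verify-backups": b"#!/bin/sh\nexec /opt/backup/verify\n",
}
IMPLANT_BYTES = b"\x7fELF\x02\x01\x01CONSTRUCTED-IMPLANT-MARKER\x00"  # fake, constructed
SNAPSHOT_DAY2 = {
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
    "usr/local/bin/verify-backups": b"#!/bin/sh\nexec /opt/backup/verify\n",
    "opt/vmtools/helper.so": IMPLANT_BYTES,
}

# Constructed IOC feed: a SHA-256 of the fake implant, plus a byte pattern
# standing in for a YARA string rule (a real deployment would call yara-python).
IOC_HASHES = {hashlib.sha256(IMPLANT_BYTES).hexdigest(): "constructed-implant-v1"}
IOC_PATTERNS = {"constructed_implant_marker": b"CONSTRUCTED-IMPLANT-MARKER"}
# Assumed set of paths whose drift between snapshots is security-relevant.
WATCHED_PREFIXES = ("etc/", "usr/local/bin/")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "hash" or "pattern"
    detail: str  # name of the IOC that matched


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_for_iocs(snapshot, ioc_hashes, ioc_patterns):
    """Hash every file in the snapshot and check it against the IOC feed."""
    findings = []
    for path in sorted(snapshot):
        data = snapshot[path]
        digest = sha256_hex(data)
        if digest in ioc_hashes:
            findings.append(Finding(path, "hash", ioc_hashes[digest]))
        for name, pattern in ioc_patterns.items():
            if pattern in data:
                findings.append(Finding(path, "pattern", name))
    return findings


def config_drift(previous, current, watched_prefixes=WATCHED_PREFIXES):
    """Report watched files that were added, removed or changed between snapshots."""
    prev_paths = {p for p in previous if p.startswith(watched_prefixes)}
    curr_paths = {p for p in current if p.startswith(watched_prefixes)}
    return {
        "added": sorted(curr_paths - prev_paths),
        "removed": sorted(prev_paths - curr_paths),
        "modified": sorted(
            p for p in prev_paths & curr_paths
            if sha256_hex(previous[p]) != sha256_hex(current[p])
        ),
    }


def analyze_snapshots(previous, current):
    """Combine IOC scanning of the newest snapshot with drift against the prior one."""
    return {
        "iocs": scan_for_iocs(current, IOC_HASHES, IOC_PATTERNS),
        "drift": config_drift(previous, current),
    }


if __name__ == "__main__":
    report = analyze_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2)
    for f in report["iocs"]:
        print(f"IOC {f.kind:7} {f.path} -> {f.detail}")
    for change, paths in report["drift"].items():
        for p in paths:
            print(f"DRIFT {change:8} {p}")
```

Because the snapshots are immutable, a removed recovery routine or a loosened sshd_config cannot be hidden after the fact, which is exactly why drift between consecutive snapshots is worth alerting on even when the endpoint itself reports nothing. In practice the snapshot dicts would be replaced by a walk over a mounted, read-only restore of each backup.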

Ransomware Groups Targeting Backup Infrastructure

Financially motivated threat actors have recognized that targeting backups maximizes leverage and accelerates ransom payouts. Groups like Evil Corp and Storm-0501 deliberately delete backups and recovery routines to eliminate recovery options. Storm-0501 has evolved its tactics to the point where it no longer deploys traditional ransomware payloads like LockBit or Hive — instead, the group exfiltrates data, deletes backups, and delivers ransom demands without encryption. This shift reflects a pure leverage play where compromising backup infrastructure alone is sufficient to force payment. Organizations relying on cloud-native backups without proper isolation, air gapping, or clean room recovery environments are particularly vulnerable to these targeted attacks.

Rethinking MTTR and Identity Recovery

Confidence in recovery times is declining, with only a quarter of IT and security leaders believing they can respond to incidents in 12 hours or less, down from over 40% a year prior. Fiehler attributes this to deliberate backup targeting and the compromise of identity infrastructure, which many organizations still recover manually. When threat actors escalate privileges to delete recovery routines or compromise identity systems, no access or authorization processes can be trusted. Rubrik Zero Labs advocates breaking MTTR into discrete phases — scoping compromise, validating clean recovery, and restoring identity — to identify specific bottlenecks rather than treating recovery as a single coarse metric. Continuous drilling of phased recovery processes is essential, as incidents are not the time to test recovery capabilities.

Chapters

0:00 - Backups as Digital Fingerprints
2:00 - Introduction and Context
3:34 - Where Organizations Go Wrong
4:43 - Who Owns Backup Security
6:11 - Rethinking MTTR
9:21 - Threat Actors Targeting Backups
11:38 - Three Actionable Steps
13:01 - Closing Thoughts

Key Quotes

0:00 "Since secure backups can't be altered or encrypted or deleted, a lot of times they are the source of sort of digital fingerprints for threats that have evaded detection."
2:38 "They can act as a record of threats that other security solutions have missed."
5:26 "Evil Corp is a Russian-based ransomware group that has figured this out very well. They know that they can delete recovery routines, delete the backups themselves, and by doing so, they've maximized their leverage over whoever their target may be."
10:41 "There's another group that Microsoft is following closely called Storm 0501 that I think is sort of the proof that this has become a pure leverage play."
10:57 "They're just exfiltrating the data, deleting the backups, and saying, you know, and then delivering ransom without what we would consider a traditional piece of ransomware."
13:10 "Because secure backups are not, you know, can't be altered, encrypted, or deleted, they often act as a de facto record of what your other security solutions have missed."

FAQ

Why are backups considered a unique source of security telemetry?

Secure backups cannot be altered, encrypted, or deleted, so they preserve digital fingerprints of threats that evaded detection by traditional security tools. They capture hypervisor-level threats and state-backed actor activity that endpoint and network solutions often miss, making them a historical record of compromises that other telemetry sources overlook.

How should organizations protect backups from targeted attacks?

Organizations should implement isolated clean room recovery environments, air gapping, and strict access controls to backup infrastructure. Cloud-native backups are particularly vulnerable because they lack physical barriers, so limiting access and hardening identity infrastructure are critical to preventing threat actors from deleting backups and recovery routines.

