We are always looking for ways to better protect our data protection infrastructure. Recent investigations and evidence of ransomware attacks have revealed something key: attackers are focusing their efforts on compromising and destroying backup solutions. Why? Simple: without backups, organizations are more likely to pay the ransom. This is where Veeam Decoys comes in, an open source project I developed some time ago to help detect lateral movements (TA0008) and service discovery (TA0007) in your internal network.
Introduction#
The reality is that detecting data protection solutions in a network is relatively simple. Services use specific ports and documentation is public. For an attacker who already has access with administrative credentials, it’s just a matter of time before finding and potentially compromising these critical systems.
This is why, in addition to following the 3-2-1-1-0 rule and implementing immutability in your backups, you need an additional layer of early detection.
Simple but Effective Solution#
Veeam Decoys creates “honeypots” that appear to be real Veeam services. It’s like putting motion sensors in your house, but in this case, it’s in your internal network. These decoys detect if someone or some software is:
- Scanning your network looking for Veeam servers or services
- Attempting to connect to the Veeam console
- Trying to connect to backup repositories
- Testing credentials on remote administration services, RDP, SSH, Netbios
- Performing lateral movements in your infrastructure
What’s it for? Simple - if an attacker is looking for Veeam services, this solution will detect network scans targeting Veeam services and send notifications through:
- Syslog, sending all logs to your SIEM
- Email notifications
This way, you can know early on when attackers are already in your network, using Mitre tactics TA0007 and TA0008 to conduct the respective investigation or initiate the incident response plan.
Simulated Services#
- Veeam Backup Server
- Veeam Hardened Repository
- Veeam Windows Repository
- Veeam Backup Enterprise Manager
- SSH
- Remote Desktop (RDP)
- Netbios
Key Benefits#
- Minimal Resources
- 1 vCPU
- 2GB RAM
- 50GB storage
- Perfect for multiple deployments
- Flexible Implementation
- Deploy across multiple VLANs with a single instance
- Distributed architecture for greater coverage
- Disposable appliance – easy to replace
- Integration and Notification
- Send logs to SIEM via Syslog
- Email alerts
- Compatible with existing monitoring tools
Simple and Distributed Architecture#
Simple Architecture: Ideal for small and medium businesses:
- One Veeam Decoy per critical VLAN
- Centralized SIEM integration
- Email monitoring
Distributed Architecture: Perfect for large enterprises:
- Hierarchical monitoring
- Multiple Decoys per location
- Strategically distributed honeypots
Detailed information about each architecture can be found in the documentation.
Results#
Multiple tests quickly detected:
- Automatic network scans that were previously unknown
- Connection attempts from unauthorized equipment
- Misconfigured inventory tools
- Suspicious lateral movements
- Login attempts on the Veeam Console Decoy
Download and Installation#
Virtual Appliance
- Download: https://dl.24xsiempre.com/DecoyV1.ova
- Implementation time: ~15 minutes
Manual Installation
- GitHub: https://github.com/VeeamHub/veeam-decoy
- Single command installation
Documentation#
English: https://dl.24xsiempre.com/Decoy_Manual_EN.pdf
Spanish: https://dl.24xsiempre.com/Decoy_Manual_ES.pdf
Frequently Asked Questions#
Q: Does it impact my current infrastructure performance?
A: No, the decoys are extremely lightweight and don’t interfere with production services.
Q: Do I need to modify my existing infrastructure?
A: No, Veeam Decoys operates independently.
Q: What should I do if I detect suspicious activity?
A: The tool allows you to initiate your incident response process early. And it should be treated as a priority.
Conclusion#
In an environment where attacks are increasingly sophisticated, we need to be proactive in our defense. Veeam Decoys provides an additional security layer, giving you early visibility of potential threats to your backup infrastructure.
