This article discusses three key infrastructure components, the threats they face, and the measures that can be taken to reduce the risk.
The three components are the SIEM, the virtual infrastructure, and the backups. All three are targets for hackers and ransomware. Consider the scenario where an administrative domain account has been compromised and the attacker (a hacker or ransomware) targets these three systems. The only lines of defence at that point are a) network segmentation (perhaps a jump box is required to reach the target system), and b) the compromised credentials not working on the target system. The jump box is a layer of defence, but it is also just another hop that the attacker likely already has permission to use once they identify the requirement.
SIEM
If the SIEM is compromised, the potential impact is a) the SIEM can no longer be trusted in an investigation, b) the SIEM contents could be removed, and c) the information contained within the SIEM is likely sensitive and increases risk in the wrong hands.
Virtual Infrastructure
If the Virtual Infrastructure is compromised, the impact is potentially a) no virtual servers, b) deleted VMDK files, and c) exfiltrated VMDK files.
Backups
If the backups are compromised, the impact is potentially a) inaccessible/deleted backups, and b) exfiltrated files.
The following table shows that all three share very similar mitigations against the hacker and ransomware threats.
| Item | Mitigation |
|---|---|
| SIEM | Backup. Use local auth. |
| Virtual Infrastructure | Backup. Use local auth. |
| Backups | Backup. Store off-line/off-site. Use local auth. |
The mitigations listed in the table above are not absolute. For example, staff might retrieve their own backups for self-service restores; for this they would sensibly use their own SSO credentials. For risk management, the administrative accounts would be disconnected from SSO and be local only.
The rule is: Accounts with administrative or elevated privileges authenticate locally.
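One way to turn the table and the rule above into a repeatable check is to audit an inventory of accounts on the three systems and flag any elevated account that authenticates through SSO or the domain, and to confirm that the backup set includes an off-line and an off-site copy. The code below is an added example, not from the article; the inventory, role names and field names are constructed assumptions, and a real environment would feed the same checks from exports of the SIEM, hypervisor and backup consoles.

```python
"""Policy check: elevated accounts on the SIEM, virtual infrastructure and
backup systems must authenticate locally, and backups need an off-line and
an off-site copy. Example code; the inventory below is constructed."""
from dataclasses import dataclass

# Roles treated as "administrative or elevated" (assumed names).
ELEVATED_ROLES = {"admin", "root", "vcenter_admin", "backup_operator"}


@dataclass(frozen=True)
class Account:
    system: str       # "siem", "virtual_infrastructure" or "backups"
    name: str
    role: str
    auth_source: str  # "local", "sso" or "domain"


@dataclass(frozen=True)
class BackupCopy:
    name: str
    offline: bool     # not reachable from the production network
    offsite: bool     # stored at a different location


def check_accounts(accounts):
    """Return (system, account, reason) for each elevated account that does
    not authenticate locally. Non-elevated SSO accounts (e.g. self-service
    restore users) are allowed, as the article describes."""
    findings = []
    for a in accounts:
        if a.role in ELEVATED_ROLES and a.auth_source != "local":
            findings.append((a.system, a.name,
                             f"elevated role '{a.role}' authenticates via {a.auth_source}"))
    return findings


def check_backups(copies):
    """Return a list of reasons the backup set fails the off-line/off-site rule."""
    reasons = []
    if not any(c.offline for c in copies):
        reasons.append("no off-line backup copy")
    if not any(c.offsite for c in copies):
        reasons.append("no off-site backup copy")
    return reasons


# Constructed sample inventory: two of the five accounts violate the rule.
INVENTORY = [
    Account("siem", "svc-siem-admin", "admin", "local"),
    Account("siem", "alice", "analyst", "sso"),                         # allowed
    Account("virtual_infrastructure", "bob", "vcenter_admin", "domain"),  # violation
    Account("backups", "carol", "backup_operator", "sso"),              # violation
    Account("backups", "dave", "self_service_restore", "sso"),          # allowed
]

# Constructed sample backup set: the tape copy satisfies both requirements.
BACKUP_COPIES = [
    BackupCopy("nightly-nas", offline=False, offsite=False),
    BackupCopy("weekly-tape", offline=True, offsite=True),
]


if __name__ == "__main__":
    for system, name, reason in check_accounts(INVENTORY):
        print(f"[{system}] {name}: {reason}")
    for reason in check_backups(BACKUP_COPIES):
        print(f"[backups] {reason}")
```

Run against the sample inventory it reports bob and carol; drop the tape copy from BACKUP_COPIES and it also reports that no off-line or off-site copy exists.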