Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Comprehensive threat detection analysis, malware scanning, and Recon Scanner 3.0 on Veeam Data Platform
As cyberattacks, especially ransomware, become more sophisticated, backup infrastructure has become a prime target for attackers. In many modern scenarios, before implementing extensive encryption, an attacker will attempt to:
- Gain administrative access to backup servers
- Delete or destroy backups
- Infect restore points
In response to these threats, Veeam has introduced a multi-layered, behavior-driven, threat-analysis-based approach to Veeam Data Platform that ensures security throughout the data lifecycle: before, during, and after the backup process.
Multi-layered security architecture (Defense-in-Depth)
Veeam’s security model is designed around three main layers:
- Pre-Backup
- Scanning during backup operations (Inline Detection)
- Post-Backup & Restore Validation
This structure allows even if one layer passes detection, other layers will still detect it.
Pre-infection threat detection – Recon Scanner 3.0
Introduction
Recon Scanner 3.0 is Veeam’s advanced behavioral analysis engine that detects suspicious activity in your backup infrastructure before a destructive attack occurs. The tool is now seamlessly integrated into Veeam Data Platform and does not require a separate installation.
Technical performance (SOC team specific)
Recon Scanner works by collecting and analyzing the following data:
- Windows Event Logs
- Privilege Escalation
- Authentication Logs
- PowerShell Activities
- Creating or executing known attacker tools
- Unusual network connection patterns
Findings based on the framework:
MITRE ATT&CK
They are categorized and each event is mapped to a specific Tactic and Technique (such as Initial Access, Credential Dumping, Lateral Movement).
Key Features of Recon Scanner 3.0
Centralized dashboard for managing alerts with the ability to:
- Prioritization based on severity
- Classification by attack tactic
- False Positive Removal
- Archive of reviewed events
- Reconstructing the attack timeline
- Identifying the first sign of intrusion
- Determine the last healthy restore point
Indicators of Compromise are automatically updated before each scan.
Ability to send alerts to:
- Veeam ONE
- Microsoft Sentinel
- Other SIEM platforms
Malware scanning during backup operations (Inline Detection)
At this stage, the data is checked simultaneously with the backup process.
Technical mechanisms
- Analysis of the sudden increase in encrypted blocks
- Check for unusual file changes
- Identify high entropy patterns (sign of mass encryption)
- Detecting ransomware-like behaviors
Immutable Backup
Immutable Repositories prevent the backup file from being deleted or modified for a specified period of time. This feature is usually implemented on Linux Hardened Repository or Object Storage with Object Lock capability.
Scanning after backup and during restore
The goal of this step is to prevent the restoration of infected data.
Scan Backup feature
Ability to scan Restore Points without the need to fully restore the VM.
Supported scan engines:
- Veeam Threat Hunter (Signature-Based)
- YARA Rules
- Third-party antiviruses
- IOC Tool Detection
A corrupted restore point can be flagged so that it is not selected in the restore process.
Practical ransomware attack scenario
Step 1: Initial Access
Recon Scanner detects brute force attempts.
Step 2: Lateral movement
Log analysis indicates Privilege Escalation.
Step 3: Attempt to delete the backup
Immutable Repository prevents deletion.
Step 4: Encrypt data
Inline Scan detects abnormal increases in entropy.
Step 5: Recovery
Scan Backup identifies the last healthy Restore Point.
Result: Quick recovery without paying the ransom.
Comparison with traditional approaches
| Veeam | Traditional Approach |
|---|---|
| Scan only during Restore | Scan before, during and after backup |
| Signature-based | Combining Behavior + IoC + Signature |
| No attack phase analysis | Full mapping to MITRE ATT&CK |
| No Timeline Analysis | Complete forensic analysis |
Key Benefits for Organizations
- Increasing Data Resilience
- Reduce Mean Time to Detect (MTTD)
- Reducing Mean Time to Recover (MTTR)
- Preventing the restoration of infected data
- Alignment with SOC operations
Conclusion
In the modern cybersecurity architecture, backup is no longer just a stored copy of data; it is an organization’s last line of defense against ransomware attacks.
Veeam with integration:
- Advanced Behavioral Analysis
- MITRE ATT&CK Framework
- Multi-stage malware scanning
- Immutable Storage
- Forensics capabilities
It has provided a complete Cyber Resilience platform .
This approach ensures that:
Below is a practical, step-by-step checklist for implementing cybersecurity in Veeam . This checklist is designed for backup, infrastructure, and SOC teams and is built on the capabilities available in Veeam Data Platform.
Veeam Cybersecurity Implementation Checklist
Hardening the backup infrastructure
- Separating the Backup Server from the Domain Controller
- Using a separate management network (Management VLAN)
- Not joining the Linux Hardened Repository to the domain
- Restrict RDP access only through Jump Server
- Using a dedicated Service Account for Veeam
- Remove unnecessary membership in Domain Admins
- Enable MFA for manager accounts
- Enabling Role-Based Access Control in the Veeam console
- Install the latest version of Veeam
- Installing operating system security patches
- Review of CVEs related to Backup Infrastructure
Implementing Immutable Backup
- Installing Repository on Standalone Linux
- Enabling immutability (chattr +i)
- Specify an unchangeable retention period (e.g. 14–30 days)
- Disable SSH Password Login
- Activating Object Lock
- Setting Governance Mode or Compliance Mode
- Object deletion prevention test
Recon Scanner 3.0 activation
- Enabling Recon Scanner from the Veeam console
- Ensuring automatic IoC updates
- Defining the Monitoring Scope (up to 10 servers)
- Enable Windows Event Logs monitoring
- PowerShell Logging Monitoring
- Privilege Escalation Detection Review
- Brute Force Detection Review
- Configuring Triage Inbox
- Determining Severity Threshold
- Definition of a Playbook for Incident Response
Integration with SOC and SIEM
- Enabling Syslog Forwarding
- Connecting to Microsoft Sentinel
- Connect to the organization’s SIEM
- Check mapping to MITRE ATT&CK
- Defining Correlation Rules in SIEM
- Alert Trigger testing with simulated scenario
Enable malware scanning
- Enabling Malware Detection in Job Settings
- Setting the Threshold for Encryption Anomaly Detection
- Encryption simulation scenario testing
- Enabling Veeam Threat Hunter
- Importing Custom YARA Rules
- Connecting to third-party antivirus (if needed)
- Restore Point Scan Test
Forensic analysis and secure recovery
- Check the Attack Timeline
- Determining First Malicious Activity
- Identifying the Last Known Good Restore Point
- Running SureBackup
- Sandbox Restore Test
- Check VM healthy boot
Attack Scenario Testing (Tabletop Exercise)
- Brute Force Simulation
- Simulate the execution of a suspicious tool
- Simulate backup deletion
- Extensive encryption simulation
Objective: Review the response of Recon Scanner, SIEM and SOC team
Continuous monitoring
- Daily Triage Inbox Review
- Weekly review of high severity alerts
- Monthly review of Immutability status
- Periodic Restore Test
Key Performance Indicators (KPI)
It is recommended that the SOC team measure the following:
- Mean Time To Detect (MTTD)
- Mean Time To Response (MTTR)
- Number of infected restore points
- Percentage of Immutable Backups
- Number of False Positives
Periodic security review
- Review access every 3 months
- Annual internal penetration testing
- Review Veeam security settings
- Check the version and new features
Executive summary
If all of the above is implemented, your Veeam infrastructure:
- Resilient against backup deletion
- Detects attacks before widespread destruction
- Enables clean and fast recovery Aligns
- with SOC operations
