MITRE ATT&CK® Mitigation

M0953: Data Backup

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans [1], including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS · M0953 · Mitigation · Object v1.0

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Data Backup is a foundational ICS resilience control: it determines whether an organization can restore critical servers, end-user systems, and “gold-copy” configurations when adversary activity affects control, view, or availability. For executives, the issue is not whether backups exist, but whether they are hardened, separated from the corporate network, and exercised through incident response plans so recovery is practical under pressure.

Executive priority

Prioritize this as an operational continuity and cyber-physical resilience control. The ATT&CK relationships tie it to ICS outcomes including data destruction, denial or loss of control/view, loss of availability, manipulation of control/view, loss of productivity and revenue, and credential changes. Leadership should ask for evidence that backup scope covers key systems, recovery images and configurations are current, backup infrastructure is protected from the same compromise path as production, and incident response exercises prove recovery timelines are achievable.

Technical view

For SOC, IR, and engineering teams, validate backup readiness around the systems that matter to ICS operations rather than treating backup as a generic IT control. Confirm critical servers, end-user systems, key system images, and configurations are backed up; confirm backup and storage systems are hardened and separated from the corporate network; and confirm incident response plans include restoration from gold-copy images. Because ATT&CK provides no detection text and no specific platforms or tactics for this mitigation, coverage should be assessed through local architecture, asset criticality, backup configuration, and restore-test evidence.

Likely telemetry

  • Backup job success, failure, and retention logs for critical servers and end-user systems
  • Inventory of gold-copy images and key system configuration backups
  • Restore test and incident response exercise records
  • Administrative access logs for backup and storage systems
  • Network segmentation or separation evidence for backup infrastructure relative to the corporate network

Detection direction

  • Do not treat successful scheduled backup jobs as sufficient evidence; validate restore testing and recovery of key configurations.
  • Review whether backup systems are monitored as critical assets, since compromise of backup infrastructure can undermine recovery.
  • Tune operational monitoring to alert on backup failures, unexpected backup deletion or modification, and unauthorized administrative access where local tooling supports it.
  • Map backup coverage to the related ICS impact scenarios: data destruction, loss or denial of control/view, loss of availability, manipulation of view/control, credential changes, and productivity or revenue disruption.
  • Account for blind spots created by unspecified ATT&CK platforms and missing official detection guidance; local asset inventory and ICS process criticality must drive validation.
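
One way to act on the first and fourth points above, as an added example (not Glexia or MITRE code): it cross-checks backup job logs against restore-test records and the gold-copy inventory, so an asset with a "successful" job but no restore evidence is still flagged. The asset names, record fields, and the 7-day and 180-day thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical asset names, fields and policy thresholds.
NOW = datetime(2025, 6, 1)
MAX_BACKUP_AGE = timedelta(days=7)      # assumed backup freshness policy
MAX_RESTORE_AGE = timedelta(days=180)   # assumed restore-test interval
ASSETS = {  # critical assets and whether a gold-copy image/config is expected
    "historian-01": {"gold_copy_required": False},
    "hmi-eng-ws-02": {"gold_copy_required": True},
    "scada-srv-01": {"gold_copy_required": True},
    "plc-cfg-repo": {"gold_copy_required": True},
}
BACKUP_JOBS = [  # (asset, finished, status) as exported from a backup job log
    ("historian-01", datetime(2025, 5, 31), "success"),
    ("hmi-eng-ws-02", datetime(2025, 5, 30), "success"),
    ("scada-srv-01", datetime(2025, 5, 10), "success"),
    ("scada-srv-01", datetime(2025, 5, 31), "failed"),
]
RESTORE_TESTS = {"historian-01": datetime(2025, 4, 15), "scada-srv-01": datetime(2024, 9, 1)}
GOLD_COPIES = {"hmi-eng-ws-02", "scada-srv-01"}  # assets present in the gold-copy inventory


def audit(assets, jobs, restore_tests, gold_copies, now=NOW):
    """Return {asset: [findings]}; an empty list means the evidence is complete."""
    last_ok = {}
    for asset, finished, status in jobs:
        if status == "success" and finished > last_ok.get(asset, datetime.min):
            last_ok[asset] = finished
    report = {}
    for asset, meta in assets.items():
        findings = []
        ok = last_ok.get(asset)
        if ok is None:
            findings.append("no successful backup")
        elif now - ok > MAX_BACKUP_AGE:
            findings.append("backup stale")
        tested = restore_tests.get(asset)
        if tested is None:
            findings.append("restore never tested")   # job success alone is not evidence
        elif now - tested > MAX_RESTORE_AGE:
            findings.append("restore test stale")
        if meta["gold_copy_required"] and asset not in gold_copies:
            findings.append("gold copy missing")
        report[asset] = findings
    return report

if __name__ == "__main__":
    for asset, findings in audit(ASSETS, BACKUP_JOBS, RESTORE_TESTS, GOLD_COPIES).items():
        print(f"{asset:15} {'OK' if not findings else '; '.join(findings)}")
```

Driving the loop from the asset inventory rather than from the job log is what surfaces critical systems that were never enrolled in backup at all.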

Mitigation priorities

  • Identify critical end-user systems, servers, images, and configurations required to restore ICS operations.
  • Maintain current backups and gold-copy images for those systems.
  • Harden backup and storage systems and keep them separate from the corporate network as described by ATT&CK.
  • Exercise incident response plans that include backup restoration and configuration recovery.
  • Use compliance mappings such as IEC 62443 SR/CR 7.3 and NIST SP 800-53 CP-9 as evidence anchors, but validate operational recovery through testing rather than paperwork alone.

Analyst notes and limits

This is a mitigation object, not a technique. Its value is strongest when assessed as a recovery and resilience control for ICS environments where control, visibility, availability, and productivity outcomes matter. The relationship set makes this especially relevant to incident response readiness and business continuity planning.

Official ATT&CK detection guidance is not provided, and platforms and tactics are not specified. This take therefore cannot assert specific sensor coverage, affected technologies, or guaranteed detection. Organizations must validate scope, restore capability, and backup isolation against their own ICS architecture and recovery requirements.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure
ICS T0813 Denial of Control

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0831 Manipulation of Control

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0827 Loss of Control

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0809 Data Destruction

Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)

ICS T0892 Change Credential

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0826 Loss of Availability

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0815 Denial of View

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0832 Manipulation of View

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0828 Loss of Productivity and Revenue

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

ICS T0829 Loss of View

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 857da87ee33d2c7a...

Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 857da87ee33d…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Department of Homeland Security. (2009, October). Developing an Industrial Control Systems Cybersecurity Incident Response Capability. Retrieved 2020/09/17.
  2. [2] mitre-attack M0953

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.