M1053: Data Backup
Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents. This mitigation can be implemented through the following measures:
- Regular Backup Scheduling
  - Use Case: Ensure timely and consistent backups of critical data.
  - Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems, and alert on missed or failed jobs rather than assuming the schedule ran.
- Immutable Backups
  - Use Case: Protect backups from modification or deletion, even by attackers who hold backup-administrator credentials.
  - Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files. WORM only protects a copy until its retention period expires, so set retention longer than the time the organization needs to detect an intrusion and begin recovery.
- Backup Encryption
  - Use Case: Protect data confidentiality and integrity during transit and storage.
  - Implementation: Encrypt backups using strong encryption (e.g., AES-256) before storing them in local, cloud, or remote locations, and keep the keys outside the backup set so that a restored backup is still readable and a stolen backup is not.
- Offsite Backup Storage
  - Use Case: Ensure data availability during physical disasters or onsite breaches.
  - Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data, ideally under separate credentials or a separate account so that a compromise of production administrators does not reach the offsite copy.
- Backup Testing
  - Use Case: Validate backup integrity and ensure recoverability.
  - Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly, and record the measured recovery time as evidence.
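The scheduling and testing measures above are easier to reason about with a concrete restore check. The following is an added example written for this page, not MITRE's code or any vendor's backup product: a weekly full plus daily incremental cycle where each archive is accompanied by a SHA-256 manifest, and a restore test that replays the chain into a scratch directory and compares every restored file against the manifests. The source tree, file names and the "tampered archive" scenario are constructed for the demo; the only assumption is that the manifests live on storage the attacker cannot rewrite (the immutable copy), which is what makes the comparison meaningful.

```python
"""Incremental backup with a SHA-256 manifest, plus a restore test.

Added example, not text from ATT&CK M1053: a full backup followed by an
incremental one, each with a manifest of file hashes, then a restore that
replays the chain and checks every restored file against the manifests so
a corrupted or tampered archive is caught before anyone relies on it.
Standard library only; the source tree and file names are constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

Manifest = Dict[str, str]  # relative POSIX path -> SHA-256 hex digest


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> Manifest:
    """Hash every regular file under root, keyed by its relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path, previous: Optional[Manifest] = None) -> Manifest:
    """Archive files that are new or changed since `previous` (every file when
    previous is None, i.e. a full backup). Returns the archive's manifest,
    which the caller stores beside the archive on immutable storage.
    Deletions are not tracked; the periodic full backup resets the chain."""
    current = scan(source)
    prev = previous or {}
    changed = {rel: digest for rel, digest in current.items() if prev.get(rel) != digest}
    archive.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in changed:
            tar.add(source / rel, arcname=rel)
    return changed


def safe_members(tar: tarfile.TarFile) -> List[tarfile.TarInfo]:
    """Refuse absolute paths, traversal and anything but plain files, so a
    crafted archive cannot write outside the restore directory."""
    members = []
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
            raise ValueError(f"unsafe archive member: {m.name}")
        members.append(m)
    return members


def restore_test(chain: Iterable[Tuple[Path, Manifest]], target: Path) -> dict:
    """Replay full + incremental archives into target, then verify that every
    file named in the merged manifests is present with the recorded hash."""
    expected: Manifest = {}
    target.mkdir(parents=True, exist_ok=True)
    for archive, manifest in chain:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(target, members=safe_members(tar))
        expected.update(manifest)  # later archives override earlier versions
    actual = scan(target)
    missing = sorted(rel for rel in expected if rel not in actual)
    corrupted = sorted(rel for rel in expected if rel in actual and actual[rel] != expected[rel])
    return {"ok": not missing and not corrupted,
            "verified": len(expected) - len(missing) - len(corrupted),
            "missing": missing, "corrupted": corrupted}


def demo() -> dict:
    """Constructed scenario: full backup, one incremental, a clean restore,
    then a restore after the incremental archive was rewritten."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, store = root / "src", root / "store"
        (src / "db").mkdir(parents=True)
        orders = src / "db" / "orders.sql"
        orders.write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")

        full = backup(src, store / "full.tgz")                 # weekly full
        orders.write_text(orders.read_text() + "INSERT INTO orders VALUES (2, 'gadget');\n")
        (src / "notes.txt").write_text("created after the full backup\n")
        inc = backup(src, store / "inc1.tgz", previous=full)   # daily incremental
        chain = [(store / "full.tgz", full), (store / "inc1.tgz", inc)]
        clean = restore_test(chain, root / "restore_clean")

        # Attacker rewrites the incremental archive; the manifest kept on
        # immutable storage still records the genuine hashes.
        orders.write_text("DELETE FROM orders;\n")
        backup(src, store / "inc1.tgz", previous=full)
        tampered = restore_test(chain, root / "restore_tampered")
        return {"incremental_files": sorted(inc), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The point of the second restore is that a restore test which only checks "the archive extracts without error" would pass; only the comparison against a manifest the attacker could not alter exposes the rewritten copy. In production the manifest would be signed or stored under the same WORM retention as the archive it describes.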
Analyst context for executives and security teams
Data Backup matters because many ATT&CK impact behaviors are designed to make data unavailable, untrusted, or unrecoverable. For leaders, this is less about "having backups" and more about proving the organization can restore critical services after ransomware, destruction, defacement, recovery inhibition, or disk wiping. The decision that matters is whether backups are current, isolated, immutable where appropriate, encrypted, and regularly tested, because each of those gaps is a way an adversary can make recovery fail.
Executive priority
Treat this as an operational resilience and incident decision-making control. Executives should ask which critical servers, end-user systems, cloud storage locations, and externally visible services have recoverable backups; whether attackers with network or cloud access could delete or alter those backups; and whether restore testing provides audit-ready evidence of recovery capability. Priority should go to systems whose loss would interrupt service delivery, compliance obligations, customer trust, or business continuity.
Technical view
MITRE does not provide detection text for this mitigation, so SOC and IR teams should validate backup resilience through control evidence rather than technique detection alone. Confirm scheduled incremental and full backups exist for critical systems, backups are encrypted in transit and storage, backup repositories are hardened and isolated from the corporate network, immutable or WORM storage is used where needed, and restore tests are performed. Relationship context makes this especially relevant to impact techniques including Data Destruction, Lifecycle-Triggered Deletion in IaaS storage, Data Encrypted for Impact, Inhibit System Recovery, Defacement, and Disk Wipe.
Likely telemetry
- Backup job success, failure, duration, and coverage logs
- Restore test results and recovery time evidence
- Backup repository access and administrative audit logs
- Encryption configuration and key management evidence for backup data
- Immutable or WORM storage configuration records
Detection direction
- Do not treat backup presence as detection coverage; validate whether monitoring would show failed backups, stopped backup services, deletion attempts, policy changes, or unauthorized administrative access to backup systems.
- Tune alerting around backup control-plane changes, especially deletion, retention reduction, lifecycle policy modification, immutability changes, and backup job disablement.
- Correlate backup anomalies with impact-oriented events such as encryption, destructive file activity, disk wipe indicators, defacement changes, or recovery-feature inhibition when those data sources exist.
- Watch for blind spots where backup systems, cloud storage policies, or offsite repositories are administered outside normal SOC visibility.
- Account for false positives from planned maintenance, storage migrations, retention policy updates, and disaster recovery exercises by requiring change records and approved maintenance windows.
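To make the detection direction above concrete, here is an added example (written for this page, not MITRE text and not a vendor rule) that evaluates CloudTrail-style management events against a list of known backup resources. It flags permanent version deletion, retention reduction through lifecycle rules, suspended versioning, weakened Object Lock defaults, and backup vault or plan removal, and it tags findings that fall inside an approved change record with the ticket instead of dropping them, so the planned-maintenance false positives are still visible to the SOC. The event names follow AWS CloudTrail and AWS Backup API naming as the author understands them, the request-parameter shapes are assumed, and every event, ARN, account ID and ticket below is constructed for the demo.

```python
"""Alert on backup control-plane changes in CloudTrail-style audit events.

Added example, not ATT&CK M1053 text: management-plane events are checked
against known backup resources; deletion, retention reduction, weakened
immutability or versioning, and vault/plan removal produce findings, and
events covered by an approved change record are tagged, not suppressed.
Event names follow AWS CloudTrail/Backup naming as assumed here; all
events, ARNs, the account ID and tickets are constructed sample data.
"""
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MIN_RETENTION_DAYS = 90                                  # policy floor assumed for the demo
BACKUP_RESOURCES = {"corp-backups-prod", "prod-vault"}   # S3 bucket, AWS Backup vault (constructed)
DESTRUCTIVE = {                                          # event name -> (rule, severity)
    "DeleteBucketReplication": ("offsite_copy_disabled", "high"),
    "DeleteBackupVault": ("backup_vault_deleted", "critical"),
    "DeleteRecoveryPoint": ("recovery_point_deleted", "high"),
    "DeleteBackupPlan": ("backup_job_disabled", "high"),
    "DeleteBackupVaultLockConfiguration": ("immutability_weakened", "critical"),
}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def target_of(ev: dict) -> Optional[str]:
    """Backup resource the event touches, or None when it is out of scope."""
    rp = ev.get("requestParameters") or {}
    for key in ("bucketName", "backupVaultName"):
        if rp.get(key) in BACKUP_RESOURCES:
            return rp[key]
    return None


def classify(ev: dict) -> Optional[Tuple[str, str]]:
    """(rule, severity) when the event weakens recoverability, else None."""
    name, rp = ev.get("eventName"), ev.get("requestParameters") or {}
    if name == "DeleteObject":
        # In a versioned bucket a plain DeleteObject only adds a delete marker;
        # a versionId in the request removes that version permanently.
        return ("permanent_version_delete", "high") if rp.get("versionId") else None
    if name == "PutBucketVersioning":
        status = (rp.get("VersioningConfiguration") or {}).get("Status")
        return None if status == "Enabled" else ("versioning_suspended", "critical")
    if name == "PutObjectLockConfiguration":
        ret = ((rp.get("ObjectLockConfiguration") or {}).get("Rule") or {}).get("DefaultRetention") or {}
        weak = ret.get("Mode") != "COMPLIANCE" or ret.get("Days", 0) < MIN_RETENTION_DAYS
        return ("immutability_weakened", "critical") if weak else None
    if name == "PutBucketLifecycle":
        for rule in (rp.get("LifecycleConfiguration") or {}).get("Rules", []):
            days = (rule.get("Expiration") or {}).get("Days", MIN_RETENTION_DAYS)
            noncurrent = (rule.get("NoncurrentVersionExpiration") or {}).get("NoncurrentDays", MIN_RETENTION_DAYS)
            if min(days, noncurrent) < MIN_RETENTION_DAYS:
                return ("retention_reduced", "high")
        return None
    return DESTRUCTIVE.get(name)


def approved_by(ev: dict, target: str, changes: List[dict]) -> Optional[str]:
    """Ticket of a change record covering this principal, resource and time."""
    t, principal = parse_ts(ev["eventTime"]), ev["userIdentity"]["arn"]
    for c in changes:
        if (c["principal"] == principal and c["resource"] == target
                and parse_ts(c["start"]) <= t <= parse_ts(c["end"])):
            return c["ticket"]
    return None


def evaluate(events: List[dict], changes: List[dict]) -> List[dict]:
    findings = []
    for ev in events:
        target = target_of(ev)
        hit = classify(ev) if target else None
        if hit is None:
            continue
        rule, severity = hit
        findings.append({"rule": rule, "severity": severity, "event": ev["eventName"],
                         "principal": ev["userIdentity"]["arn"], "resource": target,
                         "time": ev["eventTime"], "approved_change": approved_by(ev, target, changes)})
    return findings


def mk(time: str, name: str, who: str, **params) -> dict:
    """Build a constructed CloudTrail-style record (account ID is fictional)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:{who}"}, "requestParameters": params}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    mk("2025-03-02T02:13:41Z", "DeleteObject", "user/contractor", bucketName="corp-backups-prod", key="full/2025-02-23.tgz", versionId="3HL4kqtJ"),
    mk("2025-03-02T02:14:05Z", "PutBucketLifecycle", "user/contractor", bucketName="corp-backups-prod", LifecycleConfiguration={"Rules": [{"Status": "Enabled", "Expiration": {"Days": 1}}]}),
    mk("2025-03-02T02:14:20Z", "DeleteObject", "user/contractor", bucketName="corp-backups-prod", key="inc/2025-03-01.tgz"),
    mk("2025-03-03T22:30:00Z", "PutBucketVersioning", "role/storage-admin", bucketName="corp-backups-prod", VersioningConfiguration={"Status": "Suspended"}),
    mk("2025-03-03T22:45:00Z", "PutObjectLockConfiguration", "role/storage-admin", bucketName="corp-backups-prod", ObjectLockConfiguration={"Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 365}}}),
    mk("2025-03-04T03:02:11Z", "DeleteBackupVault", "user/contractor", backupVaultName="prod-vault"),
    mk("2025-03-04T09:00:00Z", "PutBucketLifecycle", "role/web-deploy", bucketName="www-static-assets", LifecycleConfiguration={"Rules": [{"Expiration": {"Days": 1}}]}),
]
CHANGE_RECORDS = [  # constructed approved maintenance window for a storage migration
    {"ticket": "CHG-4471", "principal": "arn:aws:iam::123456789012:role/storage-admin",
     "resource": "corp-backups-prod", "start": "2025-03-03T22:00:00Z", "end": "2025-03-04T00:00:00Z"},
]


def demo() -> List[dict]:
    return evaluate(SAMPLE_EVENTS, CHANGE_RECORDS)


if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["rule"], f["principal"], f["approved_change"] or "UNAPPROVED")
```

Two details carry the practitioner value: the non-versioned DeleteObject on the backup bucket is deliberately not alerted, because in a versioned bucket it is recoverable, while the same call with a versionId is not; and the lifecycle change on the unrelated web bucket is ignored because the rule is scoped to an inventory of backup resources, which is where the blind-spot warning above applies if that inventory is incomplete.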
Mitigation priorities
- Define critical data and systems first, then map them to daily incremental and weekly full backup schedules where appropriate to business recovery needs.
- Harden and isolate backup systems so compromise of the corporate network does not automatically compromise recovery copies.
- Use immutable or WORM-style backup storage for high-value recovery data to reduce risk from deletion or encryption.
- Encrypt backups before storage or transfer to protect confidentiality and integrity.
- Maintain offsite or cloud-based copies for resilience against onsite breach or physical disruption.
Analyst notes and limits
This object is a mitigation, not a detection analytic. Its strongest ATT&CK relationship value is with impact behaviors that destroy, encrypt, wipe, deface, or prevent recovery of data and systems. For Glexia-style assessment, the key question is whether backup design survives the same incident conditions that damage production systems.
The supplied ATT&CK object does not specify platforms or detection guidance for the mitigation itself. Related techniques include platform context such as IaaS, ESXi, Linux, macOS, Windows, containers, and network devices, but local applicability depends on the customer environment. Actual recovery confidence requires local backup architecture, access control, retention, and restore-test evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related techniques, data sources, and software against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques addressed
This mirrors MITRE's own layout, which makes technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text where available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1491.001 | Internal Defacement (sub-technique) | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1561.001 | Disk Content Wipe (sub-technique) | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1485.001 | Lifecycle-Triggered Deletion (sub-technique) | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1485 | Data Destruction | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1491 | Defacement | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1561.002 | Disk Structure Wipe (sub-technique) | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1561 | Disk Wipe | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1491.002 | External Defacement (sub-technique) | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
| Enterprise | T1486 | Data Encrypted for Impact | Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. Consider enabling versioning in cloud environments to maintain backup copies of storage objects. (Citation: Rhino S3 Ransomware Part 2) |
| Enterprise | T1490 | Inhibit System Recovery | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Citation: Ready.gov IT DRP) Ensure backups are stored off system and are protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. In cloud environments, enable versioning on storage objects where possible, and copy backups to other accounts or regions to isolate them from the original copies. (Citation: Unit 42 Palo Alto Ransomware in Public Clouds 2022) On ESXi servers, ensure that disk images and snapshots of virtual machines are regularly taken, with copies stored off system. (Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | d83575296110… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: M1053 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.