Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.
All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
Implements immutable backup strategy using restic with S3-compatible storage and object lock for ransomware-resistant data protection. Automates backup creation, integrity verification via restic check --read-data, snapshot retention policy enforcement, and restore testing. Integrates with AWS S3 Object Lock, MinIO, and Backblaze B2 for WORM (Write Once Read Many) storage that prevents backup deletion or encryption by ransomware actors.
cybersecurity
ransomware-defense
restic
backup
immutable
ransomware
s3
object-lock
worm
recovery
1.0.0
mahipal
Apache-2.0
MEASURE-2.7
MAP-5.1
MANAGE-2.4
AML.T0070
AML.T0066
AML.T0082
PR.DS-11
RS.MA-01
RC.RP-01
PR.IR-01
Implementing Immutable Backup with Restic
When to Use
Establishing ransomware-resistant backup infrastructure with cryptographic integrity verification
Implementing 3-2-1-1-0 backup strategy where the extra 1 is an immutable copy
Automating backup verification workflows that test restore capability on a schedule
Protecting backup repositories from deletion or modification by compromised admin accounts
Meeting compliance requirements for data retention with tamper-proof storage
Do not use this as the sole backup solution: keep offline or air-gapped copies as well. Object Lock protects against logical deletion and overwriting, not against physical storage failure, loss of the cloud account, or loss of the restic repository password, without which the immutable copies cannot be decrypted.
AWS CLI or MinIO client (mc) configured for bucket access
Sufficient storage for the backup repository (typically 2-3x source data even with deduplication, because every retained snapshot and every locked noncurrent object version counts against the bucket until its retention expires)
Workflow
Step 1: Initialize Restic Repository with Encryption
Create an encrypted restic repository on S3-compatible storage in a bucket that has Object Lock enabled. Restic encrypts with AES-256-CTR and authenticates with Poly1305-AES, so backup data is both confidential and tamper-evident; every blob is additionally addressed by its SHA-256 hash. The repository password is the only key material: keep a copy outside the backup path (for example in an offline password manager), because without it the immutable copies are unreadable.
Step 2: Configure Object Lock Retention
Enable S3 Object Lock in Compliance mode on the backup bucket so that no principal, the root account included, can delete or overwrite a locked object version before its retention period ends (Governance mode can be bypassed by any principal holding s3:BypassGovernanceRetention, which is why Compliance mode is the ransomware-resistant choice). Set the default retention to cover your backup window (typically 30-90 days). Two consequences to plan for: Object Lock requires bucket versioning, so a delete request (which is what restic forget --prune issues) only writes a delete marker and the locked version remains retrievable, and storage grows by the size of every version until its lock expires, so pair the lock with a lifecycle rule that expires noncurrent versions after the retention period. Grant the backup host's credentials only what restic needs (list, get, put and delete of current objects) and never s3:DeleteObjectVersion or s3:BypassGovernanceRetention, so that a compromised backup key cannot reach the locked versions.
Step 3: Automate Backup and Verification
Schedule backup operations with post-backup integrity verification. restic check --read-data downloads every pack file and verifies it against its content hash, which catches silent corruption on the storage side but also means egress traffic equal to the size of the whole repository; on large repositories run a full --read-data weekly and --read-data-subset (a percentage or an n/m fraction of the pack files) on the other days. Log the results, alert on any integrity failure, and treat a failure as an incident rather than retrying blindly, since it may be the first sign of tampering.
Step 4: Test Restore Procedures
Periodically restore a random sample of files from a recent snapshot to a temporary location on a clean host and compare their checksums against the originals to validate the whole chain from source to immutable copy. Record restore duration and throughput for RTO planning: an immutable copy is only useful if it can be restored faster than the business can tolerate being down.
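The four steps above as one shell script, added here as an example and not taken from the skill or from the restic project. The bucket name backups-immutable, the repository path, the /etc/restic/password file, the 90-day retention, the 10% weekday sample, the keep-* counts and the /srv/data sample paths are assumptions; restic, aws and sha256sum must be on PATH when the script is invoked with the run argument.

```shell
#!/bin/sh
# Added example (not part of the original skill): one script covering the
# four workflow steps. Bucket name, repository path, password file location,
# retention and the /srv/data source are assumptions; adjust for your site.
set -eu

: "${BUCKET:=backups-immutable}"                    # assumed; bucket must have Object Lock enabled
: "${RESTIC_REPOSITORY:=s3:s3.amazonaws.com/$BUCKET/restic}"
: "${RESTIC_PASSWORD_FILE:=/etc/restic/password}"   # keep an offline copy of this file
: "${RETENTION_DAYS:=90}"
export RESTIC_REPOSITORY RESTIC_PASSWORD_FILE

# Step 1: encrypted repository, created once. `restic cat config` succeeds
# only when a repository (and the matching password) is already there.
init_repo() {
  if restic cat config >/dev/null 2>&1; then
    echo "repository already initialised at $RESTIC_REPOSITORY"
  else
    restic init
  fi
}

# Step 2: Compliance-mode default retention for every new object version.
# The bucket itself must have been created with
#   aws s3api create-bucket --bucket "$BUCKET" --object-lock-enabled-for-bucket ...
lock_config_json() {
  printf '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":%d}}}' "$1"
}
configure_object_lock() {
  aws s3api put-object-lock-configuration --bucket "$BUCKET" \
    --object-lock-configuration "$(lock_config_json "$RETENTION_DAYS")"
}

# Step 3: backup, read-data verification, then retention. On a locked bucket
# `forget --prune` only writes delete markers; the locked versions stay until
# RETENTION_DAYS have passed and a lifecycle rule expires them.
backup_and_verify() {
  restic backup --json --exclude-caches "$@"
  if [ "$(date +%u)" = 7 ]; then
    restic check --read-data               # Sundays: every pack file
  else
    restic check --read-data-subset=10%    # weekdays: a 10% sample of the packs
  fi
  restic forget --keep-daily 14 --keep-weekly 8 --keep-monthly 12 --prune
}

# Step 4: restore a sample and compare SHA-256 hashes with the live files.
file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# verify_restore ORIG_DIR RESTORED_DIR FILE...  -> returns 1 on any missing or changed file
verify_restore() {
  orig=$1; restored=$2; shift 2
  status=0
  for f in "$@"; do
    if [ ! -f "$restored/$f" ]; then
      echo "MISSING  $f"; status=1
    elif [ "$(file_hash "$orig/$f")" != "$(file_hash "$restored/$f")" ]; then
      echo "MISMATCH $f"; status=1
    else
      echo "OK       $f"
    fi
  done
  return $status
}

# restore_test SRC_DIR FILE...  restores the listed files from the latest
# snapshot into a scratch directory (restic keeps the absolute path under
# --target) and checks them against SRC_DIR.
restore_test() {
  src=$1; shift
  target=$(mktemp -d)
  includes=""
  for f in "$@"; do includes="$includes --include=$src/$f"; done
  # shellcheck disable=SC2086  # word splitting is intended; sample paths contain no spaces
  restic restore latest --target "$target" $includes
  verify_restore "$src" "$target$src" "$@"
}

# Full cycle when invoked as `sh immutable-backup.sh run`; sourcing the file
# or running it without arguments only defines the functions.
if [ "${1:-}" = run ]; then
  init_repo
  configure_object_lock
  backup_and_verify /srv/data
  restore_test /srv/data app/config.yml db/latest.dump   # assumed sample files
fi
```

Run it from cron with the run argument; without arguments it only defines the functions, which makes it easy to source and exercise the restore check against a directory you already have. A non-zero exit from verify_restore is the "0 errors" part of 3-2-1-1-0 failing and should page someone, not just land in a log.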
Key Concepts
Object Lock: S3 feature that prevents an object version from being deleted or overwritten for a specified retention period
Compliance Mode: Object Lock mode in which no principal, the root account included, can delete a locked object version or shorten its retention before it expires
Deduplication: restic splits files into content-defined chunks addressed by their SHA-256 hash, so identical data is stored once across all snapshots
3-2-1-1-0: 3 copies, 2 media types, 1 offsite, 1 immutable, 0 errors in verification
Tools & Systems
restic: Fast, secure, cross-platform backup tool with built-in encryption and deduplication
resticpy: Python wrapper for restic CLI operations
AWS S3 Object Lock: WORM storage for tamper-proof backup retention
MinIO: Self-hosted S3-compatible storage with Object Lock support