N-able Anomaly Detection Stops Credential-Based Threats

Originally published on: February 28, 2026
Summary

– N-able has enhanced its Cove Data Protection with new Anomaly Detection features to counter identity-driven attacks on backup systems.
– The feature provides real-time alerts for suspicious changes to backup policies, offering an early warning against credential-based tactics used to sabotage backups before ransomware deployment.
– Identity-based attacks, often using stolen credentials, are a major threat, with attackers or employees able to subtly alter retention policies or delete data, potentially going unnoticed for months.
– This capability builds on existing defenses like Honeypots and gives IT teams critical visibility to take just-in-time action, protecting data resilience and recovery posture.
– Industry experts emphasize that backups are now prime targets, and real-time alerts for even minor changes are a powerful step forward in guarding against both malicious actors and accidental misconfigurations.

N-able has significantly enhanced the Anomaly Detection features within its Cove Data Protection platform to address the alarming rise in identity-focused cyberattacks. These attacks specifically aim to compromise backup systems, which are critical for organizational recovery. The latest update provides real-time alerts for suspicious or unauthorized modifications to backup policies, creating an essential early warning mechanism. This directly counters the strategy where attackers use stolen credentials to disable or corrupt backups before executing a ransomware attack.

The threat landscape has shifted dramatically, with identity-based attacks now a primary vector for successful breaches. The use of artificial intelligence has made these schemes particularly deceptive and effective. By obtaining credentials through phishing or theft, cybercriminals can infiltrate backup management software to subtly weaken an organization’s safety net. Research, including findings from a major 2025 data breach report, indicates that stolen credentials play a role in an overwhelming majority of web application breaches. Once inside a system, malicious actors, or even employees making errors, can make harmful changes. These actions include altering data retention rules, excluding vital servers from backup schedules, or deleting protected devices entirely. Such modifications are often subtle and can remain undetected for extended periods, leaving an organization vulnerable until a ransomware attack is finally triggered.

This new layer of event-based monitoring delivers crucial visibility for IT teams. The system generates immediate notifications for potential indicators of compromise or configuration mistakes, enabling organizations to respond swiftly. This just-in-time intervention helps preserve recovery capabilities and uphold data resilience. The feature expands upon previous Anomaly Detection tools, such as Honeypots, which are designed to identify brute-force attacks targeting backup infrastructure.

Industry experts emphasize the critical nature of this development. “Backup systems are now a primary target, not just an afterthought,” explained Neil Douglas, CIO at a managed IT services provider. “Attackers who gain access to a backup platform don’t always act immediately. They may operate quietly for weeks, manipulating backups and changing policies, so that when they do strike, recovery becomes impossible. Previously, we lacked visibility into these subtle, behind-the-scenes changes. Now, with real-time alerts for even minor alterations, we are notified the moment something suspicious occurs. This protects us from both malicious activity and accidental administrative errors, representing a major advance in securing our data resilience.”

Chris Groot, General Manager for Cove Data Protection, echoed this sentiment. “Businesses are facing a new wave of threats propelled by stolen identities,” Groot stated. “Providing immediate alerts for backup policy changes offers customers significant peace of mind. It safeguards them from risky alterations that could jeopardize recovery, regardless of whether the change originated from an attacker or an employee. By identifying these changes as they happen, companies can prevent identity-driven attacks and configuration errors from compromising their ability to restore operations.”

(Source: HelpNet Security)
