Anatomy of a Breach: How One Immutable Backup Stopped a 5-Minute Attack

Modern Cyberattacks and the Power of Immutability

Modern cyberattacks are measured in minutes, not days. The line between a contained incident and a catastrophe is often drawn before the security team even receives the first alert. In a recent Black Hat webinar, we deconstructed a real-world breach where sophisticated attackers, later attributed to the threat actor Silk Typhoon, compromised a network in minutes. Their attack was swift, silent, and effective—until they hit one unbreakable defense: immutability.

The Timeline of Compromise

Minute 0-1: The Initial Breach
It began with a single, deceptive link clicked by a support admin. The phishing page quietly stole a valid session token, allowing the attackers to bypass multi-factor authentication and conditional access policies as if they were the legitimate user. The perimeter was gone in under 60 seconds.

Minute 2: Privilege Escalation
With the stolen token, the attackers exploited a zero-day vulnerability to deploy a web shell inside a Kubernetes pod within an Azure cluster. A single command dumped Microsoft 365 service principal secrets, instantly granting them delegated administrative rights across dozens of tenants. No alarms were triggered.

The Attacker’s Playbook: Destroy the Safety Net

With high-level credentials secured, the attackers initiated a classic anti-forensics strategy designed to make recovery impossible. They knew that as long as backups exist, the victim has a path back. Their objectives were simple and brutal:
  • Purge Audit Logs: Erase any trace of their activity.
  • Delete Backups: Send bulk deletion commands to wipe out all restore points.
By removing the evidence and the safety net, they aimed to leave the organization with no choice but to negotiate.

The Turning Point: The Immutable Wall

At approximately minute five, the attack unraveled. When the attackers’ high-privilege delete commands hit the backup storage repository, the system responded not with compliance, but with a hard stop: Error 403, Object Locked. The backup storage layer was configured with WORM (Write Once, Read Many) immutability, applied at the moment of data ingest. This meant that once a backup was written, it could not be altered or deleted by anyone—regardless of their administrative permissions—until its predefined retention period expired. The attackers’ stolen credentials were useless. They were bouncing off a digital wall that refused to honor their commands.
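The lock behaviour described above, modelled as an added example (not code from the webinar or from any backup product): a toy store whose retention is fixed at ingest and whose delete path never consults the caller's role, plus a detector that flags a burst of locked-delete denials from one principal. The class and function names, the 30-day retention, the audit event fields, and the threshold of five denials per minute are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class WormStore:
    """Toy write-once store: retention is fixed at ingest and no role can shorten it."""
    retention: timedelta
    objects: dict = field(default_factory=dict)  # key -> (data, retain_until)
    audit: list = field(default_factory=list)    # append-only event records

    def put(self, key, data, now):
        if key in self.objects:
            return 409  # write once: an existing object is never overwritten
        self.objects[key] = (data, now + self.retention)
        return 201

    def delete(self, key, principal, role, now):
        # `role` is recorded for the audit trail but never used in the decision.
        if key not in self.objects:
            status = 404
        elif now < self.objects[key][1]:
            status = 403  # object locked until its retain_until time
        else:
            del self.objects[key]
            status = 204
        self.audit.append({"ts": now, "principal": principal, "role": role,
                           "op": "DELETE", "key": key, "status": status})
        return status


def detect_denied_delete_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {principal: peak_count} for principals with at least `threshold`
    locked-delete denials (status 403) inside any sliding window of `window`."""
    per_principal = defaultdict(list)
    for event in events:
        if event["op"] == "DELETE" and event["status"] == 403:
            per_principal[event["principal"]].append(event["ts"])
    flagged = {}
    for principal, stamps in per_principal.items():
        stamps.sort()
        start = 0
        peak = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[principal] = peak
    return flagged


def run_demo():
    """Constructed scenario: eight restore points, then bulk deletes five minutes later."""
    t0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = WormStore(retention=timedelta(days=30))
    for i in range(8):
        store.put(f"restore-point-{i}", b"snapshot", t0)
    burst_start = t0 + timedelta(minutes=5)
    # A principal holding an admin role sends one delete per second.
    statuses = [store.delete(f"restore-point-{i}", "svc-principal-A", "global-admin",
                             burst_start + timedelta(seconds=i)) for i in range(8)]
    # An unrelated operator makes a single mistaken attempt: below the threshold.
    store.delete("restore-point-0", "helpdesk-user", "operator", burst_start)
    # Once retention has expired, the same call succeeds.
    late = store.delete("restore-point-0", "svc-principal-A", "global-admin",
                        t0 + timedelta(days=31))
    return statuses, late, len(store.objects), detect_denied_delete_bursts(store.audit)


if __name__ == "__main__":
    print(run_demo())
```

A burst of 403 responses on delete operations is a high-signal alert source precisely because legitimate retention management rarely produces it.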

The Aftermath: The Gift of Time

The attackers’ failure to destroy the backups was the critical break in the kill chain. While the initial breach moved at machine speed, immutability stretched the incident response window from minutes into days. In cybersecurity, that is a lifetime. This gift of time allowed the defenders to:
  • Investigate the breach without pressure.
  • Rotate all compromised secrets.
  • Confidently contain the scope of the incident.
  • Restore clean data and resume business operations.
Instead of negotiating with attackers on a leak site, the team was executing a controlled recovery.

Key Takeaways for Security Leaders

This case study offers a clear lesson: your backups are a primary target. A determined attacker will not stop at your perimeter; they will go after your last line of defense first. When backups are truly immutable, even the most powerful stolen credentials cannot lead to their destruction. In this real-world scenario, the difference between containment and catastrophe was immutability, full stop.

About Keepit
At Keepit, we believe in a digital future where all software is delivered as a service. Keepit’s mission is to protect data in the cloud. Keepit is a software company specializing in Cloud-to-Cloud data backup and recovery. Deriving from 20+ years of experience in building best-in-class data protection and hosting services, Keepit is pioneering the way to secure and protect cloud data at scale.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

The anatomy of recovery: Why testing is the heart of business resilience

Disaster recovery isn’t a one-time task—it’s an ongoing commitment. Mounting cyber threats, hybrid attacks, and strict regulatory oversight mean recovery planning is no longer optional. It’s the foundation for business resilience.

 

Disasters are broader than you think 

Natural disasters still top the list of major disruptions—fires, floods, earthquakes, and storms can cripple operations by severing infrastructure. But increasingly, it’s not just nature that brings systems down. 

 

Recent examples show how vulnerable businesses are to the failure of underlying services. A severed submarine cable, a telecom outage disabling emergency lines, or a botched software update that halts transportation—these aren’t hypothetical scenarios. They’re modern-day reminders that global infrastructure dependencies are fragile and easily disrupted. 

 

To mitigate this, organizations must identify their most vulnerable points and build redundancy into systems—both technically and operationally. 

 

The silent threat: Human error 

While cyberattacks and natural events make headlines, misconfigured retention policies, accidental deletions, and administrative oversights continue to plague enterprises of all sizes. The most sophisticated IT environments are not immune.

 

Often mistakes aren’t discovered until it’s too late. And when data is lost, relying on SaaS vendors for recovery is a gamble. Native restore features may exist, but they’re typically limited, difficult to test, and not built to guarantee full-scale business continuity. 

 

Having independent, regularly tested backups is the only reliable way to safeguard against the full range of human-induced incidents. 

 

Culture is a security tool 

Mistakes happen. What matters is how organizations respond. A mature security culture ensures that employees feel empowered to report issues promptly—without fear of blame. The worst-case scenario isn’t a mistake—it’s a mistake that goes unreported and escalates. 

 

Security isn’t just about firewalls and patches. It’s about communication, education, and trust. Training must be real, relevant, and engaging. Employees should understand what phishing looks like in their specific business context. Developers should practice spotting malicious code. Security isn’t a one-size-fits-all effort; it’s a cultural investment. 

 

When vendors fail 

Cloud vendors aren’t perfect. History shows that even the largest players occasionally lose customer data due to bugs, misconfigurations, or internal errors. From lost security logs to deleted pension data, these incidents underscore a hard truth: shared responsibility doesn’t mean guaranteed protection. 

 

Whether it’s a coding bug deep within a service stack or a botched update affecting core systems, customers bear the brunt when data is lost—and they’re often powerless to recover without third-party backups. The only remedy is to assume failure is inevitable and prepare accordingly. 

 

Rising risks: Shadow IT, AI, and supply chains 

Security perimeters are dissolving. Shadow IT introduces unmanaged apps into corporate networks, often housing sensitive data unknown to IT teams. Employees, in a bid for productivity, may upload proprietary data into generative AI tools without realizing the risk. 

 

Supply chains also present growing vulnerabilities. Software delivered through trusted channels can be compromised, as seen in high-profile breaches where malicious updates slipped past defenses undetected. 

 

The antidote? Intelligent monitoring, rigorous classification, and a thorough understanding of where sensitive data resides. 

 

The case for testing—and testing again 

Every plan is theoretical until it is tested. Recovery strategies must be validated in real-world conditions—not just once, but regularly. Testing isn’t an inconvenience. It’s how businesses discover gaps before attackers do. 

 

Regulations like  and  now demand evidence of effective, recurring testing. It’s not enough to have a plan on paper—organizations must prove their ability to recover. Fortunately, with the right tools and automation, testing can be simple, even mobile-friendly. 

 

Modern disaster recovery must be as agile as DevOps. Recovery tests should be frequent, frictionless, and minimally disruptive. 

 

Defining what matters most 

You can’t protect everything. But you can protect what matters most. —identifying the systems, data, and applications that are most critical to business continuity. 

 

With hundreds of SaaS applications in use across a typical enterprise, organizations must prioritize recovery based on business impact, not just IT ownership. Recovery isn’t a single push-button event. It’s a sequence. Knowing what to bring online first—whether it’s payroll, CRM, or security tools—is key to minimizing downtime and revenue loss. 

 

Ownership also matters. Risk needs to be assigned, not just acknowledged. When system and data owners are accountable, they’re more likely to engage in the planning process. 

 

What good looks like 

A robust recovery strategy includes: 

 

  • Clear classification of critical systems and data 
  • Prioritized recovery plans that reflect actual business dependencies 
  • Regular, automated testing of restore capabilities 
  • Tamper-proof, immutable backups in a separate, secure cloud 
  • Risk ownership embedded in every department 
  • Training programs that are engaging, continuous, and context-specific 

 

Recovery is more than just technology. It’s culture, governance, and foresight. 

 

Restore vs. recover: Are they the same thing in SaaS data protection? (Spoiler: it’s complicated)

Restore and recover are often used interchangeably, but they shouldn’t be. While they’re closely related (and for good reason), their meanings vary across industries and tech. For SaaS data protection, they can be used to describe different stages of getting your data — and your business — back to an operational state. Understanding the difference in a SaaS data context is useful for building effective backup, restoration, and disaster recovery.

In this blog, we’ll look into how we can consider the terms and help frame them with some context — and why planning for both restoration and recovery is essential for true resilience. 

Let’s get into some definitions.  

Restore: Bringing back data or systems 

Data restoration is the act of retrieving data or systems from a backup and returning it to a previously known good state. 

You restore when: 

  • A file has been accidentally deleted. 
  • A system becomes corrupted and needs to be rolled back. 
  • A virtual machine or database needs to be reinstated from a snapshot. 

Restoration focuses on bringing back what was lost, damaged, or compromised — whether that’s a single file or an entire application. 

Restore = the process of putting data or systems back into place. 

For a deeper technical definition, see . 

Recover: Bringing back business operations  

Recovery is about achieving the state where systems, data, and operations are functional again — not just technically restored, but ready for use. 

You have recovered when: 

  • Systems and services are running smoothly. 
  • Users have full access to the resources they need. 
  • Operations can resume without disruption. 

Recovery often involves multiple steps — validation, reconfiguration, testing — to ensure that everything works as expected after a disruption. 

Recover = reaching full operational readiness. 

 

 

Jakob Østergaard is CTO at Keepit, a leading cloud backup and recovery solution. He has an M.Sc. in Computer Science and Applied Mathematics and has worked with software development since 1998. His early career started on massively parallel supercomputers but soon transitioned to more reasonably sized equipment.

He has played a key role in the design and implementation of several cross platform networked software systems and is the principal designer of the object storage system that underlies the Keepit business. Today he leads the development, operations, and security organizations of the company.

He still writes code. Find Jakob on .

Term | Focus | Example
Restore | Act of retrieving data | Restoring a deleted document or email
Recover | State of full functionality | Resuming operations after a server crash or end user access to data

Restore vs. recover: Why the distinction matters 

Restoration is often one part of a larger recovery process — and as such restoring alone doesn’t guarantee recovery. But sometimes it does (yes, this is part of why recover and restore are often used interchangeably).

In the common data loss case involving small amounts of data or files, your entire recovery is completed when clicking “restore in place.” It’s super easy, that is, if you have a backup. If you don’t have a backup, it’s suddenly not that easy. In fact, it’s not even possible in that situation.

Let’s consider these larger recovery processes, such as disaster recovery (DR). For example, in a Microsoft 365 environment, restoring data like SharePoint documents or Exchange mailboxes isn’t enough if Microsoft Entra ID (identity and access management) hasn’t been restored first. That’s because without Entra ID operational, users won’t be able to authenticate and access the restored data — meaning that even though the information is back, business operations are still stuck. You’ve effectively restored, but not yet recovered. You have your data, but you don’t have your business operations. 

In large (or complicated) , restoration must happen in a well-calibrated fashion by restoring the right systems, in the right order, to achieve recovery. And by the definition above, recovery is the state of the business being “back.” 

Of course, to make matters complicated, sometimes a restore is “simultaneously” a recovery. Typically, these are small, simple data loss scenarios. Let’s say, for instance, there’s a data loss event involving a single employee overwriting a key budget spreadsheet. With certain third-party backup solutions, a shareable link can be sent to this employee, who can then restore the spreadsheet in place with a couple of clicks. In this moment, the data has been restored, and the “business is back” to how it was. That’s a recovery. The flow is: Back up -> restore -> recover. 

Building a resilient strategy 

To build real resilience, you need to: 

  • Ensure you can restore individual files, systems, and services quickly.  
  • Design processes that lead to full recovery — not only data restoration.  
  • Test both restore procedures (for precision) and recovery plans (for complete readiness). 

Getting your data back is only part of the battle. Real recovery means regaining full operational strength — with systems restored, access reestablished, workflows intact, and confidence that your business can keep moving forward. 

Restoration and recovery work together 

In any data protection strategy, restoration and recovery are closely linked — but they aren’t the same thing. 

Restoring data is a necessary step, but true resilience is about fully recovering operations and services. Restoration brings the pieces back; recovery reconnects them, validates them, and ensures your business can move forward without missing a step. What good is having your data back if you can’t do anything with it? 

By planning for both, you strengthen your ability to bounce back from disruptions and keep your business running strong. 

 

Cyber storage: The new standard for SaaS data protection

In today’s high-risk digital landscape, storing data isn’t enough. You need to protect it—actively, intelligently, and independently. At Keepit, we’ve redefined what data storage means for the cloud era. We don’t just offer storage. We deliver cyber storage: a  built specifically to safeguard your SaaS data from the growing threat of cyber attacks and operational disruption.

Let me explain what that really means—and why it matters. 

Independent and dedicated: The foundation of real resilience 

Independence isn’t a buzzword. It’s a foundational requirement. Most backup solutions today are still entangled in the same infrastructure used for production data—especially when they rely on public cloud providers like Microsoft or AWS. That shared infrastructure model might look convenient on paper, but it creates a single point of failure in practice. 

Keepit is different. We’re . Our cloud doesn’t live inside the same hyperscaler platforms it’s meant to protect you from. We built our own infrastructure from the ground up, and we own every layer—from hardware to application. That means we’re not at the mercy of another company’s supply chain, network behavior, or internal vulnerabilities. 

What does “dedicated” mean in this context? It means that once your data enters a Keepit region, it never leaves that region. Your backups are replicated across two data centers in that region, ensuring not just compliance with data sovereignty but maximum resilience in the face of regional outages. 

Cyber storage = Storage + Protection 

Data storage alone doesn’t equal data protection. Cyber storage does. That’s why Keepit combines long-term, efficient backup storage with built-in, proactive protection mechanisms. 

Our architecture is . Once backup data enters our system, it’s immediately encrypted and can’t be altered—not by us, not by your admins, not by attackers. There’s also a 30-day delete lock on all data, protecting against accidental deletion, insider threats, and ransomware tactics. 

And we don’t stop there. Our Merkle tree-based architecture ensures that every version of your data is intact, accessible, and verifiable—without relying on legacy full/incremental backup structures. We call it “incremental forever,” and it gives you access to every backup like it’s a full snapshot, while minimizing load and risk. 
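How a Merkle tree lets every backup behave like a full snapshot while storing only what changed, as an added example. This is the generic technique, not Keepit's implementation: the store layout, the `file`/`dir` listing format, and all names and sample data are assumptions, and entry names are assumed not to contain newlines.

```python
import hashlib


class ContentStore:
    """Content-addressed store: every node lives under the SHA-256 of its bytes."""

    def __init__(self):
        self.blobs = {}

    def put(self, data):
        digest = hashlib.sha256(data).hexdigest()
        self.blobs.setdefault(digest, data)  # identical content is stored once
        return digest

    def get(self, digest):
        data = self.blobs[digest]
        if hashlib.sha256(data).hexdigest() != digest:
            raise ValueError("integrity check failed for node " + digest[:12])
        return data


def snapshot(store, tree):
    """Store a nested dict {name: bytes | dict} and return its root hash."""
    entries = []
    for name in sorted(tree):
        child = tree[name]
        if isinstance(child, dict):
            entries.append(f"dir {snapshot(store, child)} {name}")
        else:
            entries.append(f"file {store.put(child)} {name}")
    return store.put("\n".join(entries).encode())


def restore(store, root):
    """Rebuild the full tree from a root hash, verifying every node on the way."""
    tree = {}
    listing = store.get(root).decode()
    for line in filter(None, listing.split("\n")):
        kind, digest, name = line.split(" ", 2)
        tree[name] = restore(store, digest) if kind == "dir" else store.get(digest)
    return tree


def run_merkle_demo():
    """Constructed data: two daily snapshots that differ in one file."""
    store = ContentStore()
    day1 = {
        "mail": {"inbox.eml": b"hello", "sent.eml": b"re: hello"},
        "sites": {"budget.xlsx": b"v1", "plan.docx": b"plan"},
    }
    root1 = snapshot(store, day1)
    after_first = len(store.blobs)  # 4 files + 2 directory listings + 1 root

    day2 = {"mail": dict(day1["mail"]),
            "sites": {**day1["sites"], "budget.xlsx": b"v2"}}
    root2 = snapshot(store, day2)
    added = len(store.blobs) - after_first  # new file, new "sites" listing, new root

    both_restore = restore(store, root1) == day1 and restore(store, root2) == day2

    # Simulate silent corruption of the old budget file inside the store.
    store.blobs[hashlib.sha256(b"v1").hexdigest()] = b"tampered"
    try:
        restore(store, root1)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    # The second snapshot never referenced the corrupted node, so it still verifies.
    day2_intact = restore(store, root2) == day2
    return after_first, added, both_restore, tamper_detected, day2_intact


if __name__ == "__main__":
    print(run_merkle_demo())
```

Because a root hash commits to every node beneath it, recording that one value outside the store is enough to verify an entire restore point later.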

Security first, Zero Trust always 

Security isn’t a feature—it’s our architecture. Keepit is secure by design. We’ve embedded Zero Trust principles across our platform, infrastructure, and operations. 

Let’s be clear:  isn’t a checklist. It’s a mindset—and a moving target. You start with identity and context. You assume breach. And you design controls that minimize exposure at every level: user, device, network, application, and data.

From a Keepit perspective, this means role-based access controls, strict SAML-based identity management, secure device access, and IP-based controls at the platform level. It means nobody—not even Keepit employees—can access customer data unless explicitly authorized. 

It also means we can help our customers move closer to their own Zero Trust goals by ensuring the storage layer doesn’t become a blind spot. When storage is also part of your protection posture, Zero Trust has a stronger backbone. 

Full stack control = Full stack visibility 

Most vendors outsource key parts of their operations to hyperscalers. Keepit doesn’t. We own our entire stack. That gives us unmatched visibility into performance, anomalies, and potential risks—across software, hardware, and operations. 

With our , we flag suspicious patterns like spikes or drops in backup volume, mass deletions, or unexpected behavior across monthly snapshots. It’s built-in threat monitoring—not a bolt-on tool—and it’s tuned to detect precisely the kinds of subtle threats that evade traditional alerting systems. 

This is part of our Intelligent Threat Monitoring and Instant Response framework. Because when you own the stack, you don’t just wait for threats to appear—you go find them. 

Built-in risk governance 

We’ve built governance into the core of our product—not layered it on as compliance theater. Our secure and logged access controls offer fine-grained administrative roles, auditable logs, and immutable audit trails accessible through the platform or via integration with your SIEM (e.g., Splunk or Microsoft Sentinel). 

And with no subprocessors and no third-party access to data, we eliminate weak links in the chain. Everything stays in-region, encrypted, and controlled. 

Why cyber storage now? 

The reality is, businesses are under siege. You’re managing more data across more platforms, and the threat landscape is getting more sophisticated by the day. Breaches, insider threats, supply chain compromise—it’s all in play. 

Traditional backup models weren’t designed for this world. They assume trust where there shouldn’t be any. They treat storage as a static, low-risk layer. We know better. At Keepit, we’ve built cyber storage as an active participant in your cyber resilience strategy. Not just something you “have”—but something you use to stay protected, stay operational, and stay in control. 

To wrap up: The storage story has changed 

Cyber attacks don’t discriminate. They don’t wait. And they don’t stop at the edge of your infrastructure. Your backups need to be more than safe—they need to be ready. That’s why cyber storage is the new standard. 

At Keepit, we live and breathe data protection. That’s why we didn’t build on someone else’s cloud. We built our own. Because your data deserves its own home—and your organization deserves a partner that’s all-in on keeping it safe. 

Ready to shift from traditional storage to cyber storage? 

Let’s talk. 

Protecting your project execution — Keepit is now backing up Jira and Confluence Cloud

Atlassian’s suite of collaboration tools—Jira, Confluence, and others—has become mission-critical for countless teams across the globe. From software development to IT service management, Atlassian’s cloud products are the central nervous system of modern project execution: whether it’s tracking tickets and development workflows or storing vital knowledge in pages and spaces. Under Atlassian’s shared responsibility model, it’s up to you to safeguard your own data. 

 

Shared responsibility: How effective is Atlassian’s native backup and recovery service?  

Backing up your data in a separate infrastructure from your production data is an industry best practice to secure business continuity and comply with increasing regulations. 

 

Although the native backup and recovery service Atlassian offers is useful for some Jira and Confluence customers, it has some major limitations: for starters, it’s not generally available for all Atlassian customers.

 

On top of that, the native backup solution only stores your data for up to 30 days, after which it expires and can’t be restored. Atlassian’s backup also has a limit to how much data you can restore on your own, without the help of customer support: backups larger than 60GB need Atlassian support assistance for restoration.  

 

Reasons why you should independently back up Jira and Confluence Cloud 

As companies become more and more dependent on SaaS applications, independent backup — and the capability to recover instantly — has become a basic element of cyber readiness.

 

Keepit backup and recovery for Jira and Confluence Cloud will ensure and support 

 

  • Business continuity 
    Regular backups are a must to mitigate risk of business disruption, financial loss, damage to a company’s reputation, and even legal action. 
  • Protection against human error 
    Mistakes happen every day. Your users and administrators have access to your most vital data, and one accidental deletion means losing data you rely on the most. Human error is still the leading cause of data loss. 
  • Confidence during systems updates and migration 
    Having secure backups makes migration easier and more secure. 
  • Cyber resilience 
    Data loss from security breaches, such as ransomware and malicious deletion, is on the rise. Without a backup in place, your SaaS data can be lost forever.
  • Compliance 
    To comply with increasing regulation such as NIS2 or GDPR, you need uninterrupted access to your data, and any data loss or disruption may lead to failures to comply. 

 

Keepit backup and recovery for Jira and Confluence Cloud 

Keepit backup and recovery for Jira and Confluence Cloud enables companies to secure their project management data, with assurance that it can always be recovered. Some of the key features of Keepit’s solution include 

 

  • Automated backups — have all your data at your fingertips, always, with comprehensive, automated backups of your Jira and Confluence Cloud. 
  • Granular restore capabilities — quickly identify the correct Jira and Confluence data to recover with Keepit’s Smart search and Previewer for projects, issues, files, and attachments. 
  • Storage — immutable backup and retention. 
  • 100% cloud based: no hardware, no upgrades. 
  • Secure platform architecture, built on a robust, cloud-native design with AES-256 encryption for data protection. 
  • End-to-end certifications: ISO 27001, ISAE 3402, and GDPR-compliant, ensuring the highest security standards. 
  • Independent cloud: Keepit’s vendor-neutral cloud stores backup data separately from SaaS providers. 
  • Monitoring of snapshot data to automatically detect anomalies. 
  • Compare backup snapshots to identify records added, modified, or deleted over time, enabling precise recovery. 

 

Final thought: Your project management tools deserve the same protection as your source code or customer records 

Imagine a product team losing its entire Jira roadmap, or a customer success team being cut off from the service history logged in Confluence. The ripple effects affect every part of the business.

 

That’s why backup isn’t a “nice to have” for Atlassian—it’s essential. 

 

 tailored to Atlassian workloads ensures that your teams can innovate confidently, collaborate securely, and recover instantly—no matter what happens. 

 

Data governance checklist: Turning strategy into action

This is the fifth and final article in our blog series based on our data governance report. Throughout this series, we’ve explored how governance helps manage data through its lifecycle, strengthens resilience, and fuels compliance and business growth.

Now it’s time to bring it all together — and put governance into practice.

This blog introduces a practical framework/checklist designed to help organizations move from intention to execution. Whether you’re just getting started or refining a mature program, the model outlined here offers a clear way to assess priorities, identify gaps, and scale governance with confidence.

Governance doesn’t start with technology — it starts with structure 

A governance program can’t succeed without clarity on goals, ownership, risk, and accountability. That’s why a structured framework is essential — not to add complexity, but to cut through it.

In Keepit’s data governance report, we provide three interconnected governance lenses, each supported by 10 critical checklist questions. Below, we outline the key areas these questions cover.

 

1. Framework readiness: Establishing the foundation for governance 

Before governance can scale, it needs a solid foundation. This checklist can help you assess if your organization has the right structures, policies, and oversight to support and sustain governance. It focuses on:

  • Clear governance roles and responsibilities 
  • Policy enforcement and standardization 
  • Classification, privacy, and retention frameworks 
  • Regulatory alignment and auditability 
  • Mechanisms for continuous review and improvement

2. Classification strategy: Organizing data to reduce risk and increase value

Governance depends on knowing what data you have and treating it accordingly. This checklist helps define a fit-for-purpose classification model — one that supports access control, automation, and downstream compliance. It includes:

  • Mapping data types, sources, and storage locations 
  • Assessing sensitivity and access risk 
  • Defining classification categories and metadata tagging 
  • Supporting tools and automation capabilities 
  • KPIs to monitor classification effectiveness

3. Board-level alignment: Elevating governance to a strategic business function 

For governance to succeed, it must be visible at the top. This checklist helps ensure governance is not just operational — it’s strategic. It supports board engagement by emphasizing:

  • Acknowledgement of the risk management process (part of NIS2)
  • Leadership’s understanding of governance goals 
  • Framing governance in terms of business value and risk 
  • Communicating maturity, cost, and ROI 
  • Enabling cross-functional alignment 
  • Reporting and collaboration at the executive level 

Use the checklist to spark internal conversations 

These questions aren’t just for IT or compliance — they’re designed to be cross-functional.  You can use them in workshops, planning sessions, or executive briefings to create alignment and drive accountability.

Most importantly, they turn governance from an abstract concept into a shared capability. 

Before implementing a governance framework, organizations need leadership buy-in. The checklists can help guide discussions at the executive level. 

Conclusion: From questions to execution 

A checklist alone won’t build a governance program — but the right questions will move you from assumptions to action. Organizations should use these checklists as a starting point, adapting them to their specific needs.

Next step: Assess your current governance framework — which gaps need to be filled? 

Data governance report

Get the report for the three checklists and all 30 questions in an interactive format — and build a governance framework that fits your business. 

Wrapping up the data governance blog series  

This article concludes our five-part blog series based on the Intelligent Data Governance report. If you’ve followed along, you now have a clearer understanding of how governance strengthens lifecycle control, resilience, and strategic growth. 

 

1. Part 1: Intelligent data governance
2. Part 2: Data lifecycle
3. Part 3: Resilience against corruption and disruption
4. Part 4: Data governance fuels growth and compliance


The French Tennis Federation chooses Keepit for independent backup of Microsoft data

Keepit protects the critical Microsoft 365 and Microsoft Entra ID data of 2,515 users, with Power BI to be added in the near future

 

Paris, France – June 10, 2025 – Keepit, a global provider of a comprehensive cloud backup and recovery platform, today announced that it has been selected by the French Tennis Federation (FFT) to independently back up its Microsoft 365, Microsoft Entra ID and Power BI data.

 

Keen to strengthen the resilience of its digital environments, the French Tennis Federation chose a sovereign backup solution, independent of major global cloud providers. It chose Keepit, a Danish company that controls its entire hosting chain by operating its own cloud and data centers, across Europe, and in the UK, Canada, Australia and the US. Keepit’s architecture, which guarantees uninterrupted access to data even in the event of third-party provider failure, fully met the FFT’s requirements of security, independence and business continuity.

 

“Until three years ago, we had no backup solution for our cloud environments. My objective was clear: to identify a European service provider guaranteeing maximum independence”, says Franck Labat, Technical Director at FFT. “Beyond this initial requirement, Keepit was able to meet additional needs that we hadn’t anticipated: centralized, traceable archiving of PST files, unified management of all our data via a single platform, and more recently, seamless integration of our directory as part of our complete migration to Entra ID.”

 

The French Tennis Federation, headquartered at Roland-Garros stadium, organizes, coordinates and promotes tennis for over 8,000 clubs throughout France. The FFT’s operations also involve the management of a large number of seasonal employees as part of its event-driven activities, generating significant data flows to be processed and restored. To ensure consistent monitoring, it is essential to be able to recover data from people who have left, sometimes after short assignments, in order to pass it on to their managers. This need also led the FFT to choose Keepit: beyond backup, the solution enables targeted copying and restoration according to the needs of the teams. Keepit facilitates the management of these processes, while guaranteeing data security.

 

The collaboration began in 2022, alongside SCC France, a trusted partner of the FFT for over 15 years, with the initial aim of safeguarding Microsoft 365 environments. Since then, the partnership has gradually expanded to include Power BI and Microsoft Entra ID. FFT now plans to systematically integrate any new Microsoft solution it adopts into the Keepit ecosystem, ensuring continuity and consistency in the protection of its digital assets.

 

“We are particularly proud to have led this project alongside our partner SCC, to offer the FFT an independent cloud backup and recovery platform that is simple to deploy and administer,” says Cyril VanAgt, Vice President Channel EMEA at Keepit. “We remain fully committed to supporting the next steps in the evolution of its cloud and Microsoft environments.”

 

About the French Tennis Federation
The French Tennis Federation (French: Fédération française de tennis, FFT) is the governing body for tennis in the Hexagone and DROM-COM. It was founded in 1920, and is tasked with the organization, co-ordination and promotion of the sport. It is recognized by the International Tennis Federation and by the French Minister for Sports. Its headquarters are at the Roland-Garros stadium in France.

 


Keepit continues momentum with 2025 TrustRadius Top Rated Award

Keepit has been recognized as a leader among SaaS Backup, Data Loss Prevention, Disaster Recovery, and Enterprise Backup categories.

Copenhagen, Denmark – June 10, 2025 – Keepit, a global leader in SaaS data backup and recovery, today announced that it has been recognized as TrustRadius Top Rated in four categories: SaaS Backup, Data Loss Prevention, Disaster Recovery, and Enterprise Backup. This recognition comes directly from customers, underscoring Keepit’s commitment to providing an intelligent and secure backup and recovery platform.

“Earning a Top Rated award on TrustRadius is a reflection of how well a product is meeting the needs of its customers,” says Allyson Havener, CMO, TrustRadius. “Keepit’s recognition is based entirely on customer feedback—real users who value the platform’s reliability, performance, and support.”

Since 2016, the TrustRadius Top Rated Awards have become the B2B industry standard for unbiased recognition of excellent technology products. Based entirely on customer feedback, they have never been influenced by analyst opinion or status as a TrustRadius customer. TrustRadius publishes a detailed criteria breakdown of the methodology and scoring it uses to determine Top Rated winners.

Keepit provides independent backup to over 18,000 customers worldwide

Keepit backup and recovery solutions are currently available for eight workloads, such as Microsoft 365, Microsoft Entra ID, Google Workspace and Salesforce. The company will expand its offering in 2025 to include applications such as Jira, Bamboo, Okta and Confluence. Keepit’s unique, intelligent, and cloud-native platform enables customers to safely secure their SaaS applications, ensuring full control of data regardless of unforeseen events such as outages, malicious attacks, or human error.

“SaaS backup has become an increasingly crucial part of risk management and business continuity planning. We are thrilled that our customers rely on Keepit to safeguard critical data and value their continued feedback and support. Accolades such as the Top Rated Award mean a lot to us as a company and further validate that our solutions meet our customers’ needs,” says Michele Hayes, CMO at Keepit.

Hear from verified users on how much they value Keepit: Keepit reviews on TrustRadius.


Keepit continues its commitment to growth in the UK and Ireland with new VP hire

New senior executive shares ambitious goals for regional Keepit expansion  

Copenhagen, Denmark – June 2, 2025 – Keepit, the global leader in SaaS data protection, today announced that Dan Middleton, former VP at Veeam, has been appointed as its new VP for the UK and Ireland. Middleton will grow Keepit’s UKI sales team, accelerate pipeline generation, and drive the expansion of Keepit’s local partner ecosystem with the regional partner management team. Additionally, Middleton is responsible for Eastern Europe, Middle East and South Africa.

With over 20 years’ experience in IT sales leadership, Middleton brings a wealth of proven go-to-market expertise and leadership to Keepit. His appointment follows an 11-year tenure at Veeam UKI, where he played a key role in strengthening the company’s market presence to #1 in the region. 

“Keepit is solving one of the most urgent challenges organizations face today: protecting and controlling their data in a complex, fast-moving, and highly regulated landscape. With data sovereignty continuing to rise up the boardroom agenda, businesses need practical, proven solutions. My priority now is to build on momentum in the UK and Ireland, working closely with our channel partners to drive growth and help more organizations take control of their data, wherever it resides,” said Middleton. 

“We’re incredibly excited to have Dan on board,” said Keepit Chief Revenue Officer, Craig Bumpus. “He’ll be leading an already strong and experienced team dedicated to helping organizations protect their data. This role is critical to our continued growth in the region and with Dan’s expertise, we’re set to meet some bold growth objectives that will take us into strategic accounts and help expand our customer base even further. Following our recent alliance with Ingram Micro in the UK, we are well positioned to expand our UK footprint.”

Middleton joins Keepit at a time when organizations are under significant pressure to protect their data and metadata generated by their SaaS applications. However, SaaS providers have no obligation to offer data protection services alongside their tools.  

 

Thanks to datacenters located in the UK and complete independence from global hyperscalers, Keepit’s backup and recovery solution ensures that organizations retain complete access to their data at all times. With Keepit, organizations have the confidence that data remains under their control, even if the original SaaS system is unavailable, or a third party takes unauthorized control of data stored within a public cloud. This is a critical contribution to data resilience in the context of UK digital sovereignty. 

 

A wave of cyberattacks – including recent high-profile attacks against major UK retailers – has pushed data protection back into the spotlight. And with both the UK and EU tightening data sovereignty laws, organizations must take a more strategic approach to managing their data: classifying, prioritizing and understanding its value.  

Keepit supports this by offering secure, compliant cloud backup and data management services that ensure data is protected, easily accessible and stored according to local sovereignty requirements. This enables organizations to maintain control, meet regulatory demands, and recover quickly from cyber incidents. 

Based at Keepit’s continuously growing UK headquarters in London, Middleton will accelerate adoption of Keepit’s solutions by targeting industries facing some of the toughest data governance challenges, where organizations are subject to numerous regulations, including aligning their data policies with UK and EU legislation. 

For more information on Keepit’s data protection solutions and upcoming developments, visit www.keepit.com 

About Dan Middleton
Dan Middleton is Keepit’s VP, UK and Ireland. He has over two decades of experience working in IT sales management, including 11 years with Veeam Software in roles that included Commercial Sales Director and VP, UK & Ireland. 



Europe’s data sovereignty challenge

The reality of Europe’s cloud dependence 

Europe stands at a crossroads when it comes to data sovereignty. Despite its aspirations for autonomy, 97% of the cloud infrastructure and platform services market is dominated by U.S. and Chinese providers: the U.S. Big Three (AWS, Azure, and Google Cloud) and Chinese providers such as Alibaba, Huawei, and Tencent.

The implications are profound. With critical European data housed within infrastructures controlled by foreign entities, the EU’s ambitions for digital sovereignty face significant hurdles. How can Europe claim true data sovereignty when its information resides under jurisdictions subject to foreign government access and control? 

The geopolitical landscape 

The global cloud market is not just about technology — it’s about politics and control. Data sovereignty speaks to the legal and regulatory control a country or region has over data generated or stored within its borders. But with most of the infrastructure controlled by non-European players, the question of true sovereignty remains unresolved.

This dependency leaves Europe vulnerable to political shifts and foreign legislation, including policies like the U.S. CLOUD Act, which grants American authorities the right to access data stored by U.S. companies, even if it resides on foreign soil. 

A path forward for Europe 

For Europe to assert control over its digital future, it must prioritize sovereign cloud solutions. These infrastructures would guarantee data residency, security, and autonomy, shielding critical information from foreign oversight. Keepit’s architecture is purpose-built for such sovereignty, with control over the entire data and management plane, providing a viable pathway for European enterprises to regain digital control. 

Next steps: Navigating toward European digital autonomy 

To transition from dependence to autonomy, European companies should:

  • Invest in sovereign cloud solutions: Opt for providers that prioritize European data residency and compliance. 
  • Strengthen compliance with regional regulations: Align with GDPR, DORA, NIS2 and local data privacy laws to build stronger protections. 
  • Leverage local data centers: Prioritize data centers within Europe to avoid geopolitical risks. 
  • Demand transparency and local control: Ensure your provider maintains complete transparency over data handling and security measures. 
  • Promote regional cloud initiatives: Support European-based cloud initiatives that focus on sovereignty and compliance.

A sovereign Europe starts with responsible decisions made today. 
