Partner POV | Hunt for Threats Within Backups to Minimize Data Loss and Downtime
Article written by Vir Choksi, Senior Product Marketing Manager, Rubrik.
Mike Tyson famously said, "Everybody has a plan until they get punched in the mouth." After falling victim to a cyberattack, an organization must respond promptly and effectively to minimize damage, recover operations, and prevent future incidents. One of the most critical elements of responding to an incident is the recovery and restoration of affected systems so that normal business operations can resume as quickly and safely as possible. Incorporating the right methods and tools into your cyberattack response plan can help keep downtime and data loss to a minimum. But how is this done?
The most common way to restore impacted systems is to recover directly from backups. After all, that's what backups are for. However, this is easier said than done. Which specific parts of your environment need to be recovered? And how far back in time do you need to go? Often this is a guessing game of trial and error. If you recover from too recent a backup, you risk reintroducing the bad actor into your environment, further prolonging the remediation process. If you recover from too old a backup, you hurt productivity through excessive data loss. Imagine losing a month's worth of data by recovering from old backups when two weeks would have been adequate to avoid reinfection.
So how can you solve this problem? During an incident, you need to identify the most recent clean recovery point for each impacted part of your environment. Fortunately, your own backup data may have the answer.
Rubrik organizes backup snapshots into a time-series that can be scanned and analyzed on-demand to find indicators of compromise (IOCs). With Threat Hunting, you can surgically hunt for specific IOCs within this time-series history of backup snapshots. This allows you to more accurately pinpoint the initial point, scope, and time of infection. You can hunt for threats present on Windows servers, Linux servers, and NAS filesets, as well as VMware, Nutanix AHV, and Microsoft Hyper-V virtual machines. Backups can be scanned using file patterns, file hashes, and YARA rules to look for IOCs.
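To make the idea concrete, here is an added example (not Rubrik code, and not the Threat Hunting feature's actual implementation) that models a time-series of backup snapshots as in-memory file sets and scans them with the three IOC types named above. Hashes and path patterns are real checks; the byte-string rule is a deliberately simple stand-in for a YARA rule, and all snapshot contents and indicators are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass, field

@dataclass
class Snapshot:
    taken_at: str   # ISO timestamp; the snapshot list is ordered oldest -> newest
    files: dict     # path -> file content as bytes (constructed stand-in for a backup)

@dataclass
class Iocs:
    path_patterns: list = field(default_factory=list)  # regexes matched against file paths
    sha256: set = field(default_factory=set)           # known-bad file hashes
    strings: list = field(default_factory=list)        # byte patterns; stand-in for YARA rules

def scan_snapshot(snap, iocs):
    """Return (path, reason) pairs for every file in one snapshot that matches an IOC."""
    hits = []
    for path, data in snap.files.items():
        if any(re.search(p, path) for p in iocs.path_patterns):
            hits.append((path, "path pattern"))
        elif hashlib.sha256(data).hexdigest() in iocs.sha256:
            hits.append((path, "hash"))
        elif any(s in data for s in iocs.strings):
            hits.append((path, "content rule"))
    return hits

def last_clean_snapshot(snapshots, iocs):
    """Newest snapshot taken before the first one with any hit; None if all are tainted."""
    for i, snap in enumerate(snapshots):
        if scan_snapshot(snap, iocs):
            return snapshots[i - 1] if i > 0 else None
    return snapshots[-1]

# Constructed sample data: three nightly snapshots of one server. Day 2 already holds a
# dropped loader script; day 3 adds a second-stage binary and a ransom note.
LOADER = b"#!/bin/sh\necho constructed-loader-placeholder\n"
DROPPER = b"MZ\x90\x00constructed-fake-binary"
CLEAN = {"/srv/app/config.yml": b"db: prod\n"}
SNAPSHOTS = [
    Snapshot("2024-05-01T02:00", dict(CLEAN)),
    Snapshot("2024-05-02T02:00", {**CLEAN, "/tmp/.x/loader.sh": LOADER}),
    Snapshot("2024-05-03T02:00", {**CLEAN, "/tmp/.x/loader.sh": LOADER,
                                  "/tmp/.x/bin": DROPPER,
                                  "/srv/app/README.txt": b"Your files have been encrypted."}),
]
IOCS = Iocs(path_patterns=[r"/\.x/loader\.sh$"],
            sha256={hashlib.sha256(DROPPER).hexdigest()},
            strings=[b"Your files have been encrypted"])
```

Calling `last_clean_snapshot(SNAPSHOTS, IOCS)` returns the day-1 snapshot, the most recent recovery point taken before the loader first appears; a `None` result means the infection predates the oldest retained snapshot and a clean restore is not available from this series.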
In addition, Threat Hunting supports hunting within relics and replicas, if needed. This is especially relevant during an active security incident. Backups are converted into relics if, for example, VMs are disconnected from the network during a cyberattack. And if the primary site is unavailable during an incident, investigations can continue by hunting within replicas (i.e., copies generated from the primary copy through the replication process). Said another way, hunts need not be limited to live objects.
In summary, the ability to accurately pinpoint the malware entry point for each part of your environment that was impacted means you can "turn back the clock" exactly the right amount to keep your environment safe, minimize data loss, and minimize downtime. Cyberattack response plans must include such a strategy so that you can get your business operations back to normal with little interruption.