Camp Rubrik: Data Security Foundations
Forensic Analysis


Zaffre runs the Rubrik Enterprise Edition suite. In this section you will use Cyber Recovery to start a recovery into an isolated recovery environment (IRE) so the team can run forensic analysis on the infected state. The same workflow lets you validate snapshots you believe are clean before recovering them into production, so you do not reinfect the production environment.

  • To do this, first click the Objects tab if you are not already there.

  • Click Start Cyber Recovery.

  • Click Start to launch the Cyber Recovery wizard.

  • Next, from the dropdown menu for Ransomware Monitoring Outcome, select Anomalous.

  • You will now see that Rubrik has automatically selected the anomalous snapshots for both VMs.

Automatic identification of anomalous and non-anomalous snapshots saves the time you would otherwise spend picking snapshots by hand, so forensic analysis and recovery can start quickly. Here you choose Anomalous because the goal is to examine the attacked state in isolation; for a production recovery you would instead select non-anomalous snapshots and validate them in the IRE first.

  • To assign compute resources, select the default vCenter from the dropdown menu.

  • Select the default Datacenter from the dropdown menu.

  • Select esx2.rubrik.lab as the compute cluster.

  • Click Next.

  • To assign the isolated network to all the VMs at once, select Fast Fill.

  • From the dropdown menu, select IsoLAN and select Apply.

  • You will observe that the isolated network is now selected for every VM, so nothing recovered here can reach production.

  • Click Next.

  • Assign 2nd Priority Group to haverford-webapp-01.

  • Click Next.

  • Click Next.

Post-recovery custom scripts run against the recovered VMs once they are up, which lets you test ransomware or disaster recovery scenarios in any environment and find recovery weaknesses before a real incident recurs in production. This lab does not configure one.

  • Toggle the button (A) to save the recovery plan for future use.

  • Type Demo-CR (B) as the Recovery Plan Name.

  • Click Confirm (C).

Saving the recovery plan lets you start cyber recovery later without identifying and defining the resources again.

  • Click Monitor Recovery to see the progress.

  • Click Demo-CR_* to monitor the progress of the isolated recovery.

  • Ensure the recovery is completed without errors.

Congratulations, you have now set up an IRE in which your team can conduct forensic analysis on the anomalous snapshots. You can also use the same workflow to validate recovery candidates, selecting non-anomalous and non-quarantined snapshots and confirming they are clean before you recover your production environment.

With Cyber Recovery and a few clicks, an IRE is up and running within the hour rather than days or weeks.
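The wizard above skips the post-recovery custom script step, so the following added example shows the kind of check such a script would perform. It is not part of the Rubrik product or this lab; it is a stand-alone validation script that scans a recovered filesystem for ransomware residue (ransom-note filenames and encrypted-file extensions) and returns non-zero when any is found, so a snapshot assumed clean fails loudly inside the IRE instead of being promoted to production. The note names, extensions and sample paths are assumptions for illustration, and the sample trees are constructed by the script so it runs offline.

```shell
#!/bin/sh
# Added example (not Rubrik code, not part of the lab): a post-recovery
# validation script of the kind attached to a recovery plan and run inside the
# isolated recovery environment after the recovered VMs boot.
# Ransom-note names, encrypted-file extensions and paths are assumed IOCs.

# Count files under the given root whose names match typical ransom-note names.
count_ransom_notes() {
    find "$1" -type f \( -iname 'README_TO_DECRYPT*' -o -iname 'HOW_TO_RECOVER*' \
        -o -iname '*RESTORE_FILES*' -o -iname '*.ransomnote' \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Count files whose extension suggests they were encrypted in place.
count_encrypted_files() {
    find "$1" -type f \( -iname '*.locked' -o -iname '*.encrypted' -o -iname '*.crypt' \) \
        2>/dev/null | wc -l | tr -d ' '
}

# Validate a recovered filesystem root. Prints a verdict and returns 0 only
# when neither indicator is present; any hit returns 1 so the plan step fails.
validate_recovered_fs() {
    root="$1"
    notes=$(count_ransom_notes "$root")
    enc=$(count_encrypted_files "$root")
    if [ "$notes" -eq 0 ] && [ "$enc" -eq 0 ]; then
        echo "CLEAN   $root"
        return 0
    fi
    echo "SUSPECT $root: $notes ransom note(s), $enc encrypted file(s)" >&2
    return 1
}

# Constructed sample data so the script runs offline: two recovered storefront
# roots, one clean and one that still carries ransomware residue.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/var/www/html" "$base/infected/var/www/html"
    echo '<h1>storefront</h1>' > "$base/clean/var/www/html/index.html"
    echo '<h1>storefront</h1>' > "$base/infected/var/www/html/index.html"
    : > "$base/infected/var/www/html/index.html.locked"
    echo 'Your files are encrypted' > "$base/infected/var/www/README_TO_DECRYPT.txt"
    echo "$base"
}

# Stand-alone run: validate both sample roots. In a real plan you would point
# validate_recovered_fs at the mounted recovered disk and let its exit status
# decide whether the snapshot is promoted.
SAMPLE=$(make_sample_trees)
validate_recovered_fs "$SAMPLE/clean" || true
validate_recovered_fs "$SAMPLE/infected" || true
```

In a real plan the script would run on the recovered VM against its own root (or a mount of the recovered disk), and the indicator lists would come from the threat hunt rather than being hard-coded; the exit status is what the recovery plan step should act on.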

Screenshots referenced above: Cyber Recovery object list; Start Cyber Recovery; Cyber Recovery wizard.