Camp Rubrik: Data Security Foundations

In-Place recovery


Last updated 1 year ago

Zaffre has the Rubrik Enterprise Edition suite, and now you will leverage the deep integrations to kick off an in-place recovery.

To do this, first switch to the Anomaly Detection app by clicking Data Threat Analytics in the app tray in the top right of your screen.

Click the Investigations tab in the top center of the screen. You can see the Haverford_Site Recovery Plan from Cyber Recovery.

From here, you can clearly see suspicious activity, particularly on the haverford-webapp-01 virtual machine. Check the box to select the Haverford_Site Recovery Plan, then click Start Cyber Recovery.

Notice that when you select the app, you can also download a CSV detailing all suspicious activity detected in the component virtual machines.

Notice that this defaults to recovering the VM to the snapshot closest to the point in time that you've selected. Because Zaffre is recovering from a ransomware attack, it's important to select a clean recovery point.

Click the Edit button for the Recovery Plan.

You need to find a clean snapshot.

Hover over the orange circle with an exclamation mark. You can see the exact time when the anomaly was detected. Click Back.

Update the date to match the date of the anomaly detection, and set the time to right before the anomaly detection.

Click View.

You can see that a snapshot is automatically selected with the same date as the anomalous event and the time before the anomalous event.

Click X to close the Recovery points pop-up.

Click Continue to proceed.

You'll now see a warning. As in-place recovery overwrites the existing virtual machines, you have a final check to prevent accidental clicking: click into the free text field and type RECOVERYPLAN. Once this is done, the Recover button is clickable.

You can now see that the recovery has begun and can track the progress on the Recoveries dashboard. Click Go To Recoveries.

The recovery activity may take a moment to be shown under Recoveries.

Monitor the failover through to completion. This may take a few minutes. Once the recovery is successfully completed, you need to validate that the Haverford website is back up and running.

Open a new tab in your browser, and click the shortcut to the Haverford site. You should see it is back up and running.

Using Cyber Recovery and a few clicks, you got Haverford up and running within the hour, versus days or weeks!

Congratulations!