So far, you have helped the various teams to detect that there was a cyber-attack taking place, you have looked at some of the options for recovery, you have provided a clean room recovery for digital forensics, and you have pulled the details of sensitive data within the environment for the legal team to begin their compliance efforts. Now, you will look at one of the tools that can really help to tie things together and restore service quickly.
Let's talk about Cyber Recovery.
Cyber Recovery uses the concept of Recovery Plans to bundle together the virtual machines that make an application. Doing this makes it easy to recover the workload without needing to worry about which virtual machines need to be restored and to which point.
Click the Recovery Plans tab.
From the left panel, select the In-Place Recovery radio button.
You can now access the "Haverford Site" Recovery Plan, which comprises 2 VMs.
You will initiate the in-place recovery next.
Cyber Recovery is delivered as a Rubrik Security Cloud-based application. Rubrik Cyber Recovery helps you restore business continuity quickly by testing, validating, and orchestrating recovery workflows for business services running in VMware vSphere environments. As a result, IT organizations can eliminate multiple point solutions and their management complexity, and avoid unnecessary costs.
If you haven't already connected to the Rubrik Security Cloud, head back to the lab environment.
Once you're logged in, click the app-tray icon in the top right of the user interface, then select Orchestrated Recovery.
Zaffre has the Rubrik Enterprise Edition suite, and now you will leverage Cyber Recovery to kick off a recovery in an isolated recovery environment (IRE) to run forensic analysis. You can also use this to validate your clean snapshots before recovering into your production environment, so that you don't reinfect production.
To do this, first click the Objects tab if you are not already there.
Click Start Cyber Recovery.
Click Start to kickstart the Cyber Recovery wizard.
Next, from the dropdown menu for Ransomware Monitoring Outcome, select Anomalous.
You will now see that Rubrik has automatically selected the anomalous snapshots for both VMs.
The automatic identification of anomalous and non-anomalous snapshots saves a lot of time and effort, and lets you move on to forensic analysis and recovery quickly.
To assign compute resources, select the default vCenter from the dropdown menu.
Select the default Datacenter from the dropdown menu.
Select esx2.rubrik.lab as the compute cluster.
Click Next.
To select the Isolated network for all the VMs, select Fast Fill.
From the dropdown menu, select IsoLAN and select Apply.
You will observe that the Isolated Network is automatically selected for the VMs.
Click Next.
Assign 2nd Priority Group to haverford-webapp-01.
Click Next.
Click Next.
Post-recovery custom scripts are used for testing ransomware or disaster recovery scenarios in any environment. This helps identify potential recovery weaknesses before the real threat re-occurs in your production environment.
Toggle the button (A) to save the recovery plan for future use.
Type Demo-CR (B) as the Recovery Plan Name.
Click Confirm (C).
Saving Recovery Plans enables you to kick start cyber recovery in the future without needing to identify and define resources again.
Click Monitor Recovery to see the progress.
Click Demo-CR_* to start monitoring the isolated recovery progress.
Ensure the recovery is completed without errors.
Congratulations, you have now set up an IRE environment for your team to conduct forensic analysis using anomalous snapshots. You can also validate recovery snapshots by using non-anomalous and non-quarantined snapshots before you recover your production environment!
Using Cyber Recovery and a few clicks, you get an IRE environment up and running within the hour vs. days or weeks!
Zaffre has the Rubrik Enterprise Edition suite, and now you will leverage the deep integrations to kick off an in-place recovery.
To do this, first switch to the Anomaly Detection app by clicking Data Threat Analytics in the app tray in the top right of your screen.
Click the Investigations tab in the top center of the screen. You can see the Haverford_Site Recovery Plan from Cyber Recovery.
From here, you can clearly see suspicious activity, particularly on the haverford-webapp-01 virtual machine. Check the box to select the Haverford_Site Recovery Plan, then click Start Cyber Recovery.
Notice that when you select the app, you can also download a CSV detailing all suspicious activity detected in the component virtual machines.
Notice that this defaults to recovering each VM to the snapshot closest to the point in time you've selected. As Zaffre is recovering from a ransomware attack, it's important that a clean recovery point is selected.
Click the Edit button for the Recovery Plan.
You need to find a clean snapshot.
Hover over the orange circle with an exclamation mark. You can see the exact time when the anomaly was detected. Click Back.
Update the date to be the same as the date of anomaly detection and the time right before the anomaly detection.
Click View.
You can see that a snapshot is automatically selected with the same date as the anomalous event and the time before the anomalous event.
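The rule the wizard applies here (take the newest snapshot that is neither anomalous nor quarantined and was taken strictly before the anomaly was detected), together with the priority-group ordering a Recovery Plan gives its VMs, is easy to state in code. The following is an added illustration written for this page, not Rubrik's API or any code from the lab; the data model, the second VM name haverford-db-01, the timestamps and the anomaly flags are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Added illustration, not Rubrik code: a minimal model of a Recovery Plan
# (VMs grouped by boot priority) plus the "latest clean snapshot strictly
# before the anomaly was detected" rule used in the in-place recovery steps.


@dataclass
class Snapshot:
    taken_at: datetime
    anomalous: bool = False     # flagged by anomaly detection
    quarantined: bool = False   # excluded from recovery by an operator

    def is_clean(self) -> bool:
        return not (self.anomalous or self.quarantined)


@dataclass
class VM:
    name: str
    priority_group: int                     # group 1 boots before group 2, and so on
    snapshots: list = field(default_factory=list)


@dataclass
class RecoveryPlan:
    name: str
    vms: list

    def recovery_order(self) -> list:
        """VM names in boot order: lower priority group first, then by name."""
        return [vm.name for vm in sorted(self.vms, key=lambda v: (v.priority_group, v.name))]


def latest_clean_before(vm: VM, detected_at: datetime) -> Optional[Snapshot]:
    """Newest snapshot that is neither anomalous nor quarantined and was taken
    strictly before the anomaly was detected; None if no such point exists."""
    candidates = [s for s in vm.snapshots if s.is_clean() and s.taken_at < detected_at]
    return max(candidates, key=lambda s: s.taken_at) if candidates else None


def plan_recovery_points(plan: RecoveryPlan, detected_at: datetime) -> dict:
    """Map each VM (in boot order) to the ISO timestamp of its chosen recovery
    point, or None when the VM has no clean point and needs manual review."""
    by_name = {vm.name: vm for vm in plan.vms}
    result = {}
    for name in plan.recovery_order():
        snap = latest_clean_before(by_name[name], detected_at)
        result[name] = snap.taken_at.isoformat() if snap else None
    return result


# Constructed sample data. haverford-webapp-01 is named on the page; the second
# VM name, the timestamps and the flags are made up for this example.
ANOMALY_DETECTED_AT = datetime(2024, 3, 12, 9, 15)

WEBAPP = VM("haverford-webapp-01", priority_group=2, snapshots=[
    Snapshot(datetime(2024, 3, 11, 20, 0)),
    Snapshot(datetime(2024, 3, 12, 4, 0)),
    Snapshot(datetime(2024, 3, 12, 9, 0), anomalous=True),   # the flagged point
    Snapshot(datetime(2024, 3, 12, 16, 0), anomalous=True),
])

DB = VM("haverford-db-01", priority_group=1, snapshots=[
    Snapshot(datetime(2024, 3, 12, 4, 0)),
    Snapshot(datetime(2024, 3, 12, 16, 0), quarantined=True),
])

# Edge case, not part of the plan: the only pre-detection snapshot was itself
# flagged, and the clean snapshot after detection must not be chosen.
ORPHAN = VM("haverford-cache-01", priority_group=2, snapshots=[
    Snapshot(datetime(2024, 3, 12, 9, 0), anomalous=True),
    Snapshot(datetime(2024, 3, 12, 16, 0)),
])

HAVERFORD_SITE = RecoveryPlan("Haverford_Site", [WEBAPP, DB])


def demo() -> dict:
    return plan_recovery_points(HAVERFORD_SITE, ANOMALY_DETECTED_AT)


if __name__ == "__main__":
    for name, point in demo().items():
        print(f"{name}: {point or 'NO CLEAN RECOVERY POINT - review manually'}")
```

The strict "before detection" comparison is the conservative choice: a snapshot taken after the anomaly was detected is rejected even when it carries no flag, and a VM with no clean pre-detection point is reported as None rather than silently falling back to a later snapshot, which is exactly the situation that needs an operator's eyes before an in-place recovery overwrites production.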
Click X to close the Recovery points pop-up.
Click Continue to proceed.
You'll now see a warning. As in-place recovery overwrites the existing virtual machines, you have a final check to prevent accidental clicking: click into the free text field and type RECOVERYPLAN. Once this is done, the Recover button is clickable.
You can now see that the recovery has begun and can track the progress on the Recoveries dashboard. Click Go To Recoveries.
The recovery activity may take a moment to be shown under Recoveries.
Monitor the failover through to completion. This may take a few minutes. Once the recovery is successfully completed, you need to validate that the Haverford website is back up and running.
Open a new tab in your browser, and click the shortcut to the Haverford site. You should see it is back up and running.
Using Cyber Recovery and a few clicks, you got Haverford up and running within the hour vs. days or weeks!