When an organization is hunting for a threat, the approach involves multiple threads, starting from:
A Security Information & Event Management (SIEM) platform to analyze the log data.
A Security Orchestration, Automation & Response (SOAR) platform to pull together the threat data.
Endpoint Detection & Response (EDR) agents to pull information from hosts across the business.
File Integrity Monitoring (FIM) to monitor for file tampering.
Intrusion Detection/Prevention Systems (IDS/IPS) to scan for malicious activity.
...There's a lot going on.
What if you could mine the backups of your environment, hunting for the indicators of compromise (IoC) that your adversary has left, like a breadcrumb trail? You could identify the where, when, and what easily. Even better, because you're hunting with the data held in Rubrik, your adversary has no idea that they are being hunted! This is exactly what Rubrik Threat Hunting enables.
You have become aware of a potential breach. The leadership team needs to know where and when the attacker might have gained a foothold. Once this is known, you can use Rubrik to roll back to a clean point in time.
Rubrik Threat Hunting provides the ability to scan across points in time. Not only can you scan multiple points in time for a single server, but you can also scan across your entire environment. This allows you to determine exactly when and where an Indicator of Compromise was first seen.
While every attack is unique, the MITRE Cyber Attack Lifecycle shown above maps the overall pattern. As you can see, there's a period of time between the point that the bad actor gains runtime in the environment (the Exploit) and the point of Execution (when the payload is activated: for example, when files start to be encrypted in a ransomware attack). When recovering from an attack, it is vital that you not also recover the initially exploited state, leaving the door open for the adversary to execute their payload again.
Once you know the Indicators of Compromise, Rubrik Threat Monitoring & Hunting can search through time and space to identify your clean recovery point. In this way, you can surgically recover with confidence.
As your time is precious, we're not going to make you wait for the hunt to complete, so you should see an already completed hunt based on similar criteria in your dashboard. Click into this.
How many IoCs are returned? Where have the IoCs been found in your environment? Can you see what parameters were used for this threat hunt?
Armed with this information, the Zaffre security team can formulate a plan to recover from such an attack now and regularly test their preparedness for any future attacks. How would you use this in your environment?
Note that this page is optional - if you are short on time, please feel free to move on to the next page, where we explore the results of a threat hunt that is already completed.
At this stage, the definitions of the Threat Hunt are pushed down from the Rubrik control plane to the CDM cluster. The Rubrik control plane has no access to the data in the backups, so the scan is executed on the appliance on-premises (or in the cloud, if using Cloud Cluster).
You can monitor the progress of the threat hunt in the Events tab in Data Protection.
From the app tray in the top-right of the interface, launch Data Protection.
Click on the Events tab and then on Event Logs.
In the filter field, select "Rubrik-Demo1" (A) from the Clusters section and select Threat Hunt (B) from the Event Type section.
It may take a minute or two for the hunt details (C) to appear, as they are first composed on Rubrik Security Cloud, then pushed down to the cluster for execution.
After a few minutes (dependent on the parameters that you specified for the hunt), you should see the hunt move to Completed status. You can then move back to the Threat Hunt interface to explore the findings of the hunt.
Time to build a threat hunt, so you can find the entry point of the adversary!
If you haven't already connected to the Rubrik Security Cloud, head back to the lab environment.
Once logged in:
Click the app tray in the top right.
Launch the Data Threat Analytics app.
Click the Threat Hunts tab.
From this window, we can start to build out our threat hunt.
Click Start Threat Hunt to launch the wizard. From here, you define the criteria for your hunt. You can specify a fully-fledged YARA rule, or you can specify a file hash (such as MD5 or SHA-256) or a file pattern (such as one or more paths, or a specific file extension).
Select YARA Rule
Click Next.
You now specify a YARA rule. The rule provided by the Zaffre team is sourced from the open-source infosec community and can be seen below.
Use the copy button to copy the entire YARA rule and paste it into RSC.
This YARA rule searches for a string defined by a regular expression (which the rule names $eicar_regex), identifying the commonly used EICAR antivirus test file.
Note that for the purposes of this lab, the hunt is for a benign target and demonstrates the capabilities of this feature without unleashing malware into the lab. In the real world, you're probably searching for something malicious!
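The hunt described earlier (walking each object's snapshots across time to find where an indicator was first seen and the last clean recovery point before it) and the three IoC kinds the wizard accepts (a file hash, a file pattern, and a YARA-style content regex like $eicar_regex) as one added Python example. This is not Rubrik's code and does not use Rubrik's API: the snapshot data, the "dropper" sample, the .locked path pattern and the hash set are all constructed for the example, and since the lab's own rule is not reproduced on this page, the EICAR regex below is this example's own rendering of that string.

```python
"""Added example, not Rubrik's code: a small model of hunting IoCs across
snapshots (through time) and across protected objects (across the estate)
to find where an indicator was first seen and the last clean recovery point.
All data below is constructed for the example."""
import hashlib
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    obj: str        # protected object, e.g. a server name (constructed)
    taken: date     # when the snapshot was taken
    files: dict     # path -> file content as bytes


@dataclass(frozen=True)
class Hit:
    obj: str
    taken: date
    path: str
    indicator: str  # which IoC matched


# The EICAR test string is public and benign; it is assembled from two halves
# so that this source file itself is not flagged by AV on the reader's machine.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode()

# Constructed "dropper" sample whose SHA-256 stands in for a hash IoC.
DROPPER = b"constructed dropper sample for the example\n"

# Three IoC kinds, mirroring the wizard's choices: hash, file pattern, and a
# YARA-style content regex (named after the $eicar_regex string in the lab).
IOC_HASHES = {hashlib.sha256(DROPPER).hexdigest()}
IOC_PATH_PATTERNS = {"locked_ext": re.compile(r".*\.locked$")}  # constructed
IOC_CONTENT = {"eicar_regex": re.compile(
    rb"X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*")}


def scan_snapshot(snap, hashes=IOC_HASHES, path_patterns=IOC_PATH_PATTERNS,
                  content=IOC_CONTENT):
    """Return every IoC hit found in a single snapshot."""
    hits = []
    for path, data in snap.files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in hashes:
            hits.append(Hit(snap.obj, snap.taken, path, "sha256:" + digest[:12]))
        for name, pat in path_patterns.items():
            if pat.match(path):
                hits.append(Hit(snap.obj, snap.taken, path, "path:" + name))
        for name, rx in content.items():
            if rx.search(data):
                hits.append(Hit(snap.obj, snap.taken, path, "content:" + name))
    return hits


def hunt(snapshots, hashes=IOC_HASHES, path_patterns=IOC_PATH_PATTERNS,
         content=IOC_CONTENT):
    """Walk each object's snapshots oldest-first and stop at the first one with
    a hit. Per object, return when the IoC was first seen, the hits in that
    snapshot, and the last clean snapshot before it (None when even the oldest
    retained snapshot is already compromised, i.e. no clean point is held)."""
    by_obj = {}
    for snap in sorted(snapshots, key=lambda s: (s.obj, s.taken)):
        by_obj.setdefault(snap.obj, []).append(snap)
    result = {}
    for obj, snaps in by_obj.items():
        first_seen, last_clean, hits = None, None, []
        for snap in snaps:
            hits = scan_snapshot(snap, hashes, path_patterns, content)
            if hits:
                first_seen = snap.taken
                break
            last_clean = snap.taken
        result[obj] = {"first_seen": first_seen, "last_clean": last_clean,
                       "hits": hits}
    return result


# Constructed snapshots: three objects, several points in time each.
SNAPSHOTS = [
    Snapshot("web-01", date(2024, 3, 1), {"/var/www/index.html": b"<html>ok</html>"}),
    # The foothold (dropper) lands a day before the payload becomes visible.
    Snapshot("web-01", date(2024, 3, 2), {"/var/www/index.html": b"<html>ok</html>",
                                          "/tmp/.cache-helper": DROPPER}),
    Snapshot("web-01", date(2024, 3, 3), {"/var/www/index.html": b"<html>ok</html>",
                                          "/tmp/.cache-helper": DROPPER,
                                          "/tmp/eicar.com": EICAR}),
    # db-01 is already hit in its oldest retained snapshot: no clean point.
    Snapshot("db-01", date(2024, 3, 1), {"/data/invoice.pdf.locked": b"\x00\x01"}),
    Snapshot("db-01", date(2024, 3, 2), {"/data/invoice.pdf.locked": b"\x00\x01"}),
    # file-01 is never hit: its latest snapshot is the clean recovery point.
    Snapshot("file-01", date(2024, 3, 1), {"/share/report.docx": b"report"}),
    Snapshot("file-01", date(2024, 3, 3), {"/share/report.docx": b"report v2"}),
]

if __name__ == "__main__":
    for obj, r in hunt(SNAPSHOTS).items():
        print(obj, "first seen:", r["first_seen"], "last clean:", r["last_clean"],
              [h.indicator for h in r["hits"]])
    # Hunting for the payload alone moves first-seen a day later and would pick
    # a recovery point that still contains the dropper.
    payload_only = hunt(SNAPSHOTS, hashes=set(), path_patterns={})
    print("payload-only hunt, web-01 last clean:", payload_only["web-01"]["last_clean"])
```

The web-01 object is the point of the exercise: a hunt that only looks for the ransomware payload (the content rule) reports the first hit on 3 March and would recover to 2 March, a snapshot that still holds the dropper; adding the hash IoC pulls first-seen back to 2 March and the clean point to 1 March. db-01 shows the case where no retained snapshot is clean, which a hunt must report rather than silently choose the oldest one.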
Once you have pasted the above rule into the field, click Next.
Select the Rubrik-Demo1 cluster by selecting its radio button.
Click Next to continue.
Check the box to select all objects protected by the cluster, then click Next.
Give your search a name, then select a timeframe for the search - either the most recent snapshot, or specify start and end dates to scan a time range. If you opt for the latter, you can also limit the number of snapshots scanned per object to complete the hunt in a shorter timeframe. For this lab, you may opt for either option on this screen. Click Next.
On the next screen, you can apply filters to be more specific with your hunt. The more specific you can be, the quicker the hunt will complete. You can leave these as defaults in this lab.
Click Next.
You can add file exclusions, file size, etc., on this page. For now, leave them as default. Click Next.
Review your Threat Hunt parameters, then click Start to begin the hunt.