If you haven't already connected to the Rubrik Security Cloud, head back to the lab environment.
Once you're logged in, click the app-tray icon in the top right of the user interface, and select Data Threat Analytics.
As Rubrik collects each backup snapshot’s metadata, it leverages machine learning to build a perspective of what is going on with the workload. The model is trained to identify trends that exist across all samples and classify new data by their similarities without requiring human input. The result is that Anomaly Detection detects anomalies, analyzes the threat, and helps accelerate recovery with a few clicks.
Anomaly Detection is available in the Rubrik Security Cloud as an application.
Anomaly Detection has a dedicated page that lists potential anomalous incidents with their location, cluster, file details, and snapshot time. If you have Cyber Recovery (discussed in a later section) enabled, objects that are part of a recovery plan will be grouped under that recovery plan.
By looking at this page, you now have an understanding of which systems and applications have been affected by the cyber attack.
Now, let's dive deeper into which folders and files are impacted.
The SecOps team wants to understand the blast radius of the attack. Currently, they can't figure out when the attack started, which applications were affected, and if there is a clean copy to recover from.
You have access to the Rubrik Enterprise edition, so let's start with Data Threat Analytics to see how you can help the SecOps team.
Having access to this kind of information is invaluable. Keeping track of all the anomalies in your environment means that you can take the actions required to find the location of the anomalies and use clean snapshots to recover from the anomalies. There are multiple options for recovery, which we will discuss in the next section.
Expand the Haverford_site recovery plan and click on haverford-webapp-01 VM.
Navigate to Browse.
Expand the Suspicious filter from the left side and select Suspicious as the file type.
Browse and see exactly which files and folders have been affected. In this case, drill down to var > www > html > wp-content > plugins.
You can now see that there are several files that have been encrypted.
Now that you have determined the blast radius, we can proceed to recovery.
Without the Anomaly Detection, it would be a "needle in a haystack" exercise to determine what systems, files, and folders were impacted and where the clean recovery point will be.
Many ransomware recovery plans are based on restoring entire VMs. A ransomware attack doesn’t encrypt every file, so customers shouldn’t need to restore every file to recover. Normal day-to-day business functions routinely change data. These changes are coordinated across multiple files, databases, or even VMs. If you restore files that weren’t affected by a ransomware attack, you may lose transactions or even get out of sync with other systems.
A far better approach would be to incorporate a multi-layered approach such as Rubrik’s instant file recovery into a recovery plan that can make it easy to recover only what you need.
Let's discuss how Zaffre can take advantage of this.
The IT team can navigate to Haverford_Site > haverford-webapp-01 > var > www > html > wp-content > plugins folder as explained in the previous "Determining the blast radius" section.
Clear all the previously selected Suspicious and File Changes filters from the left panel.
Select all the rows of files on the page by selecting the box in the top row next to Name.
After selecting the files, notice that the Recover button becomes available.
Click on Recover and observe the various options available to recover the files.
For now, exit out of the recovery option. We will perform the recovery in a later section.
With Rubrik, multiple options for instant file recovery are available at your fingertips!
From the Data Threat Analytics dashboard, you can see the critical events that were discovered over the past 24 hours. The Threat Summary section displays the number of anomalies detected, the number of malicious objects, and any matched threat hunts in the last 24 hours. You can also filter the data for the past 7 days or 30 days.
Depending on how long ago the labs were pre-provisioned, the Anomaly events may not be visible in the Status section.
Next, at the bottom-left, the Anomalies card displays the total percentage of anomalous and non-anomalous objects for the past 24 hours, 7 days, and 30 days.
Next, at the bottom center, the Threats card displays the total percentage of objects with and without threats for the past 24 hours, 7 days, and 30 days.
At the bottom-right, the Timeline analysis chart shows the number of anomalies and threats found over the past 7 days and 30 days.
Without any deep introspection, you now know the scope of the problem in the production environment. Let's dive in and get more granular.
Click on the Anomaly Detection in the banner on the top.
Rubrik Threat Hunting provides the ability to scan across points in time. Not only can you scan multiple points in time for a single server, but you can also scan across your entire environment. This allows you to determine exactly when and where an Indicator of Compromise was first seen.
While every attack is unique, the MITRE Cyber Attack Lifecycle shown above maps the overall pattern. As you can see, there's a period of time between the point that the bad actor gains runtime in the environment (the Exploit) and the point of Execution (when the payload is activated: for example, when files start to be encrypted in a ransomware attack). When recovering from an attack, it is vital that you not also recover the initially exploited state, leaving the door open for the adversary to execute their payload again.
Once you know the Indicators of Compromise, Rubrik Threat Monitoring & Hunting can search through time and space to identify your clean recovery point. In this way, you can surgically recover with confidence.
When an organization is hunting for a threat, the approach involves multiple threads, starting from:
A Security Information & Event Management (SIEM) platform to analyze the log data.
A Security Orchestration, Automation & Response (SOAR) platform to pull together the threat data.
Endpoint Detection & Response (EDR) agents to pull information from across the business.
File Integrity Monitoring (FIM) to monitor for file tampering.
Intrusion Detection/Prevention Systems (IDS/IPS) to scan for malicious activity.
...there's a lot going on.
What if you could mine the backups of your environment, hunting for the indicators of compromise (IoC) that your adversary has left, like a breadcrumb trail? You could identify the where, when, and what easily. Even better, because you're hunting with the data held in Rubrik, your adversary has no idea that they are being hunted! This is exactly what Rubrik Threat Hunting enables.
You have become aware of a potential breach. The leadership team needs to know where and when the attacker might have gained a foothold. Once this is known, you can use Rubrik to roll back to a clean point in time.
Following this recent attack, the leadership team is keen to explore whether you can proactively scan the backups and identify the most prevalent cyber threats within critical infrastructure before receiving a ransomware note. This proactive approach could expedite investigations, minimize the impact of significant cyber incidents, and mitigate the risk of reinfection.
You have access to the Rubrik Enterprise edition, so let's start with Threat Monitoring to see how you can help the SecOps team.
Time to build a threat hunt, so you can find the entry point of the adversary!
If you haven't already connected to the Rubrik Security Cloud, head back to the lab environment.
Once logged in:
Click the app tray in the top right.
Launch the Data Threat Analytics app.
Click the Threat Hunts tab.
From this window, we can start to build out our threat hunt.
Click Start Threat Hunt to launch the wizard. From here, you define the criteria for your hunt. You can specify a fully fledged YARA rule, or you can specify a file hash (such as MD5 or SHA-256) or a file pattern (such as one or more paths, or a specific file extension).
Select YARA Rule
Click Next.
You now specify a YARA rule. The rule provided by the Zaffre team is sourced from the open-source infosec community and can be seen below.
Use the copy button to copy the entire YARA rule and paste it into RSC.
This YARA rule searches for a string based on a regular expression (which Rubrik stores as $eicar_regex), identifying the commonly used EICAR virus test file.
Note that for the purposes of this lab, the hunt is for a benign target and demonstrates the capabilities of this feature without unleashing malware into the lab. In the real world, you're probably searching for something malicious!
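To make concrete what the wizard's criteria do and what "scanning across points in time" (described in the Threat Hunting introduction above) buys you, here is an added illustration in Python. It is not Rubrik code and does not use the RSC API: it scans constructed snapshots of two objects for a YARA-style regex (my own regex for the EICAR test string, in the spirit of $eicar_regex) and a SHA-256 hash, then reports where each IoC was found, when it was first seen per object, and the latest snapshot before that as the candidate clean recovery point. Object names follow the lab; the dates, paths and the hash-matched blob are made up.

```python
import hashlib
import re
from dataclasses import dataclass

# My own regex for the EICAR test string, in the spirit of the page's $eicar_regex.
EICAR_REGEX = re.compile(
    rb"X5O!P%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!\$H\+H\*")
# Constructed sample contents: the EICAR string, and a stand-in "dropped binary" hunted by hash.
EICAR_SAMPLE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BLOB_SAMPLE = b"constructed stand-in for a dropped binary"
BLOB_SHA256 = hashlib.sha256(BLOB_SAMPLE).hexdigest()

@dataclass
class Snapshot:
    object_name: str  # protected object (VM, file share, ...)
    taken_at: str     # ISO date, so string order equals time order
    files: dict       # path -> file bytes

def file_matches(data, regexes, sha256_hashes):
    """An IoC hit is a YARA-style string/regex match or a SHA-256 hash match."""
    return any(r.search(data) for r in regexes) or hashlib.sha256(data).hexdigest() in sha256_hashes

def hunt(snapshots, regexes=(), sha256_hashes=frozenset(), start=None, end=None):
    """Per object: every (snapshot, path) hit in the date range, when the IoC was first seen,
    and the latest snapshot before that, i.e. the candidate clean recovery point."""
    by_object = {}
    for s in snapshots:
        if (start is None or s.taken_at >= start) and (end is None or s.taken_at <= end):
            by_object.setdefault(s.object_name, []).append(s)
    report = {}
    for obj, snaps in by_object.items():
        snaps.sort(key=lambda s: s.taken_at)
        hits = [(s.taken_at, path) for s in snaps for path, data in sorted(s.files.items())
                if file_matches(data, regexes, sha256_hashes)]
        first_seen = hits[0][0] if hits else None
        clean = [s.taken_at for s in snaps if first_seen is None or s.taken_at < first_seen]
        report[obj] = {"hits": hits, "first_seen": first_seen,
                       "clean_point": clean[-1] if clean else None}
    return report

NOTES = {"share/readme.txt": b"notes"}
WEB = {"var/www/html/index.php": b"<?php echo 1;"}
SAMPLE_SNAPSHOTS = [  # constructed; object names follow the lab, dates and paths are made up
    Snapshot("Windows File Share", "2024-05-01", NOTES),
    Snapshot("Windows File Share", "2024-05-02", {**NOTES, "share/eicar.com": EICAR_SAMPLE}),
    Snapshot("Windows File Share", "2024-05-03", {"share/eicar.com": EICAR_SAMPLE}),
    Snapshot("haverford-webapp-01", "2024-05-01", WEB),
    Snapshot("haverford-webapp-01", "2024-05-02", {**WEB, "var/www/html/wp-content/plugins/x.so": BLOB_SAMPLE}),
    Snapshot("haverford-webapp-01", "2024-05-03", WEB),
]
```

Running `hunt(SAMPLE_SNAPSHOTS, [EICAR_REGEX], {BLOB_SHA256})` finds the hash-matched file only in the web app's middle snapshot, so a hunt restricted to the latest snapshot would miss it and report the wrong clean point.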
Once you have pasted the above rule into the field, click Next.
Select the Rubrik-Demo1 cluster by checking the radio button.
Click Next to continue.
Check the box to select all objects protected by the cluster, then click Next.
Give your search a name, then select a timeframe for the search - either the most recent snapshot, or specify start and end dates to scan a time range. If you opt for the latter, you can also limit the number of snapshots scanned per object to complete the hunt in a shorter timeframe. For this lab, you may opt for either option on this screen. Click Next.
On the next screen, you can apply filters to be more specific with your hunt. The more specific you can be, the quicker the hunt will complete. You can leave these as defaults in this lab.
Click Next.
You can add file exclusions, file size, etc., on this page. For now, leave them as default. Click Next.
Review your Threat Hunt parameters, then click Start to begin the hunt.
Note that this page is optional - if you are short on time, please feel free to move on to the next page, where we explore the results of a threat hunt that is already completed.
At this stage, the definitions of the Threat Hunt are pushed down from the Rubrik control plane, down to the CDM cluster. The Rubrik control plane has no access to the data in the backups, and so the scan is executed on the appliance on-premises (or in the cloud, if using Cloud Cluster).
You can monitor the progress of the threat hunt in the Events tab in Data Protection.
From the app-tray in the top-right of the interface, launch Data Protection.
Click on the Events tab and then on Events Logs.
In the filter field, select "Rubrik-Demo1" (A) from the Clusters section and select Threat Hunt (B) from the Event Type section.
It may take a minute or two for the hunt details (C) to appear, as they are first composed on Rubrik and then pushed down to the cluster for execution.
After a few minutes (dependent on the parameters that you specified for the hunt), you should see the hunt move to Completed status. You can then move back to the Threat Hunt interface to explore the findings of the hunt.
As your time is precious, we're not going to make you wait for the hunt to complete, and you should see an already completed hunt based on similar criteria in your dashboard. Click on the completed hunt.
How many IoCs are returned? Where have the IoCs been found in your environment? Can you see what parameters were used for this threat hunt?
Armed with this information, the Zaffre security team can formulate a plan to recover from such an attack now and regularly test their preparedness for any future attacks. How would you use this in your environment?
Rubrik Threat Monitoring automatically scans the backup for the most active IOCs based on the Rubrik Threat Intelligence feed. In case of a match, the object and IOC details are displayed on the Threat Monitoring dashboard. The Rubrik Threat Monitoring consists of intelligence in the form of YARA rules and Hashes and combines intelligence from third-party threat feeds with proprietary intelligence from Rubrik Zero Labs (Rubrik’s data threat intelligence unit) and Rubrik’s InfoSec team. The feed is automatically updated with the latest active IOCs.
If you haven't already connected to the Rubrik Security Cloud, head back to the lab environment.
Once logged in:
Click the app tray in the top right.
Launch the Data Threat Analytics app.
Click the Threat Monitoring tab.
As mentioned earlier, you can see the object details on the Threat Monitoring dashboard if there are any IOC matches.
Threat Monitoring has identified an object with an IOC match derived from the Rubrik Threat Intelligence feed.
On the dashboard, you will observe details (A) such as:
Object name
The number of file matches
The time when the match was detected
Match Type
Now, to get the details of the IOC, click on Windows File Share.
You can also observe details (A) such as:
File name and size
The first matched snapshot
Match Type
The time when the match was detected
On the right panel, you can observe the details (B) such as:
The path for the specific file
Indicators of compromise (IOC) details including the IOC name, the threat intelligence source, the file hashes of the malicious file, the author of the IOC, and the IOC description
The affected snapshots indicated by Threat Monitoring
Armed with this information, the Zaffre security team can formulate a quarantine plan and recover from a clean snapshot.
Without the Threat Detection app, you cannot use up-to-date threat intelligence to find lurking threats early!
Based on the direction from the SOC team, you will now quarantine the threat to ensure you don't use this snapshot for recovery and avoid any reinfection.
To get started:
Select the eicar.com file.
Click QUARANTINE next to the (...) ellipsis.
On the Quarantine Objects wizard, click QUARANTINE.
Click DONE.
Congratulations on quarantining the threat!
You can now use the hash values (MD5, SHA256, SHA1) to run a complete Threat Hunt to ensure no other older snapshots are affected by the IOC.
With Threat Monitoring, you now have a proactive approach to cybersecurity. You can now stay ahead of the threat landscape, decrease risk exposure, and minimize the potential impact of security incidents.