CyberSense Guide for Cyber Recovery

Introduction

This guide describes using Index Engines’ CyberSense when deployed in a Dell EMC Cyber Recovery environment. CyberSense is integrated with Cyber Recovery to streamline deployment and administration options.

CyberSense provides two distinct capabilities:

  1. CyberSense audits the data managed by Cyber Recovery to detect signs of corruption due to trojans and ransomware. CyberSense does this through its use of analytics and machine learning. When CyberSense detects any sign of corruption, it delivers an alert to the Cyber Recovery dashboard.
  2. When data is corrupted due to a cyberattack, CyberSense provides a number of post-attack forensic reports for diagnosis and recovery from the attack.

Configuration and Administration

The first step is to add CyberSense to Cyber Recovery:

  • Please refer to the Cyber Recovery documentation on Adding a Vault Application.
  • Add Index Engines CyberSense as an application in Cyber Recovery.

Next, add a CyberSense analytics policy to scan data:

  • Refer to the Cyber Recovery documentation on Adding a Schedule for CyberSense.
  • Define the policy for scans of the Cyber Recovery data source and define the schedule.

Monitor CyberSense jobs:

  • Refer to Cyber Recovery documentation on Monitoring Jobs.

CyberSense Alerts

CyberSense alerts appear as Critical alerts in the Cyber Recovery dashboard.

  • NOTE: In the current implementation, CyberSense delivers alerts via email. This option is typically used in environments that have a data diode installed and configured for SMTP traffic, with one-way communication out of the vault while maintaining the air-gapped environment.

Refer to the Cyber Recovery User Manual for information about alerts. An example of a CyberSense Critical alert is shown below:

Post-Attack Forensics

CyberSense includes a number of reports that help in the diagnosis and recovery from a cyberattack. These reports are available through the Index Engines user interface.

Once an alert is detected, the user can leverage the information to determine the steps for a recovery plan.

Detailed Analytics

If email alerts are enabled, CyberSense sends an email alert stating that an infected backup set was detected. The email includes an attached text file. The text file contains a full listing of all the statistics generated by CyberSense analytics. Also included is information on the specific attack vector that was detected.

The attack vector is determined using the analytics, knowledge of how these analytics change over time, and then by processing the data with machine-learning algorithms. The email includes a number that corresponds to the specific attack vector.

Attack Vectors

As of this writing, there are 27 classes of attack vectors. The attack vector provides the details about the corruption caused by the current cyberattack. Find the current list of attack vectors in the Appendix.

The six attack vectors listed below are the most common; others are more obscure:

  1. Strong Encrypt w/ Original Filename
  2. Partial Strong Encrypt w/ Original Filename
  3. RMS/MS_EFS Strong Encrypt
  4. Strong Encrypt w/ New Known Extension
  5. Partial Strong Encrypt w/ New Known Extension
  6. Strong Encrypt w/ Obfuscated Filename

Diagnosis of Data Corruption

CyberSense provides several detailed reports that will assist in the diagnosis of and recovery from an attack.

Corrupt Files Listing

  • To access these reports, log in to the Index Engines CyberSense web-based user interface. Use the IP address or hostname defined during the installation with the provided username and password.
  • Open the Search page by clicking Search located along the top right side of the page.

Query for Corrupt Documents that Index Engines tagged as suspect

First search for documents suspected to have caused the corruption.

  • Click Queries to expand the Queries panel, located toward the bottom left below the Filters panel:

  • In the Index Preferences panel for the Known Files option, uncheck “Ignore NIST files” which allows the search to return files of this type if they are corrupted.

  • Type this query into the Current Query box: tag:/suspect and then click Search.

Download the List of Corrupt Files

  • A complete listing of likely corrupt files is displayed:

  • This listing can be customized, and also downloaded to a text file. To download, select all the files you wish to export. Then click the Select Action drop-down menu. Choose a download option.

Get Summary Reports

Next you can choose from standard summary reports for more detailed forensic analysis. Select the reports you are interested in on the Search->Preferences page. Each report organizes the list of corrupt files based on your selection:

  • Click Search.
  • On the Reports tab, click the drop-down Report menu to select a summary report, such as the File Type report:

  • The File Type report shows the true file type (based on the file header) of the corrupt files:
  • A report on Hosts shows the location of all the corrupt files:

  • An Owner report shows the owner of the corrupt files:

  • An Extension report shows the extension (which could include .lol, .encrypted, etc) of the corrupt files:

  • All the different reports you chose on the Search->Preferences page can be downloaded in PDF or CSV format, or you can download only the currently selected report:

Last Good File Listing

  • Click to open the Queries panel. Type this query: tag:/previous and then click Search. A listing of the last good version of all files (prior to corruption) is displayed:

  • The listing of files can be downloaded to a CSV text file. You can customize the metadata fields to be included in the text file.
  • Click the Preferences tab. Under CSV Fields, select the file properties to be included in the CSV, including those that provide information about the backup.

More detailed reports on the last good backup sets containing the last good version of a file are provided in the next two sections: Event Logs Analysis and Last Good Backup Analysis.

Event Logs Analysis

CyberSense provides event logs that indicate the last user account that modified a file as well as the executable that was used. For example, if 1,000 files were encrypted, third-party event log tools could determine which user account was utilized for the encryption and could identify the executable (malware) that was employed.

  • Select the Preferences tab.

  • Under CSV Fields, select any metadata fields you wish to export into a CSV file, such as the file name, path, owner, last modified date, etc.
  • Click Save.
  • Click Search to run the tag:/suspect query.
  • Select all the files you would like to include in the analysis:

  • Under Selection Action, choose an option to download a full file listing to a CSV. It will include the file name and path.

  • Import the CSV to the 3rd party Event Log analysis tool to determine the user account and executable that performed the data corruption.
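The correlation step the last bullet hands to a third-party tool, as an added example that is not part of this guide or of CyberSense: it reads a tag:/suspect CSV export, joins it on path against write events, and ranks the (account, executable) pairs by how many suspect files they touched. The CSV columns, the event record layout, and all paths, accounts and process names are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample of a CyberSense tag:/suspect CSV export. The columns are the
# CSV Fields chosen under Preferences; these four, the paths and the owners are assumed.
SUSPECT_CSV = """Name,Path,Owner,Last Modified
budget.xlsx.encrypted,/finance/budget.xlsx.encrypted,jdoe,2023-01-15T02:14:09
q4.docx.encrypted,/finance/q4.docx.encrypted,jdoe,2023-01-15T02:14:11
readme.txt,/shared/readme.txt,asmith,2022-11-02T09:00:00
"""

# Constructed, simplified records as a third-party event-log tool might export them:
# which account and executable wrote to which path. The record layout is assumed.
EVENTS = [
    {"time": "2023-01-15T02:14:09", "account": "CORP\\svc_backup",
     "process": "C:\\Temp\\update.exe", "path": "/finance/budget.xlsx.encrypted"},
    {"time": "2023-01-15T02:14:11", "account": "CORP\\svc_backup",
     "process": "C:\\Temp\\update.exe", "path": "/finance/q4.docx.encrypted"},
    {"time": "2022-11-02T09:00:00", "account": "CORP\\asmith",
     "process": "WINWORD.EXE", "path": "/shared/readme.txt"},
    {"time": "2023-01-15T02:15:00", "account": "CORP\\svc_backup",
     "process": "C:\\Temp\\update.exe", "path": "/finance/untouched.xlsx"},
]

def parse_suspect_csv(text):
    """Read the exported listing into one dict per suspect file."""
    return list(csv.DictReader(io.StringIO(text)))

def correlate(suspect_rows, events):
    """Count, per (account, executable), how many suspect files it wrote to."""
    # most_common() puts the account and binary behind a mass encryption first
    suspect_paths = {row["Path"] for row in suspect_rows}
    hits = Counter()
    for ev in events:
        if ev["path"] in suspect_paths:
            hits[(ev["account"], ev["process"])] += 1
    return hits.most_common()

def uncovered(suspect_rows, events):
    """Suspect files with no matching write event: a gap in audit coverage."""
    seen = {ev["path"] for ev in events}
    return sorted(row["Path"] for row in suspect_rows if row["Path"] not in seen)

if __name__ == "__main__":
    rows = parse_suspect_csv(SUSPECT_CSV)
    for (account, process), n in correlate(rows, EVENTS):
        print(f"{n:4d} suspect files written by {account} via {process}")
    print("no event for:", uncovered(rows, EVENTS))
```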

Get Custom Reports

Create a custom report that will show the corrupt files by backup set.

Last Good Backup Analysis

CyberSense can report on the last good backup set. These backup sets can exist on several different incremental backups that were run over a period of time. Index Engines identifies the last good backup set based on analytics and machine learning. This good backup set will have no signs of data corruption.

  • Note: The ransomware executable could still exist within the backup set.

Begin by creating a custom report.

  • Select the Preferences tab.
  • Under Custom Reports, select Add New Report:

  • The Custom Report Builder opens:

  • Click and drag the properties you wish to see in the report. In this example, the fields Hosts and Path were added to the left column, and Backup Time, BackupSet ID and # of Files added to the top row.
  • Provide a name for the report and click Save.
  • Select the Preferences tab. On the list of custom reports, make sure the report you created is checked. Then click Save.

  • Select the Custom tab.

  • Click to open the Queries panel. Type this query: tag:/previous and then from this page, click Search.

  • A complete listing of the last good version of all files (prior to corruption) is displayed.
  • Open the Report Name drop-down menu, and select the name of the report you created:

  • The report runs and makes the results available for download:

  • Download the CSV. The CSV report will include the metadata fields you selected for the report.

  • The report can be imported to Excel or other reporting tools.
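The pivot the custom report performs (Hosts and Path against Backup Time, BackupSet ID and # of Files), as an added example that is not part of this guide or of CyberSense, applied to a downloaded tag:/previous CSV so the last good backup sets per host can be read off without a spreadsheet. The column names, host names, paths, timestamps and backup set IDs are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a tag:/previous CSV export carrying the fields used in the
# custom report above (Host, Path, Backup Time, BackupSet ID). Values are assumed.
PREVIOUS_CSV = """Host,Path,Backup Time,BackupSet ID
fs01,/finance/budget.xlsx,2023-01-14T22:00:00,BS-1041
fs01,/finance/q4.docx,2023-01-14T22:00:00,BS-1041
fs01,/finance/old_plan.docx,2023-01-07T22:00:00,BS-1032
fs02,/hr/roster.xlsx,2023-01-13T22:00:00,BS-1039
"""

def build_report(text):
    """Pivot the export into host -> [(backupset_id, backup_time, n_files)], newest first.

    A last good version can sit in any of several incremental sets, so one host
    may list more than one set; every set listed is needed for a full restore.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(text)):
        counts[row["Host"]][(row["BackupSet ID"], row["Backup Time"])] += 1
    report = {}
    for host, sets in counts.items():
        rows = [(sid, when, n) for (sid, when), n in sets.items()]
        # ISO-8601 timestamps sort correctly as plain strings
        report[host] = sorted(rows, key=lambda r: r[1], reverse=True)
    return report

def restore_plan(text):
    """host -> backupset_id -> sorted paths to pull from that set."""
    plan = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(text)):
        plan[row["Host"]][row["BackupSet ID"]].append(row["Path"])
    return {h: {s: sorted(p) for s, p in sets.items()} for h, sets in plan.items()}

if __name__ == "__main__":
    for host, sets in build_report(PREVIOUS_CSV).items():
        for sid, when, n in sets:
            print(f"{host}: {n} last good file(s) in {sid} taken {when}")
```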

Appendix: Attack Vectors

Each attack vector is associated with a number as shown in the following list:

  1. Benign
  2. Strong Encrypt w/ Original Filename
  3. Partial Strong Encrypt w/ Original Filename
  4. RMS/MS_EFS Strong Encrypt
  5. Strong Encrypt w/ New Known Extension
  6. Partial Strong Encrypt w/ New Known Extension
  7. Strong Encrypt w/ Obfuscated Filename
  8. Partial Strong Encrypt w/ Obfuscated Filename
  9. Individual Archival
  10. Decoy Replacement
  11. Group Archive
  12. Wiper
  13. Attack Raw Disk
  14. Encrypt Database Page
  15. New File Extension
  16. Obfuscate Filename
  17. Weak Encrypt w/ New File Extension
  18. Weak Encrypt w/ Original Filename
  19. Partial Encrypt w/ Obfuscate Filename
  20. Inside Encrypt w/ Original Filename
  21. Partial Weak Encrypt w/ Original Filename and File Type
  22. Weak Encrypt w/ Obfuscated Filename
  23. Group Archive Maintaining Wiped Original Filename
  24. Strong Encrypt w/ New Known Extension- Wipes Duplicate Files
  25. Zero-fill w/ New Known Extension
  26. Zero-fill w/ Original Filename
  27. Zero-fill w/ Obfuscated Filename
  28. Unknown