1 of 76

Is my data clean?�Cyber Recovery in action

Daniel.Olkowski@dell.com

Daniel.Olkowski@dell.com

The most fresh ppt version of this document, you will find at:�http://backuprecoveryguy.blogspot.com/2022/07/backup-and-recovery-materials.html

Polish video covering Cyber Recovery:�https://youtu.be/SjmM60ZhPHw

© Copyright 2020 Dell Inc.

1

of 20

Internal Use - Confidential

2 of 76

Daniel.Olkowski@dell.com

Czy dane w mojej firmie są czyste?

Jak zatrzymać atak �hacker / ransomware?

Jak odtworzyć utracone dane?

Dlaczego / Technologia / Demo

© Copyright 2020 Dell Inc.

2

of 20

Internal Use - Confidential

3 of 76

Agenda

  • Cyber Bunker
  • What can we do in Cyber Bunker?
  • What is CyberSense?
  • What does CyberSense provide?
  • Why to check data in Cyber Bunker?
  • CyberSense workflow

© Copyright 2020 Dell Inc.

3

of 20

Internal Use - Confidential

4 of 76

Agenda

  • CyberSense infrastructure
  • CyberSense unique points
  • CyberSense Forensic analysis
  • CyberSense reports
  • Licensing

© Copyright 2020 Dell Inc.

4

of 20

Internal Use - Confidential

5 of 76

Video – CyberSense

  • CyberSense – How to recover after hacker/ransomware attack?�https://youtu.be/ul5PHkq83Nk

  • CyberSense – Jak się odtworzyć po ataku ransomware/hacker?�https://youtu.be/q0qvfbnzXOw

© Copyright 2020 Dell Inc.

5

of 20

Internal Use - Confidential

6 of 76

What is Cyber Bunker?�Componentes

© Copyright 2020 Dell Inc.

6

of 20

Internal Use - Confidential

7 of 76

Cyber Bunker answers for the following questions:

  • What if I am encrypted?
  • Am I being encrypted?
  • Who encrypts me?
  • How to stop being encrypted?
  • Which copy to use to recover?
  • How to recover?

© Copyright 2020 Dell Inc.

7

Internal Use - Confidential

8 of 76

CyberSense part

  • What if I am encrypted?
  • Am I being encrypted?
  • Who encrypts me?
  • How to stop being encrypted?
  • Which copy to use to recover?
  • How to recover?

© Copyright 2020 Dell Inc.

8

Internal Use - Confidential

9 of 76

Castle strategy

© Copyright 2020 Dell Inc.

9

of 20

Internal Use - Confidential

10 of 76

Castle strategy

© Copyright 2020 Dell Inc.

10

of 20

Internal Use - Confidential

11 of 76

Ambulance

strategy

© Copyright 2020 Dell Inc.

11

of 20

Internal Use - Confidential

12 of 76

IT Infrastructure

Data Domain

Any backup�software

Backup

Recovery

SITE A

IT Infrastructure

Any backup�software

Backup

Recovery

SITE B

Disaster Recovery

1% data transfer

100% recovery

Data Domain

Air Gap

Cyber Bunker

Cyber

Recovery

Checking

ransomware

PLAN B – Secure data & Recovery

Compliance

No possibility to change data

Ransomware

protection

Secure

Historical

backups

Recovery

automation

Data Domain

Separation

from production

Cyber

Sense

Backup

software

Sandbox

Any tests

Ransomware

protection

Management

and automation

Dell - Internal Use - Confidential

12

of Y

Internal Use - Confidential

13 of 76

What can we do in �Cyber Bunker?

© Copyright 2020 Dell Inc.

13

of 20

Internal Use - Confidential

14 of 76

Air Gap

Cyber Bunker

Cyber

Recovery

Checking

ransomware

PLAN B – Secure data & Recovery

Compliance

No possibility to change data

Secure

Historical

backups

Recovery

automation

Data Domain

Separation

from production

Management

and automation

Cyber

Sense

Backup

software

Sandbox

Any tests

We have data

after cyber attack

Check data �if compromised

Restore

Tests

Dell - Internal Use - Confidential

14

of Y

Internal Use - Confidential

15 of 76

What is CyberSense?

© Copyright 2020 Dell Inc.

15

of 20

Internal Use - Confidential

16 of 76

What is CyberSense?

  • What if I am encrypted?
  • Am I being encrypted?
  • Who encrypts me?
  • How to stop being encrypted?
  • Which copy to use to recover?
  • How to recover?

© Copyright 2020 Dell Inc.

16

Internal Use - Confidential

17 of 76

Most common vector attacks

Encryption

Data corruption

Deleting improtant data

...

Dell - Internal Use - Confidential

17

of Y

Internal Use - Confidential

18 of 76

Are cyber attacks bypass our real time protection?

Can we assure our data’s integrity?

How do we know your data is not already corrupted?

CyberSense answers the questions:

Which copy to use to recover?

Dell - Internal Use - Confidential

18

of Y

Internal Use - Confidential

19 of 76

Real time ransomware protection

Essential but can be defeated

Attack vector 1

Attack vector 2

Attack vector 3

Dell - Internal Use - Confidential

19

of Y

Internal Use - Confidential

20 of 76

Dell - Internal Use - Confidential

20

of Y

Internal Use - Confidential

21 of 76

Dell - Internal Use - Confidential

21

of Y

Internal Use - Confidential

22 of 76

What is CyberSense?

Detects

Diagnose

Allow to

recover

Dell - Internal Use - Confidential

22

of Y

Internal Use - Confidential

23 of 76

What does CyberSense provide?

© Copyright 2020 Dell Inc.

23

of 20

Internal Use - Confidential

24 of 76

Value of CyberSense

Checking

data integrity

All the time monitors data for signs of corruption

Diagnose and Recover

Post attack tools to take action on damage

Dell - Internal Use - Confidential

24

of Y

Internal Use - Confidential

25 of 76

Why to check data in �Cyber Bunker?

© Copyright 2020 Dell Inc.

25

of 20

Internal Use - Confidential

26 of 76

Production

Air Gap

Cyber Bunker

Cyber

Recovery

Checking

ransomware

PLAN B – Secure data & Recovery

Compliance

No possibility to change data

Secure

Historical

backups

Recovery

automation

Data Domain

Separation

from production

Cyber

Sense

Backup

software

Sandbox

Any tests

Management

and automation

Encrypted?

Exploit?

Dell - Internal Use - Confidential

26

of Y

Internal Use - Confidential

27 of 76

IT Infrastructure

Data Domain

Any backup�software

Backup

Recovery

SITE A

Air Gap

Cyber Bunker

Cyber

Recovery

Checking

ransomware

PLAN B – Secure data & Recovery

Compliance

No possibility to change data

Secure

Historical

backups

Recovery

automation

Data Domain

Separation

from production

Cyber

Sense

Backup

software

Sandbox

Any tests

Ransomware

protection

Management

and automation

Isolation

Why shall we scan data at Cyber Bunker?

Out of

criminal eyes

Consistent data

Load

Dell - Internal Use - Confidential

27

of Y

Internal Use - Confidential

28 of 76

IT Infrastructure

Data Domain

Any backup�software

Backup

Recovery

SITE A

Air Gap

Cyber Bunker

Cyber

Recovery

Checking

ransomware

PLAN B – Secure data & Recovery

Compliance

No possibility to change data

Secure

Historical

backups

Recovery

automation

Data Domain

Separation

from production

Cyber

Sense

Backup

software

Sandbox

Any tests

Ransomware

protection

Management

and automation

There was a virus, which in specific type of activates (protection software) was moving to somewhere else.

In Cyber Bunker we have a photo. No escape.

Please note that even now, in films – where there super technology – still camera snapshot is used as investigation method. The criminal can not escape, gold ring under the desk cannot be removed and can be proof, source for deduction.

Why shall we scan data at Cyber Bunker?

Real case

Dell - Internal Use - Confidential

28

of Y

Internal Use - Confidential

29 of 76

CyberSense workflow

© Copyright 2020 Dell Inc.

29

of 20

Internal Use - Confidential

30 of 76

CyberSense Workflow

Dell - Internal Use - Confidential

30

of Y

Internal Use - Confidential

31 of 76

1. Scan

CyberSense scans critical data sources in Cyber Bunker.

What is scanned?

  • Files
  • Databases
  • Metadata

The result creates observation

Dell - Internal Use - Confidential

31

of Y

Internal Use - Confidential

32 of 76

Status of previous checks

Scanning existing production copies in Cyber Bunker

Dell - Internal Use - Confidential

32

of Y

Internal Use - Confidential

33 of 76

Dell - Internal Use - Confidential

33

of Y

Internal Use - Confidential

34 of 76

We can schedule scanning

Dell - Internal Use - Confidential

34

of Y

Internal Use - Confidential

35 of 76

Dell - Internal Use - Confidential

35

of Y

Internal Use - Confidential

36 of 76

2. Analytics

Over 100 stastistcs

based on the observation

  • Entropy
  • Similarity
  • Corruption
  • Massive deletion / creation

Dell - Internal Use - Confidential

36

of Y

Internal Use - Confidential

37 of 76

Data types

Files

Core Infrastructure:

  • DNS
  • Active Directory
  • LDAP

Databases / App:

  • Oracle
  • SQL
  • DB2
  • SharePoint
  • Epic Cache

Dell - Internal Use - Confidential

37

of Y

Internal Use - Confidential

38 of 76

Backup software

Databases / Apps

AD / LDAP / DNS

Filesystems

Backup format

CyberSense

Understands backup �application format

Dell - Internal Use - Confidential

38

of Y

Internal Use - Confidential

39 of 76

3. Analysis

Stastistics are analyzed by Machine Learning

Indication if a data �attack took place

We see results in Cyber Recovery panel

Dell - Internal Use - Confidential

39

of Y

Internal Use - Confidential

40 of 76

Status of previous checks

Info from Machine Learning

Dell - Internal Use - Confidential

40

of Y

Internal Use - Confidential

41 of 76

4. Repeat

The process repeats:

  • Cyber Bunker gets new production copies
  • Statistics -> observation
  • Machine Learning analysis
    • Comparison with previous observations to see how data changes

Dell - Internal Use - Confidential

41

of Y

Internal Use - Confidential

42 of 76

5. Invstigate

Anaylysis, reports to

  • Find corrupted data
  • Diagnose type of ransomware
  • Recover

Dell - Internal Use - Confidential

42

of Y

Internal Use - Confidential

43 of 76

CyberSense Infrastructure

© Copyright 2020 Dell Inc.

43

of 20

Internal Use - Confidential

44 of 76

CyberSense requirements

CyberSense

Virtual Machine

or federated

Virtual Machines

Working

together

Requirements:

6-20 CPUs

128GB-400GB memory

Sizer:

* Exact specification

* Number of VMs

Depends on

* number of scanned front end data

* change rate

* type of data (databases?)

Dell - Internal Use - Confidential

44

of Y

Internal Use - Confidential

45 of 76

CyberSense �Unique points

© Copyright 2020 Dell Inc.

45

of 20

Internal Use - Confidential

46 of 76

Structure of file (document / database)

File Metadata

Name, extensions,

size, time, path, …

Document Metadata

Type, Structure

Content

Change extension, file size, ..

File type mismatch, Corrupt file structure, …

Partial encryption, Corrupted content, …

More

sophisticated

attacks

Dell - Internal Use - Confidential

46

of Y

Internal Use - Confidential

47 of 76

Let’s compare 2 files

© Copyright 2020 Dell Inc.

47

of 20

Internal Use - Confidential

48 of 76

Metadata only analytics will not detect corruption

© Copyright 2020 Dell Inc.

48

of 20

Internal Use - Confidential

49 of 76

Content analytics detects attack

Requires algorytms and power

© Copyright 2020 Dell Inc.

49

of 20

Internal Use - Confidential

50 of 76

Attack vectors that maintain valid file extensions

© Copyright 2020 Dell Inc.

50

of 20

Internal Use - Confidential

51 of 76

CyberSense �Forensic analysis

© Copyright 2020 Dell Inc.

51

of 20

Internal Use - Confidential

52 of 76

CyberSense Workflow

Comprehensive index

Changes on content over time

Security Analytics

100+ statistics indicative of cyber attack

Machine Learning

Trained against attack vectors

Dell - Internal Use - Confidential

52

of Y

Internal Use - Confidential

53 of 76

CyberSense Workflow

Comprehensive index

Changes on content over time

Security Analytics

100+ statistics indicative of cyber attack

Machine Learning

Trained against attack vectors

Attack vector

The result of CyberSense job

Dell - Internal Use - Confidential

53

of Y

Internal Use - Confidential

54 of 76

CyberSense Workflow

Comprehensive index

Changes on content over time

Security Analytics

100+ statistics indicative of cyber attack

Machine Learning

Trained against attack vectors

Attack vector

The result of CyberSense job

Detailed list of corrupted files

Dell - Internal Use - Confidential

54

of Y

Internal Use - Confidential

55 of 76

CyberSense Workflow

Comprehensive index

Changes on content over time

Security Analytics

100+ statistics indicative of cyber attack

Machine Learning

Trained against attack vectors

Attack vector

The result of CyberSense job

Detailed list of corrupted files

Source of the attack

Dell - Internal Use - Confidential

55

of Y

Internal Use - Confidential

56 of 76

CyberSense Workflow

Comprehensive index

Changes on content over time

Security Analytics

100+ statistics indicative of cyber attack

Machine Learning

Trained against attack vectors

Attack vector

The result of CyberSense job

Detailed list of corrupted files

Source of the attack

Last good copy

Dell - Internal Use - Confidential

56

of Y

Internal Use - Confidential

57 of 76

Main page

Dell - Internal Use - Confidential

57

of Y

Internal Use - Confidential

58 of 76

Status of previous checks

Info from Machine Learning

Dell - Internal Use - Confidential

58

of Y

Internal Use - Confidential

59 of 76

Job status

Last good copy

Dell - Internal Use - Confidential

59

of Y

Internal Use - Confidential

60 of 76

Email notyfication

Dell - Internal Use - Confidential

60

of Y

Internal Use - Confidential

61 of 76

CyberSense reports

© Copyright 2020 Dell Inc.

61

of 20

Internal Use - Confidential

62 of 76

CyberSense detailed reports

Statistics

Observations

Machine Learning

  • Entropy
  • Similarity
  • Deletions
  • Creations
  • File corruptions
  • File type mismatch
  • Ransomware exetensions

© Copyright 2020 Dell Inc.

62

of 20

Internal Use - Confidential

63 of 76

Deleted files entropy count

© Copyright 2020 Dell Inc.

63

of 20

Internal Use - Confidential

64 of 76

Ransmoware extension count

File type mismatch count

Enropy scores

Backup size comparing to previous backup size (high value means small de-duplication)

© Copyright 2020 Dell Inc.

64

of 20

Internal Use - Confidential

65 of 76

Ransmoware extension count

File type mismatch count

Enropy scores

Backup size comparing to previous backup size (high value means small de-duplication)

We do not need to look into that

If there is attack, CyberSense analysis all the info and provides deterministic attack vector

We have this report for every observation

© Copyright 2020 Dell Inc.

65

of 20

Internal Use - Confidential

66 of 76

Attack vectors

  1. Strong Encrypt w/ Original Filename
  2. Partial Strong Encrypt w/ Original Filename
  3. RMS/MS_EFS Strong Encrypt
  4. Strong Encrypt w/ New Known Extension
  5. Partial Strong Encrypt w/ New Known Extension
  6. Strong Encrypt w/ Obfuscated Filename
  7. Partial Strong Encrypt w/ Obfuscated Filename,1,"
  8. Individual Archival
  9. Decoy Replacement
  10. Group Archive
  11. Wiper
  12. Attack Raw Disk
  13. Encrypt Database Page
  1. Strong Encrypt w/ Original New File Extension
  2. Obfuscate Filename
  3. Weak Encrypt w/ New File Extension
  4. Weak Encrypt w/ Original Filename
  5. Partial Encrypt w/ Obfuscate Filename
  6. Inside Encrypt w/ Original Filename
  7. Partial Weak Encrypt w/ Original Filename and File Type
  8. Weak Encrypt w/ Obfuscated Filename
  9. Group Archive Maintaining Wiped Original Filename
  10. Strong Encrypt w/ New Known Extension- Wipes Duplicate Files
  11. Zero-fill w/ New Known Extension
  12. Zero-fill w/ Original Filename
  13. Zero-fill w/ Obfuscated Filename

Dell - Internal Use - Confidential

66

of Y

Internal Use - Confidential

67 of 76

Attack vectors

  1. Strong Encrypt w/ Original Filename
  2. Partial Strong Encrypt w/ Original Filename
  3. RMS/MS_EFS Strong Encrypt
  4. Strong Encrypt w/ New Known Extension
  5. Partial Strong Encrypt w/ New Known Extension
  6. Strong Encrypt w/ Obfuscated Filename
  7. Partial Strong Encrypt w/ Obfuscated Filename,1,"
  8. Individual Archival
  9. Decoy Replacement
  10. Group Archive
  11. Wiper
  12. Attack Raw Disk
  13. Encrypt Database Page
  1. Strong Encrypt w/ Original New File Extension
  2. Obfuscate Filename
  3. Weak Encrypt w/ New File Extension
  4. Weak Encrypt w/ Original Filename
  5. Partial Encrypt w/ Obfuscate Filename
  6. Inside Encrypt w/ Original Filename
  7. Partial Weak Encrypt w/ Original Filename and File Type
  8. Weak Encrypt w/ Obfuscated Filename
  9. Group Archive Maintaining Wiped Original Filename
  10. Strong Encrypt w/ New Known Extension- Wipes Duplicate Files
  11. Zero-fill w/ New Known Extension
  12. Zero-fill w/ Original Filename
  13. Zero-fill w/ Obfuscated Filename

Attack vectors are based on the impact of data:

  • Encryption
  • Entropy change
  • Deletton / creation
  • File extension change

Dell - Internal Use - Confidential

67

of Y

Internal Use - Confidential

68 of 76

The six attack vectors that are the most common

  1. Strong Encrypt w/ Original Filename
  2. Partial Strong Encrypt w/ Original Filename
  3. RMS/MS_EFS Strong Encrypt
  4. Strong Encrypt w/ New Known Extension
  5. Partial Strong Encrypt w/ New Known Extension
  6. Strong Encrypt w/ Obfuscated Filename

© Copyright 2020 Dell Inc.

68

of 20

Internal Use - Confidential

69 of 76

The six attack vectors that are the most common

  1. Strong Encrypt w/ Original Filename
  2. Partial Strong Encrypt w/ Original Filename
  3. RMS/MS_EFS Strong Encrypt
  4. Strong Encrypt w/ New Known Extension
  5. Partial Strong Encrypt w/ New Known Extension
  6. Strong Encrypt w/ Obfuscated Filename

99.5% of the attacks are based on this 6 attack vectors

Attack vector 4 numer �is the most common

Encryption of file with new file extension

© Copyright 2020 Dell Inc.

69

of 20

Internal Use - Confidential

70 of 76

Attack vectors

  1. Strong Encrypt w/ Original Filename
  2. Partial Strong Encrypt w/ Original Filename
  3. RMS/MS_EFS Strong Encrypt
  4. Strong Encrypt w/ New Known Extension
  5. Partial Strong Encrypt w/ New Known Extension
  6. Strong Encrypt w/ Obfuscated Filename
  7. Partial Strong Encrypt w/ Obfuscated Filename,1,"
  8. Individual Archival
  9. Decoy Replacement
  10. Group Archive
  11. Wiper
  12. Attack Raw Disk
  13. Encrypt Database Page
  1. Strong Encrypt w/ Original New File Extension
  2. Obfuscate Filename
  3. Weak Encrypt w/ New File Extension
  4. Weak Encrypt w/ Original Filename
  5. Partial Encrypt w/ Obfuscate Filename
  6. Inside Encrypt w/ Original Filename
  7. Partial Weak Encrypt w/ Original Filename and File Type
  8. Weak Encrypt w/ Obfuscated Filename
  9. Group Archive Maintaining Wiped Original Filename
  10. Strong Encrypt w/ New Known Extension- Wipes Duplicate Files
  11. Zero-fill w/ New Known Extension
  12. Zero-fill w/ Original Filename
  13. Zero-fill w/ Obfuscated Filename

We have detailed info about the source o the attack

Dell - Internal Use - Confidential

70

of Y

Internal Use - Confidential

71 of 76

Corrupt data report

Corrupted file

vs

Last good copy

© Copyright 2020 Dell Inc.

71

of 20

Internal Use - Confidential

72 of 76

We can dig deeper

© Copyright 2020 Dell Inc.

72

of 20

Internal Use - Confidential

73 of 76

Index Engines report on corrupt data using info from Event Logs

© Copyright 2020 Dell Inc.

73

of 20

Internal Use - Confidential

74 of 76

Index Engines report on corrupt data using info from Event Logs

Finds last user to modify corrupted files

Looks for patterns

(f.e. Same user to delete all files)

Identify application that modified the file

Potentially detect and find malware

© Copyright 2020 Dell Inc.

74

of 20

Internal Use - Confidential

75 of 76

Licensing

© Copyright 2020 Dell Inc.

75

of 20

Internal Use - Confidential

76 of 76

Daniel.Olkowski@dell.com

Questions

© Copyright 2020 Dell Inc.

76

of 20

Internal Use - Confidential