
Restore EC2 and EBS resources using Cyber Recovery (Recovery Intelligence)


Overview

The Recovery Intelligence (Cyber Recovery) feature gives you a consolidated view of the Cyber Resiliency capabilities available for your EC2 and EBS resources, drawing on insights from the Druva console. Understanding these capabilities is essential for maintaining a strong security posture and for recovering quickly and safely from cyber threats such as ransomware. For more information, see How to use the Cyber Recovery feature.


❗Important:

  • To view and access the Cyber Recovery feature, you must have either an Accelerated Ransomware Recovery license or a Premium license.

  • To view and access Cyber Recovery details for the Threat Hunting feature, a Premium license is mandatory.

  • The Cyber Recovery feature is supported only for Air-Gapped resources.


Access Path

For EC2 resources

To access this feature for EC2 resources, navigate to the Cyber Recovery tab using the following procedure:

  1. From the Druva Cloud Platform Console, go to the Global Navigation menu > Enterprise Workloads > AWS. You are redirected to the AWS Workloads page.

  2. From the top menu bar, select your organization if organizations are enabled.

  3. From the top menu bar, select your AWS account from the Accounts tab.

  4. Navigate to Resources and click EC2.
    The Resources page lists all the configured EC2 resources.

  5. From the Resources tab, click the Resource Name of the resource you want to restore. The resource Summary page appears. For a Cyber Recovery restore, click the Recovery Points tab > Cyber Recovery tab.

For EBS resources

To access this feature for EBS resources, navigate to the Cyber Recovery tab using the following procedure:

  1. From the Druva Cloud Platform Console, go to the Global Navigation menu > Enterprise Workloads > AWS. You are redirected to the AWS Workloads page.

  2. From the top menu bar, select your organization if organizations are enabled.

  3. From the top menu bar, select your AWS account from the Accounts tab.

  4. Navigate to Resources and click EBS.
    The Resources page lists all the configured EBS resources.

  5. From the Resources tab, click the Resource ID of the volume you want to restore. The resource Summary page appears. For a Cyber Recovery restore, click the Recovery Points tab > Cyber Recovery tab.

How to use the Cyber Recovery feature

You can do the following using the Cyber Recovery tab:

  • Cyber Recovery tab: Get a comprehensive view of your configured EC2 and EBS recovery points.

  • Run Threat Hunt: Initiate an on-demand Threat Hunt scan of backed-up data to search for indicators of compromise (IOCs). You can view the details of the Threat Hunt job that is created from the DCP Console > Global Navigation menu > Ransomware Recovery > Threat Hunting > Threat Hunting dashboard job listing page.

You must have the Druva Cloud Admin role to access this feature.

You can auto-quarantine the impacted recovery points from the Cyber Resiliency > Threat Hunting UI. For more information, see Auto-Quarantine Snapshots.

  • Cyber Restore: Select a recovery point and perform a Cyber Restore. This option restores EC2 and EBS resources with an emphasis on security: the recovery point is scanned before it is restored. It is distinct from standard operational recovery and is typically used when compromise is suspected.

  • Filters: Narrow the Cyber Recovery view using the following criteria:

    • Date Range: Specify the start and end date.

    • Indexed: The recovery point indexing state, which determines Threat Hunt scan eligibility. It specifies whether a backed-up snapshot meets the requirements to be scanned for threats. Threat Hunt scan results are displayed only for indexed recovery points.

    • Quarantine: The quarantine state of the recovery point.

    • Scan Status: Recovery points filtered by their scan status.

Understanding the Cyber Recovery dashboard

The Cyber Recovery dashboard provides a comprehensive view of your configured EC2 and EBS backups that helps you quickly ascertain:

  • Total Air-Gapped Recovery Points: The total number of Air-Gapped recovery points available for restore.

  • Indexed: Threat Hunt scan eligibility for snapshots. Specifies whether a backed-up snapshot meets the requirements to be scanned for threats. Threat Hunt scan results are displayed only for indexed recovery points.

  • Size: The size of the backed-up data for the recovery point.

  • Scan Status: The scan status of each recovery point. The status can be one of the following:

    • Not Scanned: The recovery point has not been scanned for malicious data.

    • No Matches Found: The scan found no malicious files in the recovery point, so it is deemed safe to restore. Click it to view the details; the match count is displayed as zero.

    • Matches Found: The recovery point contains malicious files. Click it to view the file match details, download the scan report for further investigation, and take appropriate action. The Scan Status pop-up shows the date and time of the scan, the feature that performed it (Scan Source: Threat Hunt or Cyber Restore (Restore Scan)), and the total number of file matches found by the scan job.

Click Download Report to download the Threat Hunt file-level and/or snapshot-level details, or the Restore Scan job details, for offline investigation and auditing.

Understanding Cyber Restore feature

Druva offers a specialized recovery option designed for cyber incident scenarios: Cyber Restore.

This option restores EC2 and EBS resources with an emphasis on security. It is distinct from standard operational recovery and is typically used when compromise is suspected.

Use the Cyber Restore option in the EC2 and EBS restore workflows to recover a specific recovery point after an antivirus scan. Based on the scan results, you can certify whether the selected recovery point is clean and safe to restore.

Cyber Restore for EC2 resources:

  1. On the Cyber Recovery tab, select the EC2 resource and click Cyber Restore.

  2. On the Restore pop-up, select the Restore as an Instance option and click Proceed. The Restore AMI pop-up is displayed. Click Confirm to initiate a Cyber Restore.

  3. On the Restore Scan pop-up, do the following:

    1. In the Restore Scan section, turn on the Enable Restore Scan toggle to scan the EC2 recovery point for malware using predefined file hashes and the antivirus engine. If this option is enabled, the scan job is also created on the Ransomware Recovery > Restore Scan Jobs page and mapped to the restore job that was triggered.

    2. Quick Scan is enabled as the scan option.


      📝Note:

      This option is available only if the Allow Admin to Disable Server Scan checkbox is selected in the Restore Scan > Override Scanning section.


    3. Select the Allow restore of recovery point even if malicious files are found checkbox to let the restore proceed even when the scan finds infected data. This checkbox is selected by default; clear it if a scan that finds matches should block the restore.

  4. Click Proceed to Restore. Restores take longer when the scan is enabled.

  5. You can view the progress of the scan job on the Restore Jobs page for EC2/EBS and on the Restore Scan > Scan Jobs page. Click the Job ID to view details.

Cyber Restore for EBS resources:

  1. On the Cyber Recovery tab, select the EBS resource and click Cyber Restore.

  2. On the Restore pop-up, select either the Restore as an Instance or Restore as a Volume option as per your requirement and click Proceed. The Restore pop-up for the selected option is displayed. Provide the requested details and proceed to initiate a Cyber Restore.

  3. On the Restore Scan pop-up, do the following:

    1. In the Restore Scan section, turn on the Enable Restore Scan toggle to scan the EBS recovery point for malware using predefined file hashes and the antivirus engine. If this option is enabled, the scan job is also created on the Ransomware Recovery > Restore Scan Jobs page and mapped to the restore job that was triggered.

    2. Quick Scan is enabled as the scan option.


      📝Note:

      This option is available only if the Allow Admin to Disable Server Scan checkbox is selected in the Restore Scan > Override Scanning section.


    3. Select the Allow restore of recovery point even if malicious files are found checkbox to let the restore proceed even when the scan finds infected data. This checkbox is selected by default; clear it if a scan that finds matches should block the restore.

  4. Click Proceed to Restore. Restores take longer when the scan is enabled.

  5. You can view the progress of the scan job on the Restore Jobs page for EC2/EBS and on the Restore Scan > Scan Jobs page. Click the Job ID to view details.

Actionable Insights for Security Administrators

Based on the console's insights, security administrators should take the following actions:

  • Configure and verify scan status: Ensure that all critical EC2 and EBS backups are scanned for malware and ransomware. A Not Scanned status (as shown on the Recovery Points tab) indicates a significant security gap. Implement and monitor your scanning policies. For more information, see Threat Hunting and Restore Scan.

  • Leverage Threat Intelligence: Integrate and utilize Druva's curated Threat Intelligence (IOC Sets) and your custom IOC Sets to enhance detection capabilities during scans.

  • Utilize Quarantine Bay: Understand and leverage the Quarantine Bay feature to isolate infected snapshots, preventing their accidental restoration and potential re-infection of your environment.

  • Develop Cyber Recovery Playbooks: Incorporate Druva's Cyber Recovery features (Cyber Restore) into your organization's incident response and disaster recovery playbooks.
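The following is an added example, not Druva code and not based on any Druva API: it models the triage an administrator performs from the dashboard states described above (Indexed, Scan Status, quarantine) and the Cyber Restore gate controlled by the "Allow restore of recovery point even if malicious files are found" checkbox. The record layout, field names, resource IDs and timestamps are constructed assumptions for illustration; in practice you would populate the records from the downloaded scan report or the console view.

```python
"""Triage of Cyber Recovery dashboard data (added example, not Druva code).

The RecoveryPoint layout is a constructed stand-in for what the Cyber Recovery
dashboard shows per recovery point. Field names are assumptions; Druva exposes
no such API on this page.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Scan Status values as displayed on the dashboard.
NOT_SCANNED = "Not Scanned"
NO_MATCHES = "No Matches Found"
MATCHES = "Matches Found"


@dataclass(frozen=True)
class RecoveryPoint:
    resource_id: str           # EC2 instance ID or EBS volume ID (constructed)
    timestamp: str             # recovery point time, ISO 8601 (constructed)
    indexed: bool              # True if eligible for a Threat Hunt scan
    scan_status: str           # one of the three dashboard states above
    matches: int = 0           # file matches reported by the scan
    quarantined: bool = False  # True once the point sits in Quarantine Bay


def scan_gap(points: Iterable[RecoveryPoint]) -> Dict[str, List[RecoveryPoint]]:
    """Split recovery points into the buckets an administrator acts on.

    scan_now    : indexed but never scanned -> run Threat Hunt on it
    not_indexed : not scannable at all -> resolve indexing eligibility first
    quarantine  : matches found but not yet quarantined -> quarantine it
    clean       : scanned with no matches -> candidate for Cyber Restore
    Quarantined points with matches need no further action and are skipped.
    """
    buckets: Dict[str, List[RecoveryPoint]] = {
        "scan_now": [], "not_indexed": [], "quarantine": [], "clean": []
    }
    for rp in points:
        if rp.scan_status == NOT_SCANNED:
            buckets["scan_now" if rp.indexed else "not_indexed"].append(rp)
        elif rp.scan_status == MATCHES and not rp.quarantined:
            buckets["quarantine"].append(rp)
        elif rp.scan_status == NO_MATCHES:
            buckets["clean"].append(rp)
    return buckets


def restore_allowed(rp: RecoveryPoint, allow_infected: bool) -> bool:
    """Mirror the Cyber Restore gate.

    allow_infected=True reproduces the default checkbox state: the restore
    proceeds whatever the scan found. allow_infected=False reproduces the
    cleared checkbox: only a scanned point with zero matches passes.
    Quarantined points are refused in both modes (assumption: quarantine is
    meant to prevent accidental restoration).
    """
    if rp.quarantined:
        return False
    if allow_infected:
        return True
    return rp.scan_status == NO_MATCHES and rp.matches == 0


# Constructed sample data, not taken from any real console.
SAMPLE = [
    RecoveryPoint("i-0a1b2c3d", "2024-05-01T02:00:00Z", True, NO_MATCHES),
    RecoveryPoint("i-0a1b2c3d", "2024-05-02T02:00:00Z", True, MATCHES, matches=3),
    RecoveryPoint("vol-0f9e8d7c", "2024-05-02T02:00:00Z", True, NOT_SCANNED),
    RecoveryPoint("vol-0f9e8d7c", "2024-05-03T02:00:00Z", False, NOT_SCANNED),
    RecoveryPoint("i-0a1b2c3d", "2024-05-03T02:00:00Z", True, MATCHES,
                  matches=1, quarantined=True),
]


def summary(points: Iterable[RecoveryPoint]) -> Dict[str, int]:
    """Count of recovery points per action bucket, for a quick gap report."""
    return {name: len(items) for name, items in scan_gap(points).items()}


if __name__ == "__main__":
    for name, items in scan_gap(SAMPLE).items():
        ids = ", ".join(f"{rp.resource_id}@{rp.timestamp}" for rp in items) or "-"
        print(f"{name:12s} {len(items)}  {ids}")
    for rp in SAMPLE:
        print(rp.resource_id, rp.timestamp,
              "restore(default)=", restore_allowed(rp, allow_infected=True),
              "restore(strict)=", restore_allowed(rp, allow_infected=False))
```

The `scan_now` bucket is the "Not Scanned" gap the insights section warns about, restricted to points that are actually indexed and therefore scannable; the `strict` mode of `restore_allowed` is what you get by clearing the default checkbox in the Restore Scan pop-up, which is the setting to use in an incident-response playbook.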

Things to consider for Cyber Recovery

  • Run Threat Hunt: The same administrator cannot run two Threat Hunt jobs concurrently on the same resource from the Cyber Recovery tab.
