Overview
What is Scheduled Cyber Recovery Testing (SCRT) plan?
Think of this as a Fire Drill for your data. The system automatically runs a test on your schedule (Quarterly, semi-annually, or Yearly) to make sure everything works perfectly before an emergency happens.
Key Benefits:
Enhanced Cyber Readiness: Regular testing ensures that your recovery team is prepared and that your backup data is functional before an actual emergency occurs.
Regulatory Compliance: Automated testing provides the documented proof of "recoverability" required by many industry standards and legal regulations.
Prerequisites
To ensure a successful recovery test, the following environment requirements and safety constraints must be met:
For VMware
Requirement | What it is | Why it matters |
Backup Proxy: Reserved Proxy Pool | A dedicated Reserved Proxy Pool must be configured. Using a reserved pool ensures that testing activities do not interfere with your standard production backup window. | Without these, the system cannot move backups into the recovery area. |
Target Environment | A vCenter or ESXi host. | This is the "physical" destination where your recovered virtual machines will live. |
Sandbox Network | A fenced-off, isolated network segment. | Prevents recovered virtual machines from accidentally talking to your live office network. |
Storage Quota | Available space in your recovery destination. | You cannot recover 4TB of data if you only have 2TB of recovery space. |
Threat Scanner | Tools like Cisco Talos Antivirus or similar, IOC Library and Threat Intelligence | Helps the system to scan your data for malware. |
π‘ Tip
Identify Your "Critical 10": Since the Scheduled Cyber Recovery Testing (SCRT) plans are limited to 10 VMs for testing, start with your most vital application (e.g., your Finance software or your Customer Database).
Prepare your Scripts: If your servers need special settings (like a new IP address) to work in the Sandbox, have those PowerShell or Bash scripts ready to upload in Step 5 - Post-restore actions.
Script Requirements:
Allowed file types: .ps1, .sh
Maximum size: 100KB
Naming convention: Script filenames must not contain Unicode characters
For Microsoft 365
Microsoft Tenant must be in a connected state. For more information, see Register M365 tenant.
How to create a Scheduled Cyber Recovery Testing Plan?
Access Path: From the Cloud Platform console dashboard, navigate to Global Navigation icon > Cyber Resiliency > Ransomware Recovery > Cyber Recovery > Get Started with Cyber Recovery > Create a Cyber Recovery > Create Scheduled Recovery Plan.
Following are the steps on how to create a Scheduled Cyber Recovery Testing Plan to proactively test your recovery readiness.
On the Cyber Recovery Plan pop-up, click Create Scheduled recovery Plan and follow the steps mentioned below.
Step 1: General Plan Details - General Tab
Every recovery plan requires basic identification and a schedule to ensure regular testing without impacting active production systems.
Plan Details
Recovery Name: Provide a unique name to identify this plan.
Recovery Description: Briefly explain the purpose of this specific plan.
Testing Frequency
Testing Start Date: The specific date and time when the first recovery test should begin.
Frequency: Choose how often the test should run (Quarterly, Semi-annually, or Yearly) and set the start date and time.
Step 2 : Resource Selection For Recovery - Resources Tab
Select the specific resource that you want to protect and recover. For example, VMware, Microsoft 365 - OneDrive, SharePoint, Exchange Online.
Search Resources for VMware
π Note: In case of VMware, you can select a maximum of 10 VMs per plan.
Filter and search resources for VMware by the following criteria:
Resource Type: Select the required resource type. For example, VMware.
Organizations: Select the required organization from the dropdown.
vCenter/ESXi Hosts (Only for VMware): Select the vCenter/ESXi Hosts from the dropdown.
Match: Select the match criteria by which the resources must be searched. It can be VMware Folders, Resource Name, Tags, DataStore, Host, or Clusters in case of VMware.
Search Criteria: Filter resources by Organization, vCenter/ESXi Hosts, or specific VM Folders.
Search Resources for OneDrive and Exchange Online
π Note: In case of OneDrive and Exchange Online, you are limited to 5% of your total user licenses, up to a maximum of 200. This limit applies to each workload every quarter.
Filter and search resources for OneDrive and Exchange Online by the following criteria:
Resource Type: Select the required resource type. For example, OneDrive or Exchange Online.
Match Criteria: Select the match criteria by which the resources must be searched. It can be Profiles or Users.
Search Resources for SharePoint
π Note: In case of SharePoint, you are limited to 5% of your total user licenses, up to a maximum of 200. This limit applies to each workload every quarter.
Filter and search resources for SharePoint by the following criteria:
Resource Type: Select the required resource type. For example, SharePoint.
Match Criteria: Select the match criteria by which the resources must be searched. It can be Backup Profiles or Attribute-based conditions. In case of Attribute-based conditions selection, filter resources by Site Attribute, Operator, or Value.
Quota for VMware
The interface displays a progress bar showing the total size of selected resources against your available storage quota. You cannot exceed 100% of your allocated recovery storage.
Understanding the Quota Calculation for Scheduled Cyber Recovery Testing plan for VMware
Storage quota is calculated on a quarterly basis.
Example:
If the total backed-up data is 50 TB, and the allowed quota per quarter is 20% of the total backed-up data (10 TB).
Plan Size Distribution Across Quarters:
The total plan size is distributed evenly across quarters, depending on the selected plan frequency:
Plan Frequency | Quarters for Distribution |
Quarterly | 1 quarter - 20% (10 TB) |
Semi-Annually | 2 quarters - 40% (20 TB) |
Yearly | 4 quarters - 80% (40 TB) |
Therefore, the quota for each quarter will be 20% of the total backed-up data.
Quota for Microsoft 365 - Exchange Online, OneDrive, SharePoint
The interface displays a progress bar showing the total number of selected resources (SharePoint sites, OneDrive, Mailbox) per quarter across the plans. You are limited to 5% of your total user licenses, up to a maximum of 200. This limit applies to each workload every quarter.
Understanding the Quota Calculation for Scheduled Cyber Recovery Testing plan for Microsoft 365
Example 1: If you have a license count of 50 users. The plan distribution across quarters will be as follows:
Plan Frequency | Permissible resource count |
Quarterly | 2 |
Semi-Annually | 5 |
Yearly | 10 |
Example 2: If you have a license count of 1000 users. The plan distribution across quarters will be as follows:
Plan Frequency | Permissible resource count |
Quarterly | 50 |
Semi-Annually | 100 |
Yearly | 200 |
Example 3: If you have a license count of 5000 users. The plan distribution across quarters will be as follows:
Plan Frequency | Permissible resource count |
Quarterly | 200 |
Semi-Annually | 400 |
Yearly | 800 |
Step 3: Snapshot Selection For Recovery - Snapshot Tab
A "snapshot" is a saved or backed up version of your data from a specific point in time. Select which snapshot should be used for recovery.
Recovery Window: Choose how far back to look for backups. You can select 7, 15, or 30 days as the recovery window.
Recovery Options: Select the required option.
Latest Snapshot: Automatically selects the most recent backup available.
Latest Clean Snapshot: Performs a Threat Hunt first to find the most recent backup that does not contain known Indicators of Compromise (IOCs).
Threat Hunt Scanning Criteria: You can scan for specific File Hashes (using predefined libraries or custom values) and File Extensions to ensure the restored data is clean.
This recent snapshot without IOC matches is selected for recovery if you select this option.
π‘Tip: Always use Latest Clean Snapshot if you suspect a virus was present in recent backups.
Step 4: Target Environment Details - Target Environment Tab
This section defines where the recovered resource's data will be hosted. This is an isolated environment to prevent re-infection of your production network.
For VMware
Field | Description |
Destination VMware Setup | The vCenter instance where the VMs will be restored. |
Backup Proxy Pool | It is recommended to use a Reserved Proxy Pool. This provides dedicated resources that keep your recovery separate from regular backup tasks to ensure better performance. |
Destination Hypervisor | The hypervisor details for the restored VMs. |
Destination Datastore | The storage location for the restored VMs (must meet minimum disk space requirements). |
Compute Restore | The host, cluster, or a resource pool where you want to restore the virtual disk. You cannot select a data center or a folder. |
Folder | A folder under the data center hierarchy where you want to restore the virtual disk. |
Network | The isolated network segment where the recovered VMs will reside. |
For Microsoft 365
Resource | Target Environment |
Exchange Online | Restore Location: Data is restored as a copy within the inSync Restore folder of the same user's mailbox. |
OneDrive | Restore Location: Data is restored as a copy within the Plan name- inSync Restore folder-date/time under the same user's OneDrive. |
SharePoint | Restore Location: Data is restored to a new site. |
[For VMware Only] Step 5: Post-Restore Actions - Recovery Settings Tab
Once the system is restored, you can automate the clean-up and validation of resources once they are powered on in the recovery environment.
Recovered VM Name
Recovered VM Name Prefix: Add a prefix (e.g. "TEST-") to the names of recovered virtual machines to distinguish them from production.
Post Restore Actions
Detach Network Card: Isolates the recovered virtual machine from your production network upon boot to prevent accidental interference. Keep Detach Network Card active and enabled during testing to avoid IP address conflicts.
Enable OS Boot Configuration: Verifies network connectivity within the guest OS after the virtual machine starts up.
Post-Boot Scripts: Automatically runs custom scripts (PowerShell or Bash) after the virtual machine starts up. You can upload and run up to 5 scripts (e.g.,
.ps1) to reconfigure applications or hostnames. Allowed script file types are .ps1 and .sh, with a maximum file size of 100 KB.Post-Restore Scan: Runs a malware scan on the restored virtual machines and can optionally delete malicious files automatically.
Priority Order for Post Boot script and restore Scans
Select the Run post-Boot scripts after the Post restore scan to prioritize the order for these tasks.
Once you complete all the steps successfully, a new Scheduled Cyber Recovery Testing Plan is created.