
Live Incident Recovery Plan


šŸ“NOTE: The availability of this feature may be limited based on the license type, region, and other criteria. To access this feature, contact support.


Overview

What is a Live Incident Recovery Plan?

A Live Incident Recovery Plan is a high-speed restoration strategy used during an active ransomware attack or cyber emergency. It allows organizations to rapidly restore complex applications into a "Sandbox"—a secure, isolated environment—to ensure business continuity while the primary production site is compromised.

Unlike testing schedules, this plan is designed for real-time execution to restore critical systems as quickly as possible during a crisis.

The Live Incident Recovery Plan is your organization’s "Emergency Exit." It provides a safe, verified, and isolated path to bring your business back online while ensuring that the malware that caused the initial incident is identified and blocked from the recovered systems.

Key Benefits:

  • Re-infection Prevention: Built-in security scans verify the health of the data during restoration, ensuring the attack does not spread to the new environment.

  • Incident Response Alignment: Synchronizes perfectly with your organization’s broader Incident Response (IR) strategy, acting as the technical execution arm of your recovery.

Prerequisites

To ensure a successful and secure recovery during a live incident, the following requirements must be met:

For VMware

1. Infrastructure Requirements

  • VMware Environment: You must have a functional VMware Virtual Machine target available for the recovery process.

  • Isolated Recovery Environment (IRE): A dedicated, pre-configured "Sandbox" or Isolated Recovery Environment must be ready. This prevents the recovered data from communicating with the infected production network.

2. Security Configuration

  • Post-Recovery Automated Scans: By pre-configuring these tools, the plan automatically triggers a malware scan immediately after the systems boot up. This ensures that the restored latest data is clean before users are granted access.

How to create a Live Incident Recovery Plan

Access Path: From the Cloud Platform console dashboard, navigate to Global Navigation icon > Cyber Resiliency > Ransomware Recovery > Cyber Recovery > Get Started with Cyber Recovery > Create a Cyber Recovery > Create Live Incident Recovery Plan.

The following steps describe how to create a Live Incident Recovery Plan to proactively test your recovery readiness.

On the Cyber Recovery Plan pop-up, click Create Live Incident Recovery Plan and follow the steps mentioned below.

Step 1: General Plan Details - General Tab

Every recovery plan requires basic identification and a schedule to ensure regular testing without impacting active production systems.

Plan Details

  • Recovery Name: Provide a unique name to identify this plan.

  • Recovery Description: Briefly explain the purpose of this specific plan.

Step 2: Resource Selection for Recovery - Resources Tab

Select the specific resource that you want to protect and recover. For example, VMware.

Search Resources

Filter and search resources by the following criteria:

  • Resource Type: Select the required resource type. For example, VMware.

  • Organizations: Select the required organization from the dropdown.

  • vCenter/ESXi Hosts: Select the vCenter/ESXi Hosts from the dropdown.

  • Match: Select the match criteria by which the resources must be searched. It can be VMware Folders, Resource Name, Tags, DataStore, Host, or Clusters.

Step 3: Snapshot Selection For Recovery - Snapshot Tab

A snapshot is a saved or backed up version of your data from a specific point in time. Select which snapshot should be used for recovery.

  • Snapshot Recovery Window: Enter a start and end date as the recovery window. The most recent backups within the provided time range will be selected.

  • Recovery Options: Select the required option.

    • Latest Snapshot: Automatically selects the most recent backup available.

    • Manual Selection of snapshot post Threat Hunt: Allows you to manually select a snapshot after viewing threat hunt results.

    • Latest Snapshot with no IOC matches: Performs a Threat Hunt first to find the most recent backup that does not contain known Indicators of Compromise (IOCs).

      • Threat Hunt Criteria: You can scan for specific File Hashes (using predefined libraries or custom values) and File Extensions to ensure the restored data is clean.

        If you select this option, the most recent snapshot without IOC matches is selected for recovery.

        Tip: Always use "Latest Snapshot with no IOC matches" if you suspect a virus was present in recent backups.
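As an added illustration (not part of this product's own code or documentation), the Python below models how the "Latest Snapshot with no IOC matches" option narrows the choice: it hunts each snapshot in the recovery window for IOC file hashes and file extensions and returns the newest clean one, or nothing when every snapshot in the window matches, which is the case where a manual selection after reviewing the threat hunt results remains. The IOC values, snapshot contents and function names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed IOC library for the example: a SHA-256 hash and two file
# extensions (placeholders, not real indicators from any threat feed).
IOC_HASHES = {hashlib.sha256(b"constructed-malicious-payload").hexdigest()}
IOC_EXTENSIONS = {".locked", ".encrypted"}


@dataclass
class Snapshot:
    taken_at: str   # ISO date (YYYY-MM-DD) so string comparison orders snapshots
    files: dict     # path -> file bytes (constructed in-memory snapshot contents)


def threat_hunt(snapshot):
    """Return (path, reason) for every file matching an IOC hash or extension."""
    matches = []
    for path, content in snapshot.files.items():
        if hashlib.sha256(content).hexdigest() in IOC_HASHES:
            matches.append((path, "hash"))
        elif any(path.lower().endswith(ext) for ext in IOC_EXTENSIONS):
            matches.append((path, "extension"))
    return matches


def select_snapshot(snapshots, window_start, window_end, option):
    """Pick a snapshot as the Snapshot tab options describe.

    option "latest": newest snapshot in the recovery window, no scan.
    option "latest_clean": newest snapshot in the window with no IOC matches.
    Returns None when nothing in the window is clean (manual selection needed).
    """
    in_window = [s for s in snapshots if window_start <= s.taken_at <= window_end]
    for snap in sorted(in_window, key=lambda s: s.taken_at, reverse=True):
        if option == "latest" or not threat_hunt(snap):
            return snap
    return None


# Constructed sample data: three daily snapshots; the two newest carry IOCs.
SNAPSHOTS = [
    Snapshot("2024-01-10", {"app/config.ini": b"[db] host=prod"}),
    Snapshot("2024-01-11", {"app/config.ini": b"[db] host=prod",
                            "docs/q1.xlsx.locked": b"ciphertext"}),
    Snapshot("2024-01-12", {"app/config.ini": b"[db] host=prod",
                            "tmp/svc.exe": b"constructed-malicious-payload"}),
]
```

With the "latest" option the 2024-01-12 snapshot is chosen even though it contains the IOC hash; with "latest_clean" the hunt skips back to 2024-01-10.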


Step 4: Target Environment Details - Target Environment Tab

This section defines where the recovered VMs will be hosted. This is an isolated environment to prevent re-infection of your production network.

  • Destination VMware Setup: The vCenter instance where the VMs will be restored.

  • Backup Proxy Pool: It is recommended to use an Isolated Recovery Environment for restore. This provides dedicated resources that keep your recovery separate from regular backup tasks, which ensures better performance.

  • Destination Hypervisor: The hypervisor details for the restored VMs.

  • Destination Datastore: The storage location for the restored VMs (must meet minimum disk space requirements).

  • Compute Restore: The host, cluster, or resource pool where you want to restore the virtual disk. You cannot select a data center or a folder. This option is not available if you are restoring a virtual disk to a standalone ESXi host.

  • Folder: A folder under the data center hierarchy where you want to restore the virtual disk. This option is not available if you are restoring a virtual disk to a standalone ESXi host.

  • Network: The isolated network segment where the recovered VMs will reside.

Step 5: Post-Restore Actions - Recovery Settings Tab

After the system is restored, you can automate the clean-up and validation of the VMs as soon as they are powered on in the recovery environment.

Recovered VM Name

  • Recovered VM Name Prefix: Add a prefix (e.g. "TEST-") to the names of recovered virtual machines to distinguish them from production.

Post Restore Actions

  • Detach Network Card: Isolates the recovered virtual machine from your production network upon boot to prevent accidental interference. Keep Detach Network Card active and enabled during testing to avoid IP address conflicts.

  • Enable OS Boot Configuration: Verifies network connectivity within the guest OS after the virtual machine starts up.

  • Post-Boot Scripts: Automatically runs custom scripts (PowerShell or Bash) after the virtual machine starts up. You can upload and run up to 5 scripts (e.g., .ps1) to reconfigure applications or hostnames. Allowed script file types are .ps1 and .sh, with a maximum file size of 100 KB.

  • Post-Restore Scan: Runs a malware scan on the restored virtual machines and can optionally delete malicious files automatically.

Priority Order for Post-Boot Scripts and Post-Restore Scans

Select Run post-Boot scripts after the Post restore scan to run the post-restore scan first and the post-boot scripts after it completes.

Once you complete all the steps successfully, a new Live Incident Recovery Plan is created.
