Overview
Threat hunting is a proactive approach to cybersecurity that involves actively searching for signs of malicious activity within an organization's network or systems. Rather than waiting for alerts or incidents to occur, threat hunting involves systematically looking for indicators of compromise (IOCs) that may indicate an ongoing or potential security threat.
The primary goal of threat hunting is to detect threats that may have evaded traditional security measures and minimize attackers' dwell time within the network. By identifying threats early, organizations can mitigate potential damage and respond more effectively to incidents.
Threat Hunting plays a crucial role in enhancing the overall cybersecurity posture of an organization by complementing traditional security measures with proactive detection and response capabilities.
Key Benefits
Malware IoC Search: Efficiently hunt for malware Indicators of Compromise (IoCs) within your VMware backups. Quickly identify and assess potential threats
Infection Scope and Timelines: Gain insights into the scope of the infection and timelines
Quarantine infected snapshots: Automatically quarantine infected VMware snapshots to prevent reinfection and further spread of malware
Rich Metadata: Use the rich metadata presented in Threat Hunting results to aid investigation and incident response workflows
Our Solution
Threat Hunting is a comprehensive security feature that empowers backup administrators and infosec professionals with advanced threat hunting capabilities with focus on backup data.
The following video provides an overview of the Threat Hunting feature.
With this capability, you can create and initiate an on-demand Threat Hunt for backed-up data to search for indicators of compromise (IOCs). It also allows auto-quarantining of the impacted snapshots.
❗Important: Threat Hunting is available with a Premium Security SKU license. Contact sales or support to procure the license.
Supported Workloads for Threat Hunting
Enterprise Workloads
VMware
Windows -
* Microsoft Windows Server 2022
* Microsoft Windows Server 2019
* Microsoft Windows Server 2016
* Microsoft Windows Server 2012 R2
* Microsoft Windows Server 2012Linux -
* Red Hat Enterprise Linux (RHEL) 7.0 , 7.5
* CentOS 7.0 , 7.5
* Ubuntu 22.04, 20.04, 18.04, 16.04, 14.04
* SUSE Linux Enterprise Server 12, 12 SP3
For supported VMware file types for Threat Hunting, see Disks, partitions and, files for File Level Restore (FLR)
How to use Threat Hunting?
Prerequisites
Ensure that the backup is successfully completed for the required resources on which you want to run the Threat Hunt job. After the successful backup, the data is accessed for Threat Hunting readiness.
At least 1% of the total resources must be Threat Hunt ready to create a Threat Hunt job for them.
For VMware resources Threat Hunting: The VMware backup proxy version installed must be 7.0.2 or higher.
For backup policies with CloudCache configured, only the data synced to the Druva cloud is available for Threat Hunting. Ensure the data is synced.
It takes only 4 steps to get started with this feature:
Step 1: Create a new Threat Hunt to find backed-up suspicious or malicious data.
Step 2: Monitor Threat Hunt jobs from the Threat Hunting dashboard. Use the Download Report option to analyze the scan results reported in detail.
Step 3: Auto-quarantine impacted snapshots to isolate impacted snapshots by default to prevent accidental restores and reinfection.
Step 4: View the Threat Hunt results using the Threat Hunting Dashboard page.