When you begin setting up analysis policies for cyber threat anomaly detection, several built-in anomaly detection rules are available in Data Protection Advisor that can be applied to the protection environment. While Data Protection Advisor is not specifically a cybersecurity tool, it can be used to identify anomalies that may be indicators of a cyber-attack. The built-in rules that are likely to be most useful for this purpose include (but are not limited to):
- Full backup larger than average time window
  - Cyber Attack Vector: Ransomware
  - Typical modus operandi: Data Encryption
  - Rule description: An increase in the deviation of the “Size” of data sent to the server from that job’s historical average may indicate encryption of production data.
- Backup Application Configuration Changed
  - Cyber Attack Vector: Insider attack or remote execution
  - Modus operandi: Backup Appliance control
  - Rule description: During an internal malicious attack (or remote execution), a bad actor might make use of stolen credentials to make configuration changes to the backup application.
- Filesystem Utilization High
  - Cyber Attack Vector: Ransomware
  - Typical modus operandi: Data Encryption
  - Rule description: A bad actor encrypting production data will cause the creation of what appears to be new, unique data, so the deduplication rate on a PowerProtect DD will drop.
- Cyber Attack Vector: Backup Missed or Unavailable
  - Typical modus operandi: Data Unavailability
  - Rule description: Multiple backups failing within a limited time window can mean clients are offline or under cyberattack.
- Cyber Attack Vector: Unavailability or Exposures
  - Typical modus operandi: Data Unavailability
  - Rule description: A backup client failing, or missing backups consecutively for three days, is at higher risk of damage from a cyber attack.
- Many backup devices unavailable
  - Cyber Attack Vector: Unavailability of Backup appliance
  - Rule description: Bad actors often target backup infrastructure or appliances so that the ability to recover data is limited.
- No NetWorker bootstrap generated
  - Cyber Attack Vector: Restrict Disaster Recovery
  - Rule description: A NetWorker bootstrap job is required to recover a NetWorker Server in a DR scenario, and the lack of one may limit the ability to recover from a cyber-attack.
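The following is an added example, written for this page rather than taken from Data Protection Advisor, of how three of the rules above can be evaluated over backup job history: the size-deviation check behind the ransomware rules, the "multiple backups failing within a limited time window" rule, and the "missing backups consecutively for three days" rule. The job records, the `(client, date, status, size)` layout, the 1.5x size ratio, the 3-day window and the failure thresholds are all constructed assumptions; DPA's own thresholds and data model are not shown on this page.

```python
"""Illustrative anomaly checks over constructed backup-job records.

Added example, not Data Protection Advisor code. The record layout,
thresholds and sample data below are assumptions made for this page.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed sample job records: (client, run date, status, size in GB).
JOBS = [
    ("db01", "2024-03-01", "ok", 100.0),
    ("db01", "2024-03-02", "ok", 102.0),
    ("db01", "2024-03-03", "ok", 98.0),
    ("db01", "2024-03-04", "ok", 101.0),
    ("db01", "2024-03-05", "ok", 240.0),    # sudden size jump (encryption signal)
    ("fs02", "2024-03-01", "ok", 50.0),
    ("fs02", "2024-03-02", "failed", 0.0),
    ("fs02", "2024-03-03", "failed", 0.0),
    ("fs02", "2024-03-04", "failed", 0.0),
    ("web03", "2024-03-01", "ok", 20.0),
    ("web03", "2024-03-02", "ok", 20.5),
    ("web03", "2024-03-03", "ok", 20.2),
    ("web03", "2024-03-04", "ok", 20.1),
    ("web03", "2024-03-05", "ok", 20.4),
]


def _day(s):
    """Parse an ISO date string into a date."""
    return date.fromisoformat(s)


def size_deviations(jobs, ratio=1.5, min_history=3):
    """Flag a successful job whose size exceeds `ratio` times that client's
    historical mean. Only successful jobs build the history, and a client
    needs `min_history` prior runs so a new client is not flagged at once.
    Returns (client, date, size, historical_mean) tuples."""
    history = defaultdict(list)
    flagged = []
    for client, day, status, size in sorted(jobs, key=lambda j: j[1]):
        if status != "ok":
            continue
        prior = history[client]
        if len(prior) >= min_history and size > ratio * mean(prior):
            flagged.append((client, day, size, mean(prior)))
        prior.append(size)
    return flagged


def failures_in_window(jobs, window_days=3, max_failures=2):
    """Flag clients with more than `max_failures` failed jobs inside any
    sliding window of `window_days` days. Returns (client, window_start, count)."""
    failed = defaultdict(list)
    for client, day, status, _ in jobs:
        if status != "ok":
            failed[client].append(_day(day))
    flagged = []
    for client, days in sorted(failed.items()):
        days.sort()
        for i, start in enumerate(days):
            end = start + timedelta(days=window_days)
            count = sum(1 for d in days[i:] if d < end)
            if count > max_failures:
                flagged.append((client, start.isoformat(), count))
                break
    return flagged


def consecutive_misses(jobs, expected_clients, start, end, limit=3):
    """Flag expected clients with `limit` or more consecutive calendar days
    without a successful backup between `start` and `end` inclusive. A client
    that never appears in `jobs` at all is also caught. Returns (client, streak)."""
    ok_days = defaultdict(set)
    for client, day, status, _ in jobs:
        if status == "ok":
            ok_days[client].add(_day(day))
    flagged = []
    first, last = _day(start), _day(end)
    for client in expected_clients:
        streak = worst = 0
        day = first
        while day <= last:
            streak = 0 if day in ok_days[client] else streak + 1
            worst = max(worst, streak)
            day += timedelta(days=1)
        if worst >= limit:
            flagged.append((client, worst))
    return flagged


if __name__ == "__main__":
    print("size deviations:", size_deviations(JOBS))
    print("failure clusters:", failures_in_window(JOBS))
    print("consecutive misses:", consecutive_misses(
        JOBS, ["db01", "fs02", "web03", "app04"], "2024-03-01", "2024-03-05"))
```

The size check deliberately ignores failed runs when building the baseline, otherwise a string of zero-size failures would drag the mean down and make the next normal backup look anomalous; the consecutive-miss check takes an explicit list of expected clients so that a host whose backups simply stopped being scheduled is reported rather than silently absent.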