CyberSense Post Attack Workflow

Guide for Cyber Recovery

Document Version 09-01-2022


Copyright and Confidentiality

Copyright

Copyright © Index Engines Inc., 2020. All rights reserved.

No part of this document may be reproduced in any form or by any means or be used to make any
derivative work (including translation, transformation or adaptation) without explicit written consent of
Index Engines Inc.

Confidentiality

All information contained in this document is provided in commercial confidence for the sole purpose of
use by an authorized user in conjunction with Index Engine’s products. The pages of this document shall
not be copied, published, or disclosed wholly or in part to any party without prior permission in writing,
and shall be held in safe custody. These obligations shall not apply to information which is published or
becomes known legitimately from some source other than Index Engines Inc.

Index Engines Inc.


960 Holmdel Road
Building One, 1st Floor
Holmdel, NJ07733
Phone: 732.817.1060
Fax: 732.876.0241
www.indexengines.com

CyberSense Guide for Cyber Recovery Page ii


Contents

Change History
Introduction
CyberSense Alerts
Analysis Report
Post-Attack Forensics
    Step 1 - Identify the Attack Profile
    Step 2 - Identify Hosts and Backupsets Suspect of a Ransomware Attack
    Step 3 - Identify Suspect Files
    Step 4 - Get Reports
    Step 5 - Investigate Suspect Files
        Special case – Attack Profile 14
    Step 6 – Perform Recovery Steps
    Step 7 - Clear Alerts and Tags
Appendix
    Search Preferences for CyberSense
    Attack Profiles
    Summary of Workflow Steps

Change History
The table below lists changes to the procedures since the previous version of this guide. The guide version is noted in
this format "mmddyy" on the cover page of each guide. It's a good idea to check this section for changes whenever
installing a release that is new to you. Please incorporate all changes into your procedures.

Version   Changes/Updates

040722    • Added Profile 13 – for HermeticWiper

050122    • Added Profiles 8 and 10
          • Added Encrypted Child Percentage and Verbose Flags to recommended Preferences

061522    • Highlighted – Profile 13 is for Windows VM backups only.
          • Beginning with release 7.9.0-1.41 and 7.10.0-1.33, archives involved in profile 8 and 10
            alerts are tagged /suspect. See changes to the procedure.

082222    • Added some clarification of the purpose of clearing CyberSense indicators.
          • Added Profile 5

090122    • Added possible cause of false positive for profile 13.

Introduction
This guide describes how CyberSense, when deployed in a Dell EMC Cyber Recovery environment, alerts when
indicators of a possible ransomware attack are detected. It describes the steps you should take to qualify the
alerts and identify known good backups. For experienced users, a “Summary of Workflow Steps” is provided in the
Appendix.

CyberSense provides two distinct capabilities:

CyberSense Alerts - CyberSense audits the data managed by Cyber Recovery to detect signs of a ransomware
attack. CyberSense does this through its use of analytics and machine learning. When CyberSense detects any
sign of corruption, it delivers an alert to the Cyber Recovery dashboard.

CyberSense Forensic Reports - When data is corrupted due to a cyberattack, CyberSense provides post-attack
forensic reports for diagnosis and recovery from the attack.

CyberSense Alerts
You can receive alerts in several ways when CyberSense suspects that files have been modified by a
ransomware attack.

1. CyberSense alerts appear as Critical alerts in the Jobs section of the Cyber Recovery dashboard summary.

2. When CyberSense alerts for a suspected ransomware attack, the status for that policy execution will
appear as Critical in the Jobs section of the Cyber Recovery dashboard.

3. When CyberSense alerts for a suspected ransomware attack, the Last Analysis status for the copy will
appear as Suspicious in the Policies section of the Cyber Recovery dashboard.

4. The Job Status Details for suspicious copies will indicate that a new infection was found and/or that there
were alerts for “previous” infections for which you did not “Stop Reporting” on the Index Engines Alert
menu.

5. Cyber Recovery emails status at the end of each policy execution to the user who created the schedule.
This option is typically used in environments that have a data diode installed and configured for SMTP
traffic, with one-way communication out of the vault while maintaining the air-gapped environment.

Analysis Report
For each completed Analysis, CyberSense analytic information for every backupset analyzed is logged to an
Analysis Report. You can leverage the information in that report to determine the steps for a recovery plan.

From the Policy->Copies menu of the CyberRecovery GUI, select the copy for which the Last Analysis is marked
“Suspicious”. Then, select one of the Analysis Report actions to either download the detailed analysis or have that
.CSV file emailed to you.

The file contains a full listing of all the statistics generated by CyberSense analytics. Also included is
information on the specific attack profile that was detected. If you choose to use the file emailed to you, it will
originate from the CyberSense server and some sensitive information such as hostnames will be obfuscated.
The report downloaded from CyberRecovery will not be obfuscated and will provide hostnames.

You should first filter the report to show only the backups that are suspect of a ransomware attack.

Alert - The “Alert” column in the Analysis file includes a number that corresponds to the specific attack profile
for that backup if an infection is suspected and blank if the backup is not suspect of an attack. Filter to show
only rows where the “Alert” column is non-blank. In those rows, you can identify the server and backupset
that are suspect.

The attack profile is determined using the analytics collected for each backup, knowledge of how these user
content/analytics change over time, and then by processing the data with machine-learning algorithms.

The attack profile identifier provides the information on the type of corruption caused by the current
cyberattack. Find the current list of attack profiles in the Appendix.

Post-Attack Forensics
CyberSense achieves an exceedingly high detection rate of ransomware activity. A side effect is that a small
number of reports of infection will be determined to be false positives upon closer manual inspection. Upon
receiving an alert, follow your own post-attack procedures. This might include isolating a server(s) and/or
isolating the vault. If you maintain access to the CyberRecovery and CyberSense GUIs, you can begin post-attack
forensics to qualify the alert and determine if recovery is required.

You will need access to the CyberRecovery and CyberSense GUIs to perform these steps:

1) Identify the attack profile
2) Identify hosts and backupsets suspect of a ransomware attack
3) Identify a sample of the suspect files
4) Get summary reports
5) Investigate suspected hosts and files
6) Perform needed recovery if an attack is confirmed
7) Clear alerts and tags

The Index Engines Search Guide and Query Operators Guide describe the search capabilities in detail. You may
need to refer to those guides if you are not familiar with some basic search operations. Rather than clutter this
guide with detailed steps and images, we will refer you to the appropriate guide for the detail.

Important: The CyberSense Analysis Engine does not identify a file or files specifically as the reason for
determining that a backup has been infected. Based on its inputs, which are generated from the 180+
observations taken for every backup, the machine learning algorithm generates an output indicating whether it
has identified a suspect “infection” in the analyzed backup. The output includes (based on the training completed
for the ML model) the type/profile of infection. There is nothing in the model that points back to a specific file or
files.

The following procedure attempts to identify sample files that may have been involved in a ransomware attack
of a given attack profile, together with some information that was gathered during analysis. You should start your
investigation with this set of files.

Step 1 - Identify the Attack Profile

1. Download the Analysis Report (.csv) from the CR GUI for the copy for which a “New Infection was
Found”. Be aware that alerts for “Previous Infections Found” will continue in each report for each
copy until you acknowledge those alerts on the CyberSense GUI. The Analysis report for those copies
will not include information about the previously detected infection.
The Analysis Report from the CR GUI report is preferred over the one that you may have received in an
email from the CyberSense server which has private information such as host name obfuscated.
2. Filter the Analysis Report to rows with non-blank values in the “Alert” column and identify the “attack
profile”. Knowledge of the attack profile can help you perform manual searches in cases where files
could not be tagged as /suspect.
The attack profiles are listed below:
1 - Strong Encrypt w/ Original Filename
4 - Strong Encrypt w/ New Known Ransomware Extension
5 - Partial Encrypt w/ New Known Ransomware Extension
6 - Strong Encrypt w/ Obfuscated Filename
8 - Individual Archival – Single file now encrypted and moved into an archive.
10 - Group Archive – Multiple files now encrypted and moved into an archive.
13 - HermeticWiper – Applies to Windows disk image backups
14 - A profile of 14 is a special case which indicates possible corruption of a database. Special
instructions for following up on a type 14 attack are provided later in this document.

Step 2 - Identify Hosts and Backupsets Suspect of a Ransomware Attack


Note the values in these columns:

Backup Server – Backup Server is the Host name or Host ID of the server that is suspect of a ransomware
attack. The Backup Server is synonymous with “Host” or “Location” when you perform a search.

Backupset ID – The Backupset ID is the ID of the Backupset that was analyzed and found to be suspect of a
ransomware attack. Searches can be limited to a specific Backupset ID.

Compare ID - An Identifier that CyberSense uses to identify earlier Analytic data for the same backupset. This
value will determine what type of search you will perform to identify the suspect files. When the Compare ID is
populated, a “Comparison Observation” was performed, i.e. we have analyzed a backup for this host before.
The tagging of representative files as “/suspect” is more likely, but not guaranteed. When the Compare ID is
blank, a “Single Observation” was performed indicating that this is the first-time analysis of a backup for this
host so there is nothing to compare against. The possibility of a false positive alert in this case is higher than
for a Comparison Observation. Tagging of representative files as /suspect for a Single Observation is not
guaranteed.

After recording these values for one or more suspect backup sets, you can begin to identify suspect files.

Step 3 - Identify Suspect Files
CyberSense provides several detailed reports that will assist in the diagnosis of and recovery from an attack.
High level reports help you get an idea of which hosts, filetypes and file extensions to investigate and with
what priority. These are accessed from the Search menu of the CyberSense GUI.

Log in to the Index Engines CyberSense GUI.

Open the Search page by clicking Search located along the top right side of the page.

Configure the user’s Search Preferences as described in the appendix of this document. This need only be done
once for each user if the preferences are properly saved.

• If more than one row contains a non-zero value in the Alert column, you can choose to search for the
  suspect files on each host individually or all hosts together. We will assume that you will search them
  individually.

• Set the Query criteria and Search.
  o The search criteria should be tag:/suspect.

• Click Search. A complete listing of files matching the search criteria is displayed. Set “Results Per Page”
  to see more than 10 per page.

In some cases, suspect files will not have been tagged and you will need to enter a specific query:

For profile 4 or 5: Find high entropy files with known ransomware extensions.

(ftext:ransom) AND (entropy:>=97) AND (bsid:"<backupset id from analyze report>")

You may need to reduce or eliminate (entropy:>=97) for Profile 5, since it is a partial encryption.

For profile 8 or 10: Search for files tagged /suspect to identify the containers (files) that hold a
large amount of encrypted content. If you are unable to do so, open a case with Dell support, who
can help with an alternate search.

(tag:/suspect) AND (bsid:"<backupset id from analyze report>")

To identify the content in each container, search for each container by name with preferences set
to objects to see the container and the encrypted content.

For profile 13: This applies only to Windows virtual disk backups and can be ignored if the backup is
not a Windows virtual disk backup. It indicates that a backup of the host has the profile of a backup
that was made of the identified host after the HermeticWiper ransomware attack was enabled. In most cases,
the Analysis report will show 0 (blank) files in the “This File Count” column when the “Prior File Count”
was non-zero.

A false positive profile 13 alert might be raised in some cases where the analysis job was canceled
during indexing.

A search for individual files is not relevant in this case. Investigate the host(s) for further evidence
of the HermeticWiper ransomware.

For profile 14: Find database files that were determined to be corrupt.

(st:corrupt) AND (ft:db) AND (bsid:"<backupset id from analyze report>")

For other profiles:

(ft:DEF or doc:extmismatch) AND (entropy:>=97) AND (bsid:"<backupset id from analyze report>")

ft:DEF – These are file types that CS “tasters” could not identify by analyzing the structure of the
file.

doc:extmismatch – These are files whose type was determined by “tasters” to be different from what
their extension implies. Since the recommended preferences include the flag identifying the cases
where the file extension does not match what CS determined the filetype to be, you will be able to
separate these out of the .CSV with a filter in Excel.

Tasters are programs that analyze a file’s structure to determine the filetype. CS includes hundreds
of tasters and more can be added as needed.

The above examples also limit the search to files with an entropy of 97 or higher (entropy:>=97).

• This listing can be downloaded to a .CSV file. To download, select all the files you wish to export. Then
click the Select Action drop-down menu. Choose a download option.
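The triage in Steps 1 to 3 above (filter the Analysis Report to the non-blank Alert rows, record Backup Server, Backupset ID and Compare ID, then run the tag:/suspect search and fall back to the per-profile manual query) can be scripted against the downloaded .CSV. The Python below is an added example written for this workflow; it is not Index Engines or Dell code. The Analysis Report column names and the sample rows are constructed assumptions (a real export carries many more columns), while the queries are the ones given in the text above.

```python
import csv
import io

# Attack profile numbers and names as listed in this guide.
ATTACK_PROFILES = {
    1: "Strong Encrypt w/ Original Filename",
    4: "Strong Encrypt w/ New Known Ransomware Extension",
    5: "Partial Encrypt w/ New Known Ransomware Extension",
    6: "Strong Encrypt w/ Obfuscated Filename",
    8: "Individual Archival",
    10: "Group Archive",
    13: "HermeticWiper",
    14: "Corrupt Database Page",
}

# Constructed sample of an Analysis Report export. Column names are assumed from
# the terms this guide uses; they are not a documented export layout.
SAMPLE_REPORT = """Backup Server,Backupset ID,Compare ID,Alert,This File Count,Prior File Count
fileserver01,bs-1001,cmp-0900,4,120000,119800
dbserver02,bs-1002,,14,3500,
winvm03,bs-1003,cmp-0910,13,,88000
fileserver04,bs-1004,cmp-0920,,64000,63990
appserver05,bs-1005,,5,9000,
"""


def suspect_backupsets(report_csv):
    """Steps 1 and 2: keep only rows whose Alert column is non-blank and record
    the attack profile, host, backupset and observation type for each."""
    rows = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        alert = (row.get("Alert") or "").strip()
        if not alert:
            continue
        profile = int(alert)
        this_count = (row.get("This File Count") or "").strip()
        prior_count = (row.get("Prior File Count") or "").strip()
        entry = {
            "host": row["Backup Server"].strip(),
            "bsid": row["Backupset ID"].strip(),
            "profile": profile,
            "profile_name": ATTACK_PROFILES.get(profile, "unknown profile"),
            # Blank Compare ID = Single Observation (first analysis of this host):
            # higher false-positive risk, and /suspect tagging is not guaranteed.
            "observation": "comparison" if (row.get("Compare ID") or "").strip() else "single",
            "note": "",
        }
        # Profile 13 pattern from the guide: current file count blank/0 while the
        # prior count was non-zero. Only meaningful for Windows virtual disk backups.
        if profile == 13 and this_count in ("", "0") and prior_count not in ("", "0"):
            entry["note"] = "file count dropped from %s to 0; confirm Windows VM backup" % prior_count
        rows.append(entry)
    # Comparison observations first: /suspect tagging is more likely there.
    rows.sort(key=lambda r: (r["observation"] != "comparison", r["host"]))
    return rows


def search_queries(profile, bsid):
    """Step 3: the primary tag:/suspect query for a backupset, plus the manual
    fallback query this guide gives for the profile when nothing was tagged."""
    scope = '(bsid:"%s")' % bsid
    if profile == 13:
        # Per the guide, a file search is not relevant; investigate the host.
        return {"primary": None, "fallback": None}
    primary = "(tag:/suspect) AND " + scope
    if profile == 4:
        fallback = "(ftext:ransom) AND (entropy:>=97) AND " + scope
    elif profile == 5:
        fallback = "(ftext:ransom) AND " + scope  # partial encryption: entropy filter dropped
    elif profile in (8, 10):
        fallback = None  # guide: open a support case for an alternate search
    elif profile == 14:
        fallback = "(st:corrupt) AND (ft:db) AND " + scope
    else:
        fallback = "(ft:DEF or doc:extmismatch) AND (entropy:>=97) AND " + scope
    return {"primary": primary, "fallback": fallback}


def triage(report_csv):
    """Run Steps 1 to 3 over a report and attach the queries to each suspect row."""
    result = []
    for entry in suspect_backupsets(report_csv):
        entry.update(search_queries(entry["profile"], entry["bsid"]))
        result.append(entry)
    return result


if __name__ == "__main__":
    for e in triage(SAMPLE_REPORT):
        print(e["host"], e["bsid"], e["profile"], e["profile_name"], e["observation"])
        print("   primary :", e["primary"])
        print("   fallback:", e["fallback"], e["note"])
```

Point `triage()` at the contents of the report you downloaded from the CR GUI (not the emailed copy, whose hostnames are obfuscated) and paste each query into the CyberSense Search page; the ordering puts Comparison Observations first because they are less likely to be false positives.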

Step 4 - Get Reports
The search results may contain a very large set of files, but these are typically grouped into manageable sets
based on common paths and file types or extensions. Summary Reports can help you prioritize which files to
investigate first by host, filetype or extension.

On the “Reports” tab of the search screen, click the drop-down Report menu to select a summary report, such
as the File Type report:

The File Type report shows the true file type (based on the file header) of the corrupt files:

• A report on Hosts shows the location of all the corrupt files.
• An Owner report shows the owner of the corrupt files.
• An Extension report shows the extension (which could include .lol, .encrypted, etc.) of the corrupt files.

All the different reports you chose on the Search->Preferences page can be downloaded in PDF or CSV format,
or you can download only the currently selected report:

Step 5 - Investigate Suspect Files
Investigate groups of files in the search results to determine which files, if any, are encrypted by ransomware,
and which can be determined to be of high entropy for legitimate reasons, have file types that may be
unknown to CyberSense, or have ransomware extensions for legitimate reasons.
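Step 5 asks you to separate files that are actually encrypted from files that are high-entropy for legitimate reasons (compressed archives, office documents, images) or whose type is simply unknown to CyberSense. The Python below is an added example, not part of this guide or of the CyberSense product: a toy "taster" that identifies a file type from its header, a Shannon entropy score scaled to 0-100 (that scaling is an assumption chosen to line up with the guide's entropy:>=97 threshold, not CyberSense's actual metric), and a classification that mirrors the ft:DEF / doc:extmismatch logic above. The header table, extension map and sample files are all constructed for the example.

```python
import math
import random

# Minimal constructed set of "tasters": magic headers that identify a file type
# from its structure. CyberSense ships hundreds; these four are for illustration.
MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",  # docx/xlsx are zip containers
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpg",
}
# Taster type each extension is expected to carry (constructed mapping).
EXPECTED_TYPE = {"pdf": "pdf", "zip": "zip", "docx": "zip", "xlsx": "zip",
                 "png": "png", "jpg": "jpg"}
# Extensions this guide cites as examples of ransomware renaming.
RANSOM_EXTENSIONS = {"lol", "encrypted"}
ENTROPY_THRESHOLD = 97  # the guide's entropy:>=97 cut-off


def entropy_score(data):
    """Shannon entropy in bits per byte, scaled to 0-100. The scaling is an
    assumption made to line up with the guide's 0-100 entropy values."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    bits = -sum(c / n * math.log2(c / n) for c in counts if c)
    return bits / 8 * 100


def taste(data):
    """Identify the file type from its header; 'DEF' means no taster matched,
    mirroring the guide's ft:DEF (structure not identified)."""
    for magic, ftype in MAGIC.items():
        if data.startswith(magic):
            return ftype
    return "DEF"


def classify(name, data):
    """Triage one file the way Step 5 asks: is the high entropy explained by a
    recognised structure, or is the type unidentified or mismatched?"""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ftype = taste(data)
    score = round(entropy_score(data), 1)
    expected = EXPECTED_TYPE.get(ext)
    mismatch = expected is not None and ftype != expected
    if ext in RANSOM_EXTENSIONS:
        verdict, reason = "suspect", "known ransomware extension"
    elif score >= ENTROPY_THRESHOLD and (ftype == "DEF" or mismatch):
        detail = "extension mismatch" if mismatch else "unidentified type"
        verdict, reason = "suspect", "high entropy and " + detail
    elif score >= ENTROPY_THRESHOLD:
        verdict, reason = "review", "high entropy but structure matches a known type"
    else:
        verdict, reason = "clean", "low entropy"
    return {"name": name, "type": ftype, "entropy": score,
            "ext_mismatch": mismatch, "verdict": verdict, "reason": reason}


def _random_bytes(seed, n=4096):
    # Seeded so the sample "encrypted" content is repeatable between runs.
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample files standing in for downloaded search results.
SAMPLES = {
    "report.docx": b"PK\x03\x04" + _random_bytes(1),   # compressed office file: legitimately high entropy
    "budget.xlsx": _random_bytes(2),                   # header gone, content random: extension mismatch
    "notes.txt": b"Quarterly notes: nothing unusual.\n" * 100,
    "invoice.pdf": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
    "photo.jpg.encrypted": _random_bytes(3),           # renamed with a ransomware extension
}


def triage_samples():
    """Verdict per sample file name."""
    return {name: classify(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = classify(name, data)
        print("%-22s %-4s entropy=%5.1f %-8s %s" % (name, r["type"], r["entropy"], r["verdict"], r["reason"]))
```

The "review" verdict is the case the guide warns about: a compressed or already-encrypted document scores above the threshold yet its structure is recognised, so it is a candidate false positive rather than evidence of an attack; the "suspect" verdicts are the ones to compare against an earlier backup copy.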

Special case – Attack Profile 14


Type 14 indicates a "corrupt" database or page corruption on the host(s) displayed for that row of the Analysis
Report.

1. The Status Message columns of the search results will provide detail on why the database was
   considered “corrupt”.
2. Do an integrity check on that database and ultimately on a recovered copy from the vault.
3. Determine if that database was only partially backed up for any reason (e.g., it was not idle when
   backed up or the backup was not complete when replicated to the vault).
4. If you can show that the database that was on the Mtree was incorrectly flagged as corrupt, open a
   case with Dell Support. They will need to collect a log set and answers to these questions:

• Which type(s) of databases is/are being backed up? (Versions?)
• How were the databases backed up and placed on the Mtree?
• Are backups full, incremental or a combination?
• Are the databases encrypted or compressed? Provide details (What type of
  encryption/compression? What application was used? What version?)
• How frequently are databases backed up?
• Is database backup done in one file or split into multiple files?

Step 6 – Perform Recovery Steps
If your investigation confirms that a server or servers have been affected by ransomware, perform the needed
recovery of those servers.

Step 7 - Clear Alerts and Tags

1. The alert will continue to show up in the CyberSense email report and on the CR GUI as a “Previous
Infection Found” until you acknowledge it on the ALERTS menu of the CyberSense GUI.

2. Clear Cybersense Indication from the Actions dropdown in the Results section of the Search page after
searching for and selecting all /suspect files so that already tagged and investigated files do not
continue to appear as tagged in subsequent searches unless they are again determined to be among
the files that are suspect as the result of a new analysis and alert.

Appendix

Search Preferences for CyberSense


The Search page is highly customizable to support Index Engines applications other than CyberSense. Below
are the required settings for the CyberSense Post Attack Workflow. Use the orange SAVE buttons to save the
settings for each section.

Settings (Click the lock icon when complete to save this setting)

1. Deduplication – Show All
2. View – Responsive

Index Preferences

1. Display Backup Properties – Checked
2. Include Backups as Results – Unchecked
3. Local to Engine – Unchecked
4. Global to Index – Checked
5. Ignore Nist Files – Unchecked

Duplicate By – These will be disabled because you selected Deduplication – Show All.

Result modes

1. Attachments – Searched Together with Messages
2. Data Types – Files

Views to Process

1. Deselect Parent, Family, Backupset

CSV Fields – These are the fields that will be included in the CSV file that will contain the results of the search.
Below is a list of recommended settings but the user can choose to add or remove from this list. Changes will
apply to the next search.

Access Time, Author, Backup Client Type, Backup Format, Backup Host, Backup Policy, Backup Software,
Backup Time, Backup Volume, Backupset ID, Backupset ID Long Form, Creation Time, Deactivation Time,
Deduplicated Copies, Deletion Time, Document Modification Time, Encrypted Child Percentage, Extension,
Extension Mismatch, File Entropy, File Entropy Delta, File Similarity, File Type, File Type Display Name,
File Name, Hosts, Last Modifier, Modification Age, Modification Time, Owner, Path, Size, all the
“Status Message XYZ” fields, Tags, Verbose Flags

Attack Profiles
Each attack profile is associated with a number as shown in the following list:

1 - Strong Encrypt w/ Original Filename
4 - Strong Encrypt w/ New Known Ransomware Extension
5 - Partial Encrypt w/ New Known Ransomware Extension
6 - Strong Encrypt w/ Obfuscated Filename
8 - Individual Archival – Single file now encrypted into Zip or RAR. Original deleted.
10 - Group Archive – Multiple files now encrypted into Zip or RAR. Originals deleted.
13 - HermeticWiper – Applies to Windows disk image backups
14 - Corrupt Database Page

Summary of Workflow Steps
This is provided as a refresher for anyone who knows how to execute the needed steps but needs to be
reminded of the workflow.

1) Identify the attack profile – Download a copy of the Analysis Report for the suspicious copy and get
the non-zero attack profile(s) from the “Alert” column.

2) Identify hosts and backupsets suspect of a ransomware attack – From the Backup Server and
Backupset ID columns of the Analysis Report.

3) Identify suspect files – Make sure that search preferences are properly set. Query for (tag:/suspect)
AND (bsid:"<Backupset ID>") for each suspect backupset. Download the results to be viewed in Excel
or another .CSV viewer. If there are no files tagged /suspect, perform additional manual searches
described in this document or open a Support case.

4) Get summary reports – Use summary reports to help you prioritize which files to investigate first by
host, filetype or extension and more.

5) Investigate suspect files – Investigate some or all files on the identified server to determine if they are
as expected or if they have been tampered with by ransomware. The files may have been modified in
the manner indicated by the attack profile.

6) Perform Recovery Steps – If your investigation confirms that a server or servers have been affected by
ransomware, perform the needed recovery of those servers.

7) Clear alerts and tags – Clear Cybersense Indication from the Actions dropdown in the Results section
of the Search page after searching for and selecting all /suspect files so that already tagged and
investigated files do not continue to appear as tagged in subsequent searches unless they are again
determined to be among the files that are suspect as the result of a new analysis and alert.

Copyright Notice

© 2020 Index Engines Inc., All rights reserved.

No part of this document may be reproduced in any form or by any means or be used to make any derivative
work (including translation, transformation or adaptation) without explicit written consent of Index Engines
Inc. The information in this manual is distributed on an “As Is” basis, without warranty. While every precaution
has been taken in the preparation of the manual, neither the authors nor Index Engines shall have liability to
any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by
the instruction contained in this document.

Trademark Acknowledgements

Power Over Information is a trademark of Index Engines Inc. Docker is a registered trademark of Docker, Inc. in
the United States and/or other countries. Linux® is a registered trademark of Linus Torvalds in the U.S. and
other countries. Red Hat and Enterprise Linux are registered trademarks of Red Hat, Inc. All other brand,
product names, or service marks are trademarks or registered trademarks of their respective owners.
