(Part 3) Backup is good. Restore is great. But testing your data is even better: the script : security checks.


As I mentioned in the previous posts (click here: post 1: the concept, post 2: the script), “Backup” is one of the key pillars of security.

It will not only help you when you have made a mistake (restore the data to fix it), but also help you cope with security attacks.

Most countries around the world have security agencies there to help you, not only as a company but also as a citizen.

In France, ANSSI (https://www.ssi.gouv.fr/entreprise/precautions-elementaires/dix-regles-de-base/) reminds you of the 10 basic rules of security, which of course include the backup pillar.


The FBI, in the USA, also recommends “Cloud Backup” to face ransomware: https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise


If you think “hybrid infrastructure”, you can easily turn this very standard “Backup” concept into something more modern and more efficient.

You will then not only lower your costs by storing your data in Microsoft datacenters, but also embrace the power of hybrid to add more “value” to this backup scenario.


In the previous posts I introduced in detail the concept I wanted to cover in this series of 3 articles:

1) Ability to back up to the Cloud leveraging Azure Backup (servers and workstations): no more tapes, no more devices to read these tapes, no more expensive external storage, etc.

2) Now that data is stored and secured in Azure, you can automate restore tests on a monthly basis to validate at 100% that your data is ready to be used in case of a problem. Backup is good, restore is better! And it can be totally automated. Some regulations require you to “test” restores to be compliant. This will be done from Azure (storage) to Azure (a VM automating this), in the same datacenter, so it is extremely quick.

3) But let’s go higher: why don’t we leverage this restored data and run security checks on it, just to make sure that the data does not contain threats that were not detectable in the past?


If you combine all the layers (backup, restore, security checks) of this approach, you are really in a hybrid world!


What are these checks?

It is always interesting to see that if you ask the same question to different people (with different roles in a team), you may get different answers. In fact the sum of their answers makes the global concept even bigger. Here is my quick experience with this question:


1) Some people told me that they wanted technical statistics about the data itself, in terms of quantity, type and volume: why don’t you run solutions such as TreeSize or others?

2) Security folks asked me to run an antivirus scan, a deep one. As you may know, Windows 2016 (the OS I selected for my VM in Azure) contains Defender by default. This product is also scriptable; we will leverage this too.

3) Others will ask to check for ransomware, and not only on servers, but also on workstations, especially those of VIPs.


... but the sky is the limit.


For your company, you really need to go through this brainstorming phase and identify what makes sense for you, in fact for all members of the team. But let’s see how to implement these 3 examples:


Example 1: data statistics

There are many products on the market to analyze data (a disk, a volume, ...).

For this article I chose TreeSize (I installed the free/eval version, which is scriptable), a powerful application that can generate reports and bring benefits to your team.


Here is the code I used:

# TreeSize command line: save a headerless text report of C:\ to d:\Myreport.txt, without the GUI
$treeSizeDir = "c:\Program Files\JAM Software\TreeSize"
$params = "/SAVE d:\Myreport.txt /NOHEADERS /EXPAND 5 /SIZEUNIT 3 /NOGUI /SORTTYPE 1 c:\"
# -Wait so that the report file exists before it is attached to the email below
Start-Process -FilePath (Join-Path $treeSizeDir "TreeSize.exe") -ArgumentList $params -WorkingDirectory $treeSizeDir -Wait


Once the report is generated, I can simply “Add” the file to the automated email that will contain the results of all my checks, including the ones below.


Example 2: virus (and other threats) deep search

As I mentioned, Windows 2016 has Defender installed by default. You can also script this great product with the code below:

"Updating definition file"
Update-MpSignature
"Starting SCAN, Custom"
# Custom scan limited to the restored data; the cmdlet returns when the scan has finished
Start-MpScan -ScanType CustomScan -ScanPath "D:\RESTAURE"

"Extracting detected problems. Criteria is 'detected today'"
# Example filter: keep only detections made today (AddDays(0)); use -1 for yesterday, and so on
#Get-MpThreatDetection | Where-Object {$_.InitialDetectionTime.Date -eq (Get-Date).AddDays(0).Date}
$AVFound = Get-MpThreatDetection | Out-String

The commented-out line is an example of what you can add to the search. In this example the argument of “AddDays” could be 0 (today), -1 (yesterday), and so on.
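As an added example (this is not the code from the original post), here is a more readable variant of the same Defender check: instead of dumping Get-MpThreatDetection as one big string, it joins each detection with Defender's threat catalogue (Get-MpThreat) to get the threat name, keeps only the hits located under the restore folder, and produces a table for the email. The function name Get-RestoreThreatReport is mine, and it assumes that each entry of the Resources property is formatted as "file:_<full path>", which is how Defender reports file detections.

```powershell
# Added example, not from the original post. Requires the Defender cmdlets (present on Windows 2016).
function Get-RestoreThreatReport {
    param(
        [Parameter(Mandatory)][string]$RestorePath,
        # Only detections made at or after this time (default: since midnight today)
        [datetime]$Since = (Get-Date).Date
    )
    # Build a ThreatID -> ThreatName lookup from Defender's threat catalogue
    $threatNames = @{}
    foreach ($t in Get-MpThreat) { $threatNames[$t.ThreatID] = $t.ThreatName }

    $prefix = $RestorePath.TrimEnd('\')
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $Since } |
        ForEach-Object {
            $detection = $_
            # Assumption: each Resources entry looks like "file:_D:\RESTAURE\sub\evil.exe";
            # keep only files inside the restore folder
            foreach ($resource in $detection.Resources) {
                if ($resource -like "file:_$prefix\*") {
                    [pscustomobject]@{
                        Detected   = $detection.InitialDetectionTime
                        Threat     = $threatNames[$detection.ThreatID]
                        File       = $resource -replace '^file:_', ''
                        Remediated = $detection.ActionSuccess
                    }
                }
            }
        }
}

# Usage in the restore-check script: run the custom scan first (see above), then summarize
$threats = @(Get-RestoreThreatReport -RestorePath 'D:\RESTAURE')
if ($threats.Count -gt 0) {
    $AVFound = $threats | Sort-Object Detected | Format-Table -AutoSize | Out-String
} else {
    $AVFound = "No threats detected under D:\RESTAURE since $((Get-Date).Date)."
}
```

Filtering on the restore path matters on a shared VM: Get-MpThreatDetection returns every detection on the machine, so without the filter a hit elsewhere on the system would be reported as a problem in the restored backup.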


Example 3: anticipate ransomware attacks

That is not an easy topic.

Browsing around for expert feedback, I found this article: https://www.netfort.com/blog/methods-for-detecting-ransomware-activity/.

The author mentioned that it could be interesting to look for some specific file extensions, in fact the most common ones used by the developers of such malware.


So it took just a few seconds to add a search to the global script:


# Extensions commonly appended by ransomware families (list taken from the article above, duplicates removed).
# -Include does the matching when combined with -Recurse; the original -Filter *.* was redundant.
$ransomExtensions = @(
    '*.enc', '*.R5A', '*.R4A', '*.encrypt', '*.locky', '*.clf', '*.lock', '*.cerber', '*.crypt', '*.coverton',
    '*.enigma', '*.czvxce', '*.scl', '*.crinf', '*.crjoker', '*.encrypted', '*.code', '*.CryptoTorLocker2015!',
    '*.ctbl', '*.locked', '*.ha3', '*.cry', '*.crime', '*.btc', '*.kkk', '*.fun', '*.gws', '*.keybtc@inbox_com',
    '*.kimcilware', '*.LeChiffre', '*.oor', '*.magic', '*.fucked', '*.KEYZ', '*.KEYH0LES', '*.crypted', '*.LOL!',
    '*.OMG!', '*.porno', '*.RDM', '*.RRK', '*.RADAMANT', '*.kraken', '*.darkness', '*.nochance', '*.oshit',
    '*.oplata@qq_com', '*.relock@qq_com', '*.crypto', '*.helpdecrypt@ukr', '*.pizda@qq_com', '*.dyatel@qq_com_ryp',
    '*.nalog@qq_com', '*.chifrator@qq_com', '*.gruzin@qq_com', '*.troyancoder@qq_com', '*.AES256', '*.hb15',
    '*.vscrypt', '*.infected', '*.bloc', '*.korrektor', '*.remind', '*.rokku', '*.encryptedAES', '*.encryptedRSA',
    '*.encedRSA', '*.justbtcwillhelpyou', '*.btcbtcbtc', '*.btc-help-you', '*.only-we_can-help_you', '*.sanction',
    '*.sport', '*.surprise', '*.vvv', '*.ecc', '*.exx', '*.ezz', '*.abc', '*.aaa', '*.zzz', '*.xyz', '*.biz',
    '*.micro', '*.xxx', '*.ttt', '*.mp3', '*.better_call_saul', '*.xtbl', '*.vault', '*.xort', '*.trun',
    '*.CrySiS', '*.EnCiPhErEd', '*.73i87A', '*.p5tkjw', '*.PoAr2w', '*.xrtn'
)
$ransom = Get-ChildItem d:\RESTAURE -Force -Recurse -Include $ransomExtensions | Out-String
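The extension list only catches families that rename files. As an added example that goes beyond the original post (this is my code, not the author's or the article's), here are two more heuristics that can run on the restored data: ransom notes, which ransomware drops in many folders under recognizable names, and files whose content has a Shannon entropy close to 8 bits per byte even though their type should be plain or structured data. The function names, the entropy threshold, the list of "expected high entropy" formats and the ransom-note name patterns are all my own choices, given here as illustrative values.

```powershell
# Added example, not from the original post: two extra ransomware heuristics for the restored data.

# Shannon entropy (bits per byte) of the first $SampleBytes of a file:
# roughly 4 to 5 for text, close to 8 for compressed or encrypted content
function Get-FileEntropy {
    param([Parameter(Mandatory)][string]$Path, [int]$SampleBytes = 65536)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $SampleBytes
        $read = $stream.Read($buffer, 0, $SampleBytes)
    } finally {
        $stream.Dispose()
    }
    if ($read -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    for ($i = 0; $i -lt $read; $i++) { $counts[$buffer[$i]]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $read
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-RansomwareIndicators {
    param(
        [Parameter(Mandatory)][string]$RestorePath,
        [double]$EntropyThreshold = 7.5,
        # Formats that are compressed or encrypted by design, so high entropy is normal for them (my list)
        [string[]]$ExpectedHighEntropy = @('.zip', '.7z', '.rar', '.gz', '.cab', '.png', '.jpg', '.jpeg', '.gif',
                                           '.mp3', '.mp4', '.pdf', '.docx', '.xlsx', '.pptx', '.exe', '.dll'),
        # Constructed ransom-note name patterns, illustrative only
        [string[]]$NotePatterns = @('*DECRYPT*', '*RECOVER*FILES*', '*RESTORE*FILES*', '*HOW_TO*', '*READ_ME*', '*README*.hta')
    )
    $files = Get-ChildItem -Path $RestorePath -File -Recurse -Force -ErrorAction SilentlyContinue

    # Heuristic 1: ransom notes, typically many identical small text/HTML files spread across folders
    $notes = $files | Where-Object {
        $name = $_.Name
        @($NotePatterns | Where-Object { $name -like $_ }).Count -gt 0
    } | ForEach-Object {
        [pscustomobject]@{ Indicator = 'RansomNote'; Path = $_.FullName; Detail = "$($_.Length) bytes" }
    }

    # Heuristic 2: files that should be readable data but look like random bytes
    $encrypted = $files |
        Where-Object { $_.Length -ge 4096 -and $ExpectedHighEntropy -notcontains $_.Extension.ToLower() } |
        ForEach-Object {
            $e = Get-FileEntropy -Path $_.FullName
            if ($e -ge $EntropyThreshold) {
                [pscustomobject]@{ Indicator = 'HighEntropy'; Path = $_.FullName; Detail = "entropy $([Math]::Round($e, 3)) bits/byte" }
            }
        }

    @($notes) + @($encrypted)
}

# Usage in the restore-check script, next to the extension search above
$ransomIndicators = Find-RansomwareIndicators -RestorePath 'D:\RESTAURE'
$ransomHeuristics = $ransomIndicators | Format-Table -AutoSize | Out-String
```

The entropy check is a heuristic, not a verdict: a folder full of encrypted archives or a renamed .docx (which is a zip file) will legitimately score high, so the value of the check is in the comparison with the previous month's restore. A sudden jump in the number of high-entropy files, or ransom notes appearing in hundreds of folders, is the signal worth an alert.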


Conclusion

So it is extremely easy to write a script that will both restore data and run several security checks. At the end, you will receive an email with all the information you need.
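To tie the three checks together, here is an added example of that final reporting step (my code, not the author's script): it builds the email body from the variables used in the examples above ($AVFound from Example 2, $ransom from Example 3), attaches the TreeSize report from Example 1, puts ALERT or OK in the subject depending on whether any check returned something, and sends it with Send-MailMessage. The function name Send-RestoreCheckReport, the SMTP server and the mail addresses are placeholders.

```powershell
# Added example, not from the original post: send the consolidated report at the end of the restore-check script.
function Send-RestoreCheckReport {
    param(
        [Parameter(Mandatory)][string]$SmtpServer,     # placeholder: your relay or hosted SMTP endpoint
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string[]]$To,
        [pscredential]$Credential,                      # omit for a relay that trusts the VM's address
        [string]$StatsReport = 'd:\Myreport.txt',       # TreeSize output from Example 1
        [string]$AntivirusResult,                       # $AVFound from Example 2
        [string]$RansomwareResult                       # $ransom from Example 3
    )
    $sections = [ordered]@{
        'Antivirus scan'        = $AntivirusResult
        'Ransomware indicators' = $RansomwareResult
    }
    # A check "found something" when its text is non-empty after trimming
    $findings = $sections.GetEnumerator() | Where-Object { -not [string]::IsNullOrWhiteSpace($_.Value) }
    $status = if (@($findings).Count -gt 0) { 'ALERT' } else { 'OK' }

    $body = "Restore test of $(Get-Date -Format 'yyyy-MM-dd') on $env:COMPUTERNAME`r`n`r`n"
    foreach ($s in $sections.GetEnumerator()) {
        $text = if ([string]::IsNullOrWhiteSpace($s.Value)) { '(nothing found)' } else { $s.Value }
        $body += "=== $($s.Key) ===`r`n$text`r`n`r`n"
    }

    $mail = @{
        SmtpServer = $SmtpServer; From = $From; To = $To
        Subject    = "[$status] Restore test and security checks - $(Get-Date -Format 'yyyy-MM-dd')"
        Body       = $body
        UseSsl     = $true
    }
    if ($Credential) { $mail.Credential = $Credential }
    if (Test-Path $StatsReport) { $mail.Attachments = $StatsReport }
    Send-MailMessage @mail
    return $status
}

# Usage at the end of the script (addresses are placeholders)
$status = Send-RestoreCheckReport -SmtpServer 'smtp.example.com' -From 'restore-test@example.com' `
    -To 'security-team@example.com' -AntivirusResult $AVFound -RansomwareResult $ransom
```

Putting the status in the subject lets the team filter on "[ALERT]" instead of opening every monthly email, and returning it from the function lets the calling script exit with a non-zero code so that the scheduler (or Azure Automation job) also records the failure.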


This can be done in PowerShell, leveraging of course Azure Backup scripting, but also the power of PowerShell in general.


In this last post, I showed you a few basic examples of “security checks” you can add to your process. This way, you are not only checking that the restore worked, but also checking the data.


Feel free to send me some examples of your checks; I will add them to this page with kudos!
