#CyberFit Academy
Cyber Protect Cloud
Cloud Tech - Advanced Security

Introductions

Today's Speaker

Steve Brining
Partner Technology Evangelist – Cyber Protect
Acronis

Steve Brining serves as the partner technology evangelist for Acronis Cyber Protect at Acronis. Prior to Acronis, Mr. Brining honed his skills for over 25 years as a cybersecurity expert at PatchLink, McAfee, BeyondTrust and other technology companies. Mr. Brining holds a Master of Business Administration in E-Business and a Master of Science in Technology and Innovation Management with a specialization in Cybersecurity, and is a Commanding Officer in the Arizona Army National Guard.

Course Summary

Instructor-led technical training

Introductory course designed to help establish a baseline knowledge

Assessment:
• 20 MCQ questions
• 60 minutes working time
• 70% passing grade
• Two attempts given
• Open book

Target Persona

Tech Leader (along with employees on team)

Service Provider
• Wants to improve the managed services offerings with vendor solutions that understand service providers' ability to deliver, automate, train, support and manage these solutions while integrating them into their stack of tools
• Interested in training, updating, automating processes and cybersecurity issues focused on pain points

Learning Objectives

After finishing this instruction you will be able to:
• Understand technical aspects of the Advanced Security Pack
• Understand the features (core security versus advanced security pack), what they mean and how they are utilized
• Support and maintain clients on the Advanced Security Pack

Course Modules

1. High Level Overview and Benefits
2. Core Solution - Security Components
3. Advanced Security - Technical Discussion (Part 1, 2, 3)
4. Scenarios and Examples

Certification Track

STEP 1: Cloud Tech Fundamentals – already should have taken
STEP 2: Cloud Tech Associate (Security/Backup/Disaster Recovery) – next step, you are here
STEP 3: Cloud Tech Professional – final step

Acronis #CyberFit Cloud Tech Associate Certifications (STEP 2) consist of the following courses (specializations). Let’s start here.

Optional:

Cyber Protect Cloud
High Level Overview and Benefits

Best-in-breed backup combined with integrated security and management

• Protect every workload
• Best-in-breed backup included at no charge
• Strengthens your AV against zero-day threats
• Accelerate security and manageability
• Add Advanced packs: Security, Management, Backup, Disaster Recovery, Email Security, File Sync and Share
• Optimize for every workload
• Easy to upsell
• Vendor consolidation
Cyber Protect Cloud
Core Solution – Security Components

1. #CyberFit Score
2. Vulnerability Assessment
3. Device Control
4. Quarantine
5. Active Protection
6. Anti-Virus (without local signature-based engine)

Cyber Protect Cloud
#CyberFit Score

Acronis #CyberFit Score
Simplify MSP operations and service upselling

Assess the level of protection of any machine:
• Is backup enabled?
• Is anti-malware installed?
• Is the firewall in place?
• Are HDDs encrypted?
• Is a VPN in use?

Suggests remediation options based on assessment

(Screenshots: CyberFit score column in the console; Help and Options)
#CyberFit Score for machines

Based on security assessment of a machine (max 850):
• Supported OS: Windows 7, Windows Server 2008 R2 and above
• Recalculated when a Protection Plan is applied or any module in the Protection Plan is run

#CyberFit scoring mechanism:
• Anti-malware protection: 0-275
• Backup protection: 0-175
• Firewall: 0-175
• Encryption: 0-125
• VPN: 0-75
• NTLM traffic: 0-25

#CyberFit Score

The following ratings apply to a machine:
• 0-579: Poor
• 580-669: Fair
• 670-739: Good
• 740-799: Very Good
• 800-850: Excellent
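As an added illustration (not Acronis code, and not the product's actual scoring logic), the following Python combines per-control point values into a score using the control maxima and rating bands listed on these slides. How the product awards partial credit inside a control's range is not stated here, so the function takes the points as input and only validates them; the `full_credit_except` helper and the sample machines are constructed to show which missing control costs the most.

```python
# Added example (not Acronis code): combine the per-control point values from
# the slides into a #CyberFit-style score and map it to the rating bands.

# Maximum points per control (they sum to 850), from the slides.
MAX_POINTS = {
    "anti_malware": 275,
    "backup": 175,
    "firewall": 175,
    "encryption": 125,
    "vpn": 75,
    "ntlm_traffic": 25,
}

# Rating bands as (inclusive lower bound, label), highest first, from the slides.
RATING_BANDS = [
    (800, "Excellent"),
    (740, "Very Good"),
    (670, "Good"),
    (580, "Fair"),
    (0, "Poor"),
]


def cyberfit_score(points):
    """Sum the per-control points after validating each against its maximum.

    `points` maps control name -> points awarded; a control that is absent
    counts as 0 (not in place). How partial credit is awarded inside a
    control's range is not described on the slides, so the caller supplies it.
    """
    unknown = set(points) - set(MAX_POINTS)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    total = 0
    for control, maximum in MAX_POINTS.items():
        value = points.get(control, 0)
        if not 0 <= value <= maximum:
            raise ValueError(f"{control}: {value} is outside 0-{maximum}")
        total += value
    return total


def cyberfit_rating(score):
    """Map a 0-850 score to the slide's rating label."""
    if not 0 <= score <= sum(MAX_POINTS.values()):
        raise ValueError("score out of range")
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label


def assess(points):
    """Return (score, rating) for one machine's assessment result."""
    score = cyberfit_score(points)
    return score, cyberfit_rating(score)


def full_credit_except(*missing):
    """Constructed helper: every control at its maximum except those named."""
    return {c: (0 if c in missing else m) for c, m in MAX_POINTS.items()}


if __name__ == "__main__":
    # Constructed sample machines: which missing control costs the most?
    for label, missing in [
        ("all controls in place", ()),
        ("no VPN", ("vpn",)),
        ("no VPN, no NTLM traffic points", ("vpn", "ntlm_traffic")),
        ("no backup", ("backup",)),
        ("no anti-malware", ("anti_malware",)),
    ]:
        print(f"{label:32} -> {assess(full_credit_except(*missing))}")
```

Run as a script it lists the five constructed machines; losing anti-malware alone drops a machine from Excellent straight to Poor, whereas losing VPN and NTLM hardening together still leaves it Very Good.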

Cyber Protect Cloud
Vulnerability Assessment

Vulnerability Assessment
Discover an issue before an issue happens

• Information from NVD (National Vulnerability Database)
• CPOC sends information via agent
• Another vulnerability assessment tool:
  • Great way to validate patching
  • Loss leader opportunity
  • Patching service opportunity

• CVE: Common Vulnerabilities and Exposures
• CVSS Score (Common Vulnerability Scoring System)
  • Assigns severity scores: prioritize responses/resources
  • Low, Medium and High severity levels
    a) Low: CVSS score of 0.1 – 3.9
    b) Medium: CVSS score of 4.0 – 6.9
    c) High: CVSS score of 7.0 – 10.0
    d) None: 0
• Example: GitHub February 2021 (CVE-2021-21276)
  • Score: 9.3 Critical
• Feel free to search: https://nvd.nist.gov/vuln/search

(Screenshots: What can be scanned; Scheduling options)

Cyber Protect Cloud
Device Control

Device Control
• Protection/prevention of data leakage options
• Allowed / Read-only / Denied options
• Option: let the end user know they are trying to utilize a blocked port
• USB or FireWire port options and redirected devices
• Choose devices regardless of type permissions (exclusion type list)

(Screenshots: Device Control settings; Access settings, devices list and permissions; USB and FireWire ports, redirected devices; Device types allowlist)

Cyber Protect Cloud
Quarantine

Quarantine
Special isolated folder on a machine's hard disk where the suspicious files detected by Antivirus and Antimalware protection are placed to prevent further spread of threats

Quarantine location on machines:
• Windows: %ProgramData%\%product_name%\Quarantine
• Mac/Linux: /usr/local/share/$product_name%/quarantine
• To view, go to Anti-malware > Quarantine tab

Actions with Quarantined Files
Deleted | Restored | Added to whitelist

1. Non-malicious – add file to whitelist and restore
2. One-time action (antivirus added a specific file, for example a keygen) – use restore
3. Restoring a malicious file: detected during the next scan and quarantined again

Files are automatically deleted after the time period defined in the Anti-malware module (default 30 days)

(Screenshots: Quarantined files; Actions with quarantined files)

Cyber Protect Cloud
Active Protection

Active Protection
Backup industry’s most advanced anti-ransomware technology

• Persistently guards files, including local backups, from unauthorized modification and/or encryption attacks
• Relentlessly defends backups from alteration by hardening the Acronis agent application
• Instantly restores files to the most recently backed up version should ransomware manage to get through the defense
• Actively future-proofs your data protection because it is based on a behavioral heuristic approach and white-listing

“Acronis provided excellent performance, is easy to use and has a rich feature set. On top of that it is the only solution in the test to provide dedicated protection from ransomware attacks. This earned Acronis the first ever approved backup & data security certificate of AV-TEST.”
David Walkiewicz, Director Test Research, av-test.org

Active Protection

Protects against:
• Ransomware (AI-based and process behavior)
• Process injection and cryptomining
• Malicious intent against Acronis backup files and software
• External drive protection
• Network folder protection and server side protection

Trusted or blocked processes and folders
• Specify certain processes never considered malware
  • Home grown application example
  • Microsoft processes always trusted (still verified)
• Specify certain processes to always be blocked

Active Protection
Protects collaboration and communications applications:
• Zoom, Cisco WebEx, Microsoft Teams, Citrix Workspace
• Client updates can be installed automatically
• Protect application processes from code injections
• Preventing suspicious operations by application processes
• Protecting “hosts” file from adding domains related to application
• Supported OS: Windows and macOS

Active Protection

Monitoring processes
• Third party process tries to encrypt files (or mine cryptocurrency): goes into action
• Prevents unauthorized changes to Acronis processes, registry, configuration files, executables and backups located in local folders
• Utilizes behavioral heuristics

Ransomware blocks access to data
• Unless ransom paid, threatens to delete or make public
• Double extortion: not just encrypting but threatening to publicize data
• Different ways:
  • Open attachment: downloads malicious payload and encrypts
  • Utilize software exploits and flaws (or other vulnerabilities) to gain access
  • Internet facing servers or remote desktop logins. Hunt network until they control as much as they can before encrypting.

Active Protection

Process Injection
• Used for legitimate purposes
  • Debuggers hook to application
  • Anti-Virus services inject into browsers to investigate browser behavior, website content, and internet traffic
• Used for malicious purposes
  • Hiding true nature of actions (hide existence)
  • Mask to look like ok processes
• DLL injection most common to appear
  • Others like Portable Executable (PE) injection, process hollowing, and registry modification: we cover the gamut

Active Protection
Things to help

Active Protection
• Actively monitors local drives and prevents backup files from being modified by malicious means

Manage access control and running privileges
• Grant minimal privileges to users
• No elevation of privileges without administrator's consent
• Process launched by standard user: inherits permissions and is limited in system level changes
• Prevent malware turning off firewall or modifying registry settings

Whitelisting inside Cyber Protect
• Help prevent unvetted software running

Active Protection
Behavior and how we respond

In-place overwrite, rename or new file behavior
Ransomware opens and modifies in place, renames or creates a new file (copies original, modifies new file and deletes older).

Driver provides file access notification to service with heuristics data. Performs copy-on-write of suspicious activities. Service detects case: suspends ransomware and driver rolls back file from cache.
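The driver/service interaction above, as an added simulation that is not Acronis code and does not reproduce the product's real heuristics: an in-memory dict stands in for the disk, writes by untrusted processes are cached before they are applied (copy-on-write), a constructed entropy-based heuristic decides when the write pattern looks like in-place encryption, and on detection the process is suspended and every cached file is rolled back. The trusted-process list, the threshold values, the file names and the "video_codec.exe" process are all constructed.

```python
# Added example (not Acronis code): a simulation of the driver/service
# interaction the slides describe. An in-memory dict stands in for the disk,
# writes by untrusted processes are cached before they are applied
# (copy-on-write), a constructed entropy heuristic decides when the pattern
# looks like in-place encryption, and on detection the process is suspended
# and every cached file is rolled back.
import math
import random
from collections import Counter

# Constructed list of processes whose writes are never cached or suspended.
TRUSTED_PROCESSES = {"AcronisAgent.exe", "explorer.exe"}


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ActiveProtectionSim:
    # Constructed heuristic: an untrusted process that rewrites this many
    # files with high-entropy content is treated as ransomware.
    SUSPICIOUS_FILE_COUNT = 3
    HIGH_ENTROPY = 7.0

    def __init__(self, files):
        self.files = dict(files)               # path -> bytes ("the disk")
        self.cache = {}                        # (pid, path) -> bytes before first write
        self.high_entropy_writes = Counter()   # pid -> suspicious write count
        self.suspended = set()
        self.rolled_back = []

    def on_write(self, pid, process_name, path, new_data):
        """Driver notification: `process_name` (pid) overwrites `path` in place."""
        if pid in self.suspended:
            return "denied"
        if process_name in TRUSTED_PROCESSES:
            self.files[path] = new_data        # trusted: no copy-on-write
            return "applied"
        # Untrusted: keep the pre-write content, then let the write through.
        if (pid, path) not in self.cache:
            self.cache[(pid, path)] = self.files.get(path)   # None: new file
        self.files[path] = new_data
        if entropy_bits_per_byte(new_data) >= self.HIGH_ENTROPY:
            self.high_entropy_writes[pid] += 1
        if self.high_entropy_writes[pid] >= self.SUSPICIOUS_FILE_COUNT:
            self._suspend_and_roll_back(pid)
            return "rolled_back"
        return "applied"

    def _suspend_and_roll_back(self, pid):
        """Service decision: stop the process and restore every file it touched."""
        self.suspended.add(pid)
        for (cached_pid, path), original in list(self.cache.items()):
            if cached_pid != pid:
                continue
            if original is None:
                self.files.pop(path, None)     # the file did not exist before
            else:
                self.files[path] = original
            self.rolled_back.append(path)
            del self.cache[(cached_pid, path)]


def demo():
    """Constructed scenario: pid 42 ("video_codec.exe") encrypts documents in place."""
    docs = {
        f"C:/Users/alice/Documents/report{i}.docx": (b"quarterly report %d " % i) * 64
        for i in range(4)
    }
    sim = ActiveProtectionSim(docs)
    rng = random.Random(7)                     # deterministic stand-in for ciphertext
    results = []
    for path, plaintext in docs.items():
        ciphertext = bytes(rng.getrandbits(8) for _ in range(len(plaintext)))
        results.append(sim.on_write(42, "video_codec.exe", path, ciphertext))
    # A trusted process writing afterwards is unaffected by the suspension.
    results.append(sim.on_write(7, "AcronisAgent.exe", "C:/Backups/disk.tibx", b"\x00" * 64))
    return sim, results, docs


if __name__ == "__main__":
    sim, results, docs = demo()
    print(results)   # ['applied', 'applied', 'rolled_back', 'denied', 'applied']
    print(all(sim.files[p] == d for p, d in docs.items()))   # True: documents restored
```

The third high-entropy rewrite trips the threshold: the service suspends pid 42, the three cached originals are written back, and the fourth write never reaches the disk. The copy-on-write cache is what makes the rollback possible without a backup; in the product the same role is described as the driver rolling the file back from cache.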

Active Protection
Behavior and how we respond

Master boot record (MBR) overwrite
The system is then rebooted after the overwrite and encrypted on reboot (disguised as chkdsk).

Driver watches WRITE/SCSI operations to the MBR via Raw FS and notifies the service. Service verifies the process and makes a decision.

Active Protection
Behavior and how we respond

In-place, rename or new file with injection into known good process
Ransomware injects into a good and well known process and performs malicious actions like above.

Driver provides injection attempt notification to service. Service tells driver to watch the process without performing copy-on-write. When a suspicious pattern is detected, the user is instructed to recover files from the cloud.

Active Protection
Threat actors

Monitors local drives and prevents backup files being modified maliciously

End to end encryption:
• Restricts access to file modification activities to signed and authorized Acronis agent software
• Criminals are going after backup files
• Attack the agent on devices (acts as gateway to data in the cloud)
• Many ways to inject malicious code in local agents and compromise cloud backup data

Cyber Protect Cloud
Anti-virus (without local signature-based engine)

Antivirus
(Screenshots: Quarantined files; note: "Not part of the core solution")

Antivirus – Core Solution

Supports Windows and macOS (malware)
• 3rd party antivirus present when applying Protection Plan Anti-malware module: alert generated and on-access protection stopped to prevent conflicts
• To enable full functionality: disable/uninstall 3rd party antivirus

Quick / Full scans configurable
• Full scan: checks all files on machine
• Quick scan: checks only machine system files
• Detected threats quarantined and automatically deleted after 30 days (default)

Exclusions can be configured
• Trust certain files, folders and processes
• Block specific processes

Antivirus – Core Solution
Cloud Based Signature Detection (File Reputation Services (FRS))
• Works with small hash-based signatures
• Cloud look-up can help for an on-demand scan when something is not executed
• If executed we can look it up, but it might have already started
• FRS is hash only: not much data sent to look up
• No sandbox analysis at this time and no files sent
• Our own FRS being used
• FRS determines if file is good or bad
• Using (among other things) VirusTotal: doing hash checking against cloud database
• Update our list for the FRS (expanding to other services in future)

• Example: VirusTotal says 10 other AV vendors detected the file
  1. Some plausibility checking and add to our list for blocking with FRS right away
  2. 10 is not the magic number
  3. Taking a statistical guess on VirusTotal, so not a fixed number (Symantec and McAfee can have higher weights on this)
• One concern: may take a while until first “victim” uploads a file. Benefit to advanced pack.
• Behavior-based detection and other layers might help but not guaranteed

Stacktrace AI Analyzer

ML based malware detection technology
• Recognizes legitimate/malicious injections
• Analysis of 25B+ processes
• 100M+ unique stacktrace database

Advantages:
• Trusted processes monitoring
• Lightweight GBM ML model
• Fast response time: ~10 ms

Section Summary

• CyberFit Score: security posture of a machine
• Vulnerability assessment: scanning to determine vulnerabilities existing for applications. Loss leader to introduce patch management and validation tool after patching
• Device control: assists in preventing leakage of information / intellectual property. Fine tune abilities (lock down USB port but allow webcam to be used).
• Malicious items (or items reported as malicious) enter the system; quarantine allows review of what was triggered. Determine what to do: delete, restore or add to allowlist.
• Active Protection helps with ransomware attacks, video conferencing attacks, external drive protection, network folder and server side protection. Can do trusted or blocked processes and folders (helps with home grown applications).
• AI-based behavior heuristics: protects against unauthorized changes to Acronis processes, alteration of the backup agent, registry, configuration files, executables and backups located in local folders.
• Anti-virus protection (core solution) provides:
  • Behavior based protection
  • Cloud based file reputation services and
  • Quick and full scans.
• Trust certain files, folders and processes. Block certain processes (to reduce false positives).
• 3rd party anti-virus present and applied in protection plan: alert generated and on-access protection is disabled (stops system conflicts).

Cyber Protect Cloud
Advanced Security
Technical Discussion
Part 1

Advanced Security Components Part 1
1. Forensic backup
2. URL Filtering
3. Corporate allowlist (automatic and manual)
4. Backup Scanning (scanning cloud backups for malware)

Cyber Protect Cloud
Forensic Backup

(Screenshots: Enable collection of forensic data in Backup options; Recover forensic data; Select forensic data to recover)
Forensic Backup – What Is It?

US-CERT (Computer Emergency Readiness Team) main goal: Identify, Collect, Preserve, Analyze

Preserve integrity of evidence collected to be used in legal cases

Capture original data in unaltered state

Image vs Clone
▪ Image: not for working copy (evidence preservation purpose); a bit-by-bit copy is an image
▪ Clone: working copies for analysis (could be for preservation purposes)

Hash
Hash signature
• Cryptographically secure checksum to prove the byte stream did not change
• Difference in hash value between original and a copy? Confirms they are not exact copies
• Hash applied to entire image

Used to establish chain of custody
• Evidence preservation: chain of custody fulfills this
• Evidence collected needs to be protected against tampering

Forensic Backup
• Supports Windows 8.1, Windows Server 2012 R2 and above
• Backup destinations: Cloud, external drive, network folders
• Entire machine backup only
• Snapshot of unused disk space and running processes along with full memory dump [1]
• Automatically notarized
• Protection Plan with forensic data enabled cannot be disabled
• Recovery:
  • Recovered as entire machine

[1] Full memory dump may contain sensitive data such as passwords

Forensic Backup Process

Data can be selected for recovery:
• CSV file of processes, threads and modules and .DMP file of memory dump can be downloaded

1. Collects raw memory dump and then list of running processes
2. Reboots machine into bootable environment
3. Creates backup (occupied and unoccupied space)
4. Notarizes backup
5. Reboots into OS and continues plan execution

Forensic Backup

• Notarization certificate download:
  • Entire machine recovery task from forensic backup
  • Select Get certificate from Disk mapping view [1]
• tibxread command-line tool:
  • Used for manual checking of the integrity of the backed up data

[1] No need to perform recovery if purpose is to obtain notarization certificate

Forensic Backup

Notarization: prove authentic and unchanged since backup

1. Agent calculates hash code of full image backup, builds hash tree (Merkle Tree) and saves tree in backup (backup with forensic data)
2. Agent sends hash tree root to notary service (Acronis Notary Cloud)
3. Notary service saves hash tree root in blockchain database (Ethereum)
4. Verifying authenticity: Match > Authentic; Not Match > Not Authentic
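The hash signature from the Hash slide and the notarization flow above, as an added Python example that is not Acronis code and does not reproduce the product's backup format or notary protocol: SHA-256 over the whole image is the hash signature, the Merkle tree over fixed-size chunks is built by the "agent", only the root is handed to a write-once ledger standing in for the blockchain-backed notary service, and verification recomputes the root from the image held. The chunk size, the leaf/node prefixes, the backup identifier and the sample image are constructed.

```python
# Added example (not Acronis code): the hashing and notarization flow from the
# slides in miniature. SHA-256 over the whole image is the "hash signature"
# from the Hash slide; the Merkle tree over fixed-size chunks is what the
# notarization slide describes, with only the root handed to a notary
# stand-in. Chunk size and the leaf/node prefixes are choices made here.
import hashlib

CHUNK_SIZE = 64  # constructed: small so a tiny sample image yields several levels


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chunk_hashes(image: bytes):
    """Leaf hashes, one per CHUNK_SIZE chunk (the last chunk may be shorter).

    Leaves and internal nodes get different prefixes so that a chunk whose
    bytes happen to look like two concatenated hashes cannot pose as a node.
    """
    chunks = [image[i:i + CHUNK_SIZE] for i in range(0, len(image), CHUNK_SIZE)]
    return [sha256(b"\x00" + c) for c in (chunks or [b""])]


def merkle_tree(leaves):
    """All levels of the tree, leaves first and the single root last.

    An unpaired node at the end of a level is carried up unchanged.
    """
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        layer = levels[-1]
        levels.append([
            sha256(b"\x01" + layer[i] + layer[i + 1]) if i + 1 < len(layer) else layer[i]
            for i in range(0, len(layer), 2)
        ])
    return levels


def merkle_root(image: bytes) -> bytes:
    return merkle_tree(chunk_hashes(image))[-1][0]


class NotaryLedger:
    """Stand-in for the notary service's blockchain store: write-once per backup."""

    def __init__(self):
        self._roots = {}

    def notarize(self, backup_id: str, root: bytes):
        if backup_id in self._roots:
            raise ValueError(f"{backup_id}: root already recorded")
        self._roots[backup_id] = root

    def recorded_root(self, backup_id: str) -> bytes:
        return self._roots[backup_id]


def create_forensic_backup(ledger, backup_id, image):
    """Steps 1-3: hash the image, keep the tree with the backup, notarize the root."""
    tree = merkle_tree(chunk_hashes(image))
    ledger.notarize(backup_id, tree[-1][0])
    return {"image": image, "tree": tree, "image_sha256": sha256(image)}


def verify_backup(ledger, backup_id, backup) -> bool:
    """Step 4: recompute the root from the image we hold and compare."""
    return merkle_root(backup["image"]) == ledger.recorded_root(backup_id)


def first_modified_chunk(backup):
    """Stored leaves vs. recomputed leaves tell which chunk changed (None if none)."""
    for i, (stored, now) in enumerate(zip(backup["tree"][0], chunk_hashes(backup["image"]))):
        if stored != now:
            return i
    return None


def demo():
    """Constructed: notarize a 512-byte 'image', then flip one bit in chunk 5."""
    ledger = NotaryLedger()
    backup_id = "machine-01/forensic/0001"   # constructed identifier
    image = bytes(range(256)) * 2
    backup = create_forensic_backup(ledger, backup_id, image)
    before = verify_backup(ledger, backup_id, backup)
    tampered = bytearray(image)
    tampered[5 * CHUNK_SIZE + 3] ^= 0x80
    backup["image"] = bytes(tampered)
    after = verify_backup(ledger, backup_id, backup)
    whole_image_hash_changed = sha256(backup["image"]) != backup["image_sha256"]
    return before, after, first_modified_chunk(backup), whole_image_hash_changed


if __name__ == "__main__":
    print(demo())   # (True, False, 5, True)
```

The whole-image hash alone answers "is this an exact copy?"; keeping the tree with the backup additionally localizes a change to a chunk, and because only the root leaves the agent, the notary never needs the (possibly sensitive) image contents.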

Forensic Backup

When you set up forensic data in backup options and save the plan, you cannot switch it back; you can only delete the plan.

• When needed:
  a) Create a protection plan with the machine selected for forensic backup and turn forensics on
  b) Perform backup process and verify certificate produced
  c) One can delete the protection plan (its only purpose was forensic backup at that time) for that machine

Cyber Protect Cloud
URL Filtering

URL Filtering
(Screenshots: URL filtering settings; Warning alert when URL is blocked; Wildcard: no need for subdomains or http/https/www)

Malware distributed by malicious or infected sites. Use drive-by-download methods to infect machine.

• Checks HTTP/HTTPS connections against URL filtering database
• URL deemed malicious: user prevented from accessing or warning alert shown
• URL filtering database includes sites sourced from URLhaus [1]
• URLs manually added as Trusted or Blocked sites

[1] URLhaus database https://urlhaus.abuse.ch/browse/ includes submissions from Google Safe Browsing (GSB), Spamhaus DBL and SURBL
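A URL filtering decision in the shape described above, as an added Python example that is not Acronis code: the requested host is normalized so that rules need no scheme, "www." or subdomain (the wildcard behaviour the screenshot notes), manually Trusted and Blocked sites are consulted first, then a malicious-URL feed and a category block, with "block" or "warn" as the configured action. The feed entry, the categories, the sample rules and the precedence of Trusted over every block are constructed assumptions made for the demo, not the product's documented behaviour.

```python
# Added example (not Acronis code): a URL filtering decision in the shape the
# slides describe. The request's host is normalized, manually Trusted and
# Blocked sites are consulted first, then a malicious-URL feed and a category
# block. The feed entries, categories and the "Trusted wins" precedence are
# constructed assumptions for the demo.
from urllib.parse import urlsplit


def normalize_host(url: str) -> str:
    """Lower-case host with scheme, port, path and a leading 'www.' removed,
    so rules can be written without http/https/www (the wildcard behaviour
    shown on the slides)."""
    if "://" not in url:
        url = "http://" + url        # a bare host typed into a rule
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_matches(host: str, rule_host: str) -> bool:
    """A rule for example.com also covers every subdomain of example.com."""
    return host == rule_host or host.endswith("." + rule_host)


class UrlFilter:
    def __init__(self, trusted, blocked, blocked_categories, categories,
                 malicious_feed, mode="block"):
        self.trusted = [normalize_host(r) for r in trusted]
        self.blocked = [normalize_host(r) for r in blocked]
        self.blocked_categories = set(blocked_categories)
        self.categories = {normalize_host(h): c for h, c in categories.items()}
        self.malicious = [normalize_host(u) for u in malicious_feed]
        if mode not in ("block", "warn"):
            raise ValueError("mode must be 'block' (prevent access) or 'warn' (alert only)")
        self.mode = mode

    def decide(self, url: str):
        """Return (action, reason): action is 'allow' or the configured mode."""
        host = normalize_host(url)
        if not host:
            return self.mode, "unparseable URL"
        if any(host_matches(host, r) for r in self.trusted):
            return "allow", "trusted site"
        if any(host_matches(host, r) for r in self.blocked):
            return self.mode, "blocked site"
        if any(host_matches(host, r) for r in self.malicious):
            return self.mode, "malicious URL feed"
        for rule_host, category in self.categories.items():
            if host_matches(host, rule_host) and category in self.blocked_categories:
                return self.mode, f"category: {category}"
        return "allow", "no matching rule"


def build_demo_filter(mode="block"):
    """Constructed configuration mirroring the course's URL filtering scenario."""
    return UrlFilter(
        trusted=["Facebook.com"],                       # trusted overrides the social block
        blocked=["https://www.espn.com/"],              # scheme and www are ignored
        blocked_categories={"social"},
        categories={"facebook.com": "social", "twitter.com": "social"},
        malicious_feed=["http://evil-downloads.example/payload.exe"],  # constructed entry
        mode=mode,
    )


if __name__ == "__main__":
    f = build_demo_filter()
    for url in ["https://www.facebook.com/groups/x", "https://twitter.com/acronis",
                "https://m.espn.com/nba", "http://evil-downloads.example/payload.exe",
                "https://kb.acronis.com/academy"]:
        print(url, "->", f.decide(url))
```

Matching on the normalized host rather than the raw string is what makes `m.espn.com` fall under a rule written as `https://www.espn.com/`; the check `host_matches` requires a dot boundary, so `notespn.com` is not caught by an `espn.com` rule.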

Cyber Protect Cloud
Corporate Allowlist

Corporate Allowlist
(Screenshot: Enable automatic generation of whitelist and level of heuristics)

• Applications detected as false positives by antivirus solutions
• Need to add manually as trusted application to whitelist (avoid unwanted errors and disruptions)
• Automate the process to whitelist by scanning cloud backups:
  • Scan backups: two or more machines and enable Automatic generation of whitelist
  • Level of heuristic detection configurable: Default | Low | High
  • With automatic generation of allowlist enabled, manual adding of applications will be available (seven days to run)
  • Allowlist used by all agents during anti-malware scanning

Cyber Protect Cloud
Backup Scanning

Backup Scanning
(Screenshots: Create backup scanning plan; Backup scanning plan settings)

Cloud storage scanned for malware (prevent restoring infected files):
• Windows OS:
  • Only Entire machine or disks/volumes backups scanned
  • Volumes using NTFS file system with GPT or MBR partitioning
• Cloud backups scanned in Acronis Cloud
• After backup scanning plan created, placed in queue for execution
• May take time for scan to start/complete depending on queue; will show Not scanned status until scanning complete
• Status of backup once completed: No malware | Malware detected

Section Summary

• Forensic backup goal: identify, collect (in unaltered state), preserve, and analyze data. Enables investigation in the event of a security incident.
• Takes snapshot of unused disk space, full memory dump, snapshot of running processes and entire machine backup. Automatically notarized.
• URL filtering: helps with malware distributed by malicious or infected sites or drive-by-download methods. Checks HTTP and HTTPS connections. Provides opportunity to allow or block.
• Allowlist: helps reduce false positives. Two or more machines with backup scanning are required. Automatic list takes seven days to produce results.
• Backup scanning scans backups stored in Acronis cloud storage for malware. Volumes using the NTFS file system with GPT or MBR partitioning. Cloud backups placed in queue for execution.

Cyber Protect Cloud
Advanced Security
Technical Discussion
Part 2

Advanced Security Components Part 2
1. Safe Recovery
2. Windows Defender Antivirus/Microsoft Security Essentials integration
3. Remote Wipe
4. Smart Protection Plans

Cyber Protect Cloud
Safe Recovery
(Screenshot: Enable safe recovery)

Anti-malware scanning and deletion performed as part of recovery (prevent reinfection if malware is present):
• Windows physical or virtual machine with Agent for Windows installed
• Supported backup types: Entire machine or disks/volumes backup of NTFS volumes
• Backups scanned to determine if malware is present; Backup storage tab shows these statuses:
  • No malware
  • Malware detected
  • Not scanned
• Backup recovered and detected malware deleted

Cyber Protect Cloud
Windows Defender Antivirus

Windows Defender Antivirus/Essentials
(Screenshots: Windows Defender Antivirus settings; Microsoft Security Essentials settings)

Can be configured and managed from the service console:
• Single place for managing/viewing Windows Defender Antivirus (Win 8 and above) and Microsoft Security Essentials (before Win 8) configurations and statuses
• Configure scheduled scans, default actions, real-time protection and exclusions

Cyber Protect Cloud
Remote Wipe

Remote Wipe
(Screenshot: Remote wipe setting in machine Details)

Deletion of all data on remote machine (loss or theft):
• Windows 10
• Select machine, click on Details > Wipe data [1]
• Remote wipe initiated when machine is turned on and connected to Internet
• All data deleted and machine returned to factory default state

[1] Remote wipe uses RemoteWipeCSP and requires Windows Recovery Environment (Windows RE) to be enabled on the machine in order to function

Cyber Protect Cloud
Smart Protection Plans

Smart Protection Plans
(Screenshots: Cyber Protection widgets; Security alert details with recommended actions; Select recommended actions to take)

Acronis Cyber Protection Operations Center (CPOC) generates security alerts sent to related geographic regions
• Provides information about malware, vulnerabilities, natural disasters, public health and other types of global events that may affect users
• Can include recommended actions provided by security experts to resolve security alert
• Alerts automatically cleaned up after the following time periods:
  • Natural disasters: 1 week
  • Vulnerability: 1 month
  • Malware: 1 month
  • Public health: 1 week

Section Summary

• Safe recovery can be performed as part of recovery to prevent reinfection if malware is present in backup. Physical or virtual Windows machines with agent installed are needed, and backup types are entire machine or disks/volumes in NTFS format.
• Single place to manage, view, and configure Windows Defender and Security Essentials inside protection plans.
• Remote wipe: ability to set Windows 10 machine back to factory default settings (lost/stolen machine).
• Security alerts generated from Acronis CPOC for geographic regions related to malware, vulnerabilities, natural disasters, public health and other types of events that may affect clients' systems and data.

Cyber Protect Cloud
Advanced Security
Technical Discussion
Part 3

Advanced Security Components Part 3
1. Exploit prevention
2. Local signature-based detection anti-virus
3. Real-time anti-virus protection

Cyber Protect Cloud
Exploit Prevention

Exploit Prevention
Detects and prevents malicious processes from exploiting software vulnerabilities on a system
• Memory protection
• Code injection
• Privilege escalation and
• ROP protection (return-oriented programming)

Exploits

Memory protection: Stop attacks based on modification of execution rights or memory pages looking suspicious. Made to enable shellcode execution from areas like stacks and heaps.

Code injection: Malicious code into remote processes. To hide malicious intent of an application behind clean processes (also evade detection by antimalware solutions).

Privilege escalation: Stop elevation of privileges made by unauthorized code or application. Goal: prevent unauthorized code from accessing system resources or modifying system settings.

Return-oriented programming (ROP): Allows attacker to use code in presence of security defenses like code signing and space protection.

Note: More is covered in detail with some examples in the professional course

Cyber Protect Cloud
Local Signature-Based Detection

Local Signature Based Detection
• Used for known threats, higher processing speed and low false positive rates
• Must be a known threat (example: zero-day exploits)
• Cloud based in core solution: look-up can help for on-demand scan when something is not executed. If executed: looked up but might have already started (signature based benefit).
• Slow internet connection benefit

Cyber Protect Cloud
Real-time anti-virus scanning

Real-time Antivirus Scanning

Real-time: runs in background depending on scan mode. Constantly checks for malicious threats the entire time the system is powered on (unless paused by computer user).

• On-access (default): scanned when accessed for reading or writing (or launching program)
• On-execution: scans only executables when launched
• Applying protection plan when turned on and another solution running: will not enable real-time scanning, to protect machine from conflicts

Section Summary

• Exploit Prevention detects and prevents different malicious processes from exploiting various vulnerabilities on a system, including memory protection, code injection, privilege escalation and return oriented programming.
• Local signature based detection used for known threats. Since running locally on the machine it can process at a higher speed and produce low false positive rates for known threats. Slow internet connections benefit.
• Real-time anti-virus scanning runs in background depending on scan mode setting of on-access (default) or on-execution.

Cyber Protect Cloud
Advanced Security Pack
Scenarios and Examples

Topics for Scenarios and Examples
1. Forensic Backup
2. Active Protection (existing solutions already installed)
  • Ransomware – Live Malware
  • Self protection – MS Teams exploited
  • Cryptomining - XMRig
3. URL Filtering
  • Live malicious URLs and trusted and blocked
4. Device Control
  • Lock down of USB port yet use other items on port
  • Protection of intellectual property being stolen by internal threat

Forensic Backup

Scenarios and Examples – Forensic Backup

Objection: Disaster Recovery is too complex

Going after bad actors:
• Ransomware distributors
• Intellectual property theft cases
• Espionage
• Fraud
• Employment disputes
• Using email/messaging services for inappropriate things
• Other reasons
  • Bankruptcy investigations
  • Issues surrounding regulatory compliance

Laws and regulations:
• Requiring companies to safeguard personal data (and privacy)
• Companies prove they are complying with security practices
• Incident affected critical data: show a sound security policy was followed
• Potentially avoid lawsuits or regulatory audit

Already attacked? Answer questions like:
• What systems/files/applications/networks were involved and/or affected?
• How did it occur?
• What data was stolen or accessed?
• Are hackers still on the network?

Company victim to a recent cyber attack? Overall forensics investigations:
• Safeguarding digital evidence used in attack
• Search for data access and/or exfiltration
• Identify cause and possible intent
• Retrace hackers' steps
• Help prevent some future attack: detect gaps to be filled
• Opportunity to see additional security weaknesses

CERT statement
“Should an intrusion lead to a court case, the organization with computer forensics capability will be at a distinct advantage”
• Cybersecurity and forensics go hand in hand

Flip side – show something did NOT happen
• 2006 - US Dept of Veterans Affairs
• Laptop recovered and analyzed
• Determined sensitive files “probably” not viewed
  • Examined access and modification times of each file
  • Files not opened by conventional means

Final Thought
• Whoever collects evidence needs to be able to testify during direct examination
• Evidence needs to be authenticated (SAPAS)
• Evidence that cannot be authenticated is usually inadmissible
• Authentication: a record of who collected the evidence needs to be kept

Active Protection

Scenarios and Examples – Active Protection
• Malware example (video_codex)
• Video conferencing attack (MS Teams video or show live)
• Cryptomining video or show XMRig live

URL Filtering

Scenarios and Examples – URL Filtering
• Deny social sites category
• Put Facebook.com as a trusted site
• Block ESPN
• Block and allow user options?
• Other URL examples to display

Device Control

Scenarios and Examples – Device Control
• USB shutdown - webcam and mouse still utilized
• Show alert on USB restriction
• Intellectual property theft (engineer's AutoCAD drawings / sales rep taking client information in Excel file)

What’s Next?

Review the Materials
• Download and review the course materials
• Re-watch the videos as many times as you’d like

Take the Exam
• 20 multiple-choice questions
• 60 minutes working time
• 70% passing grade
• Two attempts given
• Open book

Certification Track

STEP 1: Cloud Tech Fundamentals – already should have taken
STEP 2: Cloud Tech Associate (Security)
STEP 3: Cloud Tech Professional – final step

Acronis #CyberFit Cloud Tech Associate Certifications (STEP 2) consist of the following courses (specializations)

Optional:

Other Acronis Resources
• Inside Sales
• Field Sales
• Partner Success Managers
• Solution Engineers
• Sales Enablement Team
• Partner Portal for more #CyberFit Academy training courses and easy-to-use marketing materials

Supplemental Materials
The Evangelism Team at Acronis will be periodically releasing new content. Please check back often.
Check email for #CyberFit Academy updates: https://kb.acronis.com/academy

Social Media Accounts
• Instagram: https://www.instagram.com/acronis
• Facebook: https://www.facebook.com/acronis
• Twitter: https://twitter.com/Acronis
• Reddit: https://www.reddit.com/r/acronis
• YouTube: https://www.youtube.com/user/Acronis

Cyber Foundation
Building a More Knowledgeable Future
Create, Spread and Protect Knowledge with Us!
www.acronis.org
• Building New Schools
• Publishing Education Programs
• Publishing Books
