Defining Malicious Behavior on NBU
Hi Admins, hope everyone's well.
I'm a student coming from the security side, currently working on a project with Veritas NetBackup. I'm designing some indicators to alert on malicious behavior in the context of the software [using Endpoint Detection and Response]. I wanted to share some ideas that I have thought about implementing, and I would really appreciate it if you could challenge them / give feedback on them. Your knowledge of what constitutes normal behavior and what doesn't is crucial for me. So here are the ideas (if you have some of your own, by all means please share):
#1 - Deletion of images from the image catalog
#2 - Deletion of media entries from the EMM Database
#3 - Deletion/Tampering with NBDB configuration files
#4 - Deletion of SRTs from the Boot Servers (BMR) (maybe boot images also?)
#5 - Modification of Retention Levels
#6 - Setting expiration dates of backup images to expire immediately or near future
#7 - Mass freeze media
#8 - Stoppage of Critical Services/Daemons
For example, #1: images in the catalog are usually cleaned up automatically by a service and rarely deleted by an admin. Since the majority of it is done automatically, normal behavior would be easy to exclude, and an attacker deleting in bulk would be alerted on and stopped. Another example, #5: I don't know how often admins change their Retention Levels, but changing them in a way that backups would expire immediately would be very suspicious, right? This is the kind of reasoning I'm approaching the problem with.
I tried designing these taking into account whether it's something an NBU admin does regularly, and also trying to distinguish whether it's automatic or manual work. But ultimately I would love your input.
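To make the automatic-versus-manual distinction from the post concrete, here is an added example (my own, not code from the post or from Veritas) that runs the bulk-action logic of #1, #6, #7 and #8 over constructed EDR process events. It assumes an event shape of (timestamp, user, parent process, command line), treats events whose parent is one of the NetBackup scheduler daemons as the automated baseline (an assumption about how cleanup is launched; check against your own master server), and matches NetBackup CLI invocations such as `bpexpdate -d 0` and `bpmedia -freeze`. The thresholds and time windows are placeholders to be tuned against real admin activity.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: actions launched by these daemons are scheduler-driven cleanup,
# i.e. the "normal, automatic" baseline the post wants to exclude.
AUTOMATED_PARENTS = {"bpdbm", "nbpem", "nbjm"}

# Each rule: a regex over the command line, how many matching events from one
# user inside the window are needed before alerting. Thresholds are placeholders.
RULES = [
    {"name": "1-bulk-image-deletion",
     "pattern": re.compile(r"\bnbdelete\b|\bbpimage\b.*\s-deletecopy\b"),
     "threshold": 3, "window_min": 10},
    {"name": "6-immediate-expiry",           # bpexpdate -d 0 expires an image now
     "pattern": re.compile(r"\bbpexpdate\b.*\s-d\s+0\b"),
     "threshold": 3, "window_min": 10},
    {"name": "7-mass-freeze",                # bpmedia -freeze -m <mediaid>
     "pattern": re.compile(r"\bbpmedia\b.*\s-freeze\b"),
     "threshold": 5, "window_min": 10},
    {"name": "8-daemon-stop",                # stopping the database manager
     "pattern": re.compile(r"\bbpdbm\b.*-terminate\b|\bbp\.kill_all\b"),
     "threshold": 1, "window_min": 1},
]

# Constructed sample telemetry, not real EDR output: (ts, user, parent, cmdline).
EVENTS = [
    # nightly cleanup launched by the scheduler: excluded by parent process
    *[(f"2024-03-01T02:00:{i:02d}", "root", "nbpem", "nbdelete -allvolumes")
      for i in range(5)],
    # a single manual expiry by an admin: below threshold, no alert
    ("2024-03-01T09:30:00", "alice", "bash", "bpexpdate -d 0 -backupid hr02_1709290000"),
    # one account doing everything in bulk from an interactive shell
    ("2024-03-01T03:10:00", "backupadm", "bash", "bpexpdate -d 0 -backupid fs01_1709250001"),
    ("2024-03-01T03:10:05", "backupadm", "bash", "bpexpdate -d 0 -backupid fs01_1709250002"),
    ("2024-03-01T03:10:11", "backupadm", "bash", "bpexpdate -d 0 -backupid fs01_1709250003"),
    ("2024-03-01T03:10:30", "backupadm", "bash", "bpexpdate -d 0 -backupid db01_1709250004"),
    *[(f"2024-03-01T03:12:{i*10:02d}", "backupadm", "bash", f"bpmedia -freeze -m A0000{i}")
      for i in range(6)],
    ("2024-03-01T03:13:00", "backupadm", "bash", "nbdelete -allvolumes -force"),
    ("2024-03-01T03:13:10", "backupadm", "bash", "nbdelete -allvolumes -force"),
    ("2024-03-01T03:13:20", "backupadm", "bash", "nbdelete -allvolumes -force"),
    ("2024-03-01T03:15:00", "backupadm", "bash", "bpdbm -terminate"),
]


def detect(events, rules=RULES, automated_parents=AUTOMATED_PARENTS):
    """Return (rule, user, peak_count) for every user whose matching, non-automated
    events reach a rule's threshold inside a sliding window of rule['window_min']."""
    alerts = []
    for rule in rules:
        per_user = defaultdict(list)
        for ts, user, parent, cmd in events:
            if parent in automated_parents:
                continue  # scheduler-driven work is the normal baseline
            if rule["pattern"].search(cmd):
                per_user[user].append(datetime.fromisoformat(ts))
        window = timedelta(minutes=rule["window_min"])
        for user, times in per_user.items():
            times.sort()
            start, peak = 0, 0
            for end in range(len(times)):          # two-pointer sliding window
                while times[end] - times[start] > window:
                    start += 1
                peak = max(peak, end - start + 1)
            if peak >= rule["threshold"]:
                alerts.append((rule["name"], user, peak))
    return alerts


if __name__ == "__main__":
    for name, user, count in detect(EVENTS):
        print(f"ALERT {name}: {user} performed {count} matching actions in window")
```

The parent-process exclusion is what separates #1's automatic catalog cleanup from a manual bulk deletion; an attacker who runs the same commands from the scheduler's context would slip past it, so in practice you would also key on the originating session or on whether the command line deviates from the scheduled job's fixed arguments.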