Organizations typically view backup data as a safety net for disaster recovery and business continuity. However, companies want to do more with their backup data as they realize they’re sitting on a goldmine for cybersecurity teams engaged in threat hunting. By analyzing backup data, security teams can uncover patterns, anomalies, and evidence of malicious activity that may not be immediately visible in live systems, especially when it comes to exposing previously hidden zero-day threats in stored backups.
Over the past year, Cohesity has led the way in building the tools and solutions that allow you to bring your backup data into the security ecosystem. Tools like Cohesity DataHawk give you the ability to hunt for threats and classify data to prioritize response. The isolated Clean Room environment and the Digital Jump Bag™ ensure you are prepared for an attack and can speed response. These innovations allow you to do more with your backup data, turning it into a robust solution that speeds response and recovery in the face of increasingly sophisticated cyber threats.
First-to-market solution identifies Indicators of Compromise (IoCs) in backups
In September 2024, Cohesity was the first to introduce our market-leading and ground-breaking ability to identify IoCs within backups using a searchable index of SHA-256 hashes for unstructured file backups.
The index integrates seamlessly into existing Cohesity NetBackup malware scanning workflows and can be harnessed using the NetBackup WebUI or API even in isolated environments. Additionally, when managed by Cohesity Alta View, discovered IoCs are propagated across all NetBackup protection domains within the customer’s backup infrastructure, delivering enterprise-wide threat detection.
This functionality helps threat hunters identify IoCs across the enterprise without the need for extensive malware scans, significantly reducing the time it takes to detect a threat. For example, while most hunts can be completed in seconds, we stress tested the capabilities of the lookups and found we could do a malware lookup at a rate of around 500 million hashes per second. This means hunting for threats will take minutes instead of hours. Simply put, this is one of the fastest malware scans within backups, and NetBackup customers have been the first to benefit from these capabilities.
Shift from reactive to proactive detection
Another first was joining the Joint Cyber Defense Collaborative (JCDC), a consortium of federal government, private and international partners led in the U.S. by the Cybersecurity and Infrastructure Security Agency (CISA). The JCDC partnership opens up a unique information sharing portal that shifts the paradigm away from reacting to global threats and toward proactive detection and mitigation planning.
IoCs of known exploitable vulnerabilities, published by CISA or its global partners, are refreshed daily and used by Alta View’s automated daily threat hunts, which search for IoCs across backups of unstructured data. If any IoCs are found, a dynamic map view of all impacted assets across the enterprise is updated daily. This is of immense value for customers, especially those designated as an essential service provider, in matters of national security, healthcare, public safety, and the stability of economic markets.
After integrating with the CISA threat feed, we added integrations to support open-source feeds as well as scanning with customer-provided file hashes. With just a SHA-256 file hash, customers can search their protected enterprise backups and locate any content in a matter of seconds. Recovery after a cyberattack takes preparation and disciplined rehearsals to ensure that threats are isolated and infected recovery points are excluded when initiating restore operations.
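How a hash index turns an IoC hunt into lookups and then drives restore-point selection, as an added example (generic Python, not Cohesity or NetBackup code; the catalog layout, asset names and file contents are constructed assumptions):

```python
import hashlib
from collections import defaultdict

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample contents standing in for backed-up files.
BENIGN = b"quarterly report"
DROPPER = b"constructed stand-in for a malicious binary"

# Constructed catalog: (asset, recovery point id, backup date, {path: content}).
CATALOG = [
    ("fileserver01", "rp-001", "2024-09-01", {"/share/report.docx": BENIGN}),
    ("fileserver01", "rp-002", "2024-09-02",
     {"/share/report.docx": BENIGN, "/share/tmp/update.exe": DROPPER}),
    ("fileserver01", "rp-003", "2024-09-03",
     {"/share/report.docx": BENIGN, "/share/tmp/update.exe": DROPPER}),
    ("hr-laptop07", "rp-101", "2024-09-02", {"/home/a/notes.txt": b"notes"}),
]

# Constructed IoC feed; feeds often mix hex case and stray whitespace.
IOC_FEED = [sha256_hex(DROPPER).upper() + "\n", "0" * 64]

def build_index(catalog):
    """Map each SHA-256 to every (asset, recovery point, path) holding it.
    In a real product this is computed once, when the backup is written."""
    index = defaultdict(list)
    for asset, rp, _day, files in catalog:
        for path, content in files.items():
            index[sha256_hex(content)].append((asset, rp, path))
    return index

def hunt(index, ioc_hashes):
    """One dictionary lookup per IoC hash; no backup data is re-read."""
    hits = []
    for h in ioc_hashes:
        hits.extend(index.get(h.strip().lower(), []))
    return hits

def latest_clean_recovery_point(catalog, hits, asset):
    """Newest recovery point for the asset with no IoC hit, or None."""
    infected = {rp for a, rp, _ in hits if a == asset}
    clean = [(day, rp) for a, rp, day, _ in catalog
             if a == asset and rp not in infected]
    return max(clean)[1] if clean else None

if __name__ == "__main__":
    found = hunt(build_index(CATALOG), IOC_FEED)
    for asset, rp, path in found:
        print(f"IoC hit: {asset} {rp} {path}")
    print("restore from:", latest_clean_recovery_point(CATALOG, found, "fileserver01"))
```

A hash match only finds byte-identical files, so a clean result here means "no known IoC hash present", not "no malware present".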
Mitigate threats within backups
Here’s where it gets exciting. As we bring together the best of NetBackup and Cohesity DataProtect, you’ll start to see file hash search and IoC content indexing come into the Cohesity Data Cloud by the summer of 2025 to allow precise identification of malware within backup data. This complements our existing threat hunting capabilities, giving customers a broader, cross-platform view of threats and reducing the risk of undetected malware persisting in backup environments. By pairing our strengths, both DataProtect and NetBackup customers gain the ability to mitigate threats within backups, helping organizations confidently restore data while minimizing the fear of reinfection.
The bottom line: Cohesity pioneered the use of file hash lookups in backup data, setting the industry standard before any other provider. With the largest R&D team and the largest market share in the sector, we’ll continue to drive innovation, ensuring you can stay ahead of the evolving threats. Our ongoing investments in research, technology, and talent are expanding both DataProtect and NetBackup’s capabilities, reinforcing our commitment to delivering cutting-edge advancements that keep businesses secure and resilient. And we’re just getting started.