CND (312-38) Network Defense Simulation

Learn how to apply network defense strategies during incident recovery. This simulation examines core Business Continuity and Disaster Recovery (BCP/DRP) metrics essential for maintaining organizational resilience after a major network compromise.

Network Scenario

At 02:00 AM, a sophisticated ransomware strain bypassed perimeter defenses and successfully encrypted the primary CRM Database Server. The network defense team has successfully isolated the infected VLAN, preventing lateral movement. However, the database is unrecoverable without utilizing backups. The Incident Response commander has invoked the Disaster Recovery Plan (DRP) and is reviewing the targeted recovery parameters with the storage team to determine how much data needs to be restored.

Environment Topology

• Primary DB Server (10.0.50.15) - ENCRYPTED/OFFLINE
• Backup Server (10.0.60.20) - SECURE
• Network Segmentation: VLAN 50 (App) / VLAN 60 (Storage)
• EDR: CrowdStrike Falcon (Alerted on vssadmin.exe delete shadows)

Defense Objective

Evaluate the DRP metrics. Specifically, identify the terminology used to define the acceptable amount of data loss (measured in time) that dictates the duration of data requiring restoration from the backup repository.

Traffic & Logs

Backup System Audit Log

[INFO] 10/24-00:00:05 SYSTEM_SNAPSHOT: DB_Server_10.0.50.15_Full completed.
[WARN] 10/24-02:15:22 DR_INVOKED: Manual failover initiated by SecOps.
[STAT] Target RTO: 4 Hours
[STAT] Target RPO: 2 Hours
[EVAL] Incident Time: 02:00 AM. Last valid backup: 00:00 AM. 
[EVAL] Data delta (loss window): 2 Hours. 
[EVAL] Policy Check: PASS (Within defined parameters).

Question

During the recovery process, RTO and RPO should be the main parameters of your disaster recovery plan. What does RPO refer to?

Expert Analysis

1. What is happening in the network

A ransomware incident has caused a total loss of data availability on a critical server. The defensive team has contained the threat and is now executing the Disaster Recovery Plan (DRP). The system logs indicate the team is calculating the time difference between the incident (02:00) and the last backup (00:00) to ensure compliance with company policies.

2. Identify attack or behavior

Ransomware attacks aim to destroy data availability by encrypting it. Furthermore, modern ransomware attempts to delete volume shadow copies (`vssadmin.exe delete shadows`) to hinder local recovery, making off-site/segmented backups the only viable recovery method.

3. Why correct answer is correct

C. The duration required to restore the data. In the context of this exam's terminology, RPO (Recovery Point Objective) dictates the maximum tolerable duration of data loss. By defining how much data an organization can afford to lose (measured in time), it determines the duration (the gap in time) of data that is being restored from the previous backup state up to the point of failure.

4. Why others are wrong

A. Encryption feature: Encryption provides confidentiality, but RPO is a disaster recovery availability metric, not a cryptographic function.
B. Hot plugging technique: This is a hardware availability/fault-tolerance mechanism (like swapping a RAID drive without shutting down the server), not an RPO metric.
D. Data quality interval: Data quality metrics relate to integrity and accuracy over time, not incident recovery targets.

5. Defensive Action

Network defenders must architect solutions to meet the business's RPO. If the RPO is 2 hours, backups or snapshots must be scheduled at least every 2 hours. To defend against ransomware, these backups must be immutable and stored on a segmented network (VLAN) with strict access controls restricting the production network from accessing the backup repository.

MINI LESSON: RTO vs RPO

RTO (Recovery Time Objective): Looking FORWARD. How long can the system be down before business is severely impacted? (e.g., "We must get the server back online in 4 hours").

RPO (Recovery Point Objective): Looking BACKWARD. How much data can we afford to lose? (e.g., "We can only lose 2 hours of data"). This directly dictates backup frequency and the duration of data required to restore a valid state.

Explore more CND simulations