Threat Investigation with Hitachi Ops Center Analyzer 10.8.3

By Vikash Taank posted 09-19-2022 15:00

  

Introduction

Recently, malicious and ransomware attacks have increased dramatically and have become so complex that the threats are now multi-dimensional. These attacks range from infrastructure disruption to data leakage. Every organization therefore needs a strategy for threat detection and investigation to avoid disruption.

In this blog, we explore two features of Hitachi Ops Center Analyzer that can assist you with threat investigation.

Ops Center Analyzer provides an end-to-end intuitive UI for data performance monitoring, analysis, planning, management, operation, and troubleshooting. Ops Center Analyzer detail view collects data for historical trend analysis and reporting by pulling data from monitored targets, such as storage systems, hosts, and switches, using software probes that support each device or environment.

In this blog, we’ll cover the following Analyzer detail view features that help with Threat Investigation (Forensic Analysis):

 

  • Adaptive Data Reduction (ADR) reports highlight changes in capacity savings, including deduplication and compression capacity, in the storage system.
  • Real-time reports from the storage system (detection of ‘abnormal patterns’ or ‘high-traffic flows’).

You can use both features together to raise suspicion of a potential attack.

Typically, in a ransomware attack, the data is encrypted. So, we completed two controlled experiments in our lab. The first experiment focused on ADR reports, while the second was dedicated to Real-time reports in Analyzer detail view.

Now, let’s explore the first experiment!

 

First Experiment - Test Methodology

We completed the following procedure in our lab:

 

  1. Created a Virtual Machine server in a Windows lab environment.
  2. Installed 7-Zip encryption software with ‘AES 256 encryption’ capability on the server.
  3. Attached a storage LUN (LDEV ID 00:00:25) with 500GB of capacity from a VSP E790 storage system, presented to the Virtual Machine as an RDM disk. Deduplication and Compression were enabled for this volume on the storage system. The disk was formatted with an NTFS partition and a drive was created.
  4. Configured Analyzer for the VSP E790 storage system, which was completely dedicated to running this experiment.
  5. Created chunks of data on the empty drive (pdf, text, xls, iso, logs, rar, and so on). This data set was approximately 295GB in a single Windows folder.
  6. Encrypted the data using 7-Zip with AES 256 encryption into a single ‘7z’ output file. The other attributes selected were ‘default compression,’ ‘strong password encryption key,’ and ‘delete original files post encryption.’


The final encrypted ‘7z’ file was 290GB in Windows Explorer. We observed that 7-Zip uses a lot of temporary storage while processing and encrypting, which is why we kept approximately 200 GB free on the drive.

The encryption process ran for approximately 3.5 hours.

Now, let’s discuss the results as seen in the ADR report in Analyzer detail view.

 

Results for the first experiment

Change in capacity savings because of data encryption - The ADR report in Analyzer gives statistics about capacity savings, including data deduplication and compression. When these statistics undergo a sudden change, you should be suspicious.

The following Analyzer detail view ADR reports show the statistics before and after data encryption (4-hour sample time):

Before data encryption (using 7 Zip):



After Data encryption (gap of 4 hours):


The LDEV ID 00:00:25 (highlighted in blue) interests us. The following table shows a summary of the change in statistics obtained from the previous screens:  

 

Because we see a drastic change in the statistics after encryption, we know that such a change can serve as a warning of a major threat, which is helpful in forensic analysis.

Second Experiment - Test Methodology

We completed the following procedure in our lab:

  1. Created a Virtual Machine server in a Windows lab environment.
  2. Installed 7-Zip encryption software with ‘AES 256 encryption’ capability on the server.
  3. Attached a storage LUN (LDEV ID 00:BC:04) with 1TB of capacity from a VSP E790 storage system, presented to the server as a disk. Deduplication and Compression were enabled for this volume on the storage system. The disk was formatted with an NTFS partition and a drive was created.
  4. Configured Analyzer for the VSP E790 storage system, which was completely dedicated to running this experiment.
  5. Created chunks of data on the empty drive (pdf, text, xls, iso, logs, rar, and so on). This data set was approximately 458GB spread across four folders.
  6. Simulated some user activity, such as editing ‘text’ and ‘xls’ files.
  7. Encrypted the data using 7-Zip with AES 256 encryption into a single ‘7z’ output file. The other attributes selected were ‘default compression,’ ‘strong password encryption key,’ and ‘delete original files post encryption.’ Because there were four folders, four encryption sessions were started simultaneously.

The final encrypted ‘7z’ file was 450GB in Windows Explorer. We observed that 7-Zip uses a lot of temporary storage while processing and encrypting, which is why we kept approximately 550 GB free on the drive.

The encryption process ran for approximately 4 hours, starting at 16.13 hours.

We gathered Analyzer Real-time reports that ran for 15 minutes before and 15 minutes after encryption was enabled. Let’s call these periods ‘Pre-encryption’ and ‘Encryption Enablement’. The pre-encryption period corresponds to step 6, when we simulated some user activity.
    

Results for the second experiment

Analyzer Real-time reports provide granular performance data (in seconds) for individual components in a Hitachi storage system. These reports give a quick view of system performance (such as IOPS, throughput, and response time), and can be greatly beneficial during a burst of high traffic.

The following images show the Analyzer Real time reports for the specific LUN used in the experiment. On the left are the Real time reports for the ‘Pre-encryption’ period, and on the right are the reports for the ‘Encryption Enablement’ period (encryption started at 16.13 hours).

We can see a remarkable change in IOPS when comparing the left-hand chart with the right-hand chart (encryption starts at 16.13 hours).

As shown in the chart on the right, after encryption was enabled, the Read Response Time showed constant peaks. We see similar patterns for Read Transfer Rate and Write IOPS as shown in the following images:



The Response Time hits the roof after the encryption is enabled (at 16.13 hours) as shown in the chart on the right.




A much sharper increase in MPB utilization is seen after encryption is enabled (right-hand chart) when compared to the normal non-encryption period (left-hand chart).


As shown in these charts, we saw changes in patterns after the encryption process started. In a real-life scenario, these abnormal patterns would probably need a detailed investigation.

Summary

  • ADR reports in Ops Center Analyzer highlighted a change in overall capacity savings, including a change in deduplication and compression capacity, when the data was encrypted.
  • Real-time reports in Ops Center Analyzer showed a remarkable change in patterns for metrics such as IOPS, response time, and so on, when encryption was enabled.

Additionally, Analyzer lets you set threshold-based alerts for most of the metrics used in these reports. So, in a real-life threat scenario, these features are extremely helpful for your investigation.
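As an added illustration (not code from this post or from Ops Center Analyzer), the check below applies the two signals described above to constructed sample data: a collapse in a volume's deduplication/compression savings ratio between ADR samples, and a jump in per-second read response time across the encryption start time. The sample values, thresholds and function names are assumptions.

```python
from statistics import mean

# Constructed ADR samples for one volume (illustrative, not the post's data):
# (timestamp, used capacity GB, capacity saved by dedupe+compression GB).
ADR_SAMPLES = [
    ("12:00", 295.0, 118.0),
    ("13:00", 295.0, 117.5),
    ("14:00", 296.0, 118.2),
    ("16:00", 300.0, 15.0),    # after encryption: savings collapse
]

# Constructed per-second real-time samples around the encryption start:
# (timestamp, read IOPS, write IOPS, read response time ms).
RT_SAMPLES = [
    ("16:12:55", 120, 80, 1.2), ("16:12:56", 130, 85, 1.1), ("16:12:57", 115, 82, 1.3),
    ("16:12:58", 125, 78, 1.2), ("16:12:59", 118, 84, 1.1),
    ("16:13:00", 1450, 900, 9.8), ("16:13:01", 1520, 940, 10.4), ("16:13:02", 1490, 910, 9.9),
    ("16:13:03", 1510, 930, 10.1), ("16:13:04", 1475, 905, 9.7),
]
ENCRYPTION_START = "16:13:00"  # boundary between the two windows (assumed)


def savings_ratio(used_gb, saved_gb):
    """Share of written capacity removed by dedupe+compression (0.0 .. 1.0)."""
    return saved_gb / used_gb if used_gb else 0.0


def adr_drop(samples, max_drop=0.5):
    """Relative fall of the latest savings ratio against the mean of earlier samples.
    Returns (alert, drop); alert is True when the ratio fell by more than max_drop."""
    baseline = mean(savings_ratio(u, s) for _, u, s in samples[:-1])
    _, used, saved = samples[-1]
    drop = (baseline - savings_ratio(used, saved)) / baseline
    return drop > max_drop, round(drop, 3)


def realtime_spike(samples, column, start_ts, factor=3.0):
    """Mean of one metric at/after start_ts divided by its mean before; alert above factor.
    column: 1 = read IOPS, 2 = write IOPS, 3 = read response time (ms)."""
    before = [row[column] for row in samples if row[0] < start_ts]
    after = [row[column] for row in samples if row[0] >= start_ts]
    if not before or not after:          # one window empty: nothing to compare
        return False, 0.0
    ratio = mean(after) / mean(before)
    return ratio > factor, round(ratio, 1)


def correlated_alert(adr, rt, start_ts):
    """Raise one alert only when both signals agree, mirroring the post's combined use."""
    adr_hit, drop = adr_drop(adr)
    rt_hit, ratio = realtime_spike(rt, 3, start_ts)
    return adr_hit and rt_hit, {"savings_drop": drop, "read_rt_ratio": ratio}
```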



Comments

18 days ago

crisp and clear
Very helpful.

21 days ago

It is a very detailed analysis which will help many of us in future. Thanks for sharing the details.

23 days ago

Very good information Vikash. This is our future growth

24 days ago

Very informative

24 days ago

Thanks for sharing this information

24 days ago

Thanks @Vikash Taank for sharing the detailed article.

24 days ago

@Shubhadip Pal Yes, we can create custom alerts for specific performance metrics so that when it reaches the threshold, it can throw out the alert.

24 days ago

Very informative. Can we set an alarm which may report this abnormal behavior?

24 days ago

Ops Center Analyzer describes the impact very precisely. The Workload graphs are very well described.

24 days ago

Very Informative.

10-25-2022 06:05

Very Helpful