Recently, Malicious and Ransomware attacks have increased dramatically and are getting so complex that the threats are now multi-dimensional. These numerous attacks range from infrastructure disruption to data leakages. This means that every organization needs a strategy for threat detection and investigation to avoid disruptions.
In this blog, we explore two features of Hitachi Ops Center Analyzer, that can assist you with threat investigation.
Ops Center Analyzer provides an end-to-end intuitive UI for data performance monitoring, analysis, planning, management, operation, and troubleshooting. Ops Center Analyzer detail view collects data for historical trend analysis and reporting by pulling data from monitored targets, such as storage systems, hosts, and switches, using software probes that support each device or environment.
In this blog, we’ll cover the following Analyzer detail view features that help with Threat Investigation (Forensic Analysis):
- Adaptive Data Reduction (ADR) Reports highlight the change in capacity savings including Data Deduplication and Compression capacity in the storage system.
- Real-time Reports from the storage system [detection of ‘abnormal patterns’ or ‘high-traffic flows’].
You can use both features together to raise suspicion of a potential attacks.
Typically, in a ransomware attack, the data is encrypted. So, we completed two controlled experiments in our lab. The first experiment focused on ADR reports, while the second one was dedicated to Real Time reports in Analyzer detail view.
Now, let’s explore the first experiment!
First Experiment - Test Methodology
We completed the following procedure in our lab:
- Created a Virtual Machine Server in a Windows lab environment.
- Installed 7Zip encryption software with ‘AES 256 encryption’ capability on the server.
- Attached a storage LUN (LDEV ID 00:00:25) with 500GB of capacity from a VSP E790 storage system attached as an RDM disk to the Virtual Machine. Deduplication and Compression for this volume was enabled on the storage system. This disk was formatted with an NTFS partition and a drive was created.
- Configured Analyzer for the VSP E790 storage system, which was completely dedicated to run this experiment.
- Created chunks of data on an empty drive [pdf, text, xls, iso, logs, rar, and so on]. This data set was approximately 295GB on a single Windows folder.
- Enabled encryption of the data using 7zip and AES 256 encryption with a single ‘7z’ output file. Other default attributes selected were ‘default compression,’ ‘strong password encryption key’, and ‘delete original files post encryption.’
The final encrypted ‘7z’ file was 290GB in Windows Explorer. We observed that the 7zip software uses a lot of temporary storage for processing and encryption (the main reason was to keep approximately 200 GB free in the drive).
The encryption process ran for approximately 3.5 hours.
Now, let’s discuss the results as seen in the ADR report in Analyzer detail view.
Results for the first experiment
Change in Capacity Savings because of data encryption - The ADR report in Analyzer gives statistics about Capacity savings including data deduplication and compression. When these stats undergo a sudden change, you should be suspicious.
The following Analyzer detail view ADR reports show for before data encryption and after (4-hour sample time):
Before data encryption (using 7 Zip):