One of the core functions of the Peer Global File Service (PeerGFS) platform is its ability to detect and analyze both user and application activity on various storage platforms in real-time. This engine discovers the activity patterns that drive the distributed locking and replication capabilities of PeerGFS.
The same detection and analysis engine can also be used to spot unwanted activity being executed on storage platforms by ransomware, viruses, malware, hackers, or rogue users. Peer MED (malicious event detection) technology provides alerting capabilities, as well as the ability to minimize the amount of encrypted or deleted content from being replicated to remote locations.
Peer MED deploys three different mechanisms for spotting malicious activity, each of which can be enabled and tuned independently. This three-pronged approach boosts detection rates of malicious actors that are constantly evolving. The three mechanisms are:
- Bait Files: Peer MED seeds common file types into the environment that are hidden to users. Though hidden, these bait files are likely to be accessed by automated processes (like ransomware) or by mass deletions of entire folder structures. As soon as these files are touched, Peer MED's action engine is triggered.
- Pattern Matching: Peer MED comes with a set of predefined patterns of both valid and malicious file activity behavior. They are based on known good activity patterns, as well as on the activity patterns of common malware variants. If a pattern signifying malicious activity by a specific client or user is detected, Peer MED's action engine is triggered.
- Trap Folders: On Windows file servers, Peer MED creates hidden recursive folders that try to trap or slow down ransomware as it enumerates a folder structure. As with the bait files, these folders cannot be seen by users but are accessible by automated processes. If any files within these folders are touched, Peer MED's action engine is triggered.
Upon detection of malicious activity, Peer MED can perform one of the following actions:
- Alert: Notify admins that malicious activity has been detected. This option is typically used during initial rollouts to determine normal patterns of access for existing data.
- Alert and Disable the Afflicted Agent: In addition to notifying admins, disable the Agent paired with that device. Once disabled, that Agent will no longer replicate changes to other locations, minimizing the amount of encrypted and/or deleted content from being spread. The afflicted Agent will remain disabled until it is manually re-enabled by an admin. Other locations can continue working without interruption.
- Alert and Stop the Afflicted Job: In addition to notifying admins, stop any jobs associated with that storage device. This minimizes the amount of encrypted and/or deleted content from being spread, regardless of where it was first detected. A restart of afflicted jobs by an admin will return replication relationships back to normal.
- Alert, Disable the Afflicted Agent, and Stop the Afflicted Job: In addition to notifying admins, disable its paired Agent and stop all associated jobs. This is the most aggressive option, requiring admins to not only restart jobs but also re-enable Agents.
PeerGFS can help recover data once malicious activity has been detected and contained. Setting the afflicted location as a Seeding Target, re-enabling the associated Agent (if disabled), and restarting associated jobs can replace encrypted and deleted content at the afflicted site with good data from another. After this reseed is complete, the site will return to a normal active state.