Introduction to Peer MED

Revision

001

Last Updated

27 Feb 2018

One of the core functions of the Peer Global File Service (PeerGFS) platform is its ability to detect and analyze both user and application activity on various storage platforms in real-time. This engine discovers the activity patterns that drive the distributed locking and replication capabilities of PeerGFS.
 

With the introduction of Peer Malicious Event Detection (MED), that same detection and analysis engine can now be used to spot unwanted activity being executed on storage platforms by ransomware, viruses, malware, hackers, or rogue users. This new technology provides alerting capabilities, as well as the ability to minimize the amount of encrypted or deleted content from being replicated to remote locations.
 

Peer MED deploys three different mechanisms for spotting malicious activity, each of which can be enabled and tuned independently. This three-pronged approach boosts detection rates of malicious actors that are constantly evolving.

  • Bait Files: Peer MED seeds common file types into the environment that are hidden to users. Though hidden, these bait files are likely to be accessed by automated processes (like ransomware) or by mass deletions of entire folder structures. As soon as these files are touched, Peer MED's action engine is triggered.
     
  • Pattern Matching: Peer MED comes with a set of pre-defined patterns of both valid and malicious file activity behavior. They are based on known good activity patterns, as well as on the activity patterns of common malware variants. If a pattern signifying malicious activity by a specific client or user is detected, Peer MED's action engine is triggered
     
  • Trap Folders: On Windows File Servers, Peer MED creates hidden recursive folders that try to trap or slowdown ransomware as it enumerates a folder structure. As with the bait files, these folders cannot be seen by users but will be accessible by automated processes. If any files within these folders are touched, Peer MED's action engine is triggered.
     

Upon detection of malicious activity, Peer MED can perform one of the following actions:

  • Alert: Notify admins if any of the three mechanisms above have been triggered. This mode is typically used during initial rollouts to determine normal patterns of access for existing data.
     
  • Alert and Disable the Afflicted Agent: When Peer MED detects malicious activity on a storage device, the Agent paired with that device will be disabled. Once disabled, that Agent will no longer replicate changes to other locations, minimizing the amount of encrypted and/or deleted content from being spread. The afflicted Agent will remain disabled until it is manually re-enabled by an admin. Other locations can continue working without interruption.
     
  • Alert and Stop the Afflicted Job: When Peer MED detects malicious activity on a storage device, any jobs tied to that storage device will be stopped. This will minimize the amount of encrypted and/or deleted content from being spread, regardless of where it was first detected. A restart of afflicted jobs by an admin will return replication relationships back to normal.
     
  • Alert, Disable the Afflicted Agent, and Stop the Afflicted Job: When Peer MED detects malicious activity on a storage device, it's paired Agent will be disabled, and all associated jobs will be stopped. This is the most aggressive option, requiring admins to not only restart jobs but also re-enable Agents.
     

PeerGFS can help recover data once malicious activity has been detected and contained. Setting the afflicted location as a Seeding Target, re-enabling the associated Agent (if disabled), and restarting associated jobs can replace encrypted and deleted content at the afflicted site with good data from another. After this reseed is complete, the site will return to a normal active state.