IBM’s new FlashCore Module 4 – ransomware attack detection cut from minutes to seconds

In February IBM announced an upgraded FlashCore Module (FCM) – FCM4 now includes features to prevent and/or recover quickly from ransomware attack, following last year’s announcement that its storage controllers could sample I/Os for detection. In the past users have found it very hard to protect block storage devices, which is one reason why so many large organizations have fallen victim to serious ransomware attacks. Last year (just in the UK)the Metropolitan Police, Greater Manchester Police, Capita and Royal Mail were all successfully infected. Those affected will be confronted with something like this:

Yves Santos and his team at IBM’s Storage Division, with help from IBM Security and Research, have been working for the last year on methods to improve reconnaissance, detection and prevention of these attacks for users of its Flash Core Modules (FCMs). Their intuition was that since Flash Systems are very good at ingesting large amounts of data very quickly, they could also analyze data as it is stored to generate critical insights more effectively than current applications, which come in at a later stage scanning external backup data.

How are ransomware attacks detected today?

There are three methods, according to IBM:

• Traditional anti-virus software looks to identify threat signatures through simple hash comparisons; this is a limited approach since it will only find threats that are already known about and works after primary or secondary data has already been infected;
• Network analysis, where software or services monitor the network looking for anomalies in the validity of those trying to access it. Again this is only of limited use due to the broad accessibility and massive footprints of modern IP-based corporate computer systems – fortifying the front door will do nothing to protect you from those already inside the house.
• Analyzing data behaviour, where software monitors primary storage at the block level in real-time; this is where the IBM team has been focusing.

While most large organizations have been using a variety of the first two of these to protect themselves for a while, the third is something new (and dependent on the nature of the primary storage being used).

How do ransomware attacks work on a block level?

Ransomware attacks have a number of steps. In particular:

• A single computer is infected by an internal or external criminal usually through phishing software.
• The infected computer allows the criminal to perform reconnaissance of the victim’s infrastructure.
• The software is used to escalate the privileges of the threat actor and expand the infection laterally through other computers within the victim’s infrastructure.
• Eventually the criminal exfiltrates the victim’s key data, encrypts it and then overwrites the original with it before sending the ransom note.

During this process the criminal has to evade a number of security operations protecting identity and access management, endpoints, networks, cloud and infrastructure, applications and workloads as well as the data itself (see my Figure above, based on IBM’s original).
IBM has discovered that ransomware attacks involve similar IO access sequences, which vary slightly in each of these steps (see the Figure below).

In particular they use infected computers to exfiltrate the victim’s data. There are three stages in the attack. In particular:

• Exfiltrate – where blocks are opened, read and deleted before being closed,
• Read, encrypt, delete – where the blocks in the victim’s data are read and encrypted before being deleted,
• Read, encrypt, overwrite – where the original blocks are replaced with the criminal’s encrypted version and linked with the ransom note.

The storage division has been working with others in the company including IBM Research to identify the patterns these three processes make over time.

In second quarter 2023 IBM announced that its storage system controllers would be used to sample I/Os to help detect ransomware attacks. Because this process is quite CPU-intensive for the controller, it decided to measure the I/Os of one in a hundred – rather than of every block – to provide real-time statistics on write bandwidth and drive-level compressibility.

With the introduction of FCM4, IBM is now using hardware on the FCM flash drives to do the sampling using their in-built dedicated Field Programmable Gate Array (FPGA) chips with ARM processing cores. This now allows its hardware to sample every single I/O, providing all sorts of measurements of which entropy is one. It has trained an AI model running on the controller to look at the statistics every 2 seconds to identify potential ransomware attacks. These alerts are sent to its Storage Insights software, which of course is further connected to IBM’s security software, such as Qradar and Storage Detector. By doing the processing in the FCM itself IBM can provide its users with much faster attack discovery (measured in seconds rather than minutes) without adding this workload to the customer’s server CPUs. This new approach increases protection beyond the current techniques of scanning backup data.