***This is a rough draft idea, poke all the holes in it please.*** *I haven’t proven any of this works obviously. I couldn’t code SATA firmware to do this yet or any other storage drive protocol, but I might learn how to write or adapt a driver for one standard to test this, at least in an emulator. I’m in the Army and am exploring ideas to solve cybersecurity problems since A) It can’t hurt to try to solve ambitious problems as a junior cybersec analyst (“Aim small, miss small”, a Patriot once said) and B) it shows initiative. But I’d much rather hear about why I’m wrong from you all than my superiors.*
# Virtualized Cold Storage Buffer
Cold storage is often logistically infeasible for large orgs (edit, for reddit: at least from what I hear, it does make sense after all that physical connection and disconnection would be a challenge), but in cyber security data is everything. Every organization has certain dynamic datasets critical to recovery after a cyber-attack. Destruction of such data dramatically increases the time required to recover operationally from a severe attack, costing the organization money or where services are critical, costing lives. This paper suggests a tool serving as an alternative to cold storage which reduces logistical costs and maintains the desired guarantees of workable backup data states to fall back on.
Incident recovery time after a cybersecurity incident is a critical factor in determining the financial damage a company will incur. Attackers frequently target backup storage in order to ensure payment of data ransom. Attackers are frequently able to succeed in this endeavor, resulting in severe disruption to targets, who often pay the ransom. This results in a self-feeding cycle where payment generates further incentive for cyber criminals to increase efforts towards this form of attack. Additionally, on the national stage, nation-state operatives have demonstrated the ability to use this strategy to delay recovery following state-sponsored cyberwarfare efforts against private and government entities.
In conclusion, it is of vital importance for both private and government entities to pursue and employ an effective solution. The following research proposes one such solution.
# Traditional Cold Storage
Cold storage, a method of ensuring backup data integrity by physically disconnecting the storage drive, is logistically unfeasible for many large enterprises. This is due to the sheer number of storage drives utilized by large enterprises, many of which is often hosted remotely on cloud services. Separate drives are expensive. The equipment and man-hours involved in physically disconnecting the drives is expensive. These costs are often prohibitively high for businesses.
It is commonly taught as a fundamental factor in cyber-security that having physical access to a device gives an attacker a potentially insurmountable advantage. It just so happens that defenders always have this advantage. A hardware-based solution is proposed to leverage physical access to provide the data integrity benefits of cold storage without the steep logistical challenges presented by the standard cold-storage backup approach.
The following scheme proposes increasing storage costs. In return for this increased cost, a capability of high financial and national security value is gained: Logistically feasible, mathematically proven (guaranteed) data integrity for operationally critical data which will inhibit operations if damaged. The tool described translates to every widely used storage protocol by combining the same base technology to firmware modules designed to support each individual physical storage protocol.
📷 [Figure 1](https://imgur.com/a/GoJbKUT) (can’t embed images on this subreddit): [https://imgur.com/a/GoJbKUT](https://imgur.com/a/GoJbKUT)
1. **Figure 1:** Each storage drive connection interface is connected to the **Virtualizer**, which manipulates the input/output (I/O) scheme for the drive to make the drive *behave* as two separate physical storage drives virtually: **Virtual Drive A (VD:A)** and **Virtual Drive B** **(VD:B)**. **VD:A** interfaces with the host as a standard storage drive would. The portion allocated to each drive is administrator configured depending on the amount of data the organization needs to protect and the duration of the incident detection and response window desired.
📷 [Figure 2](https://imgur.com/a/qaa0JAw): [https://imgur.com/a/qaa0JAw](https://imgur.com/a/qaa0JAw)
1. **Figure 2:** Between the virtual interface between the **Virtualizer** and **Delta Encoder** is a printed circuit board: **Delta Encoder.** Directories the administrator determines are necessary to protect for rapid disruption recovery are defined, that definition is uploaded to **Delta Encoder** via USB port. **Delta Encoder** then interprets I/O events that affect a protected directory. Initially, the contents of the protected directory are cloned onto **VD:B** and will hereafter be referred to as the **delta** **base image**.
2. The **Virtualizer** duplicates storage I/O executed between the host and **VD:A** and passes it to the **Delta Encoder**. The **Delta Encoder** performs an XOR operation against the previous and new data states in order to generate deltas (also known as diffs), a process known as **delta encoding. Delta encoding** is a way of recording differences when files are changed, resulting in a complete history of data states while only having to store the changed bits. Addressing metadata is stored with each delta.
3. As **VD:B** reaches capacity, the oldest deltas are permanently applied to the **delta base image**. In this way, a buffer window is created during which the defender has some time range with which to notice critical destruction of data backups which would otherwise be permanently destroyed or encrypted. While an attacker may be able to corrupt some data without notice, any data that is of critical, ongoing necessity for day-to-day operations should be noticed in time to perform a recovery operation. The duration of this recovery buffer window depends on the amount of space allocated to **VD:B** and the amount of activity performed by the business.
4. In the event of an incident, the enterprise uses an application on the hosts to read the contents of **VD:B** and interpret the deltas to recover a desired history state within the buffer window. The circuit is designed to ensure that the only commands a host can reach **VD:B** with are read-only. This outcome must be supported by mathematical proof, a process in which the circuit is simple enough to calculate every possible outcome and guarantee correct results.
The objective of this tool is to ensure operationally critical data is not permanently destroyed, corrupted, or otherwise damaged to create extended and costly disruption of operations. The attacker is still able to gain persistence in the data. This tool ensures that the defender has an opportunity to locate the threat and remove persistence from recovered data in order to rapidly recover.
# Cloud Services & Virtual Machines
One might question how such a technology can be applicable to a dynamic and rapidly changing business environment which is rapidly moving to cloud services and virtual machine hosts. Physically connecting to a USB port on the Delta Encoder to reconfigure which locations are protected would be logistically expensive, likely resulting is undesired directory structures wherein the administrator requires all critical files to be stored in a specific, never changing parent directory. Conveniently, a cloud service is more of a benefit to the model than a hinderance. A cloud storage provider can leverage this tool to offer a more user-friendly way to change which directories are protected, while behind the scenes the actual directory stays the same and a software-feature is used to map new directory names to that same protected directory location on the drive.