While the first three layers of data protection provided by Data Defense are robust, they are primarily software-based, which a skilled adversary might attempt to bypass or exploit. For instance, if a threat actor gains administrative control of the host, they could disable Data Defense and its components. If the secure drive is unlocked at the time, the data would be exposed.
This is where the Cigent firmware enhancements come in, closing those potential threat vectors.
Erase Verify
Secure data erasure is essential to prevent unauthorized access to classified information. Erase Verify utilizes specialized methods to counter advanced recovery techniques on SSDs.
Cigent Drives support extended erasure verification commands that check all mapped and unmapped blocks to ensure data has been fully removed. Any blocks containing data trigger an erasure verification failure. Once Data Defense confirms complete erasure, the drive can be securely reused.
- On the Drives page, select Erase Verify from the menu.
- The resulting map displays logical blocks, color-coded to indicate their state. The overall status of the drive (Erased or Not Erased) is shown at the top.
Example of a drive after a successful data erasure procedure:
KeepAlive
KeepAlive adds protection by strengthening the trust relationship between the SSD firmware and Data Defense. When enabled, a non-replayable heartbeat keeps the two in constant communication. If the drive does not receive the heartbeat in time, it locks itself automatically, so stopping or disabling Data Defense after the drive has been unlocked does not leave the data exposed. This makes it impossible to access the files on the Cigent Secure SSD without Data Defense running.
KeepAlive is automatically set up and enabled when you configure Secure Drive. Its status can be seen on the Secure Drive panel:
Since Windows caches a large amount of file and directory information, testing KeepAlive with Windows Explorer can be challenging. The best method is to use a simple batch script to continuously write a test file to the secure drive and then stop the Data Defense service. After about 30 seconds, the script will fail to write as the firmware automatically locks the drive.
- Unlock the Secure Drive: ensure the Secure Drive is unlocked before proceeding.
- Open the Services application and locate the Cigent Service.
- Right-click on the row and select Properties.
- Set all failure actions to Take No Action and click OK to save changes.
- Create a Batch File on your C: drive with the following contents:
- Open a Command Prompt with Administrator privileges. Execute the batch file and leave it running.
- Open another Command Prompt with Administrator privileges. Run the command “taskkill /f /IM cigentservice.exe” to forcibly shut down the Cigent Service.
- Shortly after, write operations to the Secure Drive will begin to fail. This indicates that KeepAlive has timed out, causing the firmware to lock the drive.
- While Windows Explorer might not immediately reflect that the drive is locked, any attempt to access it will confirm the lock.
- Restart the Cigent Service using Services, and reset the failure actions to restart service:
- Unlock the Always-On Drive using Data Defense. You may need to lock and unlock the drive twice to restore its previous drive letter (e.g., L:).
- Confirm that after unlocking, the script is once again able to write to the Secure Drive.
- Terminate the Batch File using Ctrl + C.
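The guide's batch file is not reproduced above. As an added example, not the guide's own script, the following PowerShell loop does the same job: it appends a timestamp to a test file on the Secure Drive every second and logs the moment writes start failing and the moment they resume after the drive is unlocked. The drive letter L: and the file name keepalive_test.txt are assumptions.

```powershell
# Added example (not Cigent's batch file): continuously write to the Secure Drive
# and report the transitions between "writes succeed" and "writes fail".
# Assumptions: Secure Drive mounted as L:, test file name is arbitrary.
param(
    [string]$DriveLetter = "L:",
    [int]$IntervalMs = 1000
)

$testFile = Join-Path $DriveLetter "keepalive_test.txt"
$start    = Get-Date
$writes   = 0
$lastOk   = $null   # tracks the previous iteration's outcome to log only state changes

Write-Host "Writing to $testFile every $IntervalMs ms. Press Ctrl+C to stop."

while ($true) {
    $now = Get-Date
    try {
        # A failure here means the firmware has locked the drive (KeepAlive timed out).
        Add-Content -Path $testFile -Value ($now.ToString("o")) -ErrorAction Stop
        $writes++
        if ($lastOk -ne $true) {
            Write-Host ("{0:HH:mm:ss} writes succeeding (total so far: {1})" -f $now, $writes)
            $lastOk = $true
        }
    }
    catch {
        if ($lastOk -ne $false) {
            $elapsed = [int]($now - $start).TotalSeconds
            Write-Host ("{0:HH:mm:ss} write FAILED after {1} writes, {2} s since start: {3}" -f `
                $now, $writes, $elapsed, $_.Exception.Message)
            $lastOk = $false
        }
        # Keep looping so the log shows writes resuming once the drive is unlocked again.
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Run it from an elevated PowerShell prompt in place of the batch file; the timestamp of the first FAILED line, compared with the time the service was stopped, gives the observed KeepAlive timeout.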
Command Log
Cigent Secure SSDs automatically record all commands sent to the drive in a tamper-proof memory location. Cigent Data Defense periodically adds markers to indicate that activities were performed with Data Defense active and properly authorized. This log covers all partitions, including unsecured locations such as the C: drive.
Main features:
- Tracks drive operations to detect unauthorized access attempts, including efforts to bypass file protection.
- Maps accessed locations to the current file system layout, highlighting files accessed with or without Data Defense active. This provides critical insights for investigators.
- The log is primarily retrieved during forensic investigations or to confirm drive tampering.
- Supports the machine learning-based ransomware detection of Cigent Secure SSD+ drives.
- In Data Defense > Drives, select Command Log.
- Click Scan.
- The scanning process may take 30 minutes or longer. You can stop it anytime by clicking Stop. Any data retrieved before stopping will remain accessible.
- As the scan progresses, rows will begin to populate in the table, starting with the oldest available dates.
- While you can stop the retrieval once data appears, it is recommended to wait until the process completes to ensure all relevant data is displayed.
- When the scan is complete, a popup will appear. Click OK to proceed.
- Scroll to the end of the table and select a row corresponding to the time period during which you followed this guide. Click Generate.
- Choose a report location and name, then click Save.
- You will be prompted to authenticate to complete the process.
- Data Defense will process the command log and cross-reference the file system with the access logs to generate an affected file report.
- Click OK to confirm.
- Locate and open the file ending in csv_files.csv.
- Search the file for “Level1”. You should see an entry for the file used during this evaluation.
Entries marked authorized are accesses that occurred while Data Defense was active; entries marked unauthorized are accesses that took place while Data Defense was not running, for example during system startup or when the drive was accessed from another system while in an external enclosure.
While unauthorized activity does not necessarily indicate malicious intent, it can provide valuable clues regarding how the drive was accessed.
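As an added example, not Cigent's tooling, the following PowerShell triages an affected-file report by listing, per file, how many accesses happened without Data Defense active and when they were first and last seen. The guide does not document the report's column layout, so the column names Path, AccessTime and DataDefenseActive are assumptions, and the sample rows are constructed for illustration.

```powershell
# Added example (not Cigent's tooling): triage an affected-file report.
# ASSUMED columns (the guide does not give the schema): Path, AccessTime, DataDefenseActive.
# Constructed sample rows standing in for a real <report>_csv_files.csv.
$sampleCsv = @"
Path,AccessTime,DataDefenseActive
L:\Level1\evaluation.docx,2024-05-01T09:14:02,True
L:\Level1\evaluation.docx,2024-05-01T09:20:45,False
C:\Users\eval\notes.txt,2024-05-01T09:21:10,False
L:\Level1\evaluation.docx,2024-05-01T10:02:33,True
L:\Level1\evaluation.docx,2024-05-01T10:05:12,False
"@

function Get-UnauthorizedAccess {
    # Returns one summary object per path that was accessed while Data Defense was not running.
    param(
        [Parameter(Mandatory)][object[]]$Rows,
        [string]$PathFilter = "*"     # e.g. "*Level1*" to focus on the evaluation file
    )
    $Rows |
        Where-Object { $_.Path -like $PathFilter -and $_.DataDefenseActive -eq "False" } |
        Group-Object Path |
        ForEach-Object {
            $times = $_.Group.AccessTime | ForEach-Object { [datetime]$_ } | Sort-Object
            [pscustomobject]@{
                Path              = $_.Name
                UnauthorizedCount = $_.Count
                FirstSeen         = $times[0]
                LastSeen          = $times[-1]
            }
        }
}

$rows = $sampleCsv | ConvertFrom-Csv
# For a real report, replace the line above with:
#   $rows = Import-Csv -Path "<report>_csv_files.csv"
Get-UnauthorizedAccess -Rows $rows -PathFilter "*Level1*" | Format-Table -AutoSize
```

Unauthorized entries whose FirstSeen falls inside a boot window or a period when the drive was in an external enclosure explain themselves; anything outside those windows is what an investigator should look at first.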