Commvault Metallic ThreatWise Early Threat Detection with Deception Technology

There is no question that cybersecurity is at the top of the minds of businesses in 2022 and beyond. High-profile ransomware attacks and data breach events continue to plague businesses worldwide with no end in sight. Threat actors continue to target businesses using typical attack vectors and even zero-day vulnerabilities. Commvault Metallic ThreatWise sets out to help businesses solve extremely challenging security challenges with a unique approach to cybersecurity.

The threat landscape is growing

Attackers are continuing to target enterprise organizations across every business sector. The threat of ransomware attacks has continued to grow. By 2022, ransomware is estimated to attack a business every 11 seconds!

Attackers continue using more sophisticated approaches to compromising environments, including hiring insiders and using zero-day vulnerabilities. In the Group-IB report, Ransomware Uncovered 2021-2022, it was noted that attackers were increasingly targeting various vulnerabilities on public-facing services and applications.

We probably recall the zero-day vulnerabilities found in the Kaseya VSA appliance and the zero-day vulnerabilities in Accellion’s legacy File transfer Appliance (FTA). The following are a few of the vulnerabilities identified and capitalized on in 2021 by various ransomware groups:

CVE-2021-20016 (SonicWall SMA100 SSL VPN)
CVE-2021-26084 (Atlassian Confluence)
CVE-2021-26855 (Microsoft Exchange)
CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and
CVE-2021-27104 (Accellion FTA)
CVE-2021-30116 (Kaseya VSA)
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (Microsoft Exchange)
CVE-2021-35211 (SolarWinds)

Once attackers have infiltrated the network, they use new tactics to help ensure ransom payment. These include the double extortion technique where they not only extort businesses to decrypt their data, they also extort them to prevent leaking their data.

Hacker groups are commonly using ransomware attacks to steal and encrypt critical data
Hacker groups are commonly using ransomware attacks to steal and encrypt critical data

Needless to say, ransomware, data leaks, and other cyber attacks are a top cybersecurity priority that requires the right tools and solutions to help protect business-critical data.

Commvault provides powerful Data management solutions

Commvault has been strengthening its DMaaS portfolio with the introduction of Metallic in 2019. What is Metallic? It delivers an intelligent data platform and provides SaaS-delivered data protection with many great features. These include:

  • Metallic Backup-as-a-Service – Microsoft 365, Microsoft Dynamics, and Salesforce protection. Hybrid cloud protection for VMs, databases, containers, and file systems.
  • Metallic eDiscovery – Granular search and export for Office 365 and also endpoint data, helping to meet regulatory compliance requirements
  • Metallic Recovery Reserve – The scalable cloud storage solution is built on Microsoft Azure and delivers secure storage for backups

Commvault has engineered the Metallic portfolio of solutions to work seamlessly with Commvault customer-managed solutions, helping to deliver the feel of the cloud SaaS model and still deliver rapid recovery on-premises.

Introducing Metallic ThreatWise Threat Detection and Zero Loss Strategy

Recently, Commvault has evolved the Metallic solution, introducing Metallic ThreatWise. It is a data security service that provides a unique threat detection technology for enterprise organizations, allowing them to have early detection for zero-day threats before these target critical infrastructure assets and data.

A unique approach to surfacing zero-day threats

Metallic ThreatWise provides a unique approach to surfacing zero-day threats. It uses decoys or fake resources to spot threats proactively. Commvault uses what they describe as patented deception technology to configure threat sensors around critical resources like virtual machines, databases, file servers, etc.

The Metallic ThreatWise sensors simulate real production resources such that attackers cannot determine the difference between real resources and those set up as decoys.

Metallic ThreatWise threat detection and early warning responses

The Metallic ThreatWise solution gives organizations the early warning signals needed for visibility to attackers moving slyly through the network, elevating privileges, etc. When an attacker infiltrates and compromises a network, it is usually discovered too late after data is leaked, encrypted, or exfiltrated.

Before the compromise reaches this point, Metallic ThreatWise springs into action with early warning alerts and orchestration with security vendors to contain threats. Note the following workflow to protect against threats:

  • Mimic – Metallic ThreatWise deploys decoys around the environment to dilute the attack surface and effectively gain visibility of the movements and tactics of an attacker
  • Trip – When you think of a trip wire, the unsuspecting attacker works at compromising what they think are legitimate internal resources, only to be “attacking” mimics of real resources
  • Alert – Once the decoys are “tripped,” admins get real-time alerts helping to gain quick visibility to a potential attack to take appropriate action
  • Respond – Metallic ThreatWise works seamlessly with security vendors on the market to provide quick remediation and containment of threats before undesired outcomes like data leak, encryption, or data exfiltration
Metallic ThreatWise provides a unique threat deception technology protecting critical assets
Metallic ThreatWise provides a unique threat deception technology protecting critical assets

What is different with this approach

Traditional vendors in the data protection space often focus on the reactive responses needed after an attack occurs. However, in reality, organizations want to have the visibility and aggressive responses to attacks needed before an attack progresses to needing data recovery.

This is where Metallic ThreatWise shines. The unique cybersecurity detection tools offered by Metallic ThreatWise help businesses intercept and disorient attackers who make it into the environment before the damage is done.

Working alongside the Metallic DMaaS solution, ThreatWise helps stop ransomware attacks before these get to the point of compromising critical data. Much like an early-warning buoy detects the danger of a tsunami miles off the coast, Metallic provides a similar early-warning detection system, helping to identify grave risks to critical data underway.

Is this a honeypot?

You may say this sounds like a honeypot approach. While there are similarities conceptually, honeypot solutions can be cumbersome, complex, take time to deploy, and consume IT resources. Instead of this approach, Commvault Metallic ThreatWise uses a patented threat sensor technology that mimics real assets.

In just a matter of seconds, hundreds or even thousands of lightweight sensors can be rapidly deployed across entire environments. These decoys are indistinguishable from the real thing, making them look and behave like real assets. These high-quality look-alikes entice bad actors into engaging fake resources across the environment.

Metallic ThreatWise key features

What are the key features offered by the Metallic ThreatWise solution? These include the following:

  1. It mimics real network resources and assets to trick attackers into attacking decoys
  2. It provides early-warning ransomware detection
  3. It provides the tools needed to contain attacks before they impact real data
  4. It is delivered as a SaaS solution

1. It mimics real network resources and assets to trick attackers into attacking decoys

As we have already discussed, Metallic ThreatWise deploys decoys in the environment to trick attackers into attacking “tripping” decoy targets. These decoy targets provide the targets that provide visibility to attacks that threat actors are actively carrying out in the environment.

This way, attackers are baited into alerting SecOps to their presence and the resources they are actively seeking out. In addition, it gives SecOps and IT admins the precious time needed to contain and remediate threats before they progress to the point of affecting or leaking sensitive data.

It also serves to provide an additional benefit. Since attackers are attacking decoys, it slows their progress in the environment, helping organizations to proactively contain and remediate threats.

2. It provides early-warning ransomware detection

Every minute and second counts with a ransomware attack. Often when data is being encrypted, it is already too late. By this point, cybercriminals have often already exfiltrated the data before they begin their encryption activities. They do this to help guarantee payment using tactics like double extortion.

The early-warning detection provided by Metallic ThreatWise helps give visibility to the beginning stages of a ransomware attack, such as the reconnaissance activities, privilege elevation, and other nefarious actions carried out by threat actors in the early stages.

3. It provides the tools needed to contain attacks before they impact real data

Precise and accurate alerting is a key aspect of visibility into an attacker’s actions. Commvault Metallic ThreatWise provides immediate visibility to malicious activities of an attacker before they reach your data. In addition, it helps SecOps have immediate visibility into the activities and tactics used, lateral movement and helps eliminate false positives.

Commvault Metallic ThreatWise also integrates with SIEM solutions to provide further insights into activities and any latent threats on the network.

4. It is delivered as a SaaS solution

So many organizations today are shifting to the Software-as-a-Service (SaaS) model for consuming software, applications, and services. Commvault Metallic ThreatWise aligns with this shift in consuming services and solutions as it is offered as a SaaS solution.

It means no infrastructure needs provisioning, configured, maintained, or updated. In addition, businesses can rapidly deploy Commvault Metallic ThreatWise for immediate surface area coverage, providing multi-layered zero-trust security in the cloud.

Screenshots of Metallic ThreatWise

Below, we are adding a new threat sensor by clicking the + sign on the right-hand side.

Adding a new threat sensor
Adding a new threat sensor

The wizard allows choosing which type of system you want to emulate.

Configuring a new threat sensor type and services
Configuring a new threat sensor type and services

Further into the wizard and selecting the system type that will be emulated.

Continuing the configuration wizard
Continuing the configuration wizard

Selecting the services the threat sensor will host.

Selecting the services that will be hosted on the new threat sensor
Selecting the services that will be hosted on the new threat sensor

The new threat sensor, emulating Windows Server 2019, has been provisioned.

New threat sensor has been deployed
New threat sensor has been deployed

On the Analysis screen, Metallic ThreatWise shows details of lateral movement by an attacker through the network as they hit the threat sensor.

Analyzing lateral movement of an attacker hitting the threat sensor
Analyzing lateral movement of an attacker hitting the threat sensor

Commvault Metallic ThreatWise FAQs

What is cyber deception? Cyber deception is a new type of cybersecurity that employs active defense mechanisms to slow attackers down and alert businesses to the activities of cyber attackers before they get to the point of leaking, exfiltrating, or encrypting data.

Why is cyber deception needed with backups? Attackers today are using double extortion techniques to encrypt data and exfiltrate data to use as leverage, forcing businesses to pay the ransom demanded. Metallic ThreatWise gives businesses the upper hand to gain visibility of these activities and threats before it makes it to the point of data exfiltration and encryption.

How does Commvault Metallic ThreatWise work? It works by deploying threat sensors around valuable assets such as file servers, databases, and virtual machines, providing decoys in the production environment. If these decoys are tripped, it provides visibility and high-fidelity alerting to nefarious activities in the environment.

My impressions and Wrapping Up

The new Metallic ThreatWise solution provides a fresh take on protecting data from the threat of ransomware. With the new threat of double extortion, attackers have the upper hand and have already exfiltrated data by the time organizations recognize a ransomware attack is underway, and their data is encrypted.

The Metallic ThreatWise approach allows organizations to throw many roadblocks and frustration in the way of attackers who have to traipse through decoys they do not even know are decoys. This buys back valuable time for organizations to contain and remediate the environment and provides orchestration for security solutions to work from SIEM feeds, etc.

The “blue team” has always had the more difficult position in cybersecurity. Commvault Metallic ThreatWise helps provide businesses with the sophisticated tools needed for a strong cybersecurity posture, allowing them to ward off even very sophisticated attacks successfully and throw as many obstacles in the path of an attack as they can.

Learn more about Metallic ThreatWise here:

Subscribe to VirtualizationHowto via Email 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.