In this post, we:
-
Detail the increasing threat of ransomware attacks.
-
Outline precautions you can take to prevent a ransomware attack.
Ransomware is a particularly nefarious form of malware that encrypts its victim’s data with the promise of decryption once a ransom is paid. Attacks are on the rise and can have devastating effects.
In our series on Davie Street Enterprises (DSE), we've used a fictitious company to illustrate how organizations have implemented DevSecOps practices, transformed applications, and more.
In this post, we’ll cover how Zachary L. Tureaud, DSE’s Director of Security Engineering, plans to use Red Hat Ansible Automation Platform and ONTAP Snapshot technology to prevent and react to ransomware attacks.
A cohesive strategy to address ransomware
Tureaud is well aware of the impact a ransomware attack can have on a company. He had already implemented several strategies for avoiding ransomware and other malware attacks. In addition to deploying a Security Information and Event Management (SIEM) system, he conducted audits on security systems and trained company personnel on how to detect malicious attacks.
During one of the security audits, DSE discovered that it did not have a cohesive strategy to recover from a ransomware attack. If an attack did happen, would DSE pay the ransom? Would it be able to recover data from backups? How long would it take to restore the data?
While it may seem counterintuitive, a number of organizations pay the ransom and their data is in fact decrypted. In The State of Ransomware 2020 report published by Sophos, 94% of organizations surveyed that were affected by ransomware encryption say they were able to get their data back.
Twenty-six percent of these organizations reported paying the ransom and 54% were able to restore from backup. The remaining 12% say they restored their data by other means. No matter the method, this can come at a great financial cost.
The report also indicated that for large organizations, the average cost of remediation was almost $1,000,000. The cost was nearly double for those that paid the ransom than for those that restored from backup.
Not only is there a financial cost, but there can also be a hit to a company’s reputation. For these reasons, Tureaud wanted to make sure DSE could recover from an attack at a low cost, and do it quickly.
Luckily, DSE is using NetApp’s ONTAP solution to manage their storage needs. NetApp ONTAP has snapshot technology that creates a point-in-time read-only image of data. At a filesystem level, ONTAP uses pointers to the actual blocks of data on a disk. Snapshots are near instantaneous, as ONTAP is just making a backup of the pointers. Any new data is then written to new blocks. This also enables very fast restores, as ONTAP is just updating the pointers to existing blocks of data.
While snapshots are a powerful tool in the fight against ransomware, organizations also need to proactively react to threats and enforce data retention policies. This is where Red Hat Ansible Automation Platform comes into play.
An automated solution
NetApp has long worked with Red Hat on automation and has a large collection of Ansible modules. The full list of NetApp Ansible modules can be found here. The two modules of interest for snapshots are `na_ontap_snapshot` and na_ontap_snapshot_policy
.
The na_ontap_snapshot
module allows for the creation, modification, and deletion of snapshots. This module can help administrators create simple, yet powerful, Ansible playbooks that manage snapshots. And because Ansible works across the enterprise, ONTAP snapshots can better integrate with a holistic defense strategy. For example, Ansible can be triggered by a SIEM system to create a snapshot at any sign of attack.
Taking precautions
Tureaud needed a method to enforce policy. By leveraging the na_ontap_snapshot_policy, he created an Ansible playbook to make sure the appropriate ONTAP Snapshot policies were in place.
As file systems change, snapshots do take up some amount of space, so aging out old snapshots is recommended. Note the use of https: true and validate_certs: false. These are the defaults for connecting to ONTAP, but may change in a production environment.
- name: create Snapshot policy na_ontap_snapshot_policy: state: present name: ansible schedule: daily count: 30 enabled: True username: "{{ netapp username }}" password: "{{ netapp password }}" hostname: "{{ netapp hostname }}" https: true validate_certs: false
Using Ansible Tower, he scheduled a Job Template to run every night that would enforce a policy of keeping 30 days of daily snapshots.
Reacting to threats
Next, Tureaud wanted to show how easy it is to create a snapshot with an Ansible playbook. This can be called by an administrator in Ansible Tower or kicked off by an outside event, such as a threat alert. If an email scan detects a potential threat, a snapshot can automatically be created as a precaution. Because there is no overhead in creating a snapshot, it can be done anytime and without impacting users.
- name: create SnapShot na_ontap_snapshot: state: present snapshot: "{{ snapshot name }}" volume: "{{ vol name }}" comment: "i am a comment" vserver: "{{ vserver name }}" username: "{{ netapp username }}" password: "{{ netapp password }}" hostname: "{{ netapp hostname }}" https: true validate_certs: false
Once the threat is gone, Ansible can be used to remove the snapshot. This can all be automated so it is transparent to administrators.
- name: delete SnapShot na_ontap_snapshot: state: absent snapshot: "{{ snapshot name }}" volume: "{{ vol name }}" vserver: "{{ vserver name }}" username: "{{ netapp username }}" password: "{{ netapp password }}" hostname: "{{ netapp hostname }}" https: true validate_certs: false
Conclusion
As ransomware attacks can lead to financial and operational setbacks, organizations should be prepared with a cohesive strategy to address such attacks. ONTAP Snapshots are just one component in that plan of action, but are absolutely vital.
They allow speedy recovery of data and provide a lower total cost to remediation than paying the ransom or restoring with traditional backups. Because of the tight integration between NetApp ONTAP and Ansible, organizations can leverage both to create sophisticated solutions across the enterprise. Organizations can proactively react to threats without the worry of losing critical data. They can also enforce a snapshot policy to help protect data at all times.
Learn more about security automation and NetApp integrations with Ansible Automation Platform.
About the author
George James came to Red Hat with more than 20 years of experience in IT for financial services companies. He specializes in network and Windows automation with Ansible.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit