In this post, we:
- Detail the increasing threat of ransomware attacks.
- Outline precautions you can take to prevent a ransomware attack.
Ransomware is a particularly nefarious form of malware that encrypts its victim’s data with the promise of decryption once a ransom is paid. Attacks are on the rise and can have devastating effects.
In our series on Davie Street Enterprises (DSE), we've used a fictitious company to illustrate how organizations have implemented DevSecOps practices, transformed applications, and more.
In this post, we’ll cover how Zachary L. Tureaud, DSE’s Director of Security Engineering, plans to use Red Hat Ansible Automation Platform and ONTAP Snapshot technology to prevent and react to ransomware attacks.
A cohesive strategy to address ransomware
Tureaud is well aware of the impact a ransomware attack can have on a company. He had already implemented several strategies for avoiding ransomware and other malware attacks. In addition to deploying a Security Information and Event Management (SIEM) system, he conducted audits on security systems and trained company personnel on how to detect malicious attacks.
During one of the security audits, DSE discovered that it did not have a cohesive strategy to recover from a ransomware attack. If an attack did happen, would DSE pay the ransom? Would it be able to recover data from backups? How long would it take to restore the data?
While it may seem counterintuitive, a number of organizations pay the ransom and their data is in fact decrypted. In The State of Ransomware 2020 report published by Sophos, 94% of organizations surveyed that were affected by ransomware encryption say they were able to get their data back.
Twenty-six percent of these organizations reported paying the ransom and 54% were able to restore from backup. The remaining 12% say they restored their data by other means. No matter the method, this can come at a great financial cost.
The report also indicated that for large organizations, the average cost of remediation was almost $1,000,000. The cost was nearly double for those that paid the ransom than for those that restored from backup.
Not only is there a financial cost, but there can also be a hit to a company’s reputation. For these reasons, Tureaud wanted to make sure DSE could recover from an attack at a low cost, and do it quickly.
Luckily, DSE is using NetApp’s ONTAP solution to manage their storage needs. NetApp ONTAP has snapshot technology that creates a point-in-time read-only image of data. At a filesystem level, ONTAP uses pointers to the actual blocks of data on a disk. Snapshots are near instantaneous, as ONTAP is just making a backup of the pointers. Any new data is then written to new blocks. This also enables very fast restores, as ONTAP is just updating the pointers to existing blocks of data.
While snapshots are a powerful tool in the fight against ransomware, organizations also need to proactively react to threats and enforce data retention policies. This is where Red Hat Ansible Automation Platform comes into play.
An automated solution
NetApp has long worked with Red Hat on automation and has a large collection of Ansible modules. The full list of NetApp Ansible modules can be found here. The two modules of interest for snapshots are `na_ontap_snapshot` and `na_ontap_snapshot_policy`.
The `na_ontap_snapshot` module allows for the creation, modification, and deletion of snapshots. This module can help administrators create simple, yet powerful, Ansible playbooks that manage snapshots. And because Ansible works across the enterprise, ONTAP snapshots can better integrate with a holistic defense strategy. For example, Ansible can be triggered by a SIEM system to create a snapshot at any sign of attack.
Taking precautions
Tureaud needed a method to enforce policy. By leveraging the `na_ontap_snapshot_policy` module, he created an Ansible playbook to make sure the appropriate ONTAP Snapshot policies were in place.
As file systems change, snapshots do take up some amount of space, so aging out old snapshots is recommended. Note the use of `https: true` and `validate_certs: false`. These are the defaults for connecting to ONTAP, but may change in a production environment.
```yaml
- name: create Snapshot policy
  na_ontap_snapshot_policy:
    state: present
    name: ansible
    schedule: daily
    count: 30
    enabled: True
    username: "{{ netapp_username }}"
    password: "{{ netapp_password }}"
    hostname: "{{ netapp_hostname }}"
    https: true
    validate_certs: false
```
Using Ansible Tower, he scheduled a Job Template to run every night that would enforce a policy of keeping 30 days of daily snapshots.
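As an added example (not from the original post or from NetApp's own playbooks), here is the policy task above expanded into a complete, runnable playbook that a nightly Job Template could execute. It uses the `netapp.ontap` collection's fully qualified module names, keeps the cluster credentials in an Ansible Vault file, and also attaches the policy to each protected volume, since a policy that exists but is not assigned to a volume retains nothing. The vault file path, the `ontap_*` variable names, the vserver `svm_dse`, the volume names and the policy name `ransomware-guard` are all assumptions for illustration.

```yaml
# Added example: enforce a 30-day daily snapshot policy on a set of volumes.
# Assumes vault/ontap_credentials.yml defines ontap_hostname, ontap_username
# and ontap_password, and that the listed volumes already exist.
---
- name: Enforce ONTAP snapshot retention policy
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault/ontap_credentials.yml
  vars:
    policy_name: ransomware-guard          # assumed policy name
    ontap_vserver: svm_dse                 # assumed SVM name
    protected_volumes:                     # assumed volume names
      - vol_finance
      - vol_home
  # Connection parameters shared by every netapp.ontap task in this play,
  # so they are stated once rather than repeated per task.
  module_defaults:
    netapp.ontap.na_ontap_snapshot_policy:
      hostname: "{{ ontap_hostname }}"
      username: "{{ ontap_username }}"
      password: "{{ ontap_password }}"
      https: true
      validate_certs: true                 # verify the cluster certificate in production
    netapp.ontap.na_ontap_volume:
      hostname: "{{ ontap_hostname }}"
      username: "{{ ontap_username }}"
      password: "{{ ontap_password }}"
      https: true
      validate_certs: true

  tasks:
    - name: Ensure the daily policy exists and keeps 30 copies
      netapp.ontap.na_ontap_snapshot_policy:
        state: present
        name: "{{ policy_name }}"
        vserver: "{{ ontap_vserver }}"
        schedule: daily
        count: 30
        enabled: true
        comment: "Managed by Ansible; changes made by hand are reverted nightly"

    - name: Attach the policy to each protected volume
      netapp.ontap.na_ontap_volume:
        state: present
        name: "{{ item }}"
        vserver: "{{ ontap_vserver }}"
        snapshot_policy: "{{ policy_name }}"
      loop: "{{ protected_volumes }}"
```

Because every task is idempotent, a nightly run reports `changed` only when someone has altered the policy or detached it from a volume, which makes the job's change count a useful signal in its own right.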
Reacting to threats
Next, Tureaud wanted to show how easy it is to create a snapshot with an Ansible playbook. This can be called by an administrator in Ansible Tower or kicked off by an outside event, such as a threat alert. If an email scan detects a potential threat, a snapshot can automatically be created as a precaution. Because there is no overhead in creating a snapshot, it can be done anytime and without impacting users.
```yaml
- name: create SnapShot
  na_ontap_snapshot:
    state: present
    snapshot: "{{ snapshot_name }}"
    volume: "{{ vol_name }}"
    comment: "i am a comment"
    vserver: "{{ vserver_name }}"
    username: "{{ netapp_username }}"
    password: "{{ netapp_password }}"
    hostname: "{{ netapp_hostname }}"
    https: true
    validate_certs: false
```
Once the threat is gone, Ansible can be used to remove the snapshot. This can all be automated so it is transparent to administrators.
```yaml
- name: delete SnapShot
  na_ontap_snapshot:
    state: absent
    snapshot: "{{ snapshot_name }}"
    volume: "{{ vol_name }}"
    vserver: "{{ vserver_name }}"
    username: "{{ netapp_username }}"
    password: "{{ netapp_password }}"
    hostname: "{{ netapp_hostname }}"
    https: true
    validate_certs: false
```
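The create and delete tasks above, combined into one complete playbook as an added example (not from the original post or from NetApp). It is written to be launched from Ansible Tower by a SIEM or mail-scanner alert: the caller passes the alert reference as an extra var, the snapshot is named after that reference so that the later cleanup run removes exactly the copies this alert created, and the same playbook deletes them when launched with `snapshot_state=absent`. The vault file, the `ontap_*` variables, the vserver `svm_dse` and the volume names are assumptions.

```yaml
# Added example: take (or later remove) a precautionary snapshot of every
# protected volume in response to an alert.
# Launch:  ansible-playbook alert_snapshot.yml -e "alert_id=INC-0042"
# Cleanup: ansible-playbook alert_snapshot.yml -e "alert_id=INC-0042 snapshot_state=absent"
# Assumes vault/ontap_credentials.yml defines ontap_hostname, ontap_username
# and ontap_password.
---
- name: Snapshot protected volumes in response to a threat alert
  hosts: localhost
  gather_facts: false
  vars_files:
    - vault/ontap_credentials.yml
  vars:
    snapshot_state: present                # overridden to absent for cleanup
    ontap_vserver: svm_dse                 # assumed SVM name
    protected_volumes:                     # assumed volume names
      - vol_finance
      - vol_home
    # One deterministic name per alert keeps create and delete in step.
    snapshot_name: "alert-{{ alert_id }}"
  module_defaults:
    netapp.ontap.na_ontap_snapshot:
      hostname: "{{ ontap_hostname }}"
      username: "{{ ontap_username }}"
      password: "{{ ontap_password }}"
      https: true
      validate_certs: true                 # verify the cluster certificate in production

  tasks:
    - name: Refuse to run without a usable alert reference
      ansible.builtin.assert:
        that:
          - alert_id is defined
          - alert_id is match('^[A-Za-z0-9_-]+$')
          - snapshot_state in ['present', 'absent']
        fail_msg: "alert_id must be set to a simple identifier; snapshot_state must be present or absent"

    - name: "Set snapshot {{ snapshot_name }} to state {{ snapshot_state }} on each protected volume"
      netapp.ontap.na_ontap_snapshot:
        state: "{{ snapshot_state }}"
        snapshot: "{{ snapshot_name }}"
        volume: "{{ item }}"
        vserver: "{{ ontap_vserver }}"
        comment: "Precautionary copy for alert {{ alert_id }}, created by Ansible"
      loop: "{{ protected_volumes }}"
      register: snapshot_result

    - name: Report the outcome per volume
      ansible.builtin.debug:
        msg: "{{ item.item }}: {{ 'changed' if item.changed else 'already in desired state' }}"
      loop: "{{ snapshot_result.results }}"
      loop_control:
        label: "{{ item.item }}"
```

The `assert` task matters in an event-driven setup: the alert identifier arrives from an external system and ends up inside an ONTAP object name, so restricting it to a simple character set before use avoids failed or misnamed snapshots when an alert carries unexpected characters.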
Conclusion
As ransomware attacks can lead to financial and operational setbacks, organizations should be prepared with a cohesive strategy to address such attacks. ONTAP Snapshots are just one component in that plan of action, but are absolutely vital.
They allow speedy recovery of data and provide a lower total cost of remediation than paying the ransom or restoring from traditional backups. Because of the tight integration between NetApp ONTAP and Ansible, organizations can leverage both to create sophisticated solutions across the enterprise. Organizations can proactively react to threats without the worry of losing critical data. They can also enforce a snapshot policy to help protect data at all times.
Learn more about security automation and NetApp integrations with Ansible Automation Platform.
About the author
George James came to Red Hat with more than 20 years of experience in IT for financial services companies. He specializes in network and Windows automation with Ansible.