In this post, we:

  • Detail the increasing threat of ransomware attacks.

  • Outline precautions you can take to prevent a ransomware attack.


Ransomware is a particularly nefarious form of malware that encrypts its victim’s data with the promise of decryption once a ransom is paid. Attacks are on the rise and can have devastating effects. 

In our series on Davie Street Enterprises (DSE), we've used a fictitious company to illustrate how organizations have implemented DevSecOps practices, transformed applications, and more. 

In this post, we’ll cover how Zachary L. Tureaud, DSE’s Director of Security Engineering, plans to use Red Hat Ansible Automation Platform and ONTAP Snapshot technology to prevent and react to ransomware attacks. 

A cohesive strategy to address ransomware

Tureaud is well aware of the impact a ransomware attack can have on a company. He had already implemented several strategies for avoiding ransomware and other malware attacks. In addition to deploying a Security Information and Event Management (SIEM) system, he conducted audits on security systems and trained company personnel on how to detect malicious attacks.

During one of the security audits, DSE discovered that it did not have a cohesive strategy to recover from a ransomware attack. If an attack did happen, would DSE pay the ransom? Would it be able to recover data from backups? How long would it take to restore the data?

 

Security icon thumbnail

While it may seem counterintuitive, a number of organizations pay the ransom and their data is in fact decrypted. In The State of Ransomware 2020 report published by Sophos, 94% of organizations surveyed that were affected by ransomware encryption say they were able to get their data back. 

Twenty-six percent of these organizations reported paying the ransom and 54% were able to restore from backup. The remaining 12% say they restored their data by other means. No matter the method, this can come at a great financial cost.

The report also indicated that for large organizations, the average cost of remediation was almost $1,000,000. The cost was nearly double for those that paid the ransom than for those that restored from backup. 

Not only is there a financial cost, but there can also be a hit to a company’s reputation. For these reasons, Tureaud wanted to make sure DSE could recover from an attack at a low cost, and do it quickly.  

Luckily, DSE is using NetApp’s ONTAP solution to manage their storage needs. NetApp ONTAP has snapshot technology that creates a point-in-time read-only image of data. At a filesystem level, ONTAP uses pointers to the actual blocks of data on a disk. Snapshots are near instantaneous, as ONTAP is just making a backup of the pointers. Any new data is then written to new blocks. This also enables very fast restores, as ONTAP is just updating the pointers to existing blocks of data. 

While snapshots are a powerful tool in the fight against ransomware, organizations also need to proactively react to threats and enforce data retention policies. This is where Red Hat Ansible Automation Platform comes into play. 

An automated solution

NetApp has long worked with Red Hat on automation and has a large collection of Ansible modules. The full list of NetApp Ansible modules can be found here. The two modules of interest for snapshots are `na_ontap_snapshot` and na_ontap_snapshot_policy

The na_ontap_snapshot module allows for the creation, modification, and deletion of snapshots. This module can help administrators create simple, yet powerful, Ansible playbooks that manage snapshots. And because Ansible works across the enterprise, ONTAP snapshots can better integrate with a holistic defense strategy. For example, Ansible can be triggered by a SIEM system to create a snapshot at any sign of attack.   

Taking precautions

Tureaud needed a method to enforce policy. By leveraging the na_ontap_snapshot_policy, he created an Ansible playbook to make sure the appropriate ONTAP Snapshot policies were in place. 

As file systems change, snapshots do take up some amount of space, so aging out old snapshots is recommended. Note the use of https: true and validate_certs: false. These are the defaults for connecting to ONTAP, but may change in a production environment. 

- name: create Snapshot policy
  na_ontap_snapshot_policy:
    state: present
    name: ansible
    schedule: daily
    count: 30
    enabled: True
    username: "{{ netapp username }}"
    password: "{{ netapp password }}"
    hostname: "{{ netapp hostname }}"
    https: true
    validate_certs: false  

Using Ansible Tower, he scheduled a Job Template to run every night that would enforce a policy of keeping 30 days of daily snapshots.

ONTAP snapshot policy ansible tower create schedule snapshot

Reacting to threats

Next, Tureaud wanted to show how easy it is to create a snapshot with an Ansible playbook. This can be called by an administrator in Ansible Tower or kicked off by an outside event, such as a threat alert. If an email scan detects a potential threat, a snapshot can automatically be created as a precaution. Because there is no overhead in creating a snapshot, it can be done anytime and without impacting users.

- name: create SnapShot
  na_ontap_snapshot:
    state: present
    snapshot: "{{ snapshot name }}"
    volume: "{{ vol name }}"
    comment: "i am a comment"
    vserver: "{{ vserver name }}"
    username: "{{ netapp username }}"
    password: "{{ netapp password }}"
    hostname: "{{ netapp hostname }}"
    https: true
    validate_certs: false

Once the threat is gone, Ansible can be used to remove the snapshot. This can all be automated so it is transparent to administrators.  

- name: delete SnapShot
  na_ontap_snapshot:
    state: absent
    snapshot: "{{ snapshot name }}"
    volume: "{{ vol name }}"
    vserver: "{{ vserver name }}"
    username: "{{ netapp username }}"
    password: "{{ netapp password }}"
    hostname: "{{ netapp hostname }}"
    https: true
    validate_certs: false

Conclusion

As ransomware attacks can lead to financial and operational setbacks, organizations should  be prepared with a cohesive strategy to address such attacks. ONTAP Snapshots are just one component in that plan of action, but are absolutely vital.  

They allow speedy recovery of data and provide a lower total cost to remediation than paying the ransom or restoring with traditional backups. Because of the tight integration between NetApp ONTAP and Ansible, organizations can leverage both to create sophisticated solutions across the enterprise. Organizations can proactively react to threats without the worry of losing critical data. They can also enforce a snapshot policy to help protect data at all times. 

Learn more about security automation and NetApp integrations with Ansible Automation Platform.


About the author

George James came to Red Hat with more than 20 years of experience in IT for financial services companies. He specializes in network and Windows automation with Ansible.

Read full bio