In this post, we:
-
Detail the increasing threat of ransomware attacks.
-
Outline precautions you can take to prevent a ransomware attack.
Ransomware is a particularly nefarious form of malware that encrypts its victim’s data with the promise of decryption once a ransom is paid. Attacks are on the rise and can have devastating effects.
In our series on Davie Street Enterprises (DSE), we've used a fictitious company to illustrate how organizations have implemented DevSecOps practices, transformed applications, and more.
In this post, we’ll cover how Zachary L. Tureaud, DSE’s Director of Security Engineering, plans to use Red Hat Ansible Automation Platform and ONTAP Snapshot technology to prevent and react to ransomware attacks.
A cohesive strategy to address ransomware
Tureaud is well aware of the impact a ransomware attack can have on a company. He had already implemented several strategies for avoiding ransomware and other malware attacks. In addition to deploying a Security Information and Event Management (SIEM) system, he conducted audits on security systems and trained company personnel on how to detect malicious attacks.
During one of the security audits, DSE discovered that it did not have a cohesive strategy to recover from a ransomware attack. If an attack did happen, would DSE pay the ransom? Would it be able to recover data from backups? How long would it take to restore the data?
While it may seem counterintuitive, a number of organizations pay the ransom and their data is in fact decrypted. In The State of Ransomware 2020 report published by Sophos, 94% of organizations surveyed that were affected by ransomware encryption say they were able to get their data back.
Twenty-six percent of these organizations reported paying the ransom and 54% were able to restore from backup. The remaining 12% say they restored their data by other means. No matter the method, this can come at a great financial cost.
The report also indicated that for large organizations, the average cost of remediation was almost $1,000,000. The cost was nearly double for those that paid the ransom than for those that restored from backup.
Not only is there a financial cost, but there can also be a hit to a company’s reputation. For these reasons, Tureaud wanted to make sure DSE could recover from an attack at a low cost, and do it quickly.
Luckily, DSE is using NetApp’s ONTAP solution to manage their storage needs. NetApp ONTAP has snapshot technology that creates a point-in-time read-only image of data. At a filesystem level, ONTAP uses pointers to the actual blocks of data on a disk. Snapshots are near instantaneous, as ONTAP is just making a backup of the pointers. Any new data is then written to new blocks. This also enables very fast restores, as ONTAP is just updating the pointers to existing blocks of data.
While snapshots are a powerful tool in the fight against ransomware, organizations also need to proactively react to threats and enforce data retention policies. This is where Red Hat Ansible Automation Platform comes into play.
An automated solution
NetApp has long worked with Red Hat on automation and has a large collection of Ansible modules. The full list of NetApp Ansible modules can be found here. The two modules of interest for snapshots are `na_ontap_snapshot` and na_ontap_snapshot_policy
.
The na_ontap_snapshot
module allows for the creation, modification, and deletion of snapshots. This module can help administrators create simple, yet powerful, Ansible playbooks that manage snapshots. And because Ansible works across the enterprise, ONTAP snapshots can better integrate with a holistic defense strategy. For example, Ansible can be triggered by a SIEM system to create a snapshot at any sign of attack.
Taking precautions
Tureaud needed a method to enforce policy. By leveraging the na_ontap_snapshot_policy, he created an Ansible playbook to make sure the appropriate ONTAP Snapshot policies were in place.
As file systems change, snapshots do take up some amount of space, so aging out old snapshots is recommended. Note the use of https: true and validate_certs: false. These are the defaults for connecting to ONTAP, but may change in a production environment.
- name: create Snapshot policy na_ontap_snapshot_policy: state: present name: ansible schedule: daily count: 30 enabled: True username: "{{ netapp username }}" password: "{{ netapp password }}" hostname: "{{ netapp hostname }}" https: true validate_certs: false
Using Ansible Tower, he scheduled a Job Template to run every night that would enforce a policy of keeping 30 days of daily snapshots.
Reacting to threats
Next, Tureaud wanted to show how easy it is to create a snapshot with an Ansible playbook. This can be called by an administrator in Ansible Tower or kicked off by an outside event, such as a threat alert. If an email scan detects a potential threat, a snapshot can automatically be created as a precaution. Because there is no overhead in creating a snapshot, it can be done anytime and without impacting users.
- name: create SnapShot na_ontap_snapshot: state: present snapshot: "{{ snapshot name }}" volume: "{{ vol name }}" comment: "i am a comment" vserver: "{{ vserver name }}" username: "{{ netapp username }}" password: "{{ netapp password }}" hostname: "{{ netapp hostname }}" https: true validate_certs: false
Once the threat is gone, Ansible can be used to remove the snapshot. This can all be automated so it is transparent to administrators.
- name: delete SnapShot na_ontap_snapshot: state: absent snapshot: "{{ snapshot name }}" volume: "{{ vol name }}" vserver: "{{ vserver name }}" username: "{{ netapp username }}" password: "{{ netapp password }}" hostname: "{{ netapp hostname }}" https: true validate_certs: false
Conclusion
As ransomware attacks can lead to financial and operational setbacks, organizations should be prepared with a cohesive strategy to address such attacks. ONTAP Snapshots are just one component in that plan of action, but are absolutely vital.
They allow speedy recovery of data and provide a lower total cost to remediation than paying the ransom or restoring with traditional backups. Because of the tight integration between NetApp ONTAP and Ansible, organizations can leverage both to create sophisticated solutions across the enterprise. Organizations can proactively react to threats without the worry of losing critical data. They can also enforce a snapshot policy to help protect data at all times.
Learn more about security automation and NetApp integrations with Ansible Automation Platform.
Sobre o autor
George James came to Red Hat with more than 20 years of experience in IT for financial services companies. He specializes in network and Windows automation with Ansible.
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Programas originais
Veja as histórias divertidas de criadores e líderes em tecnologia empresarial
Produtos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Red Hat Cloud Services
- Veja todos os produtos
Ferramentas
- Treinamento e certificação
- Minha conta
- Suporte ao cliente
- Recursos para desenvolvedores
- Encontre um parceiro
- Red Hat Ecosystem Catalog
- Calculadora de valor Red Hat
- Documentação
Experimente, compre, venda
Comunicação
- Contate o setor de vendas
- Fale com o Atendimento ao Cliente
- Contate o setor de treinamento
- Redes sociais
Sobre a Red Hat
A Red Hat é a líder mundial em soluções empresariais open source como Linux, nuvem, containers e Kubernetes. Fornecemos soluções robustas que facilitam o trabalho em diversas plataformas e ambientes, do datacenter principal até a borda da rede.
Selecione um idioma
Red Hat legal and privacy links
- Sobre a Red Hat
- Oportunidades de emprego
- Eventos
- Escritórios
- Fale com a Red Hat
- Blog da Red Hat
- Diversidade, equidade e inclusão
- Cool Stuff Store
- Red Hat Summit