AWS Storage Blog
Protecting data against ransomware with Amazon FSx for NetApp ONTAP
Imagine running a large business with critical data stored on your servers. One day, your systems get hit by ransomware, leaving your data encrypted and inaccessible. The bad actor demands a hefty ransom to provide the decryption key. Paying the ransom doesn’t guarantee that you can get your data back, and not paying might mean losing that critical data forever. This is not a position any business wants to be in.
Fortunately, if you’re using Amazon FSx for NetApp ONTAP, you can use features such as Snapshots, SnapLock, and the FPolicy to provide additional layers of protection for your data and recover quickly.
In this post we will cover FSx for NetApp ONTAP features including; FPolicy Native mode, External mode, Snapshot, and SnapLock in FSx for ONTAP which provides a robust defense against ransomware, facilitating both data recovery and protection. We will also learn how these features can help shield you against ransomware threats.
Understanding ransomware and data protection
Ransomware is a type of malicious software that encrypts a victim’s files or locks them out of their system, demanding a ransom payment for the decryption key or system access. This can have devastating effects on businesses, especially those without an effective data protection strategy in place. To improve cybersecurity risk management, we can reference NIST Cybersecurity Framework and the five key pillars: Identify, Protect, Detect, Respond, and Recover.
In this post, we discuss how the features and integration of FSx for ONTAP can align with the key pillars. In particular we focus on Protect, Detect, Respond, and Recover. Table: 1 provides an overview of FSx for ONTAP features and integrations aligned to the NIST Cybersecurity Framework.
Table 1: FSx for ONTAP features and integrations aligned to the NIST Cybersecurity Framework
What is FPolicy?
NetApp FPolicy is a framework designed to notify file access. This allows administrators to monitor file interactions over Server Message Block (SMB) and NFS v3 and v4.0. FPolicy operates in two modes: Native and External.
FPolicy Native Mode introduction
Native FPolicy’s File Blocking feature enables the creation of denylists or allowlists for specific file types. This feature becomes invaluable when dealing with known ransomware that use particular file extensions after encrypting data. A case in point is the WannaCry virus (.wncry). Native FPolicy can block these files from being stored on the storage system with a denylist.
Prerequisites
To use FPolicy Native Mode, you should have basic knowledge of ONTAP and administrative access to your FSx for ONTAP file system. You should also have access to at least one storage virtual machine (SVM), with at least one volume or share under the SVM for testing. You should also have access to a Secure Shell (SSH) console to manage the file systems using the NetApp ONTAP CLI.
Steps for creating a denylist
The following example shows how to create a denylist from the command line interface (CLI).
This example uses an SVM named svm02-cifs that has joined an Active Directory and a Common Internet File System (CIFS) volume named vol_fp
1. Create a new FPolicy event and specify the SVM that it runs against, the file protocol (NFS or SMB/CIFS), and the types of file operations to which it applies.
FsxIdXXXX::> vserver fpolicy policy event create -vserver svm02-cifs -event-name denylist -protocol cifs -file-operations create,open,write,rename
FsxIdXXXX::> vserver fpolicy policy event show -vserver svm02-cifs -event-name denylist -instance
Vserver: svm02-cifs
Event: denylist
Protocol: cifs
File Operations: create, open, write, rename
Filters: -
Send Volume Operation Notifications: false
2. Create a new policy and direct it to use the event that you created in Step 1. Also specify which FPolicy engine (Native or External) to use.
FsxIdXXXX::> vserver fpolicy policy create -vserver svm02-cifs -policy-name block_ext -events denylist -engine native
FsxIdXXXX::> vserver fpolicy policy show -vserver svm02-cifs -instance -policy-name block_ext
Vserver: svm02-cifs
Policy: block_ext
Events to Monitor: denylist
FPolicy Engine: native
Is Mandatory Screening Required: true
Allow Privileged Access: no
User Name for Privileged Access: -
Is Passthrough Read Enabled: false
3. Assign the file scope. Specify in ONTAP which file extensions to block (in this case, the WannaCry virus and the extension .wncry, as well as .encrypted, .mp3, and .mp4). Furthermore, specify the policy to which it applies and which file shares or exports to include in the policy. The following case specifies all shares to be included with “*” to apply the policy to all shares using the SMB/CIFS protocol. For the NFS protocol, you use “volumes-to-include”.
FsxIdXXXX::> vserver fpolicy policy scope create -vserver svm02-cifs -policy-name block_ext -file-extensions-to-include wncry,encrypted,mp3,mp4 -shares-to-include "*"
FsxIdXXXX::> vserver fpolicy policy scope show -vserver svm02-cifs -instance -policy-name block_ext
Vserver: svm02-cifs
Policy: block_ext
Shares to Include: *
Shares to Exclude: -
Volumes to Include: -
Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: wncry, encrypted, mp3, mp4
File Extensions to Exclude: -
4. Enable the policy and place the appropriate priority if you’re configuring multiple policies.
FsxIdXXXX::> vserver fpolicy enable -vserver svm02-cifs -policy-name block_ext -sequence-number 1
FsxIdXXXX::> vserver fpolicy show -vserver svm02-cifs
Sequence
Vserver Policy Name Number Status Engine
------------- ----------------------- -------- -------- ---------
svm02-cifs block_ext 1 on native
5. Verify the configuration by using the vserver fpolicy policy scope.
FsxIdXXXX::> vserver fpolicy policy scope show -vserver svm02-cifs -instance -policy-name block_ext
Vserver: svm02-cifs
Policy: block_ext
Shares to Include: *
Shares to Exclude: -
Volumes to Include: -
Volumes to Exclude: -
Export Policies to Include: -
Export Policies to Exclude: -
File Extensions to Include: wncry, encrypted, mp3, mp4
File Extensions to Exclude: -
6. Test the behavior by creating or renaming the file to .encrypted or other denied extensions, and also by moving files with denied extensions from another location to the share.
The expected behavior is an access denied error to prevent this type of action from being completed, as shown in the following Figures 1/2/3.
Figure 1: Access denied error message
Figure 2: Dragging and dropping unwanted file into the share
Figure 3: Access denied error for dragging and dropping
Use cases of FPolicy Native mode
FPolicy can be useful in multiple situations. For example, you can gather and apply a list of ransomware extensions to a denylist. This allows FPolicy to help prevent the ransomware from spreading.
On the other hand, if you know exactly what types of files should be in your NFS exports or SMB/CIFS shares, then you can set up an allowlist. For example, if a share should only contain .pdf files, then you can allow only the .pdf extension and block all others. This makes the share resistant to ransomware that changes file extensions after encrypting files.
To achieve the allow list, you can use -file-extensions-to-include "*" with -file-extensions-to-exclude pdf to allow only the excluded file extensions to be “create,open,write,rename” to the shares.
FsxIdXXXX::> vserver fpolicy policy event create -vserver svm02-cifs -event-name allowlist -protocol cifs -file-operations create,open,write,rename
FsxIdXXXX::> vserver fpolicy policy create -vserver svm02-cifs -policy-name allow_ext -events allowlist -engine native
FsxIdXXXX::> vserver fpolicy policy scope create -vserver svm02-cifs -policy-name allow_ext -file-extensions-to-exclude pdf -file-extensions-to-include "*" -shares-to-include "*"
FsxIdXXXX::> vserver fpolicy enable -vserver svm02-cifs -policy-name allow_ext -sequence-number 1
FPolicy External mode
In addition to the FPolicy Native mode, FPolicy External mode integrates with an FPolicy server that operates externally to the FSx for ONTAP file system. The capability of the third-party FPolicy server is different per product (e.g. NetApp Cloud Insights Storage Workload Security, Varonis DatAdvantage, etc.). Typically, the integration is particularly useful in ransomware protection due to its ability to use Advance Threat Detection and User Behaviour Analytics (UBA), powered by artificial intelligence (AI) and machine learning (ML), to stop ransomware events without previous knowledge of the ransomware extension. These products typically also provide capability on automated responses by blocking malicious users or accounts and initiating additional snapshot copies. These contribute to the “Detect” and “Respond “in the NIST framework. To learn more about the capability of different products, visit the product pages.
What is a snapshot?
FPolicy Native and External mode allows us to enhance protection against ransomware that relies on file extensions to operate. We also set up detective measures so that we can monitor suspicious user and storage behavior. However, applying protective and detective measures are not enough. Therefore, we always recommend the user has a recovery measure, such as Snapshots.
A snapshot is a point-in-time copy of a volume. Snapshots in FSx for ONTAP are a fast and space-efficient way to protect data from accidental deletion, modification, and ransomware events. This is particularly useful because it minimizes data loss and reduces the recovery time.
- Quick and negligible performance penalty: Snapshots are created almost instantly with a concept known as redirect-on-write (ROW). You can create a snapshot within seconds without affecting your system’s performance.
- Reduced downtime: Since snapshot data resides within the same file system, data recovery is fast and does not require data movement. This permits the restoration of extensive amounts of data, even terabytes, in a matter of seconds, thus decreasing your business’ downtime.
- Cost-efficient: Snapshots provide a cost-efficient way to protect your data. Only the parts of the data that have changed since the last snapshot take up storage space. This enables you to create multiple point-in-time copies of the same volume with little impact on storage consumption.
- Self-service restoration: Snapshots empower users with the ability to view and restore specific files or folders from a previous point in time. This allows for a reversal of changes and comparison between file versions. In case of a system failure, data can quickly be restored to a previous snapshot, thus minimizing data loss. To learn more about how to restore data from a snapshot, see the official AWS documentation.
Protecting FSx for ONTAP Snapshots from malicious and accidental deletion
Snapshots play a critical role in point-in-time recoveries, thus it’s essential to safeguard them from being tampered with during a ransomware event. Although snapshot copies are read-only and immune to ransomware tampering, they could still be deleted. Therefore, we need to take precautions to avoid accidental and malicious deletion of the snapshots. The following settings can help secure your snapshots:
1. Snapshot Retention Period within Snapshot Policies
The default Snapshot Policy maintains six hourly snapshots, two daily snapshots, and two weekly snapshots. If a ransomware infection is detected too late, it might have begun its activity two weeks ago, thus affecting all existing snapshots. Therefore, maintaining an appropriate snapshot retention policy is crucial. For guidance on creating custom snapshot policies, you can refer to this post and the official AWS documentation.
2. Disable Snapshot autodelete
An autodelete policy can be established to automatically delete snapshots when the amount of available space in your volume is running low. Although this can be beneficial for space management, snapshots can be deleted unintentionally. To avert this, make sure that the Snapshot autodelete feature is either disabled or configured to trigger based on ‘Snapshot reserve’ (snap_reserve).
3. SnapLock helps prevent manual snapshot deletion
SnapLock can be used to guard against the manual deletion of snapshots by an administrator due to human error, rogue admin activity, or stolen credentials. SnapLock protects your files by transitioning them to a WORM state, which helps prevent modification or deletion for a specified retention period. With SnapLock Compliance, files transitioned to WORM on a Compliance volume cannot be deleted until their retention periods expire, even by privileged users. This creates an immutable volume that helps prevent files and snapshots from being modified or deleted. For more information about SnapLock, visit the official AWS documentation on SnapLock.
Conclusion
Using the combined power of FPolicy Native mode, External mode, Snapshot, and SnapLock in FSx for ONTAP provides a robust defense against ransomware, facilitating both data recovery and protection. The FPolicy Native mode allows you to establish Allow/Deny lists for file extensions, thereby minimizing unwanted files from populating the volume. The FPolicy External mode enables integration with third-party solutions that monitor user and storage anomalies and initiate automated responses. And finally, snapshots enable the creation of multiple point-in-time recovery points, offering the capability to rapidly restore data.
We’ve discussed strategies and factors that influence snapshot availability. It’s crucial to maintain a sufficient number of snapshots through an adequate snapshot retention policy and to safeguard these snapshots from accidental deletion with appropriate settings for Snapshot autodelete and SnapLock.
Employing these features can enhance an organization’s ability to secure its data and expedite recovery in the event of a ransomware event, thus aligning to the NIST Cybersecurity framework. To learn more about these features, visit the official AWS documentation section on protecting your data and the NetApp ONTAP command docs regarding FPolicy.