Workload Security: Simulating an Attack
You can use the instructions on this page to simulate an attack for testing or demonstrating Workload Security using the included Ransomware Simulation script.
Things to note before you begin
-
The ransomware simulation script works on Linux only.
-
The script is provided with the Workload Security agent installation files. It is available on any machine that has a Workload Security agent installed.
-
You can run the script on the Workload Security agent machine itself; there is no need to prepare another Linux machine. However, if you prefer to run the script on another system, simply copy the script and run it there.
Have at least 1,000 sample files
This script should run on an SVM with a folder that has files to encrypt. We recommend having at least 1,000 files within that folder and any sub-folders. The files must not be empty.
Do not create the files and encrypt them using the same user. Workload Security considers this a low-risk activity and will therefore not generate an alert (i.e. the same user modifies files he/she/they just created).
See below for instructions to programmatically create non-empty files.
Guidelines before you run the simulator:
-
Make sure encrypted files are not empty.
-
Make sure you encrypt > 50 files. A small number of files will be ignored.
-
Do not run an attack with the same user multiple times. After a few times, Workload Security will learn this user behavior and assume it is the user's normal behavior.
-
Do not encrypt files the same user has just created. Changing a file that was just created by a user is not considered a risky activity. Instead, use files created by another user OR wait for a few hours between creating the files and encrypting them.
Prepare the system
First, mount the target volume to machine. You can mount either an NFS mount or CIFs export.
To mount NFS export in Linux:
mount -t nfs -o vers=4.0 10.193.177.158:/svmvol1 /mntpt mount -t nfs -o vers=4.0 Vserver data IP>:/nfsvol /destinationlinuxfolder
Do not mount NFS version 4.1; it is not supported by Fpolicy.
To mount CIFs in Linux:
mount -t cifs //10.193.77.91/sharedfolderincluster /root/destinationfolder/ -o username=raisa
Next, set up a Data Collector:
-
Configure the Workload Security agent if not already done.
-
Configure SVM data collector if not already done.
Run the Ransomware Simulator script
-
Log in (ssh) to the Workload Security agent machine.
-
Navigate to: /opt/netapp/cloudsecure/agent/install
-
Call the simulator script without parameters to see usage:
# pwd /opt/netapp/cloudsecure/agent/install # ./ransomware_simulator.sh Error: Invalid directory provided. Usage: ./ransomware_simulator.sh [-e] [-d] [-i <input_directory>] -e to encrypt files (default) -d to restore files -i <input_directory> - Files under the directory to be encrypted
Encrypt command example: ./ransomware_simulator.sh -e -i /mnt/audit/reports/ Decrypt command example: ./ransomware_simulator.sh -d -i /mnt/audit/reports/
Encrypt your test files
To encrypt the files, run the following command:
# ./ransomware_simulator.sh -e -i /root/for/ Encryption key is saved in /opt/netapp/cloudsecure/cloudsecure-agent-1.251.0/install/encryption-key, which can be used for restoring the files. Encrypted /root/for/File000.txt Encrypted /root/for/File001.txt Encrypted /root/for/File002.txt ...
Restore files
To decrypt, run the following command:
[root@scspa2527575001 install]# ./ransomware_simulator.sh -d -i /root/for/ File /root/for/File000.txt is restored. File /root/for/File001.txt is restored. File /root/for/File002.txt is restored. ...
Run the script multiple times
After generating a ransomware attack for a user, switch to another user in order to generate an additional attack.
Workload Security learns user behavior and will not alert on repeated ransomware attacks within a short duration for the same user.
Create files programmatically
Before creating the files, you must first stop or pause the data collector processing.
Perform the steps below before you add the data collector to the Agent. If you have already added the data collector, just edit the data collector, enter an invalid password, and save it. This will temporarily put the data collector in error state. NOTE: Be sure you note the original password!
The recommended option is to pause the collector before creating your files.] |
Before running the simulation, you must first add files to be encrypted. You can either manually copy the files to be encrypted into the target folder, or use a script (see the example below) to programmatically create the files. Whichever method you use, copy at least 1,000 files.
If you choose to programmatically create the files, do the following:
-
Log into the Agent box.
-
Mount an NFS export from the SVM of the filer to the Agent machine. Cd to that folder.
-
In that folder create a file named createfiles.sh
-
Copy the following lines to that file.
for i in {000..1000} do echo hello > "File${i}.txt" done echo 3 > /proc/sys/vm/drop_caches ; sync
-
Save the file.
-
Ensure execute permission on the file:
chmod 777 ./createfiles.sh
-
Execute the script:
./createfiles.sh
1000 files will be created in the current folder.
-
Re-enable the data collector
If you disabled the data collector in step 1, edit the data collector, enter the correct password, and save. Make sure that the data collector is back in running state.
-
If you paused the collector before following these steps, be sure to resume the collector.