Recovering from a Cybersecurity Event

You are going to be hit with a cybersecurity event at some point. You don't when or how. You may not be able to prevent it, but I assure you, you can recover.

Traditionally, organizations have focused their IT security efforts on protecting against and preventing attacks. But attackers have learned to modify their attack methods to make protection more difficult, taking advantage of weaknesses in processes and people (think email scams) as well as technologies.

Stages of Cybersecurity

There are five parts of the lifecycle of a cybersecurity event that are critical for a complete defense:

  • Identify -- Know your assets, data, personnel, devices, systems, networks, and facilities that are important for the business purposes of the organization's risk strategy. Define the policies, procedures, and processes required to manage and monitor regulatory, legal, risk, environmental, and operational requirements.
  • Protect -- Ensure security policies, processes, and procedures are maintained and are used to manage protection of IT and assets.
  • Detect -- Discover anomalous behavior in a timely manner and determine the potential impact of events on security.
  • Respond -- Ensure processes and procedures are executed and maintained in such a way that they produce a timely response to cybersecurity events. Response activities should include internal and external stakeholders and external support from law enforcement agencies.
  • Recovery -- This includes the processes and procedures that are executed and maintained for timely restoration of systems and assets affected by cybersecurity events. Recovery planning and processes can be improved by incorporating lessons learned and experience gained into future activities. Use the feedback to strengthen the first four parts. Restoration activities need to be coordinated with internal and external parties, coordinating centers, Internet service providers, owners of attacking systems, victims, and vendors.

portable
Source: NIST Guide for Cybersecurity Event Recovery

Recovery from Cybersecurity Events

Organizations can improve security resilience by ensuring that their risk management processes include recovery planning, not just event response. Identifying and prioritizing organization resources helps to guide effective plans and realistic test scenarios. Advanced preparation enables businesses to rapidly recover from attacks and helps to minimize the impact on the organization.

Recovery can be described in two phases: tactical and strategic. The immediate tactical recovery phase is largely achieved through the execution of the recovery guidebook prepared before the attack. The second phase is strategic and focuses on continuous improvements that can mitigate the probability and impact of future attacks.

What You Need Before the Cybersecurity Event

The recovery guidebook should include:

  • An agreed upon set of formal recovery processes
  • Defined available resources such as people, facilities, technical components, and external services
  • Functional security diagrams highlighting dependencies and the order of restoration priority
  • Lists of the technologies and personnel who will be responsible for defining and implementing recovery plans
  • A thorough recovery communications plan that integrates the internal and external communications considerations, and how to share information

The Tactical Recovery

The steps/phases of the initial tactical recovery include:

  • A briefing from the incident response team about the cyber event
  • Determination of the impact of the cyber event
  • A well-crafted approach and specific actions
  • Increased monitoring and alerts for networks and systems, on premises and in the cloud
  • Discovery of the attacker's motivation
  • Rapid informing all those affected
  • A restoration plan based on collected data
  • Identification of the attacker's fingerprints throughout the IT and user environment

The recovery moves into the execution phase, which includes:

  • Execute the restoration by implementing the remediation countermeasures in coordination with the incident response team and other security personnel
  • Restore the business services and quickly communicate the restoration status
  • Measure the time that critical services were limited or unavailable, comparing the outage time with planned service levels and recovery times
  • Document all the issues; detail all indicators of compromise and newly discovered dependencies
  • Coordinate with management, C level leadership, human resources, and legal staff to discuss notification activities
  • Perform recovery steps including external communications and services that can restore confidence
  • Validate that the restored IT and assets are completely functional and satisfy the security position required

What you do after fixing the security issues is just as important as preventing the attack. If you don't learn from the discovered weaknesses, it will happen again. The recovery moves into the final termination phase, which includes:

  • Ensuring that termination criteria have been satisfied and informing everyone
  • Reassigning the recovery team until the next event and allowing them to return to their regular job functions
  • Performing continuous monitoring to discover potentially persistent malicious activities (you may not have been as successful as anticipated)
  • Formally producing a metrics report on the data collected during the event

Will It Ever Stop?

The answer is, emphatically, NO! There is no room for complacency with cybersecurity. As you improve your security operations, attackers will look for other weaknesses. But your biggest weaknesses are your users and contractors. In many cases they bring their private habits dealing with security to the office, not the other way around. All the best technologies cannot prevent the user and contractor from practicing poor security behaviors. Focus on the people as well as the technologies.

See my other No Jitter blog on this topic, "IT Security: Training and Beyond."