Recovering from a cybersecurity incident can be a challenging and stressful time for any company. Naturally, there will be a strong desire to return to normal business operations as quickly as possible, but it is vitally important that post-containment recovery is a deliberate and well-planned process.
Cutting corners during the recovery phase could result in an access vector being missed or a system vulnerability being re-exposed, which could put you back in the mess you have just climbed out of.
Here are five key areas that you should consider during the disaster recovery phase to ensure that you get it right the first time!
It is important that any recovery of systems is properly planned. You should prioritise the recovery to focus on business-critical systems and ensure that the individuals involved in the recovery understand their role in that process. Make sure that the steps required for recovery are documented and understood ahead of time. It may even be valuable to consider a ‘dry run’ of recovery activities in a lab or offline environment. Non-essential systems should be recovered later in the process, after it has been confirmed that essential services are up and running normally, without any indications of further compromise.
It is important to ensure that you are recovering to a ‘known clean’ state. In some cases, this may mean using older backups that are known to be in a clean condition. In the worst case, it may mean you have to rebuild your environment from scratch. Having good backup procedures and technologies implemented ahead of time can help minimise the risk of this worst-case scenario, but you must ensure that only clean backups are used for recovery.
2: Patching & Verification
As you bring systems back online it is vital that you verify their condition and ensure that they are immediately patched and updated to the latest possible standard. This is particularly important if the backups you are using for recovery are not recent. They may be vulnerable to the same exploits that led to the cybersecurity incident you are dealing with, and it is essential to ensure that, as you bring systems back online, you patch them appropriately before they are exposed to risk in the operational environment. Verify that these procedures have been successful for each system before you move on. Rushing through this step may well lead to more delays and problems.
You should consider installing, or increasing the coverage of, your antivirus and SIEM monitoring capabilities before you recover your environment. Make sure that you understand the root cause of the incident and, if possible, identify the tactics, techniques, and procedures of the actor(s) you believe were responsible for the breach. Use this intelligence to proactively monitor your environment for indications that the actor may still be present, and be prepared to continue this monitoring for several months post-incident. Threat actors will likely look to re-establish persistence in an environment after a recovery operation has taken place, and you may remain at increased risk of attack for a considerable period post-recovery. Be ready to isolate systems again at the first sign of trouble and investigate any new indicators of compromise quickly to ensure you are not still dealing with unauthorized access to your estate.
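The ‘known clean’ backup check, the patch-before-exposure rule and the monitoring precondition described above can be enforced as a single recovery gate. The script below is an added example, not code from the original post or from Systal; every system name, date, backup image, hash and patch level in it is constructed sample data.

```python
# Added example, not from the original post: a recovery gate encoding the checks
# above. A system is cleared only when a backup taken before the earliest known
# compromise matches the pre-incident hash manifest, the patch baseline is met and
# monitoring is in place; business-critical systems are ordered first (sample data).
from dataclasses import dataclass
from datetime import datetime
import hashlib

@dataclass
class System:
    name: str
    critical: bool
    backups: list        # (taken_at, image_bytes) pairs
    patch_level: tuple   # e.g. (2024, 3): March 2024 cumulative update
    monitored: bool      # AV/EDR agent reporting to the SIEM

def pick_clean_backup(system, first_compromise, manifest):
    """Newest backup predating the compromise whose SHA-256 matches the manifest
    recorded before the incident; None if no such backup exists."""
    for taken_at, image in sorted(system.backups, reverse=True):
        if taken_at < first_compromise and \
           hashlib.sha256(image).hexdigest() == manifest.get(system.name):
            return taken_at
    return None

def recovery_findings(system, first_compromise, manifest, patch_baseline):
    """Blocking findings for one system; an empty list means cleared to restore."""
    findings = []
    if pick_clean_backup(system, first_compromise, manifest) is None:
        findings.append("no verified backup predates the compromise: rebuild from scratch")
    if system.patch_level < patch_baseline:
        findings.append("patch level below baseline: patch before network exposure")
    if not system.monitored:
        findings.append("no AV/SIEM coverage: deploy monitoring before reconnecting")
    return findings

def recovery_plan(systems, first_compromise, manifest, patch_baseline):
    """Business-critical systems first, each paired with its blocking findings."""
    return [(s.name, recovery_findings(s, first_compromise, manifest, patch_baseline))
            for s in sorted(systems, key=lambda s: not s.critical)]

# Constructed sample: compromise first seen 10 March 2024; erp-db's only
# pre-compromise backup fails the hash check, so it must be rebuilt from scratch.
COMPROMISE = datetime(2024, 3, 10)
MANIFEST = {n: hashlib.sha256(n.encode() + b"-image-v1").hexdigest()
            for n in ("erp-db", "intranet")}
SAMPLE = [
    System("intranet", False, [(datetime(2024, 3, 1), b"intranet-image-v1")], (2024, 2), True),
    System("erp-db", True, [(datetime(2024, 3, 12), b"erp-db-image-v1"),
                            (datetime(2024, 3, 5), b"tampered")], (2024, 3), True),
]
```

Running `recovery_plan(SAMPLE, COMPROMISE, MANIFEST, (2024, 3))` lists erp-db first with a rebuild finding and intranet second with a patch finding; a system with an empty findings list is the only one cleared to reconnect.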
You should ensure that the key stakeholders and colleagues within your organisation understand what is happening throughout this process and that their role in the recovery is understood. This may involve additional cybersecurity training for key individuals or entire teams. Ensure that business continuity plans are updated and well understood so that the impact of the recovery operation on business activity is minimized.
Ensure that relevant regulatory bodies and other agencies are appropriately informed in accordance with the laws and legislation relevant to your organisation. Make sure you disclose any cybersecurity incidents to the affected parties responsibly and comprehensively. This not only minimizes risk to your own organisation but will help build the trust of your customers and partners that you can recognize and appropriately respond to the actions of criminal groups seeking to harm your business interests. Failing to communicate a cybersecurity incident promptly and appropriately can often be more damaging to an organisation’s reputation than the incident itself.
Don’t stop at the point of recovery! Take the opportunity to have the full circumstances around the incident investigated properly and produce a report outlining the full timeline of the incident. It is likely that forensic analysis of the affected systems will help identify exactly what happened during the incident, but consider traditional investigation as well to understand the human aspects that may have contributed to the incident. Ensure that lessons learned are shared with senior management and other key stakeholders and that your policies and procedures are reviewed to take account of the lessons learned from the incident. The methods and techniques being used by cybercriminals and other threat actors are always being revised, reviewed, and improved upon. It stands to reason, therefore, that our processes, procedures, and overall defensive posture must do likewise if we are to keep pace!
Implementing these recommendations in the heat of a cybersecurity incident is not an easy task by any means. Many companies simply don’t have the resources or the skills needed to achieve this at all, let alone in the short timescales that may be needed to protect your business interests! Systal Security Solutions can provide support for every aspect of a cyber security incident at any point in the attack lifecycle. If you are in this situation now, or feel you may benefit from being prepared in the event of a cybersecurity incident, then we are ready, willing and able to help so that you can rest easy in the knowledge that you have a plan in place and the team needed to action that plan in the event that the worst does happen! ➜ Contact us today.