Climbing the mountain of breach recovery: Guest view
The email seemed innocent at first, simply an “invoice for your weekly office supply purchase.”
Ordering supplies is routine. So you submit the order and receive a PDF invoice, nothing malicious, or so you thought.
But the moment you opened that attachment, your entire day changed.
While you didn’t notice anything at first, your computer started to become sluggish. Not thinking much of it, you went to lunch. By the time you returned you were greeted with an unfriendly sight. Your computer had been compromised by ransomware and the only way to get your files back was to pay an absurd ransom of several thousand dollars in bitcoin.
This scenario may sound familiar. That is because cyber breaches impact thousands of people every day.
With data breaches at an all-time high and malware becoming increasingly sophisticated, there is no better time to review your organization’s disaster-recovery plan. The National Institute of Standards and Technology, otherwise known as NIST, has published a document entitled NIST Special Publication 800-184, Guide for Cybersecurity Event Recovery, which lays out a roadmap for building an event-recovery plan for your organization.
The guide spells out three phases for recovering from every event: pre-condition or preparation; tactical recovery; and strategic recovery.
The preparation phase – otherwise known as “Pre-Conditions Required for Effective Recovery” – is the phase that needs to be completed before a disaster takes place. The key to mastering this phase is for an organization to achieve the following:
Identify assets, including people, processes, and technology, needed for the organization to function.
Create defined hierarchy and structure among members of the organization, assigning clear responsibilities during a disaster for both management and IT staff.
Create defined disaster-recovery procedures and test those procedures before an incident occurs.
Make sure all plans and procedures are clearly defined and easy to understand. Overcomplicating a disaster-recovery plan is the surest way to fail in the event of an emergency.
Tactical recovery phase
The tactical recovery phase is initiated when there has been some type of cyber security incident. It could involve a data breach, a cyber attack, or other cyber security-related incident.
It is during this phase that the bulk of the technical work is performed. There are three steps in the tactical recovery phase: initiation, execution and termination.
During initiation the incident response team will quickly need to jump into action to identify the scope of the cyber security event. Based on this information, management will need to be informed and the impact of the cyber security event will need to be determined.
Once all required information has been gathered and the incident contained, the incident response team can execute the restoration process and begin returning systems to their normal state.
During the execution step the incident response team restores systems. This could include restoring from backups or failing over to a backup system. In the termination step, once operations are restored, any issues encountered should be documented and metrics collected, such as how long restoration took and which systems could not be recovered as planned.
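Restoring from backups only works if the backups themselves survived the incident; ransomware routinely reaches the backup share too. The script below is an added illustration, not part of the column or the NIST guide: it hashes a backup set at backup time into a manifest (kept offline, apart from the backup media), then, during a restore drill or a real restoration, verifies the backup against that manifest before anyone relies on it, and records the counts and elapsed time that the termination step asks for. The file names and contents are constructed sample data, and the "ransomware" is simulated by XOR-ing one file's bytes and deleting another.

```python
import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class RestoreReport:
    """Metrics worth recording during a restore drill or a real restoration."""
    verified: list = field(default_factory=list)
    corrupted: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    seconds: float = 0.0

    @property
    def ok(self) -> bool:
        return not self.corrupted and not self.missing


def build_manifest(files: dict) -> dict:
    """Hash every file at backup time. Keep the manifest offline and separate
    from the backup media so malware that reaches the backup cannot rewrite it."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_backup(manifest: dict, backup: dict) -> RestoreReport:
    """Check a backup set against its manifest before trusting it for recovery."""
    start = time.perf_counter()
    report = RestoreReport()
    for name, expected in sorted(manifest.items()):
        data = backup.get(name)
        if data is None:
            report.missing.append(name)
        elif hashlib.sha256(data).hexdigest() != expected:
            report.corrupted.append(name)
        else:
            report.verified.append(name)
    report.seconds = time.perf_counter() - start
    return report


# Constructed sample data: hypothetical file names and contents.
ORIGINAL_FILES = {
    "contracts.pdf": b"%PDF-1.4 constructed contract text",
    "payroll.xlsx": b"PK constructed spreadsheet bytes",
    "customers.csv": b"id,name\n1,Example Co\n",
}
MANIFEST = build_manifest(ORIGINAL_FILES)

# A healthy copy restores cleanly.
GOOD_BACKUP = dict(ORIGINAL_FILES)

# A backup the ransomware also reached: one file rewritten (simulated by
# XOR-ing its bytes) and one deleted. Without the manifest it would look like
# a complete backup until someone tried to open the files.
TAMPERED_BACKUP = {
    "payroll.xlsx": bytes(b ^ 0x5A for b in ORIGINAL_FILES["payroll.xlsx"]),
    "customers.csv": ORIGINAL_FILES["customers.csv"],
}


def summarize(report: RestoreReport) -> str:
    """One-line metric string for the termination step's records."""
    status = "RESTORE OK" if report.ok else "DO NOT RESTORE"
    return (f"{status}: {len(report.verified)} verified, "
            f"{len(report.corrupted)} corrupted, {len(report.missing)} missing, "
            f"{report.seconds:.4f}s")


if __name__ == "__main__":
    print(summarize(verify_backup(MANIFEST, GOOD_BACKUP)))
    print(summarize(verify_backup(MANIFEST, TAMPERED_BACKUP)))
```

Running the drill against the tampered copy reports one corrupted and one missing file and refuses the restore, which is exactly the finding a rehearsal before an incident is meant to surface. In practice the manifest would be signed or stored on write-once media, and the check would run against real backup paths rather than in-memory bytes.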
Strategic recovery phase
The strategic recovery phase consists of three main parts: planning and execution; metrics; and recovery plan improvement.
During the planning and execution portion, communication with teams and the public is critical. It is during this phase that business decisions are made on how to fix the root cause of the breach and prevent similar incidents from happening in the future.
The metrics phase consists of analyzing the metrics collected during the tactical phase to measure how well the recovery actually worked and where it fell short.
Finally, in the recovery plan improvement phase, an organization uses the lessons learned from the incident to prepare itself for potential issues in the future.
This was only a small sampling of the vast information contained in the 53 pages of the NIST 800-184 publication. But by utilizing this freely available guide, an organization can vastly improve its event recovery process and cyber security posture.
Brandon S. Keath is cyber security practice lead for Appalachia Technologies in Hampden Township, Cumberland County.