Climbing the mountain of breach recovery: Guest view

The email seemed innocent at first, simply an “invoice for your weekly office supply purchase.”

This is standard procedure: you submit the order and receive a PDF invoice. Nothing malicious, or so you thought.

But the moment you opened that attachment, your entire day changed.

While you didn’t notice anything at first, your computer started to become sluggish. Not thinking much of it, you went to lunch. By the time you returned you were greeted with an unfriendly sight. Your computer had been compromised by ransomware and the only way to get your files back was to pay an absurd ransom of several thousand dollars in bitcoin.

This scenario may sound familiar. That is because cyber breaches impact thousands of people every day.

With data breaches at an all-time high and malware becoming increasingly sophisticated, there is no better time to review your organization’s disaster-recovery plan. The National Institute of Standards and Technology, otherwise known as NIST, has published a document entitled NIST Special Publication 800-184, Guide for Cybersecurity Event Recovery, which lays out a roadmap for building an event-recovery plan for your organization.

The guide spells out three phases for recovering from every event: pre-condition or preparation; tactical recovery; and strategic recovery.

Preparation phase

The preparation phase – otherwise known as “Pre-Conditions Required for Effective Recovery” – is the phase that needs to be completed before a disaster takes place. The key to mastering this phase is for an organization to achieve the following:

Identify assets, including people, processes, and technology, needed for the organization to function.

Create defined hierarchy and structure among members of the organization, assigning clear responsibilities during a disaster for both management and IT staff.

Create defined disaster-recovery procedures and test those procedures before an incident occurs.

Make sure all plans and procedures are clearly defined and easy to understand. Overcomplicating a disaster-recovery plan is the surest way to fail in the event of an emergency.

Tactical recovery phase

The tactical recovery phase is initiated when there has been some type of cyber security incident. It could involve a data breach, a cyber attack, or other cyber security-related incident.

It is during this phase that the bulk of the technical work is performed. There are three steps in the tactical recovery phase: initiation, execution and termination.

During initiation the incident response team will quickly need to jump into action to identify the scope of the cyber security event. Based on this information, management will need to be informed and the impact of the cyber security event will need to be determined.

Once all required information has been gathered and the incident contained, the incident response team can execute the restoration process and begin restoring systems to their normal state.

During the execution process the incident response team will begin restoring systems. This could include restoring from backups or moving to a backup system. Once operations are restored, any potential issues should be documented, and metrics collected.
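Two points above are worth making concrete: test your restore procedure before an incident, and when you do restore from backups, do not trust a backup set that may itself have been altered (ransomware commonly reaches network-attached backups). The following is an added example, not code from the column or from NIST SP 800-184: it records a SHA-256 manifest for a backup set at backup time, refuses to restore if any file is missing, changed or unexpected, and returns the elapsed time as a recovery metric. The directory layout, the `MANIFEST.json` name and the sample files are all constructed for the demonstration.

```python
"""Added example (not from the column or NIST SP 800-184): verify a backup set
against a hash manifest before restoring it, and record simple recovery metrics.
File names, directory layout and the manifest format are assumptions."""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name for the digest list


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """At backup time, record a digest for every file in the set."""
    entries = {p.relative_to(backup_dir).as_posix(): sha256_of(p)
               for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps(entries, indent=2))
    return manifest


def verify_backup(backup_dir: Path) -> dict:
    """Compare every file against the manifest; any discrepancy blocks the restore."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"digest mismatch: {rel}")
    for p in backup_dir.rglob("*"):  # files the manifest never listed are suspicious too
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and rel != MANIFEST_NAME and rel not in manifest:
            problems.append(f"unexpected file: {rel}")
    return {"ok": not problems, "checked": len(manifest), "problems": problems}


def restore(backup_dir: Path, target_dir: Path) -> dict:
    """Restore only a verified backup set; time the operation as a recovery metric."""
    start = time.monotonic()
    report = verify_backup(backup_dir)
    if not report["ok"]:
        return {"restored": False, "files": 0, "seconds": 0.0,
                "problems": report["problems"]}
    count = 0
    for rel in json.loads((backup_dir / MANIFEST_NAME).read_text()):
        dst = target_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        dst.write_bytes((backup_dir / rel).read_bytes())
        count += 1
    return {"restored": True, "files": count,
            "seconds": round(time.monotonic() - start, 3), "problems": []}


def demo() -> tuple:
    """Constructed sample: a clean backup restores; a tampered copy is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "invoices.csv").write_text("id,amount\n1,42\n")
        (backup / "config.ini").write_text("[app]\nmode=prod\n")
        write_manifest(backup)
        good = restore(backup, Path(tmp) / "restore1")
        # Simulate a backup file altered after the manifest was written
        (backup / "config.ini").write_text("[app]\nmode=changed\n")
        bad = restore(backup, Path(tmp) / "restore2")
        return good, bad


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result)
```

In practice the manifest would be stored and signed separately from the backup media, so that whatever damaged the backup cannot also rewrite the digests; running `demo()` during a scheduled restore drill is exactly the kind of pre-incident test the preparation phase calls for, and the `seconds` and `files` fields are the sort of metrics the tactical phase asks you to collect.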

Strategic recovery phase

The strategic recovery phase consists of three main parts: planning and execution; metrics; and recovery plan improvement.

During the planning and execution portion, communication with teams and the public is critical. It is during this phase that business decisions are made on how to fix the root cause of the breach and prevent similar incidents from happening in the future.

The metrics phase consists of analyzing the metrics that were collected during the tactical phase.

Finally, in the recovery plan improvement phase, an organization uses lessons learned from the incident to prepare itself for potential issues in the future.

In sum

This was only a small sampling of the vast information contained in the 53 pages of the NIST 800-184 publication. But by utilizing this free standard, an organization can vastly improve its event recovery process and cyber security posture.

Brandon S. Keath is cyber security practice lead for Appalachia Technologies in Hampden Township, Cumberland County.
