The best way to stop a cyber attack is to prevent it from taking place in the first place. While this is certainly true, the level of sophistication and persistence seen among today's hackers can often negate this strategy.
A proactive approach to data security is an absolute must, but chief information security officers and their teams must also know how to respond to a threat when it is detected, as well as how to recover after the incident.
Over the course of this series, we've been taking a close look at the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. This framework includes five functions with the purpose of creating a more unified and standardized approach to infrastructure security. So far, we've covered the first four functions:
The final piece of this formula comes in the form of the Recover function.
Respond: NIST definition
After a cybersecurity incident has been detected and the CISO and his or her team carry out response efforts in order to contain the threat and mitigate the damage, the next step revolves around recovery.
According to the NIST Framework, the Recover function includes developing and putting procedures in place for resilience, as well as to "restore any capabilities or services that were impaired due to the cybersecurity event."
Similar to the Detect and Respond functions, timeliness is key when it comes to Recover. Any interruption to key systems and services can result in a number of damaging consequences for the business, its employees, as well as its clients and business partners. An inability to access critical data or utilize essential applications and platforms can translate to considerably reduced productivity, missed opportunities to connect with current and potential customers.
The Recover function is imperative, and the ability to carry out the associated actions quickly can help reduce the overall impact and prevent damage to the business's reputation.
Efforts connected with the Recover function are just as they are described: The purpose is to ensure that the business can recuperate following an attack, and that any impacted systems are able to rebound and activity can return to normal.
Categories under the Recover function include:
- Recovery planning: The CISO and his or her stakeholders lead as the recovery plan is carried out. Depending on timing, this can occur while the event is still taking place, or after the incident has ended. Again, the key here is timeliness – any systems or platforms impacted by the incident must be addressed and support restored.
- Improvements: It's important that lessons learned during the incident are identified and utilized to update and improve upon recovery plans. The CISO and his team should spearhead these efforts, and work to ensure the quickest response and recovery possible.
- Communications: The final part of this function includes coordinating efforts with internal and external stakeholders, where necessary. The CISO and his or her team should communicate recovery plans and processes with internal managers and the executive team. In addition, communication efforts can include working with internet and managed services providers, technology vendors and other owners of attacked systems to support public relations and mitigate damage to the company's reputation.
According to Federal News Radio contributor Jamie Hynds, response and recovery are two areas in which many businesses should look to improve. A survey from SolarWinds found that 12 percent of companies feel that their response and recovery plans and efforts following detection of an attack were "not at all mature."
Because a cybersecurity incident can result in considerable damage – to company intellectual property, to critical systems used to support daily operations, and to the company's overall reputation – it's imperative that CISOs take the time to ensure that their organization is able to recover effectively after a breach.
"[A]gencies must step up their disaster recovery efforts in the event of a successful threat," Hynds wrote. "Taking days to recover from an attack … is simply not an option."
Recover in the real world: Destructive attacks
While many different types of cybersecurity incidents can be considered damaging, some are more destructive than others. These include, namely, events wherein critical systems are made inaccessible or unusable, as well as when data is compromised or removed. In the cases of these particularly calamitous attacks, a quick recovery that includes the fast restoration of any impacted systems is critical.
One instance that illustrates this revolves around distributed-denial-of-service attacks. During these events, hackers bombard systems with a flurry of requests to overwhelm and crash it. In this way, the supported website or platform is inaccessible and unusable.
Last year saw one of the largest DDoS attacks to date against GitHub. Attackers hit the website with 1.35 Tbps of traffic, surpassing the former largest DDoS to date at 1.2 Tbps. As Trend Micro reported, these already damaging instances are becoming increasingly dangerous, as hackers have begun including ransom notes demanding cryptocurrency payments within the flood of traffic.
In these cases, the ability of the organization to recover quickly is imperative. Interruption to website access of this kind can reflect poorly on the business and heavily impact its overall reputation. This is particularly true when the website supports client-facing functions – restoring access to these in as streamlined a manner as possible can help mitigate the damage.
Another particularly destructive attack came in the form of the NotPetya attack, which presented itself as a typical ransomware infection – but was far more dangerous. As Trend Micro pointed out, this threat was especially vicious as the malware was able to use forced backdoor and other strategies to spread on its own. What's more, as opposed to traditional ransomware motivated by financial gain, NotPetya simply worked to destroy, breaking systems whether or not victims paid the ransom.
"It looks like ransomware, complete with a screen informing the victim that they can decrypt their files if they send Bitcoin to a specified wallet," CSO Online contributor Josh Fruhlinger explained. "[O]n computers infected with NotPetya, this number is just randomly generated and would be of no help in identifying anything. And it turns out that in the process of encrypting the data, NotPetya damages it beyond repair."
NotPetya provides a perfect example of the importance of a quickly-executed recovery plan. The faster an organization is able to recover following an attack, the less damage hackers are able to inflict on the business, its customers and partners, and its brand reputation.
"Are you sure you really recovered?" asked Ed Cabrera, Trend Micro Chief Cybersecurity Officer. "This is one of the hardest questions that CISOs have to answer when recovering from a data breach or cyber attack. The current threat of destructive digital extortion attacks requires organizations to have comprehensive disaster recovery plans."
The NIST Framework can provide a valuable series of steps and processes for CISOs and their stakeholders to follow in order to shore up and unify their cybersecurity plans. To find out more about how to build out your company's infrastructure protection procedures and solutions, connect with the experts at Trend Micro today.