A Survival Guide for Cybersecurity Event Recovery

Last week, we reported on the ominous trends for increased cyberthreats in 2017. We encouraged businesses to review their cybersecurity strategies and bolster their defenses. Still, no matter how strong those protections are, given the craftiness of cybercriminals it is wise to assume your business will at some point be the victim of a breach. In that case, it is imperative to plan your recovery as well. That is also the advice of the Federal government’s National Institute of Standards and Technology (NIST). The agency recently published a guide on how to plan an effective recovery in response to a cybersecurity event. Here is a summary of the agency’s advice.

While NIST’s “Guide for Cybersecurity Event Recovery” is primarily written as a road map for other Federal agencies, it is also designed to be useful to private-sector firms across industries.  It complements previous guides, namely the “Framework for Improving Critical Infrastructure Cybersecurity” (a.k.a., the Cybersecurity Framework or CSF). The CSF defines five functions of a cybersecurity defense: Identify, Protect, Detect, Respond and Recover. The new guide focuses on the last function. NIST breaks down recovery into two phases.  First, the implementation of a recovery playbook prepared prior to the incident; and second, the application of lessons learned to improve cybersecurity defenses and lower the risk of a future incident.

Phase I — The Playbook

Creating a playbook to use in the event of a cyberbreach makes sense.  Having a plan of actionable steps to follow is much preferable to making it up as you go, especially when your company’s assets and reputation are on the line.  If you give thought to the who, what, how and when in advance and fashion a plan, you have a much better chance for a smooth, timely recovery with minimal fallout. NIST has some good suggestions:

Identify the key personnel who will be involved in recovery.

Who is on the recovery team? Who has the authority to activate the plan? Who is responsible for each process or procedure, including the communication of the status of recovery? Once the plan is created, make sure that individuals who have a role clearly understand their responsibilities.

Develop a list of assets (internal and external).

Know the assets used to achieve the organization’s mission and understand the interdependency of those assets.  This inventory will allow the prioritization of assets that are critical to operations and drive the order in which restoration of compromised assets should occur. Every organization should know how it will operate in a diminished capacity.

Include specific recovery procedures.

You should take into account both technical and non-technical recovery procedures. On the technical end, think about:

  • restoring systems from clean backups
  • replacing compromised files with clean versions
  • installing patches
  • remediating software misconfigurations
  • changing passwords

On the non-technical end, consider:

  • business processes
  • IT policies

Consider the timing of recovery.

Recognize that alerting intruders to your recovery efforts could undermine both the recovery and any later prosecution. It is important to have a sense of the criminal’s objective and knowledge of the technical mechanisms being used before recovery begins. Understanding the root cause of a breach is important, but it may not be possible to ascertain before a recovery effort is underway.

Create a communications plan.

Determine how information is relayed to outside interested parties as well as internally, both among people key to the recovery effort and others in the organization who may have to adjust work habits and protocols while recovery is in progress. Also, consider what method of communication will be used (email may be down).

Phase II — Continual Improvement

A plan that is fine-tuned and practiced will better serve the organization. And, if a plan is actually utilized, important information can be gleaned that may help mitigate the risk of future threats. NIST urges organizations to:

  1. Conduct exercises to test the recovery plan using realistic scenarios.
  2. Get input from individuals who will be involved in the recovery to determine if the assumptions made in the plan are realistic and achievable.
  3. When the plan is actually put into use during a recovery, document actions and findings in a way that allows the lessons learned and real-world data to be applied to improve overall cybersecurity defenses across the five key functions.

The 45-page NIST guide for cybersecurity event recovery gives many more details about how recovery plans might be prepared.  Whether or not all of NIST’s suggestions are applicable to your business, the suggestion to plan ahead for a cybersecurity event is relevant and sage advice for any organization.

If you need help creating a recovery plan for your business, give us a call!