Interviews

Five tips for recovering

by Mark Rowe

James McGoldrick, Digital Forensics and Incident Response Manager at Systal, a provider of managed network, security and cloud services, offers five tips to recovering from a major cybersecurity incident.

How likely is your business to experience a cyberattack? Evolving attack trends, world events, regulatory changes and shifting organisational priorities have made it much more likely than you think.

Recovering from a cybersecurity incident can be a challenging and stressful time for any company. As teams scramble to respond to the immediate crisis, preparing an actual recovery plan is often overlooked. Naturally, there will be a strong desire to return to normal business operations as quickly as possible, but cutting corners during this phase could lead to missed access vectors or re-exposed vulnerabilities, potentially dragging you back into the very mess you’ve fought so hard to escape.

The good news is that there are five key steps your company can take to recover from an attack as quickly and securely as possible.

1: Planning

It is important that any recovery of systems is properly planned. You should prioritise the recovery to focus on business-critical systems and ensure that the individuals involved in the recovery understand their role in that process. Make sure that the steps required for recovery are documented and understood ahead of time. It may even be valuable to consider a ‘dry run’ of recovery activities in a lab or offline environment.

It is important to ensure that you are recovering to a ‘known clean’ state. In some cases, this may mean using older backups that are known to be in a clean condition. In worst-case scenarios it may mean you have to re-build your environment from scratch.
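One way to make the recovery plan concrete, and testable in a dry run, is to keep the dependency map and criticality of each system in a machine-readable form and derive the restore order from it, so that nothing is brought back before the systems it relies on. The example below is added here to illustrate that; it is not code from the article or from Systal, and the system names, tiers and dependencies are a constructed inventory.

```python
"""Derive a recovery order from a documented dependency map.

Constructed example: each system lists the systems it needs before it can be
restored, plus a criticality tier (1 = most critical). The order restores
dependencies first and, among systems whose dependencies are met, the most
critical tier first, so nothing is brought up before what it relies on.
"""

# Constructed inventory for illustration: name -> (tier, dependencies).
SYSTEMS = {
    "directory":  (1, []),
    "database":   (1, ["directory"]),
    "file-share": (2, ["directory"]),
    "erp":        (1, ["database", "directory"]),
    "intranet":   (3, ["directory", "file-share"]),
    "reporting":  (2, ["database"]),
}


def recovery_order(systems):
    """Topological sort (Kahn's algorithm), choosing the lowest tier first.

    Raises ValueError on an undeclared dependency or a cycle, so a broken plan
    fails in the dry run rather than during the incident.
    """
    for name, (_, deps) in systems.items():
        for dep in deps:
            if dep not in systems:
                raise ValueError(f"{name} depends on undeclared system {dep!r}")
    remaining = {name: set(deps) for name, (_, deps) in systems.items()}
    order = []
    while remaining:
        ready = [name for name, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        # Most critical tier first; name is a stable tie-break for repeatable runs.
        nxt = min(ready, key=lambda name: (systems[name][0], name))
        order.append(nxt)
        del remaining[nxt]
        for deps in remaining.values():
            deps.discard(nxt)
    return order


def recovery_waves(systems):
    """Group systems into waves: each system depends only on earlier waves.

    Useful for deciding what different teams can restore in parallel.
    """
    wave_of = {}
    for name in recovery_order(systems):
        deps = systems[name][1]
        wave_of[name] = 1 + max((wave_of[d] for d in deps), default=0)
    waves = {}
    for name, wave in wave_of.items():
        waves.setdefault(wave, []).append(name)
    return [sorted(waves[w]) for w in sorted(waves)]


if __name__ == "__main__":
    for step, name in enumerate(recovery_order(SYSTEMS), 1):
        print(f"{step}. {name} (tier {SYSTEMS[name][0]})")
    for wave, names in enumerate(recovery_waves(SYSTEMS), 1):
        print(f"wave {wave}: {', '.join(names)}")
```

Running the plan through this check in a lab surfaces undeclared or circular dependencies before they cost time during a real recovery, and the waves give a starting point for assigning restore work to teams.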

2: Patching and verification

As you bring systems back online it is vital that you verify their condition and ensure that they are immediately patched and updated to the latest possible standard. This is particularly important if the backups you are using for recovery are not recent.

Systems restored from older backups may still carry the very vulnerabilities that were exploited in the incident you are dealing with, so it is essential to patch each one before it is exposed to risk in the operational environment. Verify that patching has actually succeeded on each system before you move on. Rushing this step may well lead to more delays and problems.
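Rather than trusting that patching "ran", a practical gate is to compare what each restored host actually reports against the minimum versions the recovery plan requires, and only let hosts with no shortfalls rejoin the production network. The example below is added to show that check; it is not code from the article or from Systal, and the package names, versions and host names are constructed (the version comparison is a simplified numeric split that is adequate for the package versions shown, not a full implementation of any distribution's version ordering).

```python
"""Gate restored hosts on patch level before they rejoin the production network.

Constructed example: the minimum versions the recovery plan requires and the
package versions each restored host reported. A host is cleared only when every
required package is present and at or above the minimum.
"""
import re

# Minimum versions the recovery plan demands (constructed for illustration).
REQUIRED = {
    "openssl": "3.0.13",
    "openssh-server": "9.6p1",
    "sudo": "1.9.15",
}

# What each restored host reported, e.g. collected from the host's package
# manager (constructed). web-02 came from an old backup; db-01 lacks sshd.
REPORTED = {
    "web-01": {"openssl": "3.0.13", "openssh-server": "9.6p1", "sudo": "1.9.15"},
    "web-02": {"openssl": "3.0.2", "openssh-server": "9.6p1", "sudo": "1.9.15"},
    "db-01":  {"openssl": "3.0.14", "sudo": "1.9.15"},
}


def version_key(version):
    """Split '9.6p1' into comparable parts so 3.0.2 sorts below 3.0.13.

    Numeric runs compare as integers; alphabetic runs compare as strings and
    sort after numbers. Simplified assumption: good enough for dotted numeric
    versions with short suffixes, not a replacement for dpkg/rpm ordering.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def shortfalls(reported, required):
    """Return (package, have, need) for every unmet requirement on one host."""
    out = []
    for pkg, need in required.items():
        have = reported.get(pkg)
        if have is None or version_key(have) < version_key(need):
            out.append((pkg, have, need))
    return out


def gate(fleet, required):
    """Map host -> list of shortfalls; an empty list means the host is cleared."""
    return {host: shortfalls(pkgs, required) for host, pkgs in fleet.items()}


def cleared_hosts(fleet, required):
    """Hosts with no shortfalls, i.e. the only ones allowed back into production."""
    return sorted(host for host, missing in gate(fleet, required).items() if not missing)


if __name__ == "__main__":
    for host, missing in gate(REPORTED, REQUIRED).items():
        status = "CLEARED" if not missing else "HOLD"
        print(f"{host}: {status}")
        for pkg, have, need in missing:
            print(f"    {pkg}: have {have or 'not installed'}, need >= {need}")
```

A host that is held (web-02 with an old openssl, db-01 with no sshd package at all) stays isolated until it reports compliant versions; a missing package is treated as a failure rather than silently skipped, because an absent package often means the restore itself was incomplete.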

3: Monitor

You should consider installing, or increasing the coverage of, your antivirus and SIEM monitoring capabilities before you recover your environment. Make sure that you understand the root cause of the incident and, if possible, identify the tactics, techniques and procedures of the actor(s) you believe were responsible for the breach. Use this intelligence to proactively monitor your environment for indications that the actor may still be present, and be prepared to continue this monitoring for several months post-incident.

Threat actors will likely look to re-establish persistence in an environment after a recovery operation has taken place, and you may remain at increased risk of attack for a considerable period post-recovery. Be ready to isolate systems again at the first sign of trouble, and investigate any new indicators of compromise quickly to ensure you are not still dealing with unauthorised access to your estate.
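Turning the actor's known TTPs into checks that run over the restored estate's logs is what makes this monitoring proactive rather than hopeful. The example below is added to illustrate that; it is not code from the article or from Systal. The log lines, the actor's networks and account names, the service baseline and the key=value log format are all constructed for the example (the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), standing in for the indicators a real incident report would supply.

```python
"""Watch post-recovery logs for signs the actor is re-establishing persistence.

Constructed example: each rule maps a TTP seen during the (hypothetical)
incident to a check over the restored estate's logs. Indicators, baseline and
log lines are all made up for illustration.
"""
import ipaddress
import re
import shlex

# Indicators from the incident report (constructed).
ACTOR_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
ACTOR_ACCOUNTS = {"svc_backup2", "helpdesk-tmp"}
# Services that belong on restored hosts (constructed baseline from the rebuild).
BASELINE_SERVICES = {"sshd", "nginx", "postgresql", "node_exporter"}
# Cron entries executing from scratch or hidden directories.
SUSPICIOUS_PATH = re.compile(r"(/tmp/|/dev/shm/|/\.[^/]+/)")

# Constructed post-recovery log lines in a simple key=value form.
SAMPLE_LOG = """\
2024-05-02T03:14:07Z host=web-01 event=ssh_login user=deploy src=10.0.2.15 result=accepted
2024-05-02T03:16:41Z host=web-01 event=ssh_login user=deploy src=203.0.113.45 result=accepted
2024-05-02T03:17:02Z host=web-01 event=service_created name=nginx
2024-05-02T03:18:55Z host=db-01 event=service_created name=update-helper
2024-05-02T03:20:10Z host=db-01 event=user_created user=svc_backup2
2024-05-02T03:21:33Z host=web-02 event=ssh_login user=root src=198.51.100.7 result=failed
2024-05-02T03:25:00Z host=web-02 event=cron_change user=www-data entry="*/5 * * * * /tmp/.x/run.sh"
"""


def parse_line(line):
    """Split 'ts key=value key="quoted value"' into a dict (shlex honours the quotes)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in shlex.split(rest))
    fields["ts"] = ts
    return fields


def from_actor_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ACTOR_NETWORKS)


def evaluate(fields):
    """Return the alert reasons for one parsed event; an empty list means nothing to flag."""
    event = fields.get("event")
    reasons = []
    if event == "ssh_login" and from_actor_network(fields["src"]):
        # Even a failed attempt from actor infrastructure shows they are still probing.
        reasons.append(f"{fields['result']} login from actor network {fields['src']}")
    if event == "service_created" and fields["name"] not in BASELINE_SERVICES:
        reasons.append(f"service outside baseline: {fields['name']}")
    if event == "user_created":
        # Any new account right after recovery deserves a look; actor-associated names more so.
        tag = "actor-associated" if fields["user"] in ACTOR_ACCOUNTS else "unexpected"
        reasons.append(f"{tag} account created: {fields['user']}")
    if event == "cron_change" and SUSPICIOUS_PATH.search(fields["entry"]):
        reasons.append(f"cron job running from a scratch or hidden path: {fields['entry']}")
    return reasons


def scan(log_text):
    """Run every rule over every line; returns (timestamp, host, reason) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        for reason in evaluate(fields):
            alerts.append((fields["ts"], fields["host"], reason))
    return alerts


if __name__ == "__main__":
    for ts, host, reason in scan(SAMPLE_LOG):
        print(f"{ts} {host}: {reason}")
```

On the sample above the benign lines (an internal login, the baseline nginx service) pass, while the login from actor infrastructure, the unlisted service, the actor-named account, the failed probe and the cron job under /tmp each produce an alert against a named host, which is exactly the trigger for isolating that host again and investigating.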

4: Communicate

You should ensure that the key stakeholders and colleagues within your organisation understand what is happening throughout this process and that their role in the recovery is understood. This may involve additional cybersecurity training for key individuals or entire teams. Ensure that business continuity plans are updated and well understood so that the impact of the recovery operation on business activity is minimised.

Ensure that the relevant regulatory bodies and other agencies are informed in accordance with the laws and regulations that apply to your organisation, and disclose the incident to affected parties responsibly and comprehensively. Doing so not only limits the risk to your own organisation but also builds the trust of your customers and partners, who are then better placed to recognise and respond to the actions of criminal groups seeking to harm your business interests. Failing to communicate a cybersecurity incident promptly and appropriately can often be more damaging to an organisation's reputation than the incident itself.

5: Learn

Don’t stop at the point of recovery. Take the opportunity to have the full circumstances around the incident investigated properly and produce a report outlining the full timeline of the incident. Forensic analysis of the affected systems will likely help identify exactly what happened during the incident but consider traditional investigation as well to understand the human aspects that may have contributed to the incident.

Ensure that lessons learned are shared with senior management and other key stakeholders and that your policies and procedures are reviewed to take account of the lessons learned from the incident. The methods and techniques being used by cybercriminals and other threat actors are always being revised, reviewed, and improved upon. It stands to reason therefore that our processes, procedures, and overall defensive posture must do likewise if we are to keep pace.

It is now widely accepted that, when it comes to businesses suffering a cyber incident, it is not a question of if but when. No business can be confident of repelling every attack, but you can try to keep ahead of those intending to do you harm.

However, implementing these recommendations in the heat of a cybersecurity incident is not an easy task by any means. Many companies simply do not have the resources or the skills to achieve this at all, let alone within the short timescales that may be needed to protect their business interests. If you are in this situation now, or feel you would benefit from being prepared for a cybersecurity incident, then finding the right partner can give you the confidence that you have a plan in place and a team ready to act on it if the worst does happen.


© 2024 Professional Security Magazine. All rights reserved.
