freshidea - stock.adobe.com
How to recover systems in the event of a cyber attack
Recovering compromised systems after a cyber attack isn’t easy, but understanding industry best practice offers a template for the key processes to follow
With technology playing a pivotal role in the modern business landscape, organisations cannot afford to stay offline for sustained periods of time after experiencing a devastating cyber attack.
For companies that offer digital products and services, users will quickly become frustrated and potentially flock to competitors the longer an internet product or service is offline.
And considering that so many employees use internet-based devices and software to complete their work nowadays, a company’s entire internal operations can come to a halt if it is the victim of a cyber attack.
Recent examples include Hackney Council in London and the British Library, both of which saw extended periods with systems offline as a result of being hit by ransomware.
Clearly, businesses must do all they can to contain and remediate cyber attacks and restart disrupted IT systems as quickly as possible. Unfortunately, this is a complex process - with businesses often torn between restoring systems from a clean backup or rebuilding them completely.
Restoring compromised systems after an attack may also result in new cyber threats and IT problems for businesses. But security experts agree that following simple best practices can be a big help.
Cyber attack recovery isn’t easy
Getting an organisation’s IT systems back online after a cyber attack is no different from tornado recovery, according to Azeem Aleem, managing director of UK and Northern Europe at cyber security company Sygnia.
“The IT team and C-suite have just run a mental marathon and now need to think about how to get the business functioning once more. Management needs to be conscious of this to avoid analysis-paralysis syndrome,” he says.
Aleem says the key to restoring systems and data after a cyber attack, as well as avoiding any confusion or ambiguity in the process, is to communicate clear expectations across the organisation and set up “a restoration roll-out protocol”.
As part of this process, he advises IT teams to pursue recovery and investigation efforts right away. He says: “By leveraging a ‘secure island’ environment in which key services are re-created before the compromised method has been cleared, the organisation can return to full business operations much faster. The remediation effort identifies and closes security and the attacker’s presence in the environment is eradicated.”
Aleem also suggests a two-step remediation process whereby businesses first take steps to restore critical applications and processes before addressing less-important elements of their operations.
While restarting IT systems compromised by a cyber attack is vital, firms shouldn’t neglect the importance of informing staff, customers and other stakeholders about cyber breaches. Aleem recommends that executives be fully transparent about cyber attacks, communicating “what has happened and forewarning how the recovery process may be frustrating with many applications and processes needing to be rebuilt”. Doing so will help organisations “shift the mindset of their employees to become solution-based” as they push ahead with recovery efforts.
He adds: “At the same time, there can be added pressure as customers and partners expect the same service as before. Employees need to be aware of the company's situation so they can adequately consider how the breach may have impacted external parties and be able to report their breach in line with regulatory requirements”.
Two recovery options
Businesses often face two options after experiencing a cyber attack, according to Nader Zaveri, senior manager of incident response and remediation at Google Cloud-backed threat intelligence specialist Mandiant.
The first option is using an uncorrupted backup to initiate restoration efforts. Or, cyber security firms have the option of recreating the disrupted systems from scratch. Either way, Zaveri says firms must create a comprehensive recovery plan focused on identity management, network segmentation and endpoint verification.
When creating new user accounts as part of identity management efforts, Zaveri says organisations must set strong passwords. And if a cyber security incident is still ongoing, he recommends resetting passwords every day.
Zaveri says network segmentation requires three different environments, including “a red network” for compromised environments, “a green network” for clean environments, and “a yellow network” for recognising compromises affecting systems that are now back up and running. He adds: “This yellow or staging environment restricts internet access and inter-network traffic, only allowing exceptions for specific security applications.”
Finally, he says, businesses must address endpoint verification while considering two important scenarios. He recommends that businesses “utilise a clean golden image certified by the incident response team” if they need to rebuild compromised systems.
But if there isn’t a need to rebuild a system, he says businesses should isolate it inside the “yellow network” and reactivate it there. This will allow the incident response team to use endpoint detection tools for ensuring systems aren’t affected by indicators of compromise.
Data recovery is critical
Focusing on data recovery is another critical step in restoring crucial systems following a cyber attack, according to Rubrik Zero Labs head Steve Stone. “These recovery motions will either be guided by visibility, prioritisation, and understanding the current attacker access or they will be conducted as ‘blind’ events,” he says.
He warns businesses against choosing blind recovery as they risk significant data loss due to recovering “for a longer period than needed” or “reintroducing the attackers if the recovery point is after attackers gained access”.
His view is that firms should instead make well-informed decisions based on the understanding that “everything can’t be recovered at once”. Businesses must therefore aim to ensure “attackers lose access by recovering from before the intrusion,” and they can prevent extensive data losses by conducting recovery efforts “as close to the intrusion as possible”.
The Computer Weekly Security Think Tank on incident response
- Mike Gillespie, Advent IM - Incident response planning is vulnerable to legacy thinking.
- Sam Lascelles, PA Consulting - Use existing structures to build your incident response plan.
- Jack Chapman, Egress - Incident response planning requires constant testing.
- Becky Gelder, Turnkey Consulting - Incident response plans: The difference between disaster and recovery.
- Chris McGowan, ISACA - Enhancing security: The crucial role of incident response plans.
- Theodore Wiggins, Airbus Protect - The plan for the inevitable cyber attack: Get the gist of NIST.
- Elliott Wilkes, ACDS - The best IR plans are well-revised and deeply familiar.
- Paul Lewis, Nominet - Breached? Don't panic .. if you created a robust IR plan.
- Mandy Andress, Elastic - Security incident response teams are human, too.
Businesses that implement recovery plans prior to a cyber attack will restart systems much faster than those without one, he says. Firms not prepared to recover from a cyber attack will be constrained by “reduced visibility” as they perform discovery and workflow mapping at the time of the event. Stone adds: “The most successful organisations will have previously tested recovery to ensure the viability of their plans and made adjustments based on lessons learned.”
Stone observes how businesses often find it easier to deal with the encryption threat of ransomware attacks, compared to the extortion element. He explains: “This is especially challenging when an environment is actively encrypted and/or undergoing an intrusion. The ability to assess if data was stolen, what that data contains, and how to deal with a potential data loss extortion threat, prove critical in modern ransomware intrusions.”
Successful system recovery
There are several factors that determine whether a system recovery is successful or not in the event of a cyber attack, according to Chris Denbigh-White, chief security officer at data loss prevention platform Next DLP.
First, security teams must not neglect essential business objectives as they look to recover compromised systems. Denbigh-White says objectives such as finding out the identity of the cyber criminals and ensuring they can’t re-access systems in the future must be aligned with core business aims. He adds: “From a business perspective, the primary aim is to minimise disruption and financial losses, even if this appears to contradict some IT and security objectives."
Second, businesses should be highly cautious after a cyber attack occurs. As such, rebuilding compromised infrastructure instead of opting for cleanup efforts may be the best system recovery solution.
Denbigh-White explains: “The challenge with a cleanup approach lies in providing assurances that the system is entirely free from compromise. Proving the absence of compromise can be arduous and time-consuming. Paradoxically, rebuilding systems might be more efficient and provide greater assurance.”
Third, firms should use monitoring capabilities to ensure systems have no further compromises after being cleaned up or rebuilt. Denbigh-White recommends either conducting log aggregation or use software capturing all the activity happening inside company IT networks.
“Additionally, it's crucial to allocate resources with both the capacity and expertise to comprehend and act upon the heightened monitoring data,” he adds. “Simply having logs populate a security information and event management (SIEM) system or data storage repository does not inherently enhance security. Monitoring must be actively interpreted and acted upon by knowledgeable personnel.”
Finally, businesses should ensure they learn from cyber attacks and subsequent recovery efforts. Denbigh-White says businesses shouldn’t overlook this as cyber attacks can provide “a valuable opportunity for organisational growth and learning".
“If handled constructively, without blame or finger-pointing, it can substantially enhance an organisation's security posture and awareness,” he says. “A well-executed lessons-learned process can help mitigate some of the damage inflicted on the business by the incident, ultimately strengthening its overall resilience.”
Experiencing a cyber attack can be highly damaging to businesses, causing issues ranging from data leaks to financial loss. Therefore, they must do everything possible to get systems back up and running quickly.
While recovering systems in the event of a cyber attack isn’t an easy process, creating a well-thought-out recovery plan that follows industry best practices and aligns security goals with business objectives will make all the difference. And as horrible as cyber attacks are, they can present valuable lessons for the entire business.
