Seven cyber resilience recommendations for DoD mission continuity and data recovery

The DoD must prioritize data recovery and backup strategies to counter escalating cyber threats and build cyber resilience.

In an era of escalating cyber threats, defense agencies are underscoring the importance of data backups for secure storage and swift recovery after cyberattacks. Critical questions arise as they enhance these efforts:

  • Can the agency truly recover from disruptions in a trusted state?
  • Can the agency recover fast enough for its mission to survive?
  • Are the recovery processes and tools trustworthy, validated and tested?
  • Can recovery efforts remain secure from threat actors?

Addressing these concerns is pivotal to ensuring recovery protocols are effective, trusted and shielded from foreign and domestic cyber adversaries.

The NIST Cybersecurity Framework (CSF) 2.0 has evolved to address the above, focusing on the trustworthiness and speed of recovery operations. This alignment is crucial for government agencies like the Defense Department (DoD), where operational resilience is paramount.

In the aftermath of a cyberattack, it is vital to implement measures that ensure the continued strength of cyber defenses. This involves not only immediate recovery but also long-term strategies to prevent future incidents:

  1. Follow NIST CSF 2.0 guidelines: To bridge the gap, DoD must follow NIST CSF 2.0. The new framework version emphasizes comprehensive data protection measures, including the integrity and trustworthiness of backups. This is particularly crucial in the face of escalating cyberattacks, which often target backup systems as part of their attack vector. According to a Rubrik Zero Labs report, 96% of attacks target backups, of which 74% either partially or fully impact the backup’s or their victim’s ability to survive or recover from the attack.
  2. Focus on backup and recovery: In post-attack recovery, many agencies grapple with where to start or how to scale their mission readiness effectively. Not all backup solutions are created equal. Compliance checking on the existence of a backup is no longer sufficient. To be effective, backups must be able to survive an attack, software bug, human error or insider threat and be recovered rapidly into a trusted state.

    Here’s a structured approach for defense agencies to follow:

    • Defense agencies should identify task-critical assets (TCAs). This involves mapping the landscape of mission-critical components and recognizing all dependencies, including those that might not initially appear significant but are, in fact, vital to mission success.
    • Validate the findings. Identifying critical components alone is insufficient. It’s crucial to correctly categorize them based on their criticality. Personnel often overlook or undervalue systems, putting mission integrity at risk.
    • Integrate comprehensive testing into agency processes. As updated in NIST CSF 2.0, it’s critical to rigorously test agency backup and recovery processes. This means simulating various scenarios to ensure effective and swift recovery protocols, offering absolute assurance in a post-attack scenario.
    • Review and update agency continuity plans, incorporating lessons learned from past incidents. This involves reassessing the criticality of various systems, ensuring that funding aligns with the identified priorities and addressing any shortcomings in previous plans.
    • Finally, blend thorough preparation and continual validation to ensure defense agencies recover quickly and with confidence in their operational resilience.
  3. Define clear recovery point objectives (RPOs) and recovery time objectives (RTOs): Another step toward effective data recovery is defining clear RPOs and RTOs. This entails determining the maximum acceptable duration for data loss and the acceptable data and service restoration time frame.
  4. Adopt immutable backups: Immutable backups guarantee that the data, once written, is protected from being altered or deleted. This is critical in protecting against ransomware, which often seeks to compromise backups. Adopting immutable backups can give defense leaders peace of mind that backup data remains untampered.
  5. Conduct regular testing and validation: Engaging in tabletop and actual cyber exercises reveals the critical importance of backup and recovery components. Integrating this focus into DoD’s continuity planning exercises could enhance effectiveness. Specifically, examining backups as potential attack vectors for threat actors is necessary. This aspect has not received enough attention, resulting in a false sense of security or deprioritization over the years.
  6. Leverage advanced analytics for visibility: Making informed recovery decisions requires understanding the impacted areas and their timing. Advanced analytics can help identify anomalies and accurately point out the last known positive state of the data. This speeds up the decision-making process, a critical component in minimizing downtime.
  7. Invest in upskilling DoD personnel and cyber training: Technology alone is insufficient; the human element is equally critical. Continuous training and upskilling defense personnel to efficiently manage and respond to cyber crises can make a significant difference. Moreover, fostering a culture prioritizing cyber resilience ensures that defense agencies remain vigilant and prepared.
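Items 3 and 6 above come together when a restore decision has to be made: pick the last known good snapshot by flagging anomalous ones, then check whether restoring it stays within the agreed RPO and RTO. The example below is added here and is not the article's or Rubrik's code; the snapshot catalog, the change-rate and entropy thresholds, and the RPO/RTO values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Snapshot:
    taken_at: datetime
    files_changed_pct: float  # share of files modified since the previous snapshot
    mean_entropy: float       # average Shannon entropy (bits/byte) of the changed content

# Constructed sample backup catalog (hourly snapshots). The last three show the
# mass-change, near-8-bits/byte entropy pattern that bulk encryption leaves behind.
CATALOG: List[Snapshot] = [
    Snapshot(datetime(2024, 5, 1, 0, 0), 0.8, 4.9),
    Snapshot(datetime(2024, 5, 1, 1, 0), 1.1, 5.0),
    Snapshot(datetime(2024, 5, 1, 2, 0), 0.6, 4.8),
    Snapshot(datetime(2024, 5, 1, 3, 0), 63.0, 7.9),
    Snapshot(datetime(2024, 5, 1, 4, 0), 90.0, 7.9),
    Snapshot(datetime(2024, 5, 1, 5, 0), 95.0, 8.0),
]

def is_anomalous(snap: Snapshot, max_change_pct: float = 20.0,
                 entropy_threshold: float = 7.5) -> bool:
    """Flag a snapshot when an unusually large share of files changed AND the
    changed content looks encrypted. Thresholds are assumed values to tune per system."""
    return snap.files_changed_pct > max_change_pct and snap.mean_entropy > entropy_threshold

def last_known_good(catalog: List[Snapshot]) -> Optional[Snapshot]:
    """Newest snapshot taken before the first anomalous one; None if the whole
    catalog is suspect (then no trusted restore point exists)."""
    good = None
    for snap in sorted(catalog, key=lambda s: s.taken_at):
        if is_anomalous(snap):
            break
        good = snap
    return good

def recovery_assessment(catalog: List[Snapshot], writes_stopped_at: datetime,
                        rpo: timedelta, rto: timedelta, estimated_restore: timedelta) -> dict:
    """Compare the chosen restore point against the agency's RPO and RTO.
    Data loss is counted from the last good snapshot until writes stopped, since
    everything written after that snapshot cannot be recovered from it."""
    good = last_known_good(catalog)
    if good is None:
        return {"restore_point": None, "data_loss": None, "rpo_met": False, "rto_met": False}
    data_loss = writes_stopped_at - good.taken_at
    return {"restore_point": good.taken_at, "data_loss": data_loss,
            "rpo_met": data_loss <= rpo, "rto_met": estimated_restore <= rto}
```

With the constructed catalog, writes stopped at 05:30 and a 4-hour RPO / 2-hour RTO, the 02:00 snapshot is selected: 3.5 hours of data loss meets the RPO, but a 3-hour estimated restore misses the RTO, which is exactly the gap item 5's exercises are meant to surface before a real incident.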

Ensure data recovery, maintain mission continuity

The DoD must prioritize data recovery and backup strategies to counter escalating cyber threats. The DoD can secure its cyber defenses by investing in workforce training, following the NIST CSF 2.0, and implementing immutable backups, among other steps outlined above. Emphasizing rigorous testing, leveraging advanced analytics and maintaining continuous training will enhance resilience against adversaries like China, Russia, Iran and cybercriminals. These measures ensure DoD is prepared to recover swiftly from disruptions, safeguarding national security in an ever-evolving cyber landscape.

Travis Rosiek is public sector chief technology officer at Rubrik.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
