A popup window appears on a company computer screen with a ransom message: your data is encrypted, pay up if you want it back.
At a different organization, suspicious activity shows up in a computer log review, pointing to the theft of personally identifiable information and customer financial data.
How do you reclaim that information, and what can that process do to help you prepare for the next attack?
The National Institute of Standards and Technology, in one of its latest publications, Guide for Cybersecurity Event Recovery, wants companies, organizations and federal agencies to be able to answer those questions.
“The number of cyber events continues to increase sharply every year leading to a widespread recognition that some cyber events cannot be stopped. As a result of this risk recognition, organizations have started to improve their prevention capabilities with modern technology and tools while augmenting their cyber event detection and response capabilities,” NIST stated in its guide. “The increased emphasis on detection and response leads to a greater awareness of and desire for cyber event recovery. If the assumption is that cyber events will happen, then recovery from those cyber events will also be needed. Recovery has also become more important to organizations because of the dependence on information technology (IT) for providing core business capabilities and meeting organizational missions.”
Recovery is one of the five functions of NIST’s Cybersecurity Framework (CSF). The other functions are identify, protect, detect and respond.
NIST said recovery takes two paths: an immediate “tactical” recovery, which is done through a playbook created prior to an attack, and the strategic recovery path, which looks at lessons learned and how to take those lessons and apply them to future attacks.
NIST clarified early on in its guide that the publication is simply guidance, and within that guidance an organization or agency can plan and prepare a playbook for recovering from a cyber event.
One of the first steps in planning a recovery strategy is choosing who will be responsible for defining the recovery criteria and plan, and making sure they understand their role.
An organization also needs to build an inventory of “people, process, and technology assets.”
“The organization should document and maintain the categorizations of its people, process, and technology assets based upon their relative importance,” NIST stated. “The prioritization of assets is critical, given that many agencies and organizations do not have sufficient resources to protect all assets to the same level of rigor and must prioritize the assets which must be recovered to support the mission.”
Prioritization can help an agency set a sequence and timeline of recovery activities because it knows the level of importance of each asset or system.
NIST encourages organizations, as they set those priorities, to also map the interdependence of their resources, “to understand how the organization’s critical services are dependent on a tiered structure of support.”
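The inventory, prioritization and dependency-mapping steps above lend themselves to a small worked example. The following Python script is an added illustration for this article and is not code from NIST or from the guide; the asset names, criticality tiers and dependency edges are constructed sample data. It turns a categorized inventory into a deterministic recovery sequence (dependencies first, most critical assets first among those that are ready), refuses inventories with circular dependencies, and reports which services are unavailable while a given asset is down.

```python
"""Recovery sequencing from a prioritized, dependency-mapped asset inventory.

Added example for illustration only; not from NIST SP 800-184 or the article.
Every asset, tier and dependency below is constructed sample data.
"""
from collections import defaultdict

# Constructed inventory: asset -> (criticality tier, assets it depends on).
# Tier 1 = mission-critical; higher numbers are less critical. A dependency
# must be recovered before the asset that relies on it (the "tiered
# structure of support" the guide asks organizations to understand).
INVENTORY = {
    "identity-provider": (1, set()),
    "core-network":      (1, set()),
    "backup-vault":      (1, {"core-network"}),
    "customer-db":       (1, {"core-network", "backup-vault", "identity-provider"}),
    "payments-api":      (1, {"customer-db", "identity-provider"}),
    "email":             (2, {"identity-provider", "core-network"}),
    "intranet-wiki":     (3, {"identity-provider", "core-network"}),
    "marketing-site":    (3, {"core-network"}),
}


def validate(inventory):
    """Every dependency must itself be an inventoried asset; otherwise the map has a gap."""
    missing = {d for _, deps in inventory.values() for d in deps if d not in inventory}
    if missing:
        raise ValueError(f"dependencies not in inventory: {sorted(missing)}")


def _dependents(inventory):
    """Reverse the dependency edges: asset -> assets that rely on it."""
    rev = defaultdict(set)
    for asset, (_, deps) in inventory.items():
        for dep in deps:
            rev[dep].add(asset)
    return rev


def recovery_sequence(inventory):
    """Return the ordered list of assets to recover.

    Kahn's topological sort with a priority-aware frontier: among assets whose
    dependencies are already recovered, the lowest tier (most critical) goes
    first, ties broken by name so the plan is reproducible. Raises on cycles,
    which indicate an inventory error (two assets cannot each require the other first).
    """
    validate(inventory)
    indegree = {asset: len(deps) for asset, (_, deps) in inventory.items()}
    dependents = _dependents(inventory)
    ready = [asset for asset, n in indegree.items() if n == 0]
    order = []
    while ready:
        ready.sort(key=lambda a: (inventory[a][0], a))
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(inventory):
        stuck = sorted(asset for asset, n in indegree.items() if n > 0)
        raise ValueError(f"circular dependencies among: {stuck}")
    return order


def impacted_by(inventory, asset):
    """All assets (transitively) that cannot operate while `asset` is down."""
    dependents = _dependents(inventory)
    seen, stack = set(), [asset]
    while stack:
        for nxt in dependents[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return sorted(seen)


if __name__ == "__main__":
    for step, asset in enumerate(recovery_sequence(INVENTORY), 1):
        tier = INVENTORY[asset][0]
        print(f"{step:2d}. tier {tier}  {asset}")
    print("down with identity-provider:", impacted_by(INVENTORY, "identity-provider"))
```

Running the script prints the recovery order for the sample inventory (network and backups before the customer database, the database before the payments API, lower-tier services last) and lists the services that stay unavailable while the identity provider is down, which is the kind of view a recovery team needs when deciding sequence and milestones.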
“Much of the planning and documentation for recovering from a cybersecurity event needs to be in place before the event occurs,” NIST stated. “The fundamental principle underlying threat modeling is that there are always limited resources for security and it is necessary to determine how to use those limited resources effectively.”
An agency or company needs to know the limits of its resources, as well as have an understanding of its system boundaries, NIST advised in its publication. Without that understanding, it’s hard to assign management and access controls, which can then lead to an insecure infrastructure.
Test, recover, repeat
NIST stated in its report that a recovery plan needs to be flexible to adapt to changing threats, but a recovery plan often includes communication steps, operational workarounds, off-site storage details, and recovery team membership.
Cyber attacks can target PII, which is why NIST advised an organization to select a privacy team, which will be responsible for highlighting an attack’s threat to individuals’ information.
To help an agency or company measure recovery progress, milestones should be set and done so with the understanding that “full recovery or restoration may not be the immediate goal.”
“Cyber event recovery planning is not a one-time activity,” NIST said. “The plans, policies, and procedures created for recovery should be continually improved by addressing lessons learned during recovery efforts and by periodically validating the recovery capabilities themselves.”
An agency can also talk to the people involved in the plan and ask for feedback, as well as conduct exercises and tests to build “organizational ‘muscle memory’ and [identify] areas for improvement.”
In a statement from NIST, computer scientist Murugiah Souppaya, one of the guide’s authors, urged organizations to prepare their plans and playbooks in advance of an inevitable cyber attack.
“Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation, and repeat,” Souppaya said.