By Graham Stevens | Incident Response Consultant at Nettitude
Most businesses of a certain size will have a range of plans & policies put in place to help them when disaster strikes. These are often referred to as business continuity and disaster recovery documents, which will outline how the business should recover from a natural or human-induced disaster, and will include how the business will continue to run & support critical services or functions, or how to recover their technology infrastructure.
In this blog post, we will discuss how to prepare a disaster recovery plan and policy, and look at some of the factors that distinguish a cyber-incident from a cyber-emergency.
Preparing Your Disaster Recovery Plan & Policy
There are two key documents which a business should ensure they keep regularly updated as they grow and as their IT infrastructure changes over time (such as the migration of critical functions to the cloud):
- Disaster Recovery Policy, which provides a high-level strategic view of why disaster recovery is needed and how it will be implemented, backed by executive sponsorship.
- Disaster Recovery Plan will detail how the business should manage a catastrophic event, such as a natural disaster or loss of data. The plan will identify critical parts of the business and the priority in which they should be restored, as well as outlining the acceptable recovery point objective (RPO) and recovery time objective (RTO) for each system or application. The document will also detail how business departments such as marketing and legal will need to respond during the disaster recovery phase.
Cyber Incident Recovery
As you may have noticed already, IT disaster recovery is not just for physical events (such as flooding of your data centre or an earthquake near your headquarters) but also virtual disasters (accidental data loss) or a particularly destructive cyber-attack.
Take a ransomware attack for example – such an incident on your infrastructure is likely to be just as disruptive as your data centre being destroyed in a freak weather event. The cyber-attack may even be more disruptive, with some manually deployed ransomware strains also ruining any chances of restoring from backups by encrypting them too. There is also the added concern that the attacker may have exfiltrated large amounts of data, which may be publicly distributed if the ransom is not paid.
In this scenario, your cyber incident response plan will most likely cover the identification, containment, and eradication of the attacker and their malware from your network. However, this is of course only half the battle, as you must now attempt to recover your infrastructure and business-critical functions – often referred to as the recovery stage of your incident response plan.
Not Every Security Incident is a Disaster Event
In the ransomware example above, the business is likely to invoke its disaster recovery process to ensure it returns to normal as quickly as possible, with its resources focused entirely on minimising downtime.
However, not all security incidents will need such steps during the recovery stage, with many being restored as business projects or included within other ‘business as usual’ activities. An example of this may be a low-level distributed denial of service (DDoS) attack which caused a few minutes of downtime on the public-facing website. As long as this is within the maximum tolerable downtime threshold set by the business, the attack may naturally subside or be mitigated by your security team, with the recovery stage occurring naturally as the web servers return to normal levels of traffic.
Not sure about the level of seriousness of a cyber exploitation you have found? Our Incident Response experts are able to conduct a Cyber Compromise Assessment to analyse how much damage could have been done and put your mind at ease, or, if it’s the worst case scenario, we can then put our Incident Response Team to work to minimise damage and secure your assets.
Reviewing and Exercising the Incident Response Plan
We always strongly recommend that your Incident Response plan is regularly reviewed and exercised, to ensure it remains fit for purpose. This can take many forms, such as table-top walkthroughs with key stakeholders in a room playing out how a security incident may unfold & how they would react to it. A similar approach is also taken with business continuity planning and disaster recovery, with many businesses exercising these processes through data centre fail-over tests or company-wide remote working days to ensure the business can still function with little to no staff in the office.
Often these exercises or walkthroughs are conducted separately; however, it is crucial that they are also tested together, to ensure that a catastrophic security incident is correctly managed & that the recovery stage is handed over smoothly to those managing the disaster recovery efforts. This will also give business units which rarely communicate the opportunity to work together and understand how they can interact more effectively in the future, as well as building internal relationships between teams.
If you’re not comfortable testing your Incident Response Plan, it may be time to seek the help of cybersecurity experts. For more info on our Incident Response Testing services, have a read of the following info.
The Relationship Between your Incident Response Plan & Disaster Recovery Plan
As we have seen, the two documents will complement each other, with the cyber security incident response plan referring to disaster recovery where certain thresholds are met – such as maximum tolerable downtime, or widespread outages caused by an attacker or malware. Not every incident will need to invoke the DR process, however there may be times when this is necessary. It is during these times that it is crucial the relevant teams are able to communicate swiftly and easily, and this is something that can be practiced and improved upon by running regular cyber-attack exercises which summon both parts of the business.
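To make the hand-over described above concrete, the following is an added example (not code from the original post or from Nettitude) that turns the per-system RPO and RTO figures a disaster recovery plan records, and the business's maximum tolerable downtime threshold, into a check that can be run during a joint incident response and DR exercise. It assesses a constructed incident timeline against each system's objectives, lists the systems in the plan's restoration priority order, and decides whether the incident response plan should invoke the DR process. The system names, objectives, timestamps and the fraction used to define a "widespread" outage are all constructed assumptions for this example.

```python
"""Evaluate a cyber incident against a DR plan's per-system RPO/RTO objectives.

Added example, not from the original post. All systems, objectives,
timestamps and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SystemObjective:
    """Recovery objectives the DR plan records for one system."""
    name: str
    priority: int       # 1 = restore first
    rpo: timedelta      # recovery point objective: maximum acceptable data loss
    rto: timedelta      # recovery time objective: maximum acceptable time to restore


@dataclass(frozen=True)
class SystemImpact:
    """What the incident did to one system (constructed for this example)."""
    name: str
    last_good_backup: datetime       # newest backup confirmed intact (not encrypted)
    outage_start: datetime
    restored_at: Optional[datetime]  # None while the system is still down


def assess_system(obj: SystemObjective, impact: SystemImpact, now: datetime) -> Dict[str, object]:
    """Compare actual data loss and downtime so far against the system's RPO and RTO."""
    data_loss = impact.outage_start - impact.last_good_backup
    downtime = (impact.restored_at or now) - impact.outage_start
    return {
        "name": obj.name,
        "priority": obj.priority,
        "data_loss": data_loss,
        "downtime": downtime,
        "rpo_breached": data_loss > obj.rpo,
        "rto_breached": downtime > obj.rto,
        "still_down": impact.restored_at is None,
    }


def assess_incident(plan: List[SystemObjective], impacts: List[SystemImpact],
                    now: datetime) -> List[Dict[str, object]]:
    """Assess every affected system, ordered by the plan's restoration priority."""
    by_name = {o.name: o for o in plan}
    results = [assess_system(by_name[i.name], i, now) for i in impacts]
    # Highest priority first; among equal priorities, the tighter RTO first.
    results.sort(key=lambda r: (r["priority"], by_name[r["name"]].rto))
    return results


def dr_invocation_required(results: List[Dict[str, object]], systems_in_plan: int,
                           max_tolerable_downtime: timedelta,
                           widespread_fraction: float = 0.5) -> bool:
    """Decide whether incident response should hand over to the DR process.

    Triggers follow the post: a system exceeding the business's maximum tolerable
    downtime, or a widespread outage. Treating half of the planned systems being
    down as 'widespread' is an assumption made for this example.
    """
    if any(r["downtime"] > max_tolerable_downtime for r in results):
        return True
    still_down = sum(1 for r in results if r["still_down"])
    return still_down / systems_in_plan >= widespread_fraction


# Constructed DR plan for three systems and a constructed business-wide threshold.
PLAN = [
    SystemObjective("payments", 1, timedelta(minutes=15), timedelta(hours=1)),
    SystemObjective("website", 2, timedelta(hours=24), timedelta(hours=4)),
    SystemObjective("wiki", 3, timedelta(hours=24), timedelta(hours=48)),
]
MAX_TOLERABLE_DOWNTIME = timedelta(hours=4)


def ransomware_scenario():
    """Constructed timeline: ransomware detonates at 03:00, assessment runs at 09:00."""
    now = datetime(2024, 5, 1, 9, 0)
    start = datetime(2024, 5, 1, 3, 0)
    impacts = [
        SystemImpact("payments", datetime(2024, 5, 1, 2, 50), start, None),
        SystemImpact("website", datetime(2024, 4, 30, 22, 0), start, datetime(2024, 5, 1, 5, 0)),
        # Recent wiki backups were encrypted too; the last intact one is two days old.
        SystemImpact("wiki", datetime(2024, 4, 29, 0, 0), start, None),
    ]
    results = assess_incident(PLAN, impacts, now)
    return results, dr_invocation_required(results, len(PLAN), MAX_TOLERABLE_DOWNTIME)


def ddos_scenario():
    """Constructed timeline: a short DDoS takes the website down for five minutes."""
    now = datetime(2024, 5, 2, 12, 0)
    start = datetime(2024, 5, 2, 11, 0)
    # No data is destroyed by a DDoS, so the recovery point is the moment of the outage.
    impacts = [SystemImpact("website", start, start, start + timedelta(minutes=5))]
    results = assess_incident(PLAN, impacts, now)
    return results, dr_invocation_required(results, len(PLAN), MAX_TOLERABLE_DOWNTIME)


if __name__ == "__main__":
    for label, scenario in (("ransomware", ransomware_scenario), ("ddos", ddos_scenario)):
        results, invoke_dr = scenario()
        print(f"{label}: invoke DR process = {invoke_dr}")
        for r in results:
            print(f"  {r['priority']}. {r['name']}: data loss {r['data_loss']}, "
                  f"downtime {r['downtime']}, RPO breached {r['rpo_breached']}, "
                  f"RTO breached {r['rto_breached']}")
```

In the ransomware scenario the payments system has already been down for six hours against a one-hour RTO and a four-hour business-wide threshold, so the check says the DR process must be invoked, while the wiki shows the backup-encryption problem the post describes as a breached RPO rather than a breached RTO. The DDoS scenario stays inside every objective and the check returns false, matching the post's point that such incidents recover as business as usual. Running the same check in a joint exercise gives the incident response and DR teams a shared, unambiguous trigger to rehearse the hand-over against.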
For more information on effective planning and management of cybersecurity incidents, please don’t hesitate to get in touch with our team.
Did you know, we have a live incident reporting feature on our website which gives our customers access to emergency response within the hour! Yes, even if we’re all tucked up in bed… Our Incident Response alarms are at the ready! Not a customer? Don’t worry, our team will still reach out to you to give guidance on the next steps.