
Traditional recovery approaches no longer enough

Johannesburg, 05 May 2026
James Blake, Vice-President of Cyber Resiliency Strategy at Cohesity.

After a cyber attack, most organisations move to recover to the last-known good snapshot. However, malicious actors’ tactics have changed, and simply recovering to the last good snapshot is likely to lead to further attacks.

Now, organisations must eliminate the adversary, address vulnerabilities that led to the attack, and rebuild systems in clean environments too.

This emerged during the ‘Cyber up or shut down’ webinar presented by Cohesity and Sithabile Technology Services, in partnership with ITWeb.

Industry expert James Blake, VP Global Cyber Resiliency Consulting & Response Services at Cohesity, noted: “A persistent mistake is treating cyber recovery like traditional disaster recovery. In a cyber incident, you are recovering from a compromise, and it is important to address the mechanisms and vulnerabilities that caused it.”

Cohesity notes in a white paper: "Organisations that incur the highest costs of a destructive cyber attack are those where the backups have been rendered unusable by the adversary or where attacked systems are recovered without the appropriate remedial steps to remove the threats and vulnerabilities, causing those same systems to be reinfected within seconds or minutes."

Blake said: “Typically, all cyber attacks, including ransomware and wipers, go through 14 tactics or stages, using hundreds of different techniques. It's not until the last two stages that damage is inflicted through exfiltration, or encryption or deletion – which typically only happens in the last 50-60 minutes of the attack. The adversary can be in the system for up to a couple of years. This means your data may have been compromised months ago. So if you restore back to the previous snapshot, your data still has the vulnerabilities and misconfiguration that allowed the attackers to get in.

“Best practices in cyber resilience don't start at the recovery stage – recovery is only the fifth step. You need to be able to prepare, identify, contain, remediate, recover and learn lessons. You need to restore trust in identity, accounts and all the core elements, and then you can start rebuilding the applications on top of them,” he said.

Blake said many organisations focus on recovering data and applications but overlook the foundations for trust, co-ordination and control, such as identity and access management, networking and DNS, privileged access controls, core security tooling, secure communication channels and even physical access systems, software licence keys, contact lists and insurance policies.

He emphasised that for remediation, organisations also need a ‘clean room’ – a contained environment for investigations and to rebuild trust into systems.

He advised: “Don't do volume-based recovery, because you may have good data but not good infrastructure. Too many people treat cyber resiliency as a massive project – it’s better to look at your weakest links, focus on those and deliver on those in a pragmatic and incremental way to restore the most critical assets to the business.”

Liz Borges, Account Director at Sithabile Technology Services, added: “A lot of companies fall into the trap of having a plan, but fail to execute it effectively. Risk, security and backup teams need to work together for enhanced cyber resiliency.”
