If your business suffered a (successful) cyber attack today, how would you respond? There are no cyber police to call, nor is there a fire department to come put out the flames. A disaster recovery plan is NOT the same as a Cyber Attack Response Plan (CARP).
Cyber attacks are happening every second of every day against your business. At some point there will be a successful attempt no matter how much security training and planning you do. The goal of the CARP is to minimize the impact of the attack, capture needed information for analysis, and to enable disaster recovery to begin quickly.
We have seen many instances where businesses identified a successful attack, received a ransomware demand, and started the recovery process BEFORE they had even cut off the attacker's access! This lack of planning extends the recovery timeline and keeps the business vulnerable to ongoing attacks.
The four steps of a Cyber Attack Response Plan are outlined below. It is important that the plan is kept up to date along with your Disaster Recovery Plan, and reviewed on an annual basis.
Shut down the attack vector
Starting repairs on a house that is on fire makes no sense. The fire needs to be put out first! The same goes for a cyber attack. The first step is to shut down the affected systems and find out where the attack started. This will help determine what steps need to happen to stop the attack.
Ransomware is spread and controlled via network access. It is critical to shut down network access, both inbound and outbound, until you can determine how the attacker got in. Typically you also want to shut down local workstations on the LAN to keep the attack from spreading.
Assess the damage
Your IT provider should have all networks, systems, and applications documented, along with the access methods enabled for each. Go through each of these areas to assess what is working and what is not. From there you can make a prioritized list of what needs to be restored.
During this step communication is essential. It is often difficult to establish what is and is not working for remote teams versus those onsite in an office. Get all involved parties on a call to run through this step.
Capture the logs and review backups
This step has become more important with the increase in cyber liability insurance claims. Many cyber insurance policies require that you notify the insurer and deploy their analysis tools when an attack occurs. This needs to be a part of your CARP, especially since skipping it may mean your cyber policy will not cover the incident!
Attackers are generally in the network for weeks before the actual attack. This means that backups can contain the attacker's payload, which will simply reactivate if you restore that backup. Prior to restoring any backup it is important to analyze it for any sign of prior infection.
Start your disaster recovery process
Now it is time to start the actual disaster recovery process. Execute the recovery plan by priority for each affected system and application you identified in step 2. When restoring files or servers it is important to conduct full offline scans of them BEFORE putting them back on the network!
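The backup handling in steps 3 and 4 above (attacker dwell time, scan before restore) can be turned into a small triage tool. This is an added example, not code from the original post: the six-week dwell window, the sample backup list, and the `scanned_offline`/`scan_clean` flags are constructed assumptions, and the script only decides which backup is safe to restore; it does not restore anything itself.

```python
# Added example (not from the original post): pick a restore point that is
# outside the assumed attacker dwell window AND has passed a full offline scan.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    name: str
    taken: datetime                 # when the snapshot was captured
    scanned_offline: bool = False   # full offline scan completed (step 4)
    scan_clean: bool = False        # offline scan found no prior infection

def triage_backups(backups, detected_at, dwell=timedelta(weeks=6)):
    """Split backups by whether they were taken inside the assumed dwell
    window. DWELL is an assumption (the post only says 'weeks'); set it from
    what the log review in step 3 actually shows."""
    window_start = detected_at - dwell
    pre_window = [b for b in backups if b.taken < window_start]
    suspect = [b for b in backups if b.taken >= window_start]
    return pre_window, suspect

def restore_gate(backup):
    """Return (allowed, reason). Nothing goes back on the network until a
    full offline scan has run and come back clean, whatever the backup's age."""
    if not backup.scanned_offline:
        return False, f"{backup.name}: no offline scan yet"
    if not backup.scan_clean:
        return False, f"{backup.name}: offline scan found signs of prior infection"
    return True, f"{backup.name}: cleared for restore"

def pick_restore_point(backups, detected_at, dwell=timedelta(weeks=6)):
    """Newest backup that is both outside the dwell window and passes the gate;
    None means recovery must wait until more backups have been scanned."""
    pre_window, _ = triage_backups(backups, detected_at, dwell)
    for b in sorted(pre_window, key=lambda b: b.taken, reverse=True):
        allowed, _ = restore_gate(b)
        if allowed:
            return b
    return None

# Constructed sample data: attack detected on 1 March, weekly file-server backups.
DETECTED = datetime(2024, 3, 1)
SAMPLE_BACKUPS = [
    Backup("fs-2024-01-05", datetime(2024, 1, 5), scanned_offline=True, scan_clean=True),
    Backup("fs-2024-01-12", datetime(2024, 1, 12), scanned_offline=True, scan_clean=True),
    Backup("fs-2024-02-02", datetime(2024, 2, 2), scanned_offline=True, scan_clean=False),
    Backup("fs-2024-02-28", datetime(2024, 2, 28)),  # newest, but never scanned
]

if __name__ == "__main__":
    pre, sus = triage_backups(SAMPLE_BACKUPS, DETECTED)
    print("pre-window:", [b.name for b in pre], "suspect:", [b.name for b in sus])
    chosen = pick_restore_point(SAMPLE_BACKUPS, DETECTED)
    print("restore point:", chosen.name if chosen else None)
```

With the sample data the newest backup is rejected for lacking a scan and the 2 February one for a dirty scan, so the 12 January snapshot is the restore point even though it is the older, pre-window copy.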
Be sure to review our post on workstation recovery before starting this process. It will save a lot of time in your recovery.