With so much at stake during a cyber incident—including financial loss, business interruption and noncompliance with laws and regulations that govern data protection—companies must include disaster recovery as part of their cyber incident response plan.
What is Data Recovery?
Data breach recovery (DBR) is the process of making a usable copy of data available where the original was lost or damaged. DBR, also known as disaster recovery, is critical to get business operations up and running again, ensure data integrity and continuity, regain customer trust after a data breach and stay compliant.
This process is often more involved than many expect and can encompass everything from removal of the external threat to server rebuilds and encryption.
We spoke with Anthony Mongeluzo, President of PCS, about some dos and don’ts for a successful data breach restoration and how to protect yourself after a data breach.
- Start by eliminating the threat at hand. “An initial step in data breach restoration is containment and removal of the persistent external threat. This is a joint effort between the forensic analysis and technical remediation teams,” Mongeluzo says. “Deployment of a Monitored Endpoint Detection and Response Tool is typically leveraged here to provide system-by-system containment measures. For example, analysis of firewall traffic logs will typically result in the forensic analysis team providing malicious IPs that should be blocked for inbound and outbound communications. These two measures assist with the initial containment of the persistent threat.”
- Don’t make any sweeping changes to existing systems. An initial impulse in an attack situation is to make immediate infrastructure upgrades or configuration changes in response to the threat. This is a mistake, Mongeluzo says. “Changes to support immediate and critical containment measures are necessary, but any attempts to change infrastructure design, network configuration, or upgrade applications can significantly delay recovery objectives. It is recommended that recovery focus on restoring the environment as closely as possible to a pre-incident state while keeping in mind that, to an extent, changes will be required to implement critical containment and security measures. Separating restoration from hardening and improvement is essential to maximize efficiency in the restoration effort.”
- Use all the tools at your disposal, including backups. “Monitored Endpoint Detection and Response deployed to all endpoints and multi-factor authentication for network access are two of the most critical steps taken from a prevention perspective. However, since no method is 100% effective, it is equally, if not more, essential to have a solid backup solution.”
- Have a good backup strategy and test it. A backup is only as good as the quality of the data and the safety of its storage location. “A backup strategy, at a minimum, must include a hardened and segmented local backup repository and an offsite immutable repository for backup replication. Immutability of backups is a newer and more critical concept designed to prevent changes to backup data, including encryption or deletion of that data by a threat actor group,” Mongeluzo says. “Backups also need to be tested weekly if possible. Testing includes reviewing backup configurations to ensure all servers and data repositories are included, reviewing backup logs to ensure that any warnings/failures are addressed, and performing test restorations of files to ensure the backups are viable. With prevention measures in place and a strong backup solution, it is vital to put these to the test with routine and comprehensive penetration testing by a reputable security provider. Frequency is dependent on the size and sensitivity of your data but typically ranges from every six months to annually.”
- Adjust your recovery approach as needed. It’s not a one-size-fits-all process, and the approach to recovery will depend largely on several factors, Mongeluzo says. “Once containment has been attained, the focus can shift to recovery. Recovery can include backup restoration, server rebuild, or decryption. Determination of strategy will be driven by the viability of backups, the level of threat persistence, and the likelihood of acquiring a decryptor. Recovery should be prioritized to bring Active Directory services back online first, followed by critical business functions.”
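The weekly backup test described above has three parts: confirm every server in the inventory is covered by a job, review the job log for warnings and failures, and prove a test restoration actually returns the original data. The script below is an added example (not from the article or from PCS) that runs those three checks over constructed data; the host names, job record fields and file contents are invented.

```python
import hashlib

# Constructed inventory: the servers the backup policy says must be covered.
INVENTORY = {"dc01", "fileserver01", "sql01", "web01"}

# Constructed job records, as a backup console log export might provide them.
JOB_LOG = [
    {"host": "dc01", "status": "Success", "warnings": 0},
    {"host": "fileserver01", "status": "Warning", "warnings": 2},
    {"host": "sql01", "status": "Failed", "warnings": 0},
]

# Constructed test-restore samples: (original bytes, restored bytes).
# The second pair models a restore that completed but returned corrupted data.
RESTORE_PAIRS = {
    "payroll.xlsx": (b"Q3 payroll data", b"Q3 payroll data"),
    "contracts.pdf": (b"signed contract", b"signed contrac\x00"),
}


def review_coverage(inventory, jobs):
    """Hosts in the inventory that have no backup job at all."""
    backed_up = {j["host"] for j in jobs}
    return sorted(inventory - backed_up)


def review_job_log(jobs):
    """Hosts whose last job did not succeed cleanly and need follow-up."""
    return sorted(j["host"] for j in jobs
                  if j["status"] != "Success" or j["warnings"] > 0)


def verify_test_restore(original: bytes, restored: bytes) -> bool:
    """A test restoration only counts if the restored bytes hash identically."""
    return hashlib.sha256(original).digest() == hashlib.sha256(restored).digest()


def weekly_backup_check(inventory, jobs, restore_pairs):
    """Combine the three review items into one report for the backup owner."""
    failed = [name for name, (orig, rest) in restore_pairs.items()
              if not verify_test_restore(orig, rest)]
    return {
        "missing_hosts": review_coverage(inventory, jobs),
        "jobs_needing_attention": review_job_log(jobs),
        "failed_test_restores": sorted(failed),
    }


if __name__ == "__main__":
    for item, value in weekly_backup_check(INVENTORY, JOB_LOG, RESTORE_PAIRS).items():
        print(f"{item}: {value or 'none'}")
```

Any non-empty list in the report is a finding to address before the next cycle; an empty report is the evidence that the backups were viable that week.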
Does your organization have a practiced incident response plan (IRP) in place?
Is data breach recovery a part of your IRP?
If not, it is important to act now, before potentially becoming the victim of a cyber incident. At NetDiligence, we know that cyber incidents can devastate an organization. No organization can afford to be unprepared when a data breach occurs.
Learn more about our incident response plan solution, Breach Plan Connect®.
Breach Plan Connect, now available with a mobile app, makes it quick, easy, and affordable to create and access your incident response plan in minutes.
Don’t delay. Get started with Breach Plan Connect today.