
Breach Restoration 101

Incident Response / March 29, 2023

The costs of cybersecurity breaches are many, but chief among them is the expense associated with business disruption.

Today, business downtime can cost on average anywhere from $100,000 to $1 million. The average total cost of recovery and downtime following a cyber incident more than doubled in 2020, according to an Allianz Global Corporate & Specialty study, growing from $761,106 to $1.85 million.

Yet few organizations understand that restoration experts can assist with the incident response process and reduce costs associated with business disruption or that they should be included among the cyber incident response service providers listed in an incident response plan.

We talked to Heath Renfrow, co-founder of Fenix24, about the new generation of breach restoration services and how they minimize both business downtime and associated costs.

In your experience, why is breach restoration so often overlooked or prioritized relatively low in the incident response (IR) process?

The breach response process was originally designed over a decade ago. Back then, breaches were way less impactful and destructive, and the process itself was designed to bring in outside expertise primarily where internal staff lacked it—legal assistance, crisis communications, ransom negotiation, forensics, etc. Downtime was not a top five expense.

But things have really changed; ransomware attacks can be very systematically destructive, and downtime is now the most costly aspect of the incident. While the need to address downtime became a top imperative, the incident response process was much slower to change and respond to that need. It’s changing now though, since companies can’t afford to see their operations at a standstill and cyber insurers need to address these massive losses.

What is typically involved in the breach restoration process? Give us an overview of how breach restoration ensues after a computer security breach.

In the new process, we work in partnership with Digital Forensics and Incident Response (DFIR) firms like CrowdStrike and Palo Alto Networks, and we strive to do all of our restoration efforts remotely to save both time and client expenses. We are able to gain access to a client environment within a few hours of scoping a project.

We then are able to do network discovery, implement recovery domain controllers, and set up automatic deployment tools to push out the endpoint protection solutions for our forensic partners. This not only contains the threat in the environment, but also gets forensic data flowing quickly.

Instead of waiting days or weeks for forensic data to flow, we are able to have the data moving within 12 to 24 hours of initial contact from the client. At the same time, we begin planning the systems restoration strategy immediately, looking at which systems are the highest priority for operations so that we can restore them in a prioritized way for the customer.

The reason our partnership with DFIR firms is so vital is that the faster forensics flows, the faster restoration can begin. You must know what the threat actor did in the environment, what they touched, when they got in, etc., before you can start spinning an environment back up. When clients attempt to do all this work on their own, they become quickly overwhelmed and disorganized, and the recovery stretches into months, versus days to weeks with us.
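The sequencing described in this answer (forensic clearance first, then recovery domain controllers, then systems in operational priority order, each only after what it depends on) can be expressed as a small scheduler. The code below is an added illustration and is not Fenix24's or any DFIR firm's tooling; the inventory, names and priorities are constructed sample data.

```python
# Added illustration (not Fenix24's tooling): order systems for restoration.
# A system is scheduled only once DFIR has cleared it and every dependency
# is already scheduled; among ready systems, lower priority number goes first.
from dataclasses import dataclass
import heapq


@dataclass
class Asset:
    name: str
    priority: int                    # 1 = highest operational priority
    depends_on: tuple = ()           # names this system needs running first
    forensics_cleared: bool = False  # DFIR confirmed what the attacker touched


def plan_restoration(assets):
    """Return (ordered_names, blocked_names)."""
    by_name = {a.name: a for a in assets}
    remaining = {a.name: set(a.depends_on) for a in assets}
    # Seed with cleared systems that have no dependencies (e.g. recovery DCs).
    ready = [(a.priority, a.name) for a in assets
             if a.forensics_cleared and not a.depends_on]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for other, deps in remaining.items():
            if name in deps:
                deps.discard(name)
                # Becomes ready only if cleared; otherwise it stays blocked.
                if not deps and by_name[other].forensics_cleared:
                    heapq.heappush(ready, (by_name[other].priority, other))
    blocked = [n for n in by_name if n not in order]
    return order, blocked


# Constructed sample inventory; names and priorities are illustrative.
SAMPLE_INVENTORY = [
    Asset("recovery-dc01", 1, (), True),
    Asset("file-server", 3, ("recovery-dc01",), True),
    Asset("erp-db", 2, ("recovery-dc01",), True),
    Asset("erp-app", 2, ("erp-db",), True),
    Asset("legacy-hr", 4, ("recovery-dc01",), False),   # awaiting forensics
    Asset("hr-portal", 4, ("legacy-hr",), True),        # blocked by legacy-hr
]
```

Calling `plan_restoration(SAMPLE_INVENTORY)` yields the recovery DC, then the ERP database and application, then the file server, while the two HR systems stay blocked until forensics clears `legacy-hr`.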

Who is typically responsible for breach restoration and getting systems back online? Similarly, who needs to be involved in that process?

The previous restoration process fell on the internal IT team, which is normally overwhelmed by the whole situation and struggles to even get the forensic tools deployed. Most companies don’t even realize that they not only have DFIR firms they can use for forensics, but also a restoration firm like Fenix24 to come help organize and execute the restoration itself “hands-on-keyboard.” It is an old-school mentality that only drives up the overall business interruption costs for the client and cyber insurer.

There are many options to wade through: greenfield (starting to rebuild from scratch), versus using backups, using a staged approach to prioritizing systems, etc. Leveraging expert partners to help guide and lead the process is reducing downtimes dramatically. Considering downtime can cost up to millions an hour for some highly transactional enterprises, it’s an important evolution.

What are some of the most common forms of business disruption due to a cyber attack?

Many of today’s ransomware variants have been engineered to replicate across distributed systems rapidly. The old type of ransomware that affects one person’s computer isn’t what we typically deal with—we see attacks that shut down multinational corporations’ entire systems estate, taking down their ability to conduct business, and municipal attacks, where the entire city’s support systems are down, affecting 911 services, police/emergency response dispatch, payroll systems, etc.

Downtime can be severe when it affects hospitals, which can no longer provide critical patient care, or government systems involved with defense. Really, think of any business, governmental department, critical infrastructure service, or utility, and imagine the impacts if it ceased functioning.

What can businesses do to better prepare restoration of systems to avoid business disruption?

After a breach, our sister company, Athena7, conducts complete assessments on organizations, if they choose, to determine security gaps, and we find there are often many vulnerabilities across organizational controls and configurations.

We believe it is important to first try to avoid being breached: understand that compliance frameworks like NIST have limitations—they aren’t detailed or timely enough to secure all the doorways threat actors use to gain entry. It’s important to understand where your gaps lie, and then apply a layered approach to security across people, process, and technology, using a Zero Trust principle.

Second, companies must have an up-to-date disaster recovery/business continuity plan that maps out exactly what to do and who to contact in the event of a breach, and test that plan via tabletop exercises.

Third, know that not all breach coaches and cyber insurers understand the importance of having a restoration partner engaged early. Businesses should advocate for themselves and assert the need for this assistance, so that their downtime is reduced.

To learn more about Fenix24, visit their website.

To learn more about Mark Greisiger, visit this page.

To get a data breach response plan in place, start your 30-day free trial of Breach Plan Connect® from NetDiligence® today!


© 2024 NetDiligence All Rights Reserved.