Have you ever been trying to solve a complex problem when someone says, “Just do XYZ?” The word “just” bugs me because it is used far too often in IT and security and oversimplifies the solution.
Specifically, the idea that you can just recover from a cyberattack in the same way you’d recover data from a power outage is problematic. There are a few extra steps since cybercriminals explicitly try to stop you from recovering. A flood won’t come back after you recover and soak down your servers, but an attacker will reinfect your systems to maintain their hold on your data. Want proof? Here are three examples of data breaches in recent history where companies just hit the recovery button and just didn’t.
- In 2017, a global shipping giant was one of the many companies affected by the NotPetya ransomware attack. Despite initial efforts to recover, they faced significant challenges due to reinfection risks and the widespread nature of the malware. The attack led to the reinstallation of thousands of servers and computers, significantly delaying recovery.
- In 2019, a city here in the U.S. was hit by the RobbinHood ransomware, causing widespread disruption to the organization’s network. As they attempted to block threats and recover, the fear of reinfection and the complexity of their IT infrastructure made the recovery process slow and arduous. Ensuring every system was clean before returning it online was a significant challenge.
- In 2020, a large university was targeted by the NetWalker ransomware. Their recovery efforts were complicated by the need to meticulously clean and verify systems to prevent reinfection. Ensuring the complete eradication of the malware from their network was a process that took considerable time and cost a significant amount of money.
Three key steps you can take before a cyberattack
These are just some examples where organizations lost control of their networks and had to deal with the loss of financial information and the reputational impacts of cyber incidents. Of course, the risk will be different depending on the business you’re in. The point is that recovering from a cyberattack is hard, and if you want to prevent data loss, you must be prepared to do some work before hitting the recovery button. This is probably why 69% of the organizations we surveyed in our latest Cyber Resilience Report admitted to paying a ransom—despite two-thirds of them having do not pay policies.
There are some things you can do to prepare and make the investigation process run smoothly. Below are three key steps you can take before a cyberattack that can give you the ability to recover from a cyberattack.
- Create what we’re calling a digital jump bag with all the tools and software you need to create a minimum viable response capability. Simply put, a digital jump bag is a virtual toolkit used in cybersecurity and IT incident response, designed to help teams quickly address and resolve security incidents. It typically includes a laptop with pre-configured security tools, external drives for backups, portable Wi-Fi hotspots for internet access, and tokens for multifactor authentication. The jump bag may also include mobile phones if the employees believe their devices have been compromised. You’ll also have forensic tools, antivirus, network security tools, scanners, log analyzers, and backup/recovery software. Contact lists, system architecture maps, and cheat sheets for fast action are often forgotten about during incident response plans. Similarly neglected but important are things like passwords for critical systems or even a copy of Active Directory. Services such as VPN access and tools for real-time event monitoring should also be part of your kit.
Key takeaway: A digital jump bag, virtually packed with handy tools for cybersecurity and incident response, can be valuable.
- Have an isolated, clean room environment ready to be used during the threat investigation. In our conversations with incident response partners, we’ve heard having these two things will save significant time when they get involved. Following industry best practices and in consultation with experts, we’ve assembled a set of product capabilities and workflows that organizations can use to achieve business continuity in this age of destructive ransomware and wiper attacks. The design can be segmented into three stages that allow organizations to prepare for the scope of a cyberattack and recover clean data into production.
Key takeaway: A clean room design provides a trusted foundation that speeds up incident recovery and augments SecOps teams’ investigations into suspicious activity while minimizing the risk of secondary attacks.
- The third and most important step is to train employees and remove all the assumptions from your incident response plan. Assumptions can create blind spots. If an incident response plan is built on assumed conditions or outcomes, it may not meet your organization’s specific needs in the face of an actual cyberattack. Removing assumptions ensures that your department is more prepared and decisions are based on verified information, enhancing the precision and reliability of actions taken during a cyberattack.
Key takeaway: Assume nothing. Verify everything.
Be prepared—it’s more than just a motto
Cybersecurity and recovering from cyberattacks and ransomware is hard. Cybercriminals continue to evolve and are motivated by money to gain access to your systems and data. But remember, business resilience is everything. Your goal is to get your business back up and running while protecting your data and your reputation.
There have been examples of some best practices you can follow to prevent data loss and smooth the investigation process. By grounding the incident response plan in facts and data, you ensure that it remains robust, resilient, and ready for a wide range of challenges.
Put another way, you built confidence in your response capabilities, so you’re able to recover without paying a ransom. Yes, it will take some effort, but the more prepared you are, the more smoothly your response will be. So to borrow from a popular catchphrase, just do it.
