Resilience is, by definition, the ability to withstand and recover from an adverse event. However, when applied to cyber security, especially for critical systems, there is a tendency to focus only on the ability to repel an attack. The sad truth is that, even in air-gapped systems, nothing is 100% secure. In the current cyber security threat landscape, the single biggest threat is ransomware, and it has taught some very hard lessons on how a lack of recovery plans can stop an organisation from running its basic functions.
Disaster Recovery and Business Continuity Planning are not new subjects. Organisations have long realised that the apocryphal jumbo jet crashing on their data centre would require them to consider everything from data backups to switching to manual processes; this has at least been understood, if not universally planned for. But ransomware, by its nature, has shown that incident response plans cannot be generic: their success depends very much on the threat to which they are responding.
Having an “outage” in a single location can be planned for with backups of data and hardware. Sophisticated systems have been developed to allow hot standby systems to take over IT operations almost seamlessly. However, it is not quite so simple when malware is doing its very best to traverse the IT network, lock every machine it can discover, and prevent recovery from backups by encrypting anything that is connected, thus ensuring that no current snapshot of the data in use across the network is readable any more.
So now you have to cope not just with an interruption to your operations but potentially with a permanent loss of data, because you are forced to fall back on backups that are not real-time. Very few organisations have a plan to do this.
Ransomware has also taught us that encrypting data on a network is not the only way to hold data hostage. The evolution of these attacks typically now includes exfiltrating the data so that the attacker has the only clear, current copy. Hence, even if you decide to completely rebuild your systems, the attackers can threaten to release your data unless you pay up.
The demand for payment leads many to believe that it is only criminals, interested in financial gain, who use ransomware attacks. Not so. Nation states can use them because they allow significant disruption of critical systems whilst maintaining plausible deniability. The use of “crime as a service” infrastructure, and of arm’s-length criminal groups undertaking targeted attacks, rather like the mercenaries used to fight proxy wars in the Cold War, makes it very difficult for one nation to attribute disruptive activities to another state.
Paying up can seem like the quickest path to recovery. However, evidence suggests that it not only marks you out as a target for further attacks (who better to target than an organisation known to pay up), but that even if the attackers give you the keys to decrypt your systems, it is often quicker to rebuild. The Irish Health Service found this when they were crippled by such an attack. The attackers “felt sorry for who they had caught in their net” and gave the decryption tool for free. The trouble was that the tool was so inefficient it was quicker to start again.
There is always the risk, if you cooperate with the attackers, that they may leave something behind. Again, motive matters. It may look as if they want money for a ransomware attack, but they may instead want to leave spyware on your network because they are not interested in money at all. You may appear to recover, only to find later that you have spyware roaming your network or, possibly worse, malware that is lurking, ready to be commanded to disrupt the network at some future date.
The real key to recovering from cyber attacks is to understand the true, in-depth nature of the threat and how it would impact the availability and trustworthiness of your data. That threat is different for each organisation. There is no such thing as an off-the-shelf cyber security recovery plan. But there are certain generic steps to put in place around matters such as communication: who do I call if I think we are being attacked?
Whatever plan you develop, it has to be exercised. There is no point dusting off your plan for the first time when you are attacked. Treat it like a fire evacuation plan and run drills. Your organisation will recover a lot faster.