Prevention is the best medicine, as the saying goes. Eating right, exercising, and monitoring your health is better than treating an illness when it happens. However, try as we will, everyone eventually gets hit by the bug. Going through recovery is inevitable.
We have been talking about being pro-active and taking measures to protect networks for years. We still talk about it…until we are blue in the face. We have been saying that not being prepared will lead to bad things happening. Now here we are today watching the news for the ransomware attack of the week. So let’s talk about recovery from a ransomware attack.
Let me preface this by saying that how quickly and how well you recover is highly dependent on how well you did on the prevention front, before the bug hit. When bad things happen it is important to discover exactly what caused the attack, how bad the damage is, and what has to happen to stop it from happening again. This requires a set of policies and practices that have to be established in advance. This requires planning. This is also a very intelligent approach that will help an organization determine what needs to be prioritized and where resources are best utilized. Let me explain.
Organizations may be aware that there is a need to monitor networks and may take an approach that implements network monitoring based on any of a number of criteria; however the best approach is one that considers the impact to the business and the cost of a delayed recovery when the attack causes a cessation in business.
The approach to monitoring the network should begin at the heart of the network with an assumption that everything before getting to the heart has failed, and what is the plan for recovery if that happens. This helps bring some clarity to question, “What needs to be protected the most?”
Once you have determined what needs to be protected, defense layers can be put in place as needed. Each layer should include monitoring as well as consistent vulnerability-discovery over time. What works today does not work indefinitely. With all that in mind, the hard part comes next. Despite all the time and effort and resources put into preventing the network attack, one has to assume complete failure. The systems put in place should take into consideration the need to monitor the recovery process in order to determine how well the recovery is going. Doing this in a theoretical manner is rarely very effective. It has to be put to the test.
Organizations need to build test systems and purposely break them to determine what is needed to get back up to speed. This is a difficult thing for some organizations to do. In order to be effective, those with the most knowledge of the system need to be part of the team that breaks it, and nobody likes to break something they have built, especially when they believe it is unbreakable.
The recent level of sophisticated attacks and growing interest of the malware community to find new ways of monetizing cyber crimes has changed the game. Organizational survival is highly dependent on taking more intelligent approaches, and there is no longer any room for hubris. The common cold once took many lives, and today not so much. Planning for recovery is just good sense.