Since the rise of digital technologies in the business world in the 1970s, disaster recovery has undergone many transformations and evolved to its current state. However, destructive cyberattacks have shaken the fundamental architectural tenets of disaster recovery and forced many organizations to rethink how they approach this domain.
In recent years, cyber recovery has emerged as a technical discipline. Cyber recovery aims to ensure that organizations can survive catastrophic cyberattacks and continue business operations under adverse cyber conditions.
This blog explains cyber recovery and provides practical guidelines for building cyber recovery capabilities.
Ransomware challenges traditional DR approaches
As part of a typical attack lifecycle, a ransomware operator must progress through several stages before deploying destructive malware, including:
foothold and persistence
Arguably, privilege escalation is at the heart of a cyberattack. A ransomware operator with unrestricted access to a domain and the proverbial keys to the kingdom can inflict catastrophic damage to systems. This ability has broad implications for traditional disaster recovery, including:
Not only are elevated privileges often sufficient to deploy ransomware to a large number of systems, but they also allow a threat actor to delete backups before the deployment.
Suppose you run a hot disaster recovery site. If systems in the primary and disaster recovery sites are a part of the same domain, a threat actor can easily deploy ransomware to your secondary site too.
Ransomware often has an enterprise-wide impact, whereas traditional disaster recovery plans and capabilities focus on recovering individual systems and do not consider business recovery and orchestration.
Furthermore, traditional disaster recovery architecture focuses on minimizing data loss. In contrast, ransomware can lead to a complete loss of backups, rendering metrics such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) irrelevant.
I have witnessed numerous cases where a threat actor deleted backups before deploying ransomware, rendering recovery impossible and forcing the victim organizations to pay a ransom.
Cyber recovery aims to address the challenges outlined above by providing principles and architectural approaches that help organizations preserve critical data, applications, and infrastructure to ensure survivability and accelerate recovery during a business-impact cyber event.
Understanding what is critical to your business
The old mantra goes “you cannot protect what you don’t know.” Therefore, identifying business-critical functions and processes that constitute a Minimum Viable Company (MVC) is an essential first step to building cyber recovery capabilities. An MVC is a set of functions, processes, people, data, and technologies necessary to fulfill an organization’s mission, sell products, and provide services to its customers.
Figure 1: Minimum Viable Company concept
The MVC concept matters to cyber recovery for the following reasons:
Building cyber recovery capabilities for the entire organization is often cost-prohibitive and may fall way outside your risk tolerance. Instead, focusing on what is essential will likely lead to a positive ROI.
Cyber recovery requires a paradigm shift. It is better to start small, demonstrate success, and then incrementally increase its scope.
Organizations must focus on recovering essential business functions and processes during a crisis to minimize losses. For this reason, the MVC concept can help leaders more effectively plan for a cyber crisis and prioritize business recovery during an event.
Starting a cyber recovery project by establishing an MVC has a significant benefit. It forces your organization to shift thinking away from an application-centric approach and focus on business process recovery planning. One of the reasons why traditional disaster recovery can fail during a catastrophic cyber event is a system-centric approach that does not consider an end-to-end business process and the dependencies between applications, infrastructure, and data supporting that process.
To enable an MVC, you need to understand and map data flows and business transactions for critical business processes before considering the technical aspects of cyber recovery. This mapping will help you identify application and data dependencies necessary to establish a recovery order. This point is essential for business processes that depend on complex downstream and upstream transactions facilitated by multiple applications.
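The step from a dependency map to a recovery order can be sketched as follows. This is an added example, not part of the original post: the component names and the "order to cash" process are constructed, and the function groups components into waves that can be restored in parallel.

```python
from collections import defaultdict

# Constructed dependency map for one hypothetical MVC process ("order to cash").
# Key = component, value = components that must be running before it is restored.
DEPENDS_ON = {
    "identity-service": [],
    "dns": [],
    "database-cluster": ["dns", "identity-service"],
    "erp": ["database-cluster", "identity-service"],
    "payment-gateway": ["dns", "identity-service"],
    "order-portal": ["erp", "payment-gateway"],
}


def recovery_waves(depends_on):
    """Return a list of waves; every component in a wave can be restored in
    parallel once all earlier waves are up (Kahn's algorithm, level by level)."""
    pending = {}                    # component -> dependencies not yet restored
    dependents = defaultdict(list)  # component -> components waiting on it
    for comp, deps in depends_on.items():
        unknown = [d for d in deps if d not in depends_on]
        if unknown:
            raise ValueError(f"{comp} depends on unmapped component(s): {unknown}")
        pending[comp] = len(set(deps))
        for dep in set(deps):
            dependents[dep].append(comp)

    waves = []
    ready = sorted(c for c, n in pending.items() if n == 0)
    while ready:
        waves.append(ready)
        next_ready = []
        for comp in ready:
            for child in dependents[comp]:
                pending[child] -= 1
                if pending[child] == 0:
                    next_ready.append(child)
        ready = sorted(next_ready)

    # Anything still pending sits on a cycle, so no recovery order exists yet.
    stuck = sorted(c for c, n in pending.items() if n > 0)
    if stuck:
        raise ValueError(f"circular dependency among: {stuck}")
    return waves


if __name__ == "__main__":
    for number, wave in enumerate(recovery_waves(DEPENDS_ON), start=1):
        print(f"wave {number}: {', '.join(wave)}")
```

A dependency on a component that is missing from the map, or a circular dependency, raises an error instead of producing a misleading order; both are mapping gaps to close before a crisis.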
Enabling cyber recovery
Cyber recovery requires alignment between business and technology to achieve its intended outcomes. The following paragraphs outline the critical components that enable cyber recovery for your MVC.
Enterprise Recovery Plan
Cyber recovery focuses on business process recovery, which requires an orchestrated and cross-functional effort driven by business priorities and executed by technology recovery. Once you have mapped critical business processes and identified application data flows along with application, infrastructure, and data dependencies, it is time to create an enterprise recovery plan aligned to your MVC construct.
An effective plan addresses business recovery, technology recovery, priority management, technical management, resourcing, activity workflows, roles and responsibilities, and other essential components that must work in concert to minimize downtime and facilitate effective recovery.
Forensic Analysis and Data Validation
Ransomware and other cyberattacks not only corrupt data but also leave attacker residue on systems, such as malware and adversarial tools. For this reason, you need to consider security requirements as part of cyber recovery planning. Restoring production systems without forensic analysis, containment, and eradication may be counterproductive.
Conducting forensic analysis, scoping the compromise, and validating data integrity as part of recovery is essential. Forensic analysis is also necessary to establish a Recovery Point (RP) based on the attack timeline.
Another vital consideration is system hardening and eradication measures to ensure the adversary cannot exploit the same vulnerabilities and system weaknesses to regain access to the compromised environment. This step focuses on tactical remediation to support adversary eradication and business resumption. More strategic remediation will occur when you transition from crisis mode to a steady state.
While traditional resiliency technologies, such as data replication, system snapshots, and agent-based backups are still relevant, they are insufficient to guarantee cyber recovery. You need to consider a cyber vault solution for your MVC to minimize downtime and business interruption and assure your organization can recover from a destructive cyberattack.
A cyber vault is a solution that creates logically air-gapped snapshots or replicas of your production data and stores that data in a logically isolated environment with separate access controls and permissions. Storage plays a key role in a cyber vault:
It protects data against deletion and tampering by creating immutable replicas of production data.
It accelerates recovery by leveraging flash memory and storing data snapshots in arrays located in close proximity to the primary array storing production data.
Some vendors also implement a data verification and validation feature. This is often achieved by scanning the replica of production data for evidence of corruption introduced by malware and identifying patterns that may be indicative of ransomware encryption and data corruption.
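One heuristic for spotting encryption in a replica is byte entropy compared against the previous snapshot. The sketch below is an added example, not from the original post and not any vendor's implementation; the thresholds, file paths, and sample data are constructed assumptions.

```python
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune per data set
JUMP_THRESHOLD = 2.0      # assumed minimum rise over the previous snapshot


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def suspicious_files(previous: dict, current: dict) -> list:
    """Compare two snapshots ({path: bytes}) and return paths whose content now
    looks encrypted: near-random entropy that rose sharply since the last copy."""
    flagged = []
    for path, data in sorted(current.items()):
        now = shannon_entropy(data)
        if now < ENTROPY_THRESHOLD:
            continue
        before = previous.get(path)
        # New high-entropy files have no baseline; flag them for manual review.
        if before is None or now - shannon_entropy(before) >= JUMP_THRESHOLD:
            flagged.append(path)
    return flagged


def constructed_snapshots():
    """Constructed sample data: a clean snapshot and a later one in which one
    document was replaced by pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(0)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    archive = bytes(rng.getrandbits(8) for _ in range(8192))  # stands in for a zip
    text = b"Invoice 1001: 12 units shipped to customer.\n" * 200
    clean = {"finance/invoices.txt": text, "backup/logs.zip": archive}
    later = {"finance/invoices.txt": noise, "backup/logs.zip": archive}
    return clean, later


if __name__ == "__main__":
    clean, later = constructed_snapshots()
    print(suspicious_files(clean, later))
```

Comparing against the earlier snapshot keeps files that are legitimately compressed or encrypted, which are high-entropy in both copies, from being flagged on entropy alone.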
Over the last several years, cyberattacks have challenged traditional disaster recovery approaches. In response, cyber recovery constructs have emerged to address their shortcomings. Cyber recovery starts with identifying business-critical functions and processes that constitute a Minimum Viable Company (MVC). Equipped with this knowledge, organizations can develop cyber recovery capabilities underpinned by cyber vault technologies, enterprise recovery planning, and forensic analysis of compromised systems. The synergy between those components allows organizations to minimize downtime caused by a cyberattack and accelerate recovery.