The Malta Independent on Sunday

Cyber recovery: Surviving a digital extinction event

Today’s cyber threats often require more sophisticated defences than most traditional disaster recovery plans can deliver. A cyber recovery vault can help keep data safe, even in the face of malware

- For more information, please visit www.deloitte.com/mt/cyberrisk

Imagine getting a call at 4 a.m. with the news that a cyberattack has knocked out nearly your entire network. What do you do next?

It’s a true story, and perhaps the most shocking part is the speed with which the attack happened. The year was 2017, and the NotPetya virus was the culprit. Once the malware reached this company’s network, it took just two seconds to hit the first machine and 90 minutes to lock nearly every server and endpoint globally – 4,000 servers, 45,000 PCs, and 2,500 applications.

Of particular note is that this was not a targeted attack aimed at this specific company; the virus was actually created with another target in mind. Once it made its way onto the public internet, the collateral damage was significant. “You don’t have to be high-profile to be a victim of this kind of attack,” said Kieran Norton, a principal with Deloitte.

In a recent Dbriefs webinar, Norton and other Deloitte leaders discussed the evolving nature of today’s cyberattacks and what companies can do to maximise their resilience.

A New Focus on Data Integrity

With technology embedded throughout so much of the world, there’s been an exponential expansion in the attack surface available to bad actors. “If it has an IP address, it is a potential vulnerability,” said Pete Renneker, a managing director with Deloitte.

Meanwhile, even as companies scramble to secure their technology, the types of attacks being perpetrated are changing rapidly. “As we design and implement new controls, there’s somebody on the other end trying to find ways to circumvent those controls,” Renneker noted.

While many attacks used to focus on data theft, the emphasis has shifted to data integrity, making that the top cyber concern for respondents to Deloitte’s 2019 Future of Cyber Survey. Loss of revenue due to operational disruption is now the biggest perceived impact of today’s cyberattacks, the survey found.

‘Weeks or Months’

Disaster recovery architectures often rely on backup and replication tools, which may propagate the infection to redundant systems and storage. Recognising the business world’s reliance on these tools, some bad actors are specifically targeting them to maximise the destructive impact. In addition, traditional business continuity plans, which typically detail the manual workarounds that can help sustain temporarily disrupted operations, are often ill-equipped for sustaining digital business processes where manual workarounds may be impossible.

“Ultimately, because of this backup architecture, your systems and data may be lost in a matter of minutes,” Renneker said. “The more critical the system, the more aggressive the redundancy, the higher the likelihood that malware will move quickly through the environment.”

The resulting downtime can be significant. “Physical and traditional outages are often measured in hours and days; destructive malware attacks are typically measured in weeks or months,” said Michael Juergens, a principal with Deloitte. “It can turn into an extinction-level event.”

The Cyber Recovery Vault

Cyber resilience in the face of today’s modern threats typically requires capabilities beyond those included in most traditional recovery and continuity programs. For many companies, it’s time to modernise existing risk management programs for improved readiness, response, and recovery capabilities. A cyber recovery vault can play an important role.

Built off the storage array, a cyber recovery vault takes essential backups and business data and stores them in segregated, secured, and immutable form. Although malware may still find its way into the vault, the technology’s design protects data from destruction. “The data sits in the vault in essentially a cryogenically frozen state,” Renneker explained. “While the malware may be there, it is unable to deliver its payload.”

Once the organisation has identified and examined the malware in question, it can then extract, inspect, cleanse, and recertify exposed data and applications, thus accelerating recovery of critical business operations.

Core Components

Elements that typically go into the cyber recovery vault include core infrastructure services such as Active Directory, network configurations, backup catalogues, Domain Name System (DNS), and more, along with any other essential business data and services.

Once inside the vault, data is segregated by an air gap, limiting lateral movement; secured by physical and logical protection; and made immutable to protect against permanent deletion or destruction. Data-integrity checking on the vault itself can accelerate malware discovery, further increasing the value and utility of the solution.
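As an added illustration of the data-integrity checking described above (example code written for this page, not Deloitte’s or any vendor’s vault tooling), the script below seals a manifest of digests for a vault copy and later compares a second copy against it, reporting altered, deleted and unexpected objects so the clean room can refuse to promote a corrupted copy. The snapshots and the vault-held seal key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample: a vault snapshot as {path: file bytes}. In a real vault
# these would be read from the immutable copy; the paths are illustrative only.
GOOD_SNAPSHOT = {
    "ad/ntds.dit": b"ACTIVE-DIRECTORY-DATABASE-v1",
    "dns/zones.txt": b"corp.example. IN A 10.0.0.5\n",
    "backup/catalog.db": b"CATALOG:job1,job2,job3",
}

# Constructed: what a later copy looks like after destructive malware ran
# (one file altered, one deleted, one dropped in that was never backed up).
TAMPERED_SNAPSHOT = {
    "ad/ntds.dit": b"ACTIVE-DIRECTORY-DATABASE-v1",
    "backup/catalog.db": b"CATALOG:ENCRYPTED",
    "ransom/README.txt": b"your files are encrypted",
}

# Assumed: a key that lives only inside the air-gapped vault, so whoever can
# rewrite files in production cannot also forge a matching manifest.
VAULT_SEAL_KEY = b"vault-only-seal-key-placeholder"


def build_manifest(snapshot):
    """Record a SHA-256 digest for every object in the snapshot."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in sorted(snapshot.items())}


def seal_manifest(manifest, key=VAULT_SEAL_KEY):
    """HMAC over the canonical JSON form so the manifest itself is tamper-evident."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_snapshot(manifest, seal, snapshot, key=VAULT_SEAL_KEY):
    """Compare a copy against the sealed manifest and return the discrepancies found."""
    if not hmac.compare_digest(seal_manifest(manifest, key), seal):
        raise ValueError("manifest seal mismatch: manifest may have been replaced")
    current = build_manifest(snapshot)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def safe_to_promote(report):
    """Clean-room gate: only a copy matching the manifest exactly may return to production."""
    return not any(report.values())
```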

Core components of a cyber recovery vault typically include:

• Storage vault – the physical or virtual storage area for the backup data and other critical materials.

• Data recovery zone – used to reconstruct environments from the vault.

• Clean room – a setting to certify that recovered environments meet security standards and are safe for promotion back into the production network.

• Workflows – preconfigured to automate data transfer, forensics, damage assessment, and application triage activities.

• Playbooks – steps to orchestrate recovery while avoiding an inadvertent secondary corruption.

Initial Steps

While traditional disaster recovery systems are often based on a “more is better” mindset in which as many systems as possible are deemed critical and included in backup plans, cyber recovery takes a more selective approach. Rather than aiming for recovery to business as usual, the focus shifts to achieving a new minimum viable “normal” for operations to enable organisational survival.

Enterprises aiming to embrace the cyber recovery approach can begin with a few key steps:

• Assess business survival needs while implementing a critical materials vault. Accelerate protection of foundational systems, drive awareness of the risk across the business, and identify critical business functions.

• Map “heartbeat” business services. Map services from critical business functions to underlying applications, data, and infrastructure and define a minimum viable business operating environment.

• Develop application, data, and infrastructure dependency maps. Identify interdependencies to establish a minimum viable technical operating environment.

• Complete vault build-out. Design and implement remaining core components including the data recovery zone, clean room, and workflows.

• Develop service recovery playbooks and ongoing governance. Document bare-metal recovery processes and conduct tests to verify the solutions work as designed. Incorporate ongoing management into a cyber resilience framework.

• Perhaps most important is taking the first step. “Avoid the trap of over-analysing or stalling,” Renneker said. “This is an area where quick wins can pay big dividends.”

There’s no end in sight to the cyber threats on the horizon, and many companies are not adequately prepared. By taking some critical, proactive steps today, they can help pave a solid path to the future.
