Cybersecurity prevention efforts should not trump response capabilities. Experts at NIST spell out four steps to recovering from a cyberattack.
Preventing cybersecurity disasters—large or small—rather than having to recover from them is preferable, for obvious reasons. However, experts at the National Institute of Standards and Technology (NIST) are concerned that overreliance on prevention is as bad as being underprepared. In the NIST special publication Guide for Cybersecurity Event Recovery (PDF), authors Michael Bartock, Jeffrey Cichonski, Karen Scarfone, Matthew Smith, Murugiah Souppaya, and Greg Witte explain why:
“There has been widespread recognition that some cybersecurity events cannot be stopped and solely focusing on preventing cyber events from occurring is a flawed approach.”
That attitude among NIST experts started gaining traction two years ago when the Federal Government’s Office of Management and Budget published the agency’s Cybersecurity Strategy and Implementation Plan (CSIP). The following quote, in particular, captured the attention of NIST personnel:
“CSIP identified significant inconsistencies in cyber-event response capabilities among federal agencies. The CSIP stated that agencies must improve their response capabilities.”
The CSIP defines recovery as, “The development and implementation of plans, processes, and procedures for recovery and full restoration, in a timely manner, of any capabilities or services that are impaired due to a cyber event.”
The report continues, “Although there are existing federal policies, standards, and guidelines on cyber event handling, none of them focuses solely on improving cybersecurity recovery capabilities, and the fundamental information is not captured in a single document. The previous recovery content tends to be spread out in documents such as security, contingency, disaster recovery, and business continuity plans.”
NIST’s Guide for Cybersecurity Event Recovery
Enter the NIST’s Guide for Cybersecurity Event Recovery, which is a compilation of information and processes that can be used by private and public organizations to create recovery plans and be better prepared if a cybersecurity event occurs.
The Guide’s authors believe the recovery function consists of two phases: “The immediate tactical recovery phase is largely achieved through the execution of the recovery playbook planned prior to the incident with input from the NIST Cybersecurity Framework (CSF).”
More subtle is the second, strategic phase, which, according to the authors, allows organizations to improve the pre-recovery functions named in the CSF, in particular Identify, Protect, Detect, and Respond (Figure A), thereby reducing the likelihood and impact of future incidents.
Figure A. Image: NIST, Michael Bartock, Jeffrey Cichonski, Karen Scarfone, Matthew Smith, Murugiah Souppaya, Greg Witte
Four steps to recovering from a cyberattack
The authors of the Guide go into detail on how to develop an effective recovery process. A brief overview of each step follows.
1. Plan for cyber-event recovery
Effective planning is critical, according to the authors. Planning enables organizations to:
- determine crisis-management and incident-management roles;
- make arrangements for alternate communication channels, services, and facilities;
- explore “what if” scenarios based on recent cyber events that have negatively impacted other organizations;
- identify and address gaps before a crisis occurs, reducing their impact on business; and
- exercise technical and non-technical aspects of recovery, such as personnel considerations, legal concerns, and facility issues.
2. Continuous improvement
The Guide’s authors warn that recovery planning is not static, adding, “Cyber-event recovery planning is not a one-time activity. The plans, policies, and procedures created for recovery should be continually improved by addressing lessons learned during recovery efforts and by periodically validating the recovery capabilities themselves.”
3. Recovery metrics
Rather than guessing whether the recovery process worked as planned during a cybersecurity event, the authors suggest defining metrics that remove the guesswork. “It is beneficial to determine these metrics in advance, both to understand what should be measured and to implement the processes to collect relevant data,” the authors note. “This process also requires the ability to determine where the metrics that have been identified can be most beneficial to the recovery activity and identify which activities cannot be measured in an accurate and repeatable way.”
Some suggested metrics are:
- Costs due to the loss of competitive edge from the release of proprietary or sensitive information
- Legal costs
- Hardware, software, and labor costs to execute the recovery plan
- Costs relating to business disruption, such as system downtime, lost employee productivity, and lost sales
4. Building the playbook
The authors did not forget one of the more serious concerns presented in the Cybersecurity Strategy and Implementation Plan: Recovery guidelines do not reside in a single document, but are spread throughout security, contingency, disaster-recovery, and business-continuity plans.
Understanding mission-supporting information systems, as well as any dependencies surrounding them, is important under normal operating conditions. “In the event of a cybersecurity event, this information becomes paramount, and the processes and procedures need to be presented in an actionable manner to effectively restore business functions quickly and holistically,” conclude the authors. “The playbook is a way to express tasks and processes required to recover from an event in a way that provides actions and milestones specifically relevant for each organization’s systems.”
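As an added illustration of what “actions and milestones specifically relevant for each organization’s systems” can look like in practice, the following Python script is not from the Guide or its authors. It models a playbook as a set of systems, each with a recovery task and the systems it depends on, and derives a restoration order plus parallel milestones from those dependencies. The system names and tasks are constructed sample data; a real playbook would be populated from the organization’s own system inventory.

```python
"""Dependency-aware ordering of recovery playbook tasks.

Added example; the playbook below is constructed sample data, not content
from NIST SP 800-184. Each entry maps a system to its recovery task and the
systems that must already be restored before it can be brought back.
"""
from collections import defaultdict

SAMPLE_PLAYBOOK = {
    "identity-provider": {
        "task": "Restore IdP from known-good backup; rotate signing keys",
        "depends_on": [],
    },
    "database": {
        "task": "Restore DB from last clean snapshot; verify integrity",
        "depends_on": ["identity-provider"],
    },
    "log-collector": {
        "task": "Rebuild log pipeline so recovery actions are recorded",
        "depends_on": ["identity-provider"],
    },
    "payments-api": {
        "task": "Redeploy API from trusted image; validate against DB",
        "depends_on": ["database", "identity-provider"],
    },
    "web-frontend": {
        "task": "Redeploy frontend; re-enable load balancer",
        "depends_on": ["payments-api"],
    },
}


def restoration_order(playbook):
    """Return systems in an order that respects every dependency.

    Uses Kahn's topological sort with sorted tie-breaking so the result is
    deterministic. Raises ValueError for unknown or circular dependencies,
    which are planning defects that should surface before an incident.
    """
    indegree = {system: 0 for system in playbook}
    dependents = defaultdict(list)
    for system, entry in playbook.items():
        for dep in entry["depends_on"]:
            if dep not in playbook:
                raise ValueError(f"{system} depends on {dep}, which has no playbook entry")
            indegree[system] += 1
            dependents[dep].append(system)

    ready = sorted(s for s, d in indegree.items() if d == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
        ready.sort()

    if len(order) != len(playbook):
        stuck = sorted(s for s, d in indegree.items() if d > 0)
        raise ValueError(f"circular dependency among: {stuck}")
    return order


def milestones(playbook):
    """Group systems into waves; every system in a wave can be restored in parallel."""
    order = restoration_order(playbook)
    wave = {}
    for system in order:
        deps = playbook[system]["depends_on"]
        wave[system] = 0 if not deps else 1 + max(wave[d] for d in deps)
    count = max(wave.values()) + 1 if wave else 0
    return [sorted(s for s in wave if wave[s] == i) for i in range(count)]


def render(playbook):
    """Render the playbook as a checklist grouped by milestone."""
    lines = []
    for number, wave in enumerate(milestones(playbook), start=1):
        lines.append(f"Milestone {number}:")
        for system in wave:
            lines.append(f"  [ ] {system}: {playbook[system]['task']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_PLAYBOOK))
```

The useful property is that dependency errors (a task that refers to a system nobody has planned for, or two systems that each wait on the other) are caught while the playbook is being written and exercised, which is exactly when the Guide says gaps should be found, rather than during an active recovery.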
Throughout the Guide, the authors stress that the document’s main purpose is to provide guidance. “This document is not intended to be used by organizations responding to an active cyber event, but as a guide for developing recovery plans in the form of customized playbooks,” the authors explain in the executive summary. “As referred to in this document, a playbook is an action plan that documents an actionable set of steps an organization can follow to recover successfully from a cyber event.”