After a Breach: 5 Recovery Steps to Take

The “after” phase of a security event is an especially tricky and stressful time. This article covers steps you can take to recover in the aftermath of an attack.

recovery steps

6 minutes
image_pdfimage_print

Hopefully you’ve followed the necessary cyber recovery steps to prepare for the “before” and “during” of an attack. Here, I’ll discuss what to do next as you bounce back, reduce reputational damage and risk, and minimize the overall cost to your organization

In a recent Pure roundtable, four top CISOs discussed what organizations should really do in the moment post-attack. “Counter activity is important, but reactive activity is even more important,” one CISO explained. “Because it’s a question of when, not if.”

The reality is, you’ll recover from the attack eventually, as most organizations do. But the quality of your recovery is contingent on the quality of your response

Said another CISO, “It’s all about the ability to respond.”

Reality Sets In: What the Heck Just Happened???

When the worst happens and a threat turns into an actual attack, it’s time to calm down, get serious, and tally up the damage. Depending on the type of attack or security event that has occurred, you could be looking at these situations:

  • Files are encrypted, likely in tandem with a message sent including the attacker’s demands.
  • Your choice: to pay or not pay the ransom. Perhaps you’re sent to a website on a .onion domain where you can meet a negotiator for the attacker, agree to a ransom amount, and transfer a cryptocurrency payment to the attacker. After payment is received, the attacker might provide the private keys required to decrypt/recover the files—but there are no guarantees. 
  • Data is exfiltrated. An attacker may also use any exfiltrated data in a secondary attack, demanding payment to not post those files on the public internet.
  • Data is wiped. Wiperware is a highly destructive form of malware whose objective isn’t financial gain—it’s destruction. It aims to cause damage, disrupt operations, or even sabotage a target’s infrastructure. If your attackers choose wiperware to attack the organization, there’s typically no negotiation to get the damage reversed. 

5 Steps to Take After a Ransomware Attack

At this point, you’re working to minimize the damage, get back online, and alert the right people to the consequences. You’ve already got a response plan, but there’s a big difference between making a plan and putting it into action in the heat of the moment. Let’s look at how to follow up on an attack efficiently and in ways that deliver peace of mind. 

1. Prioritize Tier 2 systems for recovery and restoration based on your response plan.

In my part 2 covering during an attack, I noted that one of the key things to do mid-attack is obtain a clean copy of your data for migration to a staged recovery environment. This way, you can place the bare-minimum mission-critical systems back online. 

Next, begin prioritizing recovery and restoration of other systems.

Application restoration priorities or tiers should be well-defined so that business units know the timeline for restoring applications—and there are no surprises. The planning should include critical infrastructures such as Active Directory and DNS. Without these, other business applications may not come back online or function correctly.

2. Continue forensics efforts in tandem with your cyber insurance provider and any regulatory agencies.

Work with your forensics experts to uncover more details, such as: 

  • Were encryption measures enabled when the breach happened? 
  • What’s the status of backed-up or preserved data? 
  • Review logs to determine who had access to the data at the time of the breach. Who currently has access, do they still need that access, or can their access be limited or revoked? 
  • What types of data were compromised? Who was affected, and do you have their contact information? 

As you gather forensic reports, it’s important to do so in collaboration with the proper authorities including law enforcement, such as the FBI, and regulatory agencies that need to be involved—as well as your insurance provider.  

Related Reading: Changes Continue in Cyber Insurance 

3. Restore to an offline sandbox environment that allows teams to identify and eradicate malware infections.

I’ve recommended leveraging tiered security architectures and “data bunkers” on a few occasions. This approach can help you retain and protect large amounts of data and make it available immediately. 

As you begin to restore, check network segmentation. When your network was created, it was likely segmented so that a breach on one server or in one site couldn’t lead to a breach on another server or site. Work with forensics experts to analyze whether the segmentation plan was effective in containing the breach. If you need to make any changes, do so now. 

Learn about the Pure Storage ransomware recovery SLA, which ships clean arrays to use in recovery post-attack.

4. Keep the business informed of the progress of recovery efforts.

Create a communication plan that includes all affected audiences—employees, customers, investors, business partners, and other stakeholders. Don’t make misleading statements about the breach. Anticipate questions that people will ask. Address top-tier questions and provide clear plain-language answers. This can help limit customers’ concerns and frustration, saving your company time and money later.

Also, don’t publicly share information that might put consumers or the company at further risk. 

Read “8 Questions to Ask Your Security Team” for help with mapping out response and communication plans.

5. Investigate the third-party/service provider angle.

Were any third-party service providers, partners, or suppliers involved in the breach? Examine what personal information they may be able to access and decide if you need to change access privileges. Now is a good time to ensure your service providers are taking the necessary steps themselves to prevent another breach. If your service providers say they have remedied vulnerabilities, ask for verification this has occurred. 

Hacker's Guide to Ransomware Mitigation and Recovery

Your Key to Recovering After an Attack: SafeMode™ Snapshots from Pure Storage

As one CISO put it: “Sure, you can practice, but rehearsal won’t change what happens in the moment.” In short, this is the heat of battle, and there’s more to it than just running the processes you’ve practiced. From an incident response perspective, it’s more about managing people, egos, panic, and fires.

The successful approach is to test all of these processes and procedures in real life—or as close to real-life scenarios as possible—where decisions need to be made in a matter of seconds, not minutes. You’ll use whatever you have, which goes back to the best part of having Pure Storage immutable snapshots to go back to and look at.

Here’s where Pure Storage peace of mind from immutable snapshots can be priceless.

Stay Cyber Resilient with Pure Storage

Knowing the challenges you’ll face first and the immediate steps you can take after an attack’s early stages can help minimize loss, cost, and risk. Pure Storage can help you take swift action at the “after” stage by:

  • Driving the industry’s fastest rapid recovery rates of backed-up data (petabytes per day)
  • Supporting fast forensics recovery processes via instant, space-saving snapshots
  • A cyber recovery SLA to ship clean arrays after a ransomware attack or disaster

For more information and guidance, check out these two helpful resources:

Revisit part one for advice on the “before” phase of an attack and part two for the “during” phase of an attack.