Securezoo Articles
By Frank Crast, 1/3/2017

This year could be one of the most important years in recent memory for organizations of all sizes to plan and prepare for the inevitable cyber attack. Although there is no substitute for proactive cyber defenses to prevent future attacks, the National Institute of Standards and Technology (NIST) has released some good guidelines to help organizations in one critical area, "Cyber Event Recovery," which is needed to minimize the impact of such cyber events if and when they do occur.

The new NIST publication, "SP 800-184 Guide for Cybersecurity Event Recovery," helps organizations recover more rapidly from security incidents and minimize the impact of data breaches. Good recovery planning also includes learning from past mistakes.

The CyberSecurity Framework

The guide comes after the Federal Government established the Framework for Improving Critical Infrastructure Cybersecurity, or "CyberSecurity Framework" (CSF), which includes five functions, all critical for a complete cyber defense: 

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

The last and final phase, "Recover," is defined by the CSF as the process to "develop and implement the appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity event."

According to the new NIST guidelines, Recovery can also be broken up into two phases: 

  • Tactical: the execution of a recovery playbook (see "Planning for Recovery" below; the playbook should be completed before an incident takes place)
  • Strategic: continuous improvement to minimize the likelihood and impact of future incidents. 

The tactical phase of the event recovery process is described in the next section. 

Planning for Recovery

Planning for a "Cyber Event Recovery" needs to take place before a major event actually occurs. For example, your organization should identify the key critical assets and systems that are central to its mission. Those systems should be continuously assessed so that their weaknesses and dependencies are well understood and addressed. 

A summary of some of the Recovery Planning recommendations from NIST: 

  • Identify key people responsible for defining recovery plans and understand their roles and responsibilities. 
  • Create a list of key people, processes and technology assets that are needed to achieve the organization's mission (along with their dependencies)
  • Enterprise resiliency: organizations need to understand "how to be resilient" and plan to operate in a diminished capacity (to include cyber events)
  • Ensure there is a Cyber Incident Response Plan (CIRP) that is part of your organization's larger Business Continuity Plan (BCP)
  • Planning should be based on prioritizing resources relative to importance
  • Remember to document and maintain Recovery processes and procedures
  • Make sure to have a Recovery Plan that also includes:
    • Service Level Agreements (SLAs), such as availability percentage, maximum allowed downtime, etc. 
    • Primary contacts - two or more management staff
    • List recovery team members
    • Recovery details and procedures with diagrams
    • "Out-of-band" communications
    • A communication plan that includes how to notify/escalate communication to outside organizations, legal, public relations and HR during a cyber event
    • Offsite storage
    • Operational workarounds for when systems can't meet Recovery Time Objectives (RTOs)
    • Facility recovery details
    • Maintain a list of infrastructure, hardware and software that are used during the recovery process
    • Determine Recovery initiation and termination criteria and goals
    • Determine root cause and containment strategy.

Once the Recovery Plan and related activities are documented and executed, organizations can then focus on "continuous improvement."

Continuous Improvement

Recovery plans, policies and procedures should be continuously improved based on lessons learned during the recovery efforts. 

The recovery efforts can be used to identify weaknesses in technologies and processes and so improve your organization's security posture. Make sure to get feedback from the stakeholders involved in the process, and conduct post-exercise debriefs to analyze and incorporate lessons learned and to improve employee competencies related to recovery objectives. Recovery personnel should also document issues as they arise, so that the record can inform future debriefs. 

Also included in the NIST guidelines are some good examples of Cyber Event scenarios, including a network breach and a destructive malware event. For each scenario, guidance is included on how the playbook would be executed. 

Finally, the first Appendix also includes a handy "Checklist of Elements" that should be included in a playbook: A1, or "pre-conditions" for effective recovery (such as the list of people and technologies, the communication plan, etc.); A2, or the "tactical recovery phase" (initiation, execution, termination); and A3, or "Strategic Recovery" (such as metrics, plan improvement, etc.). 


Topic: Business Continuity Plan (BCP), Disaster Recovery Plan, Security Monitoring