Remote work era security: How to recover data after a cyberattack

Cyberattacks are up as the workforce goes remote. Here's what you need to know about data recovery if your organization is targeted

Recovering data after a successful cyberattack is more complex than the typical disaster recovery (DR) process – and it’s a situation companies are facing with increasing frequency these days.

According to a recent survey, 91 percent of enterprises experienced a rise in cyberattacks as a result of the new remote workforce. Ransomware attacks are up 72 percent since the beginning of COVID-19, and mobile vulnerabilities have climbed 50 percent.

While you should have controls in place to protect your critical data from cyberattacks, you must also be prepared to recover your data if those controls fall short. Here’s what you need to know to recover data following a cyberattack.


Recovering data is a different type of recovery

If you approach data recovery thinking it’s covered by your longstanding disaster recovery (DR) program, stop right there.


Traditional DR plans and capabilities are rarely sufficient in this case because the physical infrastructure is often unharmed. Recovering data in the aftermath of a cyberattack is a very different recovery case from physically focused data center disaster scenarios.

Compromised data recovery happens differently, and it’s important to recognize and plan for these differences. If you don’t, your data recovery efforts will suffer, in terms of both delays and data loss.

The differences between data recovery and DR fall into four categories:

  • Triggering event: DR focuses on recovering infrastructure, applications, and network services following a data center compromising event; data recovery is about recovering data after a data compromising event.
  • Production impact: In a physical disaster, you leverage data that is typically already backed up within your recovery environment. In essence, you are standing up a new or temporary production environment. In a data recovery effort, you typically recover data in place, meaning you move “clean” data back into the original production environment.
  • Data focus: Data used in DR efforts is the data that was most recently backed up. In a compromised data situation, however, the most current backup data may have been compromised as well. Therefore, you need to analyze candidate data to find the latest available “clean” data. If your data backups are compromised, it may take days or much longer to sort it all out.
  • Likely recovery objective success: In DR, you should be able to meet recovery time objectives (RTOs) and recovery point objectives (RPOs) if your testing has been successful. In data recovery, RTOs and RPOs are rarely met because of the time needed to understand the nature of the attack and to find “clean” data.

The differences between these recovery cases are significant enough that data recovery requires special attention and planning.


Questions to ask with every data recovery effort

A DR effort is well-defined. It follows a scripted path, and you can rehearse it through proper testing. Compromised data recovery doesn’t behave that way – every situation is unique.

When the integrity and availability of your data are compromised by a cyberattack, you need to consider additional factors:

  • Do you have clean malware-free data that is not beyond its shelf life and is still of value to the business?
  • Do production machines need to be rebuilt, replaced, or hydrated? Should you use new ones that were never on the network?
  • If you’re in a ransom situation, are you willing to pay the ransom if it means you can recover faster and more cheaply?
  • Should you try to recover and negotiate a ransom in parallel?
  • How can you recover data while keeping unimpacted production operational?

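The "Data focus" difference above and the first question in this list both come down to the same task: screening candidate backups for the latest copy that is clean, verifiably unchanged since it was taken, and still within its shelf life. The following is an added illustration, not code from the article or from Sungard AS; the labels, dates, digests and payloads are constructed sample data, and the digest recorded at backup time is assumed to be stored in the secured environment rather than alongside the backup.

```python
# Added example (not from the article): choose the latest "clean" backup copy when the newest copies may themselves be compromised.
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class BackupCopy:
    label: str
    taken_at: datetime
    payload: bytes         # what is on the backup medium now
    recorded_sha256: str   # digest recorded in the secured environment at backup time

def make_copy(label, taken_at, payload, tampered=False):
    """Build a sample copy; tampered=True simulates ransomware rewriting the medium later."""
    digest = hashlib.sha256(payload).hexdigest()
    return BackupCopy(label, taken_at, b"<encrypted>" if tampered else payload, digest)

def reject_reason(copy, compromise_start, shelf_life, now):
    """Return why a copy is unusable, or None if it is a clean candidate."""
    if hashlib.sha256(copy.payload).hexdigest() != copy.recorded_sha256:
        return "checksum mismatch: contents changed after the backup was taken"
    if copy.taken_at >= compromise_start:
        return "taken after estimated compromise start: may carry attacker changes"
    if copy.taken_at < now - shelf_life:
        return "beyond shelf life: no longer of value to the business"
    return None

def latest_clean_copy(copies, compromise_start, shelf_life, now):
    """Return (latest clean copy or None, {label: reason} for each rejected copy)."""
    rejected, candidates = {}, []
    for copy in copies:
        reason = reject_reason(copy, compromise_start, shelf_life, now)
        if reason is None:
            candidates.append(copy)
        else:
            rejected[copy.label] = reason
    chosen = max(candidates, key=lambda c: c.taken_at) if candidates else None
    return chosen, rejected

# Constructed scenario: forensics estimates the intrusion began on 5 Sep; shelf life is 30 days.
NOW = datetime(2020, 9, 10)
COMPROMISE_START = datetime(2020, 9, 5)
SHELF_LIFE = timedelta(days=30)
COPIES = [
    make_copy("daily-0909", datetime(2020, 9, 9), b"records v9"),
    make_copy("daily-0904", datetime(2020, 9, 4), b"records v4", tampered=True),
    make_copy("weekly-0830", datetime(2020, 8, 30), b"records v3"),
    make_copy("weekly-0823", datetime(2020, 8, 23), b"records v2"),
    make_copy("monthly-0731", datetime(2020, 7, 31), b"records v1"),
]
```

Running `latest_clean_copy(COPIES, COMPROMISE_START, SHELF_LIFE, NOW)` selects `weekly-0830` and records a reason for each rejected copy, which is the audit trail the information security team needs when validating data for repatriation into production.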
Beyond these questions, you should also identify your vital data assets (VDAs). While this data may not be top tier within your DR program, or even part of your DR program for that matter, it is still essential to the business. For example, in the pharmaceutical industry, we could be talking about information that supports key growth initiatives, like data on a 10-year study or an FDA product approval.

This is data so important that, if compromised, it could permanently damage the viability and mission of your organization.

You’ll also need a defined program in place to ensure your organization can recover data effectively and efficiently.

Create a compromised data recovery architecture

Effective cyber-compromised data recovery starts with a 3-2-1-1 recovery architecture:

Three areas of separation

  • People – utilize a separate backup team
  • Process – utilize separate backup processes
  • Technology – utilize separate backup technology

Two recovery strategies

  • Data recovery – implement strategies to back up and restore identified VDAs
  • System recovery – implement application and system recovery

One offline copy

  • Maintain a minimum of one off-network or immutable copy. You can and should increase the number of historical copies for extra protection.

One secured environment

  • Maintain a secured environment for isolated data backups, analysis, clean copy identification, recovery, etc.

In addition to a well-defined architecture, you’ll need a capable and prepared team to execute the plan.

Establish a multi-faceted team

Your cyber-compromised data recovery should be guided by a specialized plan that coordinates and directs the multiple disciplines you’ll need to be involved in the response.

Your information security team is responsible for removing malware, performing forensics, and validating that the data targeted for repatriation into the production environment is clean.

Your infrastructure, operations, and DR teams are responsible for standing up a safe space for analyzing candidate data prior to moving it into production, rebuilding servers from bare metal to assure they are malware-free, and determining what other data may need to be rolled back to ensure proper synchronization.

Business continuity (BC) plays an important role as well. BC strategies should be pre-defined to support the organization in the event of extended data unavailability or permanent data loss beyond the established RTOs and RPOs for disaster and emergency response (DER).


Ensure this multi-disciplinary team is ready to respond effectively and decisively in the aftermath of a successful cyberattack by regularly testing your plan for different scenarios.

How to ensure your data is recoverable

Data recovery is different from DR. It requires special planning, management, and capabilities.

By recognizing the differences between these two recovery cases, identifying VDAs, creating a well-defined architecture, and consistently and regularly testing your plan to ensure your team is ready to respond, you’ll be better positioned to recover data after a successful cyberattack.


As a Principal Consultant at Sungard Availability Services (Sungard AS), John Beattie works closely with organizations to implement third party risk management programs, and reduce operational risk by establishing new business continuity and disaster recovery programs or transforming existing ones to improve effectiveness.