Responding to destructive cyber-attacks
With Russia and Ukraine consistently in the news there is more focus on the likelihood of cyber-attacks on Ukraine’s electric grid and the potential of retaliatory attacks on Europe and the United States given the possibility of sanctions on Moscow. The New York Times reports that the top US cybersecurity official met with NATO to discuss how to prepare, deter and perhaps disrupt any Russian cyber-attacks.
Many organisations have seen destructive attacks and are predicting more, both on Ukraine and its allies (including Europe and the United States). Our previous advice will stand organisations in good stead, in particular practicing incident response plans, which we focus on in more detail here:
Incident response needs to go further
Your incident response planning should go down to the most basic level: practicing how you would restore systems with only the most basic means available to you. Simply practicing restoring files is not enough.
Typically, destructive attacks stop devices from booting and cripple core network services such as your AD and DNS, which backup services often rely on. In addition, many enterprise systems, such as WiFi and access switches, are integrated with these services, which can increase your attack surface or simply further diminish the recovery options available to you.
As a result, it’s critical to consider how you could fully reinstall, from offline media, with non-bootable servers, network devices and endpoints. Relying on network and cloud backup is not likely to work: if your OS won’t boot, most backup software won’t run, and if an attacker gets hold of cloud credentials they will simply delete all cloud files, including backups. It’s also likely that your backup software needs the network, needs to authenticate or relies on DNS, all of which could be out of action.
‘Break-glass accounts’ and ‘bare metal’ restore processes could be critical
Many organisations will have ‘break-glass accounts’ – those that are off the network and could be used to physically access a site or device following a destructive attack and plug into it directly. However, these only work so long as the software and network configs are backed up in advance (and offline) and backups go far enough back to a point you are confident the threat doesn’t exist. Consider how you would reset a device completely or reinstall it from fresh and then re-establish authentication and restore critical data.
Backups that would work for a ‘normal’ ransomware attack are not likely to work in a destructive attack, as described above. Effective backups in these situations typically need to be offline (the traditional tape or removable hard drives) and need to include a ‘bare metal’ restore process, and even how to reinstall the firmware or BIOS from known good sources.
A key challenge here, without forward planning, is that AD will normally need to be restored first. Forethought is paramount, as AD is often poorly backed up: are you confident your AD is being backed up effectively, and can you ‘bare metal’ restore it? Without this planning your offline backups can be missed, making recovery that bit harder and more costly.
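One way to answer the AD backup question above, as an added example that is not part of the original post: query each domain controller’s Windows Server Backup status, flag backups older than the forest tombstone lifetime (an AD backup older than that cannot be used for a restore) and flag backup targets on network shares, which are exactly what is likely to be unreachable after a destructive attack. It assumes the RSAT ActiveDirectory module on the admin host, Windows Server Backup installed on every DC and WinRM access to each DC; the cmdlets are Microsoft’s, the script itself is hypothetical.

```powershell
# Added example, not from the original post. Assumes: RSAT ActiveDirectory
# module locally, Windows Server Backup on each DC, WinRM access to each DC.
Import-Module ActiveDirectory

# Tombstone lifetime lives on the Directory Service object in the config NC.
# If the attribute is unset the forest default of 60 days applies.
$dsPath = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tsl = (Get-ADObject -Identity $dsPath -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        # Ask the DC itself for its last backup; Get-WBSummary is local-only.
        $s = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        }
        $age    = if ($s.LastSuccessfulBackupTime) { (Get-Date) - $s.LastSuccessfulBackupTime } else { $null }
        $target = $s.LastSuccessfulBackupTargetPath
        [pscustomobject]@{
            DC             = $dc
            LastGoodBackup = $s.LastSuccessfulBackupTime
            AgeDays        = if ($age) { [int]$age.TotalDays } else { 'never' }
            # Usable for an AD restore only if younger than the tombstone lifetime.
            Restorable     = ($null -ne $age) -and ($age.TotalDays -lt $tsl)
            Target         = $target
            # A UNC path means the backup depends on the network (and usually on AD/DNS).
            NetworkTarget  = [bool]($target -and $target.StartsWith('\\'))
        }
    } catch {
        [pscustomobject]@{
            DC = $dc; LastGoodBackup = $null; AgeDays = 'unknown'; Restorable = $false
            Target = "error: $($_.Exception.Message)"; NetworkTarget = $false
        }
    }
}

$report | Format-Table -AutoSize
```

Any DC showing Restorable = False or NetworkTarget = True is one you could not bare-metal restore from an offline copy today.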
Focus on your incident response plan: how quickly you could DETECT and then CONTAIN / ISOLATE a threat to reduce damage is key here. How quickly could your organisation do this 24/7/365? Being properly prepared to RECOVER when your network and authentication services are taken out will give you the best chance of reducing impact.
Some of this may seem to be over-the-top and aimed to scare organisations, but by planning for the eventualities of a destructive attack, whether that’s in the next few weeks or years from now, you will improve your overall incident response and recovery capability.
You likely have most of the technology, people and processes already, but have you thought through this end-to-end process, documented it and tested it? If not, that’s where to start – and it’s simply good IT best practice, so why not make it a priority today?
Contact us today to talk about your incident response plans or for any further advice.