Every disaster preparedness strategy starts by asking the right questions. Do you have a team? Does that team have a plan? What’s in that plan?
Organizations have been asking these kinds of questions since before the cloud. If a mainframe flooded or a Californian data center caught on fire, organizations still asked 1.) who needs to be called and 2.) what should they do about it? These have always been considerations, but now we have a fancy term for it. When the disaster is related to a cyberattack, the vernacular de jour is an “incident response plan” or IRP.
The reason why IRPs, or cyber incident response (CIR) plans, are talked about a little differently than other disaster recovery (DR) plans is because they have some different components. Cyber disasters pull in teams that IRPs might not have to utilize for more straightforward disasters. In those events, organizations are going to call on risk and compliance teams, in addition to possibly getting legal and outside counsel involved.
The nuance behind these different responses (i.e., DR vs. incident response plans) comes in because, in the case of ransomware incidents, your organization has an active adversary who is maliciously trying to stop you from carrying out your IRP. This is not the way things would be if you were responding to a natural disaster or human accident.
When you think about a normal IT crisis at-scale, you think of a fire, flood, hurricane, or tornado. In all these cases, it is an IT-centric crisis, so the business is essentially just waiting for IT to resume services. When you talk about cyber incidents, one of the most important differentiators is that you’re actively being threatened by a bad actor. Beyond that, there’s the pragmatics of completing the recovery too. For example, if you’re recovering from a flood, you recover the servers that are dripping wet. If you’re recovering from fire, you recover the ones that are crispy. Easy, right? However, being able to assess and recover servers that are still blinking and running can be an arduous undertaking.
What is an IRP?
IRPs focus directly on actions that should be taken in case of a cyberattack or other outage. IRPs can also be housed within a broader DR plan, or they can be used in parallel. These recovery plans are crucial because the impacts of a cyberattack often aren’t as transparent as the results and damages that can be seen from other types of disasters. For example, if there is a tornado, people understand that you might be down because your data center got wiped out. However, in the event of a ransomware attack, the goodwill of the general public is in much shorter supply.
As such, you must exercise higher levels of caution with regard to what information you release, what you say, and to whom you say it to. Often, in events like cyberattacks, there are regulatory statutes in place that give you somewhere between only 24 and 72 hours to report the attack. Having an IRP in place helps your organization launch a much more comprehensive recovery effort while making the most of the window of time before the news of your attack becomes public.
The case is clear for having a team and having a plan. In fact, out of the 1,200 victims surveyed in the 2024 Ransomware Trends Report, all but 2% had a team, and all but 3% of those had a plan already in place. So, a total of 95% of the victims did have a team and a plan. To dive deeper into those stats, here’s an Industry Insights livestream you can watch to catch up on what the data said.
There are several key actions in an CIR plan that we also want to highlight to help you plan your organization’s rapid recovery. These actions include detection, containment, eradication, recovery, and learning.
Detection
Veeam integrates with third-party security tools and techniques to help detect and identify indicators of compromised data within backup archives as part of the backup process. Veeam also alerts and passes security events to other SIEM systems, which can trigger backups if needed. These features ensure that the relevant teams receive appropriate alerts and that a broader communication plan has been established.
Containment
This aspect often takes the form of content analysis, indication, and isolation of compromised data. This can prevent data destruction on relevant infrastructure through hardened deployment and security protocols like encryption. Air gaps can also be applied at a logical, protocol, and physical level through multi-stage and diverse repositories.
Eradication
Scanning for indicators of compromise and having them identified in the Veeam console stops compromised data from being restored. Further comparisons can be made with production data to ensure the consistency of restored data. In addition, Secure Restore provides “in-flight” scanning as part of the restore process to prevent reinfection.
Recovery
Since it’s difficult to know exactly which attack vector will be used, the exact angle of compromise, or how the broader infrastructure will be impacted, it is imperative that you have flexible, platform-agnostic recovery options. At scale, orchestration and automation can also reduce human error and provide faster recovery outcomes.
Learning
Veeam Data Labs can be used for forensic and root-cause analysis. Veeam audit reports and alert trails may also provide further investigatory evidence. Automated recovery plans can also execute documentation that can provide guidance on adjustments that need to be applied during the preparation phase.
The Necessity of a CIR Plan
Like many best practices, their necessity is most felt in their absence. If your organization doesn’t have an IRP in place, you could face the full ramifications of an attack — ones that go well beyond just financial hits. On an organizational level, the 2024 Ransomware Trends Report called out:
- 45% increased pressure on IT and security teams
- 23% reduced customer confidence
- 22% damaged brand reputation
- 22% exposure disclosure of data to public
- 21% loss of data
On an individual level, 45% said that their workload greatly increased and 40% said that their stress also greatly increased. Your organization’s IRP doesn’t only have to account for the results of the outage; you also have to consider the figures around financial losses, reputational damage, and all related issues that your organization could suffer.
The Essential Pillars of a Strong CIR Plan
Your security team, your executive team, your corporate communications team, and your IT infrastructure team are all going to be some of the first calls made in the event of an attack and are therefore crucial pillars of your CIR plan.
A way to take a fresh look at this data is to ask, if you had a breach — and let’s say the bad actor did all the worst possible things — who are you going to invite to the meeting after that incident to discuss what happened? What teams should be involved in that conversation? Since every single role that would be in that meeting two weeks after an attack ought to have a seat at the planning table, they should also be involved either as an active participant or a stakeholder in the team development and IRP formation.
With this in mind, one of the best ways to make sure all your key players are in the recovery room is to create a designated response team. Specifying a team of internal IT staff, security professionals, and even external consultants is another crucial pillar of a successful IRP.
Some best practices for assembling this team include:
- Involving legal and PR representatives to manage the broader fallout.
- Clearly defining the roles and responsibilities of who should do what during an incident, including decision makers, technical experts, and communications leads.
- Documenting critical asset inventories, network maps, system configuration information, and vendor/partner contacts.
- Developing step-by-step playbooks and procedures for common attack types (e.g., ransomware, phishing, etc.).
Once you have your team in place, it’s time to make sure they’re able to detect and analyze any threat that comes your way.
- Invest in firewalls, intrusion detection systems (IDS), endpoint protection, and Security Information & Event Management (SIEM) platforms for centralized log analysis.
- Configure your devices and systems to generate detailed logs and actively monitor them for anomalies and suspicious activity.
- Train employees to spot phishing emails, suspicious links, and unusual system behavior.
In addition to the all the internal teams, 94% of cyber victims also engage third parties as part of their remediation efforts, including backup vendors, security vendors, reseller partners or service providers, forensics specialists, and ransom negotiators. The last two are especially notable since Veeam recently acquired the industry leader in forensics and negotiation, Coveware, to limit the damage (and therefore claim size) that a ransomware attack can have on your organization.
Post-Incident Activities
In the aftermath of an attack, one of your first actions should involve a root cause analysis. Many cyber victims talk about zero-day exploits that are taken advantage of by clever, cutting-edge hackers. The truth is, according to the experts at Coveware, most breaches are not caused by super sophisticated hacks. Instead, most breaches are caused by people not securing remote access endpoints that are connected to the internet or not patching things after a critical vulnerability was discovered six months ago.
The root cause analysis on these things is frequently discouraging since these are errors that shouldn’t happen but are a risk nonetheless since organizations aren’t patching as frequently as they should. Maybe they don’t have multi-factor authentication (MFA) on all their systems or maybe it’s something else — there are so many different factors that can end up being the root cause of a breach.
In addition to analyzing the attack, you must remain aware of reporting and compliance requirements around the incident. After all the dust clears, you can use this analysis and the lessons learned to revamp your IRP, address what gaps need fixed, and learn how to be more resilient in the face of future attacks.
Veeam’s Role in Cyber Incident Response
Of the 1,200 organizations that suffered attacks in the report, the top three components of their CIR plan were:
- Viable backups.
- Assuredly clean backups.
- A plan that alternate infrastructure could failover to.
Veeam can help meet those needs in a variety of ways with a wide range of tools and supports cyber incident response plans by promoting the zero-trust model. This way of thinking assumes a breach is an inevitability and that the threat actor is already in your network. If you assume this and prepare your organization accordingly, then you have a good chance of surviving an attack. If you are not in the mindset of assuming that bad actors are going after your data, you will lose the fight. Bad actors target backups in 96% of attacks according to Ransomware Trends Report 2024.
Veeam is software only, which means there’s no long wait times behind implementing Veeam-level protection. You can use whatever pre-existing cloud services or hardware you already have and Veeam has multiple ways within that flexibility to guarantee immutability for your environment that means your data really will survive.
Testing
You don’t want your first time checking if your recovery works to happen after the attack. Test your IRP by running simulations. Through these tests, organizations often discover things that they’ve left out or maybe haven’t thought of before. To pull a statistic from the 2024 Data Protection Trends Report, when organizations tested their large-scale recovery capabilities, only 58% of the organization’s servers came back online within their expectations.
When organizations tried to do an IT recovery in the past, on average less than three out of five servers came back online when expected. And that’s even when you knew which servers needed to failover and were able to triage what could be infected before you began. In this day and age, if you think about cyberattacks as a more complex and arguably more dangerous version of any other IT disaster, then consider trying to hit the easy button on DR: Veeam Recovery Orchestrator.
Cyber Insurance
Like many insurance policies, one of the values of cyber insurance, especially lately, is that it’s harder to get unless you’re already doing the things you ought to be doing anyway. It serves as a forcing function. If your organization’s risk management program mandates that you have cyber insurance, you’re going to have to do a lot of the things that are being talked about in this blog in order to get it, since cyber insurers are getting a lot more prescriptive about what they expect. Collaborate with outside teams, like Coveware’s incident response team, a Managed Security Service Provider (MSSP), or incident response consultant to ensure your team has the highest level of expertise and preparedness.
Insurers also want to see an organizational emphasis on inter-departmental and vendor collaboration. An infallible incident response plan relies on open communication between departments, vendors, and possibly law enforcement.
The Time to Act is NOW
Cyber threats are relentless and ever evolving. Don’t wait for an attack to force you into action! Proactive cyber incident response planning is not optional; it’s an investment in your business’s survival. It’s about:
- Minimizing damage: Detecting attacks early and acting swiftly to limit their impact.
- Protecting your reputation: Demonstrating preparedness builds trust with customers and partners.
- Fulfilling your responsibility: You owe it to your stakeholders to safeguard their data and your systems.
Veeam can be your ally in preparing for and recovering from cyber incidents and our secure backup and recovery solutions are designed to be your last line of defense. Ready to explore how Veeam can reinforce your data resilience? Contact us today for a personalized assessment or explore the resources below:
Don’t let cyber disasters dictate your future. Prepare. Respond. Recover.