Ransomware has increased the emphasis on organizations putting together a viable cyber resiliency strategy. This entails organizations appropriately identifying and classifying which of the software they use falls under the cyber resiliency umbrella. However, they must do more than simply identify products as cyber resilient. They must also validate that those products satisfy the established goals that make a product cyber resilient.
Classifying products as integral to an organization’s cyber resiliency strategy may not mean the offerings themselves are cyber resilient. Organizations should evaluate products used as part of their cyber resiliency strategy in the context of the four goals as laid out by NIST. Each product’s ability to meet each goal helps organizations quantify its viability in their overall cyber resiliency strategy.
Cyber Resilient Goal #1: Anticipate
DCIG finds it almost a statistical certainty that every organization will at some point experience a ransomware attack. This likelihood of an attack translates into the need for each cyber resiliency offering to expect an actual attack to occur.
In anticipation of an attack, cyber resilient products should continually take steps to defend themselves. These preparations may show up in various ways. A product may:
- Utilize third parties that monitor and alert on ransomware attacks occurring regionally, nationally, or globally.
- Monitor the hardware and network resources it uses for any unusual or suspicious activity.
- Take steps to scan and analyze the data under its management to detect ransomware.
In short, products should continually monitor their own health and the environment in which they operate to prepare to act appropriately.
Cyber Resilient Goal #2: Withstand
Knowing they will experience a ransomware attack does not mean organizations know in advance how an attack will occur. For instance, an attack may occur either covertly or overtly over a period of hours, days, weeks or even months. This puts the onus on organizations to implement software and technologies that can withstand both overt and covert ransomware attacks.
Overt ransomware attacks, while potentially disruptive and devastating, do have one advantage over covert attacks. These attacks often begin to immediately impact IT and business operations. Software and technologies core to a cyber resiliency strategy simply need to survive and remain operational during this period. Organizations may also optionally take these systems offline or air gap them to secure them.
In the case of a covert attack, organizations may fail to recognize it. As such, organizations must ensure their cyber resilient software and technologies protect themselves over long periods. Cyber resilient software and technologies should secure and monitor all activity that occurs on them to withstand covert attacks. Otherwise, if a covert attack becomes overt, organizations may find their cyber resiliency solutions already irreparably compromised.
Cyber Resilient Goal #3: Recover
Achieving the first two goals to ready and secure their cyber resiliency software and technologies does not prevent a ransomware attack. Ransomware may still circumvent their cyber security solution and encrypt part or all of their production environment. Meeting these first two objectives only positions organizations to recover.
This requires organizations to take heed. An operational cyber resiliency solution only positions organizations to recover. It provides no guarantees as to the success, speed, completeness, or outcome of the recovery.
For example, DCIG knows of a ransomware attack that compromised production systems. The organization first had to replace the production hardware and software before it could restore its applications and data. In another example, the only ‘good’ or clean backups an organization possessed resided on tape. Unfortunately, these were not viable for recovery. The restorations took too long to complete. Further, the data was outdated for recovery purposes.
Organizations need to configure their cyber resiliency solution to place the right data on the right storage media. This placement ensures they can recover as quickly as they need. This media may be the cloud, disk, flash, tape, or some combination thereof. They also must test their recovery processes to account for either covert or overt ransomware attacks.
Cyber Resilient Goal #4: Adapt
This last goal represents perhaps the most difficult one for organizations to consistently achieve. IT environments change regularly within organizations. Aggravating the situation, these changes may occur with little notice and without consideration for the impact they have on the cyber resiliency strategy.
To keep their cyber resiliency strategy viable, organizations must identify ways to monitor and track changes to their IT environment. Only by doing so can their cyber resiliency solution adapt to these changes as they occur.
Organizations may still find it impractical for their cyber resiliency solution to adapt in real time as production changes occur. However, they can identify and deploy cyber resiliency solutions that monitor their environment. In this way, the cyber resiliency software and technologies may adapt sooner rather than later.
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-160v2r1.pdf. Pg 26. Referenced 4/20/2022.