  • Julie Liu

So You've Declared a Disaster. Now What?

Mitigation => Contain, Eradicate, Recover. Document.

Your critical computer systems have become infected beyond repair. An insurmountable volume of your sensitive data has been lost, stolen, and corrupted. Your day-to-day business operations have come to a near standstill, and you have reached your maximum tolerable downtime. You declare the incident a disaster. Now what?


Business Continuity and Disaster Recovery planning costs lots of money with little immediate return, but these plans are essential to ensuring a quick recovery from an adverse event. Hopefully you have invested in this important capability -- now is the time to call upon your team and put your plan to the test.


What if you have no team and you have no plan?


Then you must put together a vetted team of experts that can act quickly to contain, eradicate, recover, and DOCUMENT. Only then can you start to learn from your mistakes and prevent another disaster declaration.


Before you can even start, you need to figure out how you will communicate. Assemble a "command and control" center. Weigh your available options - your email servers might all be compromised, your file servers are gone, so you don't have a list of all the important contacts in one place. Who will communicate to the public with a clear and unified message? You MUST figure out your communication channels first.


Containment - You must prevent further infection. It is too late for haphazard isolation. If this means powering off almost all your systems, then you power off your systems. If this means sealing off your network by disconnecting all your incoming and outgoing connections, then you disconnect.


Eradication - You must fix your vulnerabilities and thwart the "enemy". Root out the weaknesses that brought you to this state. Figure out what happened and how far it reached. You might have to implement a rigid, but thorough, anti-malware platform that makes all your systems slower, yet offers 100% eradication. You might have to change all your authentication and authorization servers. You might have to get rid of extraneous systems and third-party vendors. And don't forget to preserve and keep track of all your forensic evidence. You will need this "epidemiological" data! If you cannot completely address your initial vulnerabilities, you will not be able to progress to recovery.


Recovery - Return to normal. Bring your critical systems back first. You have an estimate of how long each system takes to restore, and you have a list of your prioritized assets. Refer to your dependency map (which you hopefully have) to know the order in which your systems must come back online.
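
As an added illustration (not part of the original post), here is one way to turn a prioritized asset list, restore-time estimates, and a dependency map into a restore order. The system names, priorities, and hours are constructed; the sketch assumes one team restoring systems one at a time, and that a dependency inherits the priority of the most critical system that needs it.

```python
import heapq

# Constructed sample inventory: name -> (priority, restore_hours, depends_on).
# Lower priority number = more critical. All names and figures are hypothetical.
SYSTEMS = {
    "dns":      (1, 1.0, []),
    "identity": (1, 3.0, ["dns"]),
    "database": (3, 6.0, ["identity"]),   # rated low, but the ERP needs it
    "erp":      (1, 4.0, ["database", "identity"]),
    "email":    (2, 2.0, ["identity", "dns"]),
    "intranet": (4, 1.5, ["identity"]),
}

def restore_plan(systems):
    """Return [(name, start_hour, end_hour)] that never restores a system
    before its dependencies and picks the most critical ready system first."""
    unknown = {d for _, _, deps in systems.values() for d in deps} - set(systems)
    if unknown:
        raise ValueError(f"dependency not in inventory: {sorted(unknown)}")
    # Effective priority: a dependency is as urgent as its most urgent dependent.
    eff = {name: spec[0] for name, spec in systems.items()}
    for _ in systems:                      # enough passes to reach every ancestor
        for name, (_, _, deps) in systems.items():
            for d in deps:
                eff[d] = min(eff[d], eff[name])
    waiting = {name: set(spec[2]) for name, spec in systems.items()}
    dependents = {name: [] for name in systems}
    for name, deps in waiting.items():
        for d in deps:
            dependents[d].append(name)
    ready = [(eff[n], n) for n, deps in waiting.items() if not deps]
    heapq.heapify(ready)
    plan, clock = [], 0.0
    while ready:
        _, name = heapq.heappop(ready)
        end = clock + systems[name][1]
        plan.append((name, clock, end))
        clock = end
        for child in dependents[name]:
            waiting[child].discard(name)
            if not waiting[child]:         # all prerequisites are back online
                heapq.heappush(ready, (eff[child], child))
    if len(plan) != len(systems):          # leftovers can only be a cycle
        stuck = sorted(set(systems) - {n for n, _, _ in plan})
        raise ValueError(f"circular dependency among: {stuck}")
    return plan

if __name__ == "__main__":
    for name, start, end in restore_plan(SYSTEMS):
        print(f"{start:5.1f}h -> {end:5.1f}h  {name}")
```

A circular or incomplete dependency map raises an error instead of producing a partial plan, which is the kind of gap you want to find before a disaster rather than during one.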


When you have determined that your systems have been restored to a known good state, the vulnerabilities have been remediated, and the "enemy" is no longer in the environment, you can declare the end of the recovery phase.


Documentation - Do you really want to reinvent the wheel the next time you are hit with a potentially disastrous incident? You must document your experience. The evidence you diligently preserved must hold up in court. Provide concrete metrics. Now is your chance to be better prepared before the next attack occurs. Get your expert teams in place, know your communication channels, have your plans written and tested, and use what you have just lived through to make sure it does not happen again.


For more information, you can refer to the following publications:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf

https://csrc.nist.gov/publications/detail/sp/800-34/rev-1/final