Rubrik has been assisting our customers with recovery from cyber attacks since 2018. We immediately took notice of these attacks, and early on, began developing processes and procedures to respond more effectively to better assist our customers. Our spirit of continuous improvement and execution of lessons learned from the field has led to a number of improvements to both our products and processes. One key takeaway is the development and deployment of our Ransomware Response Team (RRT) in early 2021.
No two customers nor cyber attacks are the same. A large number of variables come into play during a cyber incident. At a high level, these include the methodology and execution of an attack; the scope, impact, and severity of the attack; and the actions required to respond and recover. Add to this the internal and external stakeholders involved, their interactions, and their dependencies, and it can get very complicated. That all being said, there is one thing fully within a customer’s control to optimize the response and recovery process: being properly prepared, with a comprehensive and tested incident response and recovery plan.
We touched on customer preparedness in our January 2023 blog “Ransomware Recovery: RTO and Optimizing the Recovery Process” and felt the need to reiterate and provide further insight. Preparedness can be delineated into pre-attack and during/post-attack phases, with key actions for each:
Pre-Attack:
- Incident response playbook, well-tested
- Alternate means of communications
- Defined roles/responsibilities for internal stakeholders
- MFA for all administrative accounts
- Validated recovery strategies
During/Post Attack:
- Executing playbook processes
- Determining the scope/impact of the attack
- Containing/neutralizing threats
- Engaging your trusted vendors, including Rubrik
- Post-incident lessons learned
As an example of pre-attack preparation, establishing an incident response team communications plan is essential. This should include alternate forms of communication outside of and independent of your corporate infrastructure. Often some or even all corporate communications are taken offline or cannot be trusted during and immediately after an attack.
An often overlooked aspect of post-attack response preparedness is the order of operations for recovery efforts. Ensure your foundational infrastructure (Active Directory, DNS, Certificate Services, etc.) is online and trustworthy before attempting any higher-order restorations such as applications and lines of business.
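One way to make that order of operations explicit rather than tribal knowledge is to record the dependencies between services and compute the restoration sequence from them. The following is an added illustration, not Rubrik code: the service names and dependency graph are constructed for the example, and the planner refuses to produce a sequence if the graph contains a cycle or references a service that has not been declared.

```python
"""Restoration-order planner for an incident recovery runbook.

Foundational services (directory, DNS, PKI) must be restored and verified
before anything that depends on them. This added example models that rule
as a dependency graph and derives the restoration order with a topological
sort (Kahn's algorithm). The graph below is constructed for illustration.
"""
from collections import deque

# Constructed example: service -> services it requires to be up and trusted.
RECOVERY_DEPENDENCIES = {
    "active_directory": [],
    "dns": ["active_directory"],
    "certificate_services": ["active_directory", "dns"],
    "database": ["dns", "certificate_services"],
    "erp_app": ["database", "active_directory"],
    "web_portal": ["erp_app", "certificate_services"],
}


class RecoveryPlanError(ValueError):
    """Raised when the dependency graph cannot yield a valid restoration order."""


def restoration_order(deps):
    """Return services in an order where every dependency precedes its dependents.

    Raises RecoveryPlanError on an undeclared dependency or a dependency cycle,
    both of which indicate the runbook itself needs fixing before an incident.
    """
    for svc, reqs in deps.items():
        for req in reqs:
            if req not in deps:
                raise RecoveryPlanError(f"{svc} depends on undeclared service {req}")

    # Count unmet dependencies per service and build the reverse edges.
    indegree = {svc: len(reqs) for svc, reqs in deps.items()}
    dependents = {svc: [] for svc in deps}
    for svc, reqs in deps.items():
        for req in reqs:
            dependents[req].append(svc)

    # Sorted queues keep the output deterministic for a given graph.
    ready = deque(sorted(svc for svc, n in indegree.items() if n == 0))
    order = []
    while ready:
        svc = ready.popleft()
        order.append(svc)
        for dep in sorted(dependents[svc]):
            indegree[dep] -= 1
            if indegree[dep] == 0:
                ready.append(dep)

    if len(order) != len(deps):
        stuck = sorted(svc for svc, n in indegree.items() if n > 0)
        raise RecoveryPlanError(f"dependency cycle among: {stuck}")
    return order


def next_restorable(deps, verified):
    """Services whose every dependency has already been restored and verified.

    `verified` is the set of services the response team has confirmed are
    online and trustworthy; only those gate further restorations.
    """
    verified = set(verified)
    return sorted(
        svc for svc, reqs in deps.items()
        if svc not in verified and all(req in verified for req in reqs)
    )


if __name__ == "__main__":
    print("Full restoration sequence:", restoration_order(RECOVERY_DEPENDENCIES))
    print("Restorable first:", next_restorable(RECOVERY_DEPENDENCIES, []))
    print("Restorable once AD, DNS, PKI are trusted:",
          next_restorable(RECOVERY_DEPENDENCIES,
                          ["active_directory", "dns", "certificate_services"]))
```

`restoration_order` gives the full sequence for the runbook; `next_restorable` is the view a team wants during the incident, since it only unlocks a service once everything it relies on has actually been verified, not merely brought online.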
Rubrik is a foundational element in our customers’ recovery workflow. Rubrik’s RRT and Support are here to provide assistance to you 24/7 with the highest levels of urgency, continuity, and confidentiality. We will remain engaged until our customer’s recovery is complete and they have returned to normal business operations. Because you are a Rubrik customer, all business-related interactions are under NDA. We are one of your trusted vendors and are here to help when you need us most. For us to assist you most effectively:
- Ensure all of your internal teams, leadership, third-party partners, and cyber insurance companies are aware that Rubrik is a trusted vendor.
- Ensure all of your internal teams, leadership, third-party partners, and cyber insurance companies are aware of Rubrik’s product and support capabilities.
- Facilitate collaboration and communications between your trusted vendors and your internal teams.
For more information and details regarding preparation, please refer to our Ransomware Preparation and Incident Response whitepaper, available on the Rubrik Support Portal.