There’s a perfect cybersecurity storm happening. We’re seeing more attacks than ever before but there aren’t enough infosec experts out there to defend organizations, meaning that infrastructure and operations teams are unwittingly put on the front line (especially in cases of ransomware).
Protect as best as you can but be prepared for the worst
The industry has already woken up to the idea that it’s not about ‘if’ you’re hit, but ‘when’ you’re hit and this means that preparations must be made accordingly. The good news is in the last few years CEOs have increased information security budgets due to the increased amount of attention attacks are generating.
So how should you spend it? Ultimately, you should build a robust program, but if a single failure results in a catastrophic outcome is that going to get you ahead? No. What will get you ahead is the continuity of business critical infrastructure, when the worst occurs.
Design your infrastructure like a ship
Your job is to create an infrastructure that has the ability to bounce back. So how do you prepare for an attack you cannot stop? Two words: passive survivability.
Ships are designed so that - if they are damaged in a storm, or a crash - they can continue to sail in a deprecated manner, but most importantly: not sink. There’s an inherent resilience built into them, that should also be built into your data centre’s infrastructure, so you’re not completely knocked out of the water by an attack/outage. This is subtly different from network segmentation, and should be thought of as failure compartmentalization or failure domains.
After all, there’s no longer a frontier or perimeter to protect. With cloud, mobile devices, IoT, and SaaS, the perimeter is expanding every day. Passive survivability gives you a defensible infrastructure as a way to hold the fort, so to speak. While it’s not going to replace security controls or your security program, it is the safety net that keeps the business upright when it all goes wrong.
Prioritizing is paramount
The first thing to do is get the infosec team and infrastructure and operations team to meet. All too often this first meeting happens due to a breach occurring. Get ahead of the cyber-criminals by realizing together that not everything in your business is a top priority.
In a cyber-attack scenario, if your HR team is offline, it’s not an immediate risk to your customer loyalty. Similarly, the risk to reputation is low if peripheral departments can’t access non-essential documents. What you’ll care about is your business-critical processes, as that’s the reason you exist as a business.
If that’s to deliver letters, then you need to find a way to continue to deliver those letters. If it’s shipping containers, then you have to get those containers transported and delivered.
Too often, the number one business priority is realized in the midst of an attack, when production lines stop or finished products are piling up outside HQ with no way of transporting them. You need to understand what the most important process is for your business, what applications support these processes, and build the infrastructure around that.
Backing up means bouncing back
The next step in the process is to be able to bounce back really quickly. Can you rely on your backup? Unless you’re protecting it, it’s going to be hit next. Examine the existing architecture and implement compartmentalization and isolation of backup infrastructure and immutability of data. Ensure the backup administrator accounts are using unique credentials in case domain administrator accounts are compromised.
Can you bootstrap critical infrastructure such as AD, DNS, and time servers? How fast? We’re talking mass assembly line process here - live mounting large numbers of machines for example to establish the application dependency chains needed. Does your backup let you instantly recover?
Identify attackers with automation
Once your critical processes are back up and running, then it’s time to identify exactly where the attackers have hit and at what point in time. Can you do this quickly? Automation can save your team a lot of guesswork and resources.
Take heed
When considering how to protect ourselves from a cyber-attack, we should follow the same logic as we do with other vital and valuable assets. Just as we try to protect our bodies from ailments by following the widespread advice that taking preventative measures is more effective than treatment (or so we should), protecting our businesses from cyber-attack should also be something we’re starting to be aware of long before an attack actually takes place.
By combining passive survivability with attack identification, remediation and instant recovery, what we have is a master recipe for a cyber-attack safety net, should the worst happen. Up front preparation will have an amplified effect when it comes to saving the team time and resources! Following this, you’ll be well-equipped to protect your business-critical processes (the soul of your business) and get back on your feet quickly.