For many years, DXC’s forensic and remediation teams have supported customers during recoveries and exercises to help them regain control of their compromised IT environments. Recently, there has been a significant increase in demand for the review of existing preparedness capabilities in leadership, response and recovery from ransomware and destructive IT cyberattacks, and our recommendations for improvement.
Destructive IT cyberattacks are sometimes launched by organised crime gangs or nation-state-sponsored attackers, with the overall purpose of intentionally destroying or damaging data or physical objects, including inflicting personal injury and even death. Cyber warfare is also a manifestation of an intentional destructive attack.
The significant increase in demand for security and incident response (IR) consulting is not surprising given the increase in frequency of such attacks and the average time to identify, detect, contain, respond and recover from them. While DXC’s forensics and remediation teams typically review many areas of an organisation, what we have consistently found is that the organisation’s business continuity planning, including disaster recovery planning, does not sufficiently address the challenges and specifics that ransomware and intentional destructive IT attacks bring with them.
The goal of this paper is to:
- Describe the common gaps or shortcomings we have observed in business continuity planning in mid- to large-sized international organisations, independent of industry.
- Give specific recommendations for how to update a business continuity management program to address the destructive attack threat.
- Trigger organisations to verify whether their existing business continuity planning and incident response processes and plans are as optimised as possible for leaders and teams to respond to, and manage, a destructive attack threat.
The challenge
When DXC reviews an organisation’s processes and plans around incident response, one topic is of special interest:
“How does an organisation plan to cope with an attack that intentionally tries to impact or destroy an IT infrastructure to make political statements or to extort money?”
Business continuity planning generally uses an all-hazards approach to address the impacts of disruptive incidents, focusing on the response to and management of the loss of people, processes, IT systems and locations that support defined mission-critical activities while maintaining operational resilience.
The challenges of coping with cyber incidents and destructive IT attacks are:
- Lack of understanding of the potential impact of these threats on the organisation, weak patch management and inadequate planning for the response
- Insufficient preparation to protect systems and to educate and train people to deal with these types of attacks
- Inadequate speed and technical ability to identify, assess and respond at the time of the incident
- Inability of an organisation’s leadership to respond to the potentially catastrophic impact of this type of event, including how leaders communicate to, and manage the relationship with, customers, suppliers and regulatory bodies
Let’s be clear — threat actors and organised crime gangs are extremely powerful. They can:
- Access environments by elevating their credentials up to enterprise administrators, and exfiltrate data at all levels and areas of the organisation
- Intentionally destroy the core business services and data in all compromised environments by deploying destructive software (e.g., ransomware, wiper) that may replicate/synchronise through the whole environment, including backup and recovery systems
In the event of a catastrophic loss of the production and recovery environments, the victimised organisation is left with unusable data and the inability to provide even the most basic IT services, impacting the very continuity of all the organisation’s processes.
The general technological approaches documented in a typical business continuity program range from conventional backups, clustering and real-time mirroring, through flashback copies, to imaging. These approaches in isolation are not sufficient to respond to, and recover from, an attack.
How can our business continuity programs and plans be further enhanced to prepare leaders, teams, IT systems and processes to be cyber-warfare ready? If your organisation hasn’t reviewed its business continuity management program through a cyberattack lens, then now is the time to do it.
Let’s examine common gaps in business continuity planning and how to address them in a business continuity management program.
Common gaps
When addressing ransomware and destructive IT attack risks, many organisations have common gaps in their business continuity planning. These include:
- Lack of focus on specific threats (ransomware and destructive acts). It is essential to identify and assess the potential impact of specific threats on the organisation's operations. This could include the impact on critical systems, data and processes.
- Undefined or badly-communicated roles and responsibilities across incident response, business continuity and crisis management. Often separate teams work on their own responses to the same incident, duplicating efforts, consuming resources and potentially using incompatible approaches.
- Insufficient data backup and recovery planning. A common gap in business continuity plans and disaster recovery plans is failure to ensure that critical data is backed up; that the backup is offline, air-gapped and secured; and that the recovery process is tested and effective. This is particularly critical in the case of ransomware attacks, where the attacker may encrypt or delete data, making it difficult or impossible to recover. In addition, organisations need a good understanding of which systems must be cleansed or rebuilt first, and how long that will take. In real-life exercises, we have seen databases of several terabytes take up to a week to be recovered, and then the copy job stopped part-way through, so the whole exercise had to start over. Key activities to protect an organisation against ransomware and help recover from an attack are described in our ransomware guides:
- Inadequate incident response planning. Many business continuity plans lack detailed plans for responding to ransomware or destructive attacks, including the identification and isolation of affected systems, the investigation of the attack, and the prioritised restoration of systems and data. There should also be procedures in place for communicating the incident to stakeholders and restoring operations.
- Insufficient exercising. Once the business continuity plans have been developed, testing through simulation exercises is essential to identify gaps or weaknesses. This helps ensure that the plans are effective in the event of a real cyber incident and enables teams to provide realistic predictions, based on experience and known variables, to senior leadership.
- Failure to consider supply chain risks. Ransomware and destructive attacks can impact not only the targeted organisation but also its supply chain partners. Many business continuity plans do not consider the potential impact of these attacks on the organisation's suppliers and customers.
- Out-of-date business continuity plans. Cyber threats are constantly evolving, so it is essential to regularly review — at least annually — and update the business continuity plans to ensure they remain relevant and effective.
- Insufficient employee training and awareness. Many business continuity plans do not include detailed plans for educating employees about the risks and steps they can take to reduce the organisation's exposure to ransomware or destructive attacks. Employees need training to understand their roles and responsibilities, including how to identify potential cyber threats, report incidents and follow the business continuity plan.
- Ineffective senior leadership engagement. Educating senior leaders on preparing for cyberattacks can be challenging given that typically senior leaders do not have a deep technical understanding of cybersecurity. Implement effective approaches for engaging senior leaders:
- Communicate the potential risks including financial losses, reputational damage and legal liabilities. Highlight the types of attacks most likely to occur and potential business impact.
- Provide real-world examples of cyberattacks that have affected similar organisations. This will underline the importance of cybersecurity and the need to take proactive measures to prevent cyberattacks.
- Offer cybersecurity training to senior leaders, describing the nature of potential threats and risks. This can include training on phishing, social engineering and other common attack methods, as well as best practices for securing sensitive data and preventing breaches.
- Develop a cyber incident response plan, working with senior leaders, that aligns with your organisation’s incident response, business continuity program(s) and crisis management program.
- Conduct regular security audits and share results with senior leaders to help them understand the organisation's level of risk and the need for ongoing investment in cybersecurity.
- Use data visualisation tools to support the communication of the organisation's cybersecurity posture. This can include dashboards that provide real-time insights into the organisation's security metrics, including threat detection, incident response times and risk levels.
- Failure to learn from previous incidents. Run a post-incident analysis to learn what went well and what could be improved. Identify actions and deadlines, track them to completion and update the plans.
Recommendations adding a cyber lens to business continuity management programs
To address the gaps, organisations need to expand their cybersecurity preparedness. A business continuity management program that mitigates the impacts of ransomware and destructive IT attacks, and aligns with the organisation’s incident response capabilities, is essential for the organisation to survive and thrive. DXC recommends that organisations add a cyber lens to each phase of their business continuity management program (Figure 1) as follows:
Figure 1. Phases of a business continuity management program
1. Understanding business continuity context
Know your business:
- Know the operating and business environment, including where your people are and where services are delivered from.
- Understand applicable Service and Organisation Level Agreements (SLAs) and legal and regulatory requirements.
- Review your organisation’s policies — cyber, IT, business continuity and crisis management.
- Understand your organisation’s cyber resilience, incident response, business continuity and crisis management capabilities, and roles and responsibilities.
2. Business impact analysis
The business impact analysis (BIA) is a key document for anyone responding to a disruptive incident, especially in a fast-moving situation like a cyberattack, when people need to quickly determine the impact and scale of an incident. The BIA:
- Determines the following:
- business activities that are mission critical
- amount of downtime the business can tolerate
- amount of data that will be lost or will need to be re-entered after an outage (Recovery Point Objective)
- amount of time after which the viability of the team, and possibly the organisation itself, will be irreversibly impacted if the disrupted activity isn't resumed (Recovery Time Objective)
- Captures who supports an activity, roles and responsibilities, processes and procedures, equipment, IT and data, and any supplier involvement.
3. Risk assessment
The risk assessment (RA) identifies potential hazards and risks, their likelihood of occurrence and their scale of impact to your operations in specific locations. Hazards and risks include natural disasters, cyberattacks and equipment failures. The RA and BIA are the key inputs required to determine recovery strategies and priority of recovery. Business continuity teams should work with their cyber team to understand the current cyber environment and types of attacks they need to consider.
4. Check suppliers
Check that your suppliers can continue supporting you in delivering mission critical business activities should any disruptions, including a cyberattack, impact their organisation. Suppliers should know what your expectations are, and their obligations, during a disruption, and should be aware of escalation routes and limitations.
5. Recovery and continuity strategies
Recovery strategies need to meet critical recovery parameters, be reasonable and affordable, and align to contractual and regulatory obligations. Using the information gathered in the previous phases, organisations should plan their recovery prioritisation and identify the most appropriate recovery strategies for people, locations, IT and data.
- Recovery prioritisation:
- Proactively agree upon your key and essential business services and assets and plan your recovery prioritisation accordingly.
- Know the dependencies and prerequisites for the prioritised items. Also, verify and update the key contacts responsible for the prioritised assets.
- Analyse how potential isolation or containment activities could impact essential capabilities (e.g., remote administration) and try to separate such services to enable more accurate containment strategies.
- Document, communicate and test the prioritisation and recovery strategies in incident response plans and update them at least annually.
- Discuss and research temporary alternative infrastructure approaches (e.g., cloud technologies) to bridge downtimes.
- People and locations recovery strategies:
- How do you contact and keep in touch with your teams and stakeholders if your organisation’s communication systems are impacted?
- Have you trained and exercised your employees on using manual or alternative automated solutions to continue mission critical activities?
- How do you secure your locations?
- IT and data recovery strategies (backups):
- Regularly back up your data. This is the most important step you can take to protect against destructive attacks. Depending on the criticality of your data, you should have daily, weekly or monthly backups. Make sure that your backup schedule is frequent enough to minimise data loss and keep downtime to a minimum. Different groups within the organisation may have different requirements. The strictest requirements define the backup requirements that should be applied.
- Use offline or off-site backups. It is important to keep your backup data offline or off-site so that it is not accessible to a threat actor. If you use cloud backup services, make sure they have adequate security measures to protect against ransomware attacks. DXC and Dell Technologies have developed an air-gapped VAULT solution that, when used with an additional tool that employs pattern recognition and file entropy, helps to identify suspicious file and backup operations. If suspicious activity is detected, the files are quarantined and customisable actions can be triggered (e.g., mail, alert, script execution). This approach makes it harder for a threat actor to hide in older backups and rebuild backdoors into the environment. Depending on requirements, other backup approaches can also be considered, such as snapshots and Write Once Read Many (WORM) storage.
- Review the backup architecture. We regularly see backups built on virtualised infrastructure components. If the virtual environment is impacted, this often leads to unavailability of the backups. The same may happen if systems are disconnected to contain the spread of malware within the environment. The organisation should ensure the independence of the backup solutions or should at least understand the dependencies.
- Implement the 3-2-1 backup rule. The 3-2-1 backup rule means having three copies of your data, stored on two different types of media, with at least one copy stored off-site. This rule ensures that you have redundancy and protection against data loss in the event of a destructive or ransomware attack.
- Test your backups. Testing your backups is important to ensure that your data can be restored in the event of an attack. Regularly test your backups by restoring them to a test environment to ensure that they are complete and accurate. It is important to test restoring or recovering not just a specific file but a whole system, as the processes and requirements may vary significantly between the two.
- Keep your backup software and hardware up to date. Keeping your backup software and hardware up to date is important to ensure that you have the latest security updates and features. Regularly update your backup software and hardware to keep them secure and optimised.
- Use access controls and authentication. Implement access controls and authentication for your backup data to ensure that only authorised personnel can access it. This will reduce the risk of an attacker gaining access to your backup data.
- Monitor backups. Make sure that the systems hosting the backup data are tightly monitored to ensure that suspicious activities can be detected.
- Encrypt your backups. Backup encryption is important because backups often contain sensitive information such as financial records, customer information and confidential business data. If this information falls into the wrong hands, it can be used for fraudulent activities, identity theft or other malicious purposes.
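The BIA figures from phase 2 (RPO and RTO per activity) and the backup requirements above (strictest RPO sets the interval, the 3-2-1 rule, an offline copy, independence from the virtual platform, whole-system restore time tested against the RTO) can be checked mechanically. The following is an added example, not DXC’s or Dell’s tooling; the Activity, BackupCopy and BackupPlan records, the sample figures and the assumption that the production copy lives on disk are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Activity:            # one mission-critical activity from the BIA
    name: str
    rpo_hours: float       # Recovery Point Objective: tolerable data loss
    rto_hours: float       # Recovery Time Objective: tolerable downtime
    data_gb: float         # volume a whole-system restore must bring back

@dataclass
class BackupCopy:          # one backup copy; the production data is not listed
    media: str             # "disk", "tape", "object-storage", ...
    offsite: bool          # held away from the primary location
    offline: bool          # air-gapped, unreachable from production
    on_virtual_platform: bool = False  # hosted on the production hypervisor

@dataclass
class BackupPlan:
    interval_hours: float       # time between consecutive backups
    copies: list                # BackupCopy objects
    restore_gb_per_hour: float  # throughput measured in a restore test

def strictest_rpo(activities):
    # The tightest RPO in the BIA sets the backup interval for everyone.
    return min(a.rpo_hours for a in activities)

def assess(activities, plan):
    """Return gap findings as strings; an empty list means no gap found."""
    f = []
    rpo = strictest_rpo(activities)
    if plan.interval_hours > rpo:
        f.append(f"backup interval {plan.interval_hours}h exceeds strictest RPO {rpo}h")
    # 3-2-1: production copy plus backups >= 3, on >= 2 media, >= 1 off-site.
    media = {c.media for c in plan.copies} | {"disk"}   # assumed: production is on disk
    if 1 + len(plan.copies) < 3:
        f.append(f"only {1 + len(plan.copies)} copies exist (3 required)")
    if len(media) < 2:
        f.append("all copies are on one media type (2 required)")
    if not any(c.offsite for c in plan.copies):
        f.append("no off-site copy")
    # A threat actor with enterprise admin rights reaches every copy that is online.
    if not any(c.offline for c in plan.copies):
        f.append("no offline/air-gapped copy")
    # Backups hosted on the production hypervisor are lost or isolated with it.
    if plan.copies and all(c.on_virtual_platform for c in plan.copies):
        f.append("every backup copy depends on the virtual platform")
    # Whole-system restore time at measured throughput must fit each RTO.
    for a in activities:
        hours = a.data_gb / plan.restore_gb_per_hour
        if hours > a.rto_hours:
            f.append(f"{a.name}: restore takes {hours:.1f}h, RTO is {a.rto_hours}h")
    return f

# Constructed sample input (not real figures): a BIA extract and two plans.
ACTIVITIES = [Activity("order processing", 4, 24, 2000),
              Activity("payroll", 24, 72, 300)]
WEAK_PLAN = BackupPlan(24, [BackupCopy("disk", False, False, True)], 40)
HARDENED_PLAN = BackupPlan(4, [BackupCopy("disk", False, False, True),
                               BackupCopy("tape", True, True)], 100)

if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        print(name, assess(ACTIVITIES, plan) or ["no gaps found"])
```

The weak plan fails on every check, including a 50-hour restore of the 2 TB database against a 24-hour RTO; the hardened plan, which adds an offline off-site tape copy and a faster tested restore path, returns no findings.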
6. Create a business continuity plan and share with stakeholders
Create a business continuity plan or plans based on the information gathered in previous phases, and obtain the necessary reviews and approvals before sharing with stakeholders. Key actions:
- Have an incident response and/or crisis management representative review your business continuity plan to understand your expectations.
- Ensure that those with roles and responsibilities identified in the plan have a hard copy of the plan or store a digital copy on an alternate system that is easily accessible.
- Keep a hard copy of the business continuity plan(s), along with the location’s emergency response plan, in an “emergency grab bag” on site.
7. Train and exercise
Time is of the essence in a disruption. Exercises provide a safe environment to practice roles, improve recovery capabilities, and help validate the recovery strategies and business continuity plans. The more you encourage active participation, the more the teams will understand the process and the part they play. Key actions:
- Train and exercise your team to understand their roles and responsibilities and practise responding to incidents, including cyberattacks, using the incident response and business continuity plans. If you don’t train regularly, people will forget roles and responses, new people will not gain experience, and your response will be slow and laboured.
- After any exercise or actual disruption, the team should document what went well and what could be improved. Actions identified should be tracked to completion and recovery strategies and plans updated accordingly.
8. Business continuity program maintenance
Business continuity program maintenance is an annual schedule of activities that keeps the overall program and business continuity plans up to date and teams trained, exercised and ready to respond should a disruption occur.
The maintenance phase builds and matures continuity capabilities to meet the requirements of the business continuity policies and continuity obligations, as well as legal and regulatory requirements.
This phase requires at minimum an annual review of each phase of the business continuity management program. Specifically, when reviewing the risk assessment, the business continuity teams should collaborate with the incident and cyber response teams and experts to consider what’s new and what to be looking out for in the future.
Keep plans current and in sync
Business continuity programs and plans are an established part of any organisation’s risk mitigation and security controls. Unfortunately, even if organisations review and update their cybersecurity response plans, many do not apply and align those changes to their business continuity strategies, and even fewer enforce technological updates or changes.
If you are responsible for the security of your organisation’s IT infrastructure, and your incident response, business continuity and/or disaster recovery plans have not been updated to reflect the change in threat actors’ behaviour, you should review your programs and plans as soon as possible and update them if required.
If your organisation needs assistance with business continuity planning and cybersecurity challenges, DXC can help.