Cyberattacks: dealing with (and responding to) uncertainty

If you’re not viewing a cyberattack as a whole-business crisis, you’re likely not taking the threat of attack seriously enough. You’d never dismiss out-of-hand the threat of a hurricane, yet few businesses realize that, from a business continuity perspective, cyberattacks can be just as dangerous.

Complicating the response to a cyberattack, says consulting firm Gartner in a recent report, is the fact that attacks bring with them a high degree of uncertainty.

Some of these uncertainties include:

  • How big is the scope? How much of your IT infrastructure have attackers infiltrated? Typically, says Gartner, “the cyberattacker has been observing and learning your environment for some time, and will have installed customized malware on strategic elements of your IT infrastructure.”
  • Can you shut down, or do you need to pretend everything’s normal? Keeping production operations running may be required by the people who are investigating—they may need more information about the cyberattack for forensic or law enforcement purposes. You also may not want to let your attackers know you’re on to them by shutting down production systems—especially email and log review systems—because those are often the very systems that cyberattackers actively monitor for the activity you’re considering. Often, attackers try to inflict major damage if they become aware you’re trying to block them. Finally, you may also need to consider the possibility that an internal actor is responsible for the attack. The wrong response may tip that person off.
  • Which is the best way forward? Wondering how to safely restore your affected applications, systems and data? The answer, Gartner says, may not be obvious right away. “You may have to try a few approaches until you find the one that will safely and more quickly return your enterprise to a normal operating environment.”
  • Is it even safe to restore? Don’t discount the fact that the backups you’re about to use for recovery may themselves be compromised. If so, says Gartner, “a traditional cutover to the IT disaster recovery (DR) environment might be the wrong thing to do, because the cyberattacker will be right there in the recovery environment as soon as you switch operations to your alternate data center facility.”
  • Are you leaving yourself open to future attacks? A root cause analysis will help you get to the bottom of the attack, but you might not be able to conduct one for some time after the “dust” has settled. In the interim, this could leave you vulnerable to the possibility of an attack happening again.
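One practical answer to the “is it even safe to restore?” question above is to check the backup set against an integrity manifest that was created when the backup was taken and kept out of the attacker’s reach. The Python below is an added example written for this post; it is not Gartner’s material or any product’s code. It assumes a backup is represented as a mapping of member names to bytes, that each member is recorded in the manifest by SHA-256 digest, and that the manifest itself is authenticated with an HMAC under a key stored offline (the key, file names and contents here are constructed sample values). Verification reports every altered, missing or unexpected member rather than stopping at the first, so the responder sees the full shape of the tampering before deciding whether a cutover to the recovery environment is sound.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the key that authenticates the manifest
# lives offline (vaulted, not reachable from production), so an intruder who
# alters a backup cannot simply re-sign the manifest to match.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def _digest(data: bytes) -> str:
    """SHA-256 of one backup member, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Stable serialisation of the name->digest map so the HMAC is reproducible."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Record a digest per member and authenticate the whole list with an HMAC.

    Run at backup time; the result is stored separately from the backup itself.
    """
    entries = {name: _digest(content) for name, content in sorted(files.items())}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "mac": mac}


def verify_backup(files: dict, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Compare a backup set against its manifest and report every discrepancy.

    manifest_authentic: the manifest's HMAC checks out under the offline key
    tampered:           members whose content no longer matches the recorded digest
    missing:            members listed in the manifest but absent from the backup
    unexpected:         members present in the backup but never recorded
    """
    expected_mac = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    report = {
        "manifest_authentic": hmac.compare_digest(expected_mac, manifest["mac"]),
        "tampered": [],
        "missing": [],
        "unexpected": [],
    }
    for name, digest in manifest["files"].items():
        if name not in files:
            report["missing"].append(name)
        elif not hmac.compare_digest(_digest(files[name]), digest):
            report["tampered"].append(name)
    report["unexpected"] = sorted(n for n in files if n not in manifest["files"])
    report["safe_to_restore"] = report["manifest_authentic"] and not (
        report["tampered"] or report["missing"] or report["unexpected"]
    )
    return report


# Constructed sample backup set (member name -> content) as originally taken.
ORIGINAL_BACKUP = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
    "www/index.html": b"<html><body>Hello</body></html>\n",
    "etc/app.conf": b"debug=false\n",
}

# Constructed tampered copy: one member altered, one removed, one added.
TAMPERED_BACKUP = {
    "db/orders.sql": ORIGINAL_BACKUP["db/orders.sql"],
    "www/index.html": b"<html><body>Hello, changed after the fact</body></html>\n",
    "bin/helper.sh": b"#!/bin/sh\nexit 0\n",
}


def demo() -> tuple:
    """Build the manifest at backup time, then check a clean and a tampered copy."""
    manifest = build_manifest(ORIGINAL_BACKUP)
    return verify_backup(ORIGINAL_BACKUP, manifest), verify_backup(TAMPERED_BACKUP, manifest)


if __name__ == "__main__":
    clean_report, tampered_report = demo()
    print(json.dumps(clean_report, indent=2))
    print(json.dumps(tampered_report, indent=2))
```

The design choice worth noting is the HMAC over the manifest: a plain list of hashes stored next to the backup protects against accidental corruption but not against an intruder who edits both the data and the list. Only a key the production environment cannot reach makes the manifest evidence rather than just metadata, which is exactly the situation the post describes when the attacker may already be inside the recovery path.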

Gartner suggests leveraging business continuity best practices to boost your organization’s ability to control the damage resulting from a cyberattack—which we’ll discuss in our next blog post.