PLAN, DISRUPT, RECOVER - Ensuring Attack Readiness through the Cyber Event Cycle.

Logical planning for a cyber event

By: Paul Marco

Published October 31, 2022

We rely on technology for every aspect of our lives, and as our world becomes more connected, the probability that we will be impacted by a cyber event grows with it. Failing to plan for a cyber event leaves an organization exposed: the cyber risk is realized, and its impact on the organization is prolonged.

Understanding The Cyber Event Cycle:

Proactively managing a cyber event means understanding how to position your organization to prepare for an attack, attempt to control it and, if necessary, rebuild after a cybersecurity risk has been realized. We have organized these steps into a cycle that follows the cadence of PLAN, DISRUPT and RECOVER.

PLAN: The plan phase represents the actions an organization can take ahead of an attack. Proper planning ensures the organization is best placed both to disrupt an attack and to respond to it effectively should a response become necessary.

DISRUPT: The disrupt phase evaluates the presence, effectiveness and readiness of cybersecurity controls. The focus here is to maximize the controls that will disrupt a specific attack as it progresses. Disruption can align with any element of the TALAS control stack framework, with the intention of slowing, detecting or stopping an attacker from advancing.

RECOVER: The recover phase outlines the plans, activities, responsibilities and processes in place to recover from an attack. Once recovery is complete, a review of the event becomes an input back into the PLAN phase. This feedback lets your organization implement safeguards meant to prevent the event from recurring, which completes the cyber event cycle.

Preparing for The Cyber Event Cycle:

How an organization prepares for a cyber event will vary, and preparation should be based on need, budget and risk appetite. Below are some examples of actions an organization can take across the phases of the cyber event cycle.

PLAN

Establish a Critical Services Inventory: A critical services inventory is where an organization identifies the services that are absolutely required for its operation. These services can vary, but may include systems such as Human Resources, Payroll, or Email. Identifying and ranking these services will help other organizational decisions such as backup strategy and identifying the need for fallback systems.

Downstream Impact Analysis: The downstream impact analysis documents which services would be impacted if a system they depend on becomes unavailable due to a cyber-attack. For example, your ability to process payroll may be disrupted if printing services are impacted and physical checks cannot be printed.
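The critical services inventory and the downstream impact analysis fit together naturally as a dependency graph: record, for each service, its criticality rank and the services it directly depends on, and the downstream impact of any outage falls out of a graph walk. The following is an added example (not code from the original article or from TALAS Security) that does exactly that. The service names, ranks and dependency edges are a constructed sample inventory, chosen so that the printing-to-payroll case from the text appears in it; `single_points_of_failure` goes one step beyond the text by scoring every service by how much it would take down, which is a direct input to deciding where fallback systems are worth the cost.

```python
from collections import defaultdict, deque

# Constructed sample inventory (an assumption for illustration, not real data):
# service -> criticality rank (1 = most critical) and its direct upstream dependencies.
SERVICE_INVENTORY = {
    "Identity": {"criticality": 1, "depends_on": []},
    "Email":    {"criticality": 2, "depends_on": ["Identity"]},
    "HR":       {"criticality": 3, "depends_on": ["Identity"]},
    "Printing": {"criticality": 4, "depends_on": ["Identity"]},
    "Payroll":  {"criticality": 2, "depends_on": ["HR", "Printing"]},
    "Expense":  {"criticality": 5, "depends_on": ["Payroll", "Email"]},
}


def build_dependents(inventory):
    """Invert the depends_on edges so the graph can be walked downstream."""
    dependents = defaultdict(set)
    for service, meta in inventory.items():
        for upstream in meta["depends_on"]:
            dependents[upstream].add(service)
    return dependents


def downstream_impact(inventory, failed):
    """Every service that becomes unavailable when the `failed` services are down.

    The walk is transitive: Printing down -> Payroll down -> Expense down.
    """
    dependents = build_dependents(inventory)
    failed = set(failed)
    impacted = set()
    queue = deque(failed)
    while queue:
        service = queue.popleft()
        for dependent in dependents[service]:
            if dependent not in impacted and dependent not in failed:
                impacted.add(dependent)
                queue.append(dependent)
    return impacted


def ranked_impact(inventory, failed):
    """Impacted services ordered most-critical first, i.e. a recovery order."""
    impacted = downstream_impact(inventory, failed)
    return sorted(impacted, key=lambda s: (inventory[s]["criticality"], s))


def single_points_of_failure(inventory):
    """Score each service by how many others its loss takes down.

    High scorers are the first candidates for fallback systems in the RECOVER phase.
    """
    scored = {s: len(downstream_impact(inventory, {s})) for s in inventory}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("Printing down, impacted:", ranked_impact(SERVICE_INVENTORY, {"Printing"}))
    print("Identity down, impacted:", ranked_impact(SERVICE_INVENTORY, {"Identity"}))
    print("Single points of failure:", single_points_of_failure(SERVICE_INVENTORY))
```

With the sample inventory, a printing outage impacts Payroll and then Expense, and Identity scores highest as a single point of failure, which is the kind of result that should feed the backup strategy and fallback decisions the inventory is meant to inform.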

Communication Plans: Communication plans allow an organization to identify the types of communication needed should business be disrupted. This includes predefined internal and external communication requirements and the methods for carrying them out should systems be impacted. For example, if your email system is unavailable, how would you communicate with your organization or customers?

Incident Response Planning: Incident response planning lays out how an organization will respond to a specific attack or cybersecurity event. This may include how and when to implement emergency processes, as well as establishing cross-organization roles and responsibilities.

Cybersecurity Insurance: Securing cybersecurity insurance before an event can help offset some of your cyber risk, in the same way other insurance products do.

Proactive Control Identification: Proactive control identification feeds the process of disrupting an attacker. It includes evaluating the threats against your organization and proactively implementing control elements (technology, process, policy, etc.) for the purpose of attack disruption. Refer to our article titled Defining Control for a detailed discussion of control elements.

DISRUPT

Disruption occurs through the controls identified in the PLAN portion of the event cycle. Here the goal is to anticipate the attacks your organization may face and organize controls so that they disrupt those attacks specifically. Refer to our article titled Modeling Threats Against Your Organization for a detailed discussion on using threat variables to model attacks against your organization.

RECOVER

Fallback Systems: Once critical services have been identified, one way to ensure their availability is to establish alternative or fallback systems that can be invoked in the event of a cyber-attack. For example, if your internal payroll system is down, can you use an online payroll processing service to keep that business process running?

Backups: System backups enable an organization to recover systems or data impacted by a cyber event. Consider also the immutability of those backups and how susceptible they are to tampering: an attacker who has gained administrative access will commonly try to delete, encrypt or alter backups before the main attack, so backups should be kept where that access does not reach, and their integrity should be verified before they are relied on for recovery.
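Immutability is a storage property, but tamper detection can be checked independently of the storage. The following is an added example (not code from the original article or from TALAS Security) showing one way to do that: record a SHA-256 manifest of a backup set at backup time, authenticate the manifest with an HMAC key that is kept off the backup host, and re-verify before restoring. The backup files, the key and the tampering scenario in `demo` are all constructed for illustration; in a real deployment the key would live outside the backup system (or the manifest would be signed with an asymmetric key so the verifier needs only the public half).

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1 << 20


def sha256_file(path):
    """Stream a file through SHA-256 so large backup artifacts are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each file (relative path, '/' separators) in the backup set to its SHA-256."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, backup_dir).replace(os.sep, "/")
            entries[rel] = sha256_file(full)
    return dict(sorted(entries.items()))


def canonical(manifest):
    """Deterministic serialization so the same manifest always yields the same tag."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest, key):
    """Attach an HMAC-SHA256 tag computed with a key the backup host never holds."""
    return {"manifest": manifest, "tag": hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, signed, key):
    """Return (ok, findings). Fails closed on a bad tag; otherwise lists modified, missing and unexpected files."""
    expected = hmac.new(key, canonical(signed["manifest"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return False, ["manifest tag mismatch: manifest altered or wrong key"]
    recorded = signed["manifest"]
    current = build_manifest(backup_dir)
    findings = []
    for rel, digest in recorded.items():
        if rel not in current:
            findings.append(f"missing: {rel}")
        elif current[rel] != digest:
            findings.append(f"modified: {rel}")
    findings.extend(f"unexpected: {rel}" for rel in current if rel not in recorded)
    return (not findings), findings


def demo():
    """Constructed scenario: take a backup, sign it, tamper with it, and detect the tampering."""
    key = b"offline-key-kept-off-the-backup-host"  # assumption: stored outside the backup system
    with tempfile.TemporaryDirectory() as backup_dir:
        os.makedirs(os.path.join(backup_dir, "db"))
        with open(os.path.join(backup_dir, "db", "payroll.sql"), "w") as fh:
            fh.write("INSERT INTO payroll VALUES (1, 'alice', 5000);\n")
        with open(os.path.join(backup_dir, "config.json"), "w") as fh:
            fh.write('{"retention_days": 30}\n')
        signed = sign_manifest(build_manifest(backup_dir), key)
        clean_ok, _ = verify_backup(backup_dir, signed, key)

        # Simulated attacker with write access to the backup: alter one file, delete another.
        with open(os.path.join(backup_dir, "db", "payroll.sql"), "a") as fh:
            fh.write("UPDATE payroll SET amount = 50000 WHERE name = 'alice';\n")
        os.remove(os.path.join(backup_dir, "config.json"))
        tampered_ok, findings = verify_backup(backup_dir, signed, key)

        # Rewriting the manifest to match the tampered files fails without the key.
        forged = {"manifest": build_manifest(backup_dir), "tag": signed["tag"]}
        forged_ok, _ = verify_backup(backup_dir, forged, key)
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "findings": findings, "forged_ok": forged_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the scenario is the last check: a tamper-detection scheme whose manifest lives next to the backups, with nothing protecting the manifest, only detects accidents. Keeping the verification key (or signing key) off the backup host is what turns it into a control against an attacker who already has access.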

Recovery Communications: Enacting predefined recovery communications during an incident ensures communications are timely and consistent. This includes predefining templates, recipients and the types of information that need to be communicated.

Recovery Teams: Predefining your recovery teams as part of incident response planning clearly defines the roles and responsibilities of those individuals and ensures they know what actions to take at each point of a cyber event.

Emergency Process: Emergency processes are how you ensure your organization can continue to operate if critical systems are down and cannot be recovered in a timely manner. Examples include system restoration or the process for engaging your cyber insurer.

Being proactive about cybersecurity means understanding the types of cyber events you may face and how those events would disrupt your organization. It’s important to understand that this is meant to be iterative. Networks, attackers and their tactics change constantly, which is why this framework is represented as a cycle. The more you identify, review and plan for cyber events, the better prepared you will be to detect, slow or prevent attacks on your network and to minimize their impact when they occur.

We at TALAS Security are passionate about control. We hope this article has helped you understand how looking at the cyber event cycle will enable you to better PLAN, DISRUPT and RECOVER from a cyber incident. Our mission is to enable your cybersecurity advantage, and making cybersecurity accessible is one of the ways we achieve that mission.