IT Security Guru

Gartner: 5 Considerations for I&O Leaders Planning Against Ransomware Attacks

By Jerry Rozeman, Sr Director Analyst at Gartner

by The Gurus
December 7, 2022

Ransomware attacks are hitting organisations every day and infrastructure & operations (I&O) leaders are aggressively bolstering protection, detection and response capabilities against attacks.

However, questions remain as to whether existing disaster recovery (DR) and business continuity plans are sufficient for ransomware recovery.

To address this, I&O leaders must consider five areas across the two recovery approaches to better establish whether existing plans can withstand a potential ransomware attack.

  1. Similarities and Differences

Traditional DR and ransomware recovery have many similarities, including the need to coordinate with business continuity management, prioritise via recovery tiers and understand dependencies. Both also require procedures to assess the impact, declare and activate recovery plans, execute plans, and obtain clarity around access and maintenance.

However, ransomware recovery involves greater complexity and unpredictability, so it is important to consider the business demand of the differing recovery steps in the process, which will naturally involve different stakeholders. These include varied recovery approaches, location, data loss, recovery time and the speed of a return to business as usual.

  2. Disaster Recovery Protects Against ‘Predictable’ Disasters

Traditional DR planning assumes that an entire location or application has failed, requiring failover to a DR location. These events can vary in scope, from regional power outages to IT equipment failure, and even natural disasters such as earthquakes, tornadoes and flooding, which destroy all infrastructure.

Planning for these events requires active or hot standby application infrastructure across data centres, which enables the failover to happen within a reasonable time, and with minimal or no data loss.

  3. Disaster Recovery Not Always Suitable for Ransomware Attacks

Today, ransomware attacks are mostly well planned, and the attack can start weeks or months before the final ransomware assault. Typically, ransomware is only activated as the last step in this well-prepared cyberattack, with attackers still having access during the attack.

Traditional DR usually relies on the replication and synchronisation of applications, data, and foundational network services between the primary site and the DR location. So, all the work the attackers do to compromise the production site will be replicated on the DR site. Consider that the contamination of the DR site will make it impossible to use standard recovery procedures after a cyberattack.

Contemplate that you may have to build from scratch in a worst-case situation, which will require planning to recover from alternative infrastructures, such as isolated recovery environments, cloud infrastructure, relocation sites and services.

  4. Disaster Recovery and Ransomware Recovery Follow Different Processes

Traditional DR activation follows a straightforward process where — after the disaster event is detected — an assessment is conducted to decide whether failover is required or not. After that, failover is executed and validated, and business continues. A well-planned failback (when applicable) can be executed when the primary environment is recovered.

Recovery from ransomware, on the other hand, requires multiple and more complex stages. In the first phase, there is a focus on stopping the attack from executing and propagating. In the second phase, forensic analysis is required to find out what happened, what ransomware was executed, the security issues at hand and how it infiltrated the infrastructure. During the third phase, analysis is required to find which network artefacts, apps, data and backups are affected.

In phase four, there is a focus on the recovery of foundational infrastructure, by either a restore or a rebuild of all artefacts in the network, as well as storage and compute infrastructure, followed by a rebuild or recovery of network services like DNS and AD. In phase five, a dedicated isolated recovery environment (IRE) is leveraged to scan, repair, and validate operating and application/data systems to prepare for recovery back to the primary environment. Finally, in phase six, systems are migrated out of the IRE back to production.

This level of impact on the entire infrastructure is what makes ransomware recovery so complex and unpredictable, as you need to first recover and resecure every impacted element in your infrastructure environment before you can recover systems, applications and their data. Examine the complexities that come with the different processes and the demands they may place on your organisation.

  5. Ransomware Recovery is a ‘Team Effort’

DR is often led by the DR team, which consists of the server team, network team, storage team and backup team, who all report to the DR manager, who then reports to the CIO. DR is part of the wider business continuity management process, where DR is responsible for the recovery of IT systems in a disaster situation.

Ransomware recovery, on the other hand, is initially led by the cybersecurity incident response team, which reports to the chief information security officer and is supported by other infrastructure and operations teams, including the DR team. Hence, recovery from a ransomware attack is far more of an all-enterprise effort. Consider whether you have the resources to approach this appropriately.

Gartner analysts will further explore and compare disaster recovery and ransomware recovery at next year’s Gartner Security & Risk Management Summit 2023, taking place 26-28 September, in London, UK.

Jerry Rozeman is a Senior Director Analyst at Gartner
