We often hear that frequent backups are a key mitigation for recovering a system after an attack, most commonly ransomware.
While periodic backups are important, the hard part is knowing whether the recovered system still carries the malicious code the threat actor planted; in other words, the backup may already include the persistent threat.
This is complex and situation specific. Some points worth considering:
- Have a digital forensics expert examine the infected system, understand the attack path and the trigger for the malicious code, and re-validate that these behaviours are absent after complete system recovery and before returning to business
- Segregate content from code so that a clean system can be built. The challenges are configuration and data connectors, and whether the persistent threat is stored as data (typically in externally supplied content such as readers' comments)
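One practical check for the first two points, added here as an illustration rather than anything from the original post: keep a hash manifest of the known-clean code tree (the "code" side of the code/content split) and diff a restored tree against it, so files that a post-compromise backup added or altered are surfaced before the system goes back into service. The directory layout, file names and contents below are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restored_tree(manifest: dict, restored: Path) -> dict:
    """Compare a restored code tree against a known-good manifest.

    Anything 'added' or 'modified' must be explained before the system returns
    to business; 'removed' files may indicate an incomplete restore.
    """
    current = build_manifest(restored)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }


def demo() -> dict:
    """Constructed sample: a clean tree, and a restore with one extra and one changed file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, restored = Path(tmp) / "clean", Path(tmp) / "restored"
        for root in (clean, restored):
            (root / "app").mkdir(parents=True)
            (root / "app" / "index.php").write_text("<?php echo 'hello'; ?>\n")
            (root / "app" / "config.php").write_text("<?php $db = 'prod'; ?>\n")
        manifest = build_manifest(clean)  # taken from the known-clean build, not from a backup
        # What a backup taken after compromise might hand back: an altered config and an unexpected file.
        (restored / "app" / "config.php").write_text("<?php $db = 'prod'; include 'extra.php'; ?>\n")
        (restored / "app" / "extra.php").write_text("<?php /* not part of the clean build */ ?>\n")
        return verify_restored_tree(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

The manifest must come from a trusted build artefact (for example the release pipeline), not from the backup itself, otherwise the comparison inherits whatever the backup already contains.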
There is no bullet-proof solution, but maintaining a hygienic information-processing environment reduces the likelihood:
- Adopt SecDevOps to address weaknesses during development and subsequent operations
- Conduct periodic, holistic cybersecurity assessments as compensating controls
- Raise situational awareness regularly to strengthen the people aspect
- Establish sufficient resilience to maintain a minimal business service that meets the required pledge
- Exercise the BCP or DRP regularly to validate readiness and identify improvements