The Third Scenario – Business Continuity Planning in the face of Cyber Threats


Our lives are woven into a delicate fabric of existence that is usually balanced between everyday routine and special events. Tipping that precious balance through an unusual event such as a flat tire at high noon, the cancellation of a much needed connecting flight in the dead of night, or your firstborn waking up with a fever at first light: all of these are events that remind us how elusive and slippery that “warm and cuddly” routine is.

In our private lives we cannot always prepare effectively for every emergency or threat scenario. We can try to prepare for a specific, collective threat, or invest in expensive coverage plans that may quiet our anxiety, but the truly important aspects of our private lives are irreplaceable, and we cannot prepare for every possible scenario.

In the business world, by contrast, we are often required to set feelings and other considerations aside and deal rationally with major and complex threats that can escalate into a clear disruption of our organization’s business and operational continuity.

While every Business Continuity Plan (BCP) is unique to its organization, reflecting the organization’s operational and commercial profile and the variables specific to it, there are still guidelines common to all programs and plans. The first step in any plan is to define the threat domain. Most plans today are developed as preparedness for a national or geographical emergency (natural disasters, climate and terrain events, or force majeure / man-made environmental events).

The definition of the emergency/threat parameters is accompanied by an analysis of all business and operational processes, broken down by commercial activity or by the resources employees require, and defines which alternative infrastructures and resources will be allocated and activated, ranked by importance, urgency and the required recovery time.

While most methodical organizations know how to plan and rehearse recovery from a geographical or even a national emergency scenario, most of them tend to ignore the Third Emergency Scenario: a cyber event.

Recently there has been an alarming escalation in cyber threats. We now often witness a sharp transition from “classical” IT security threats such as hacking and information leakage (events with no immediate effect on the organization’s availability in the short term) and “one-dimensional” attacks (an attack with a single malicious payload), which are relatively easy to identify and neutralize, to advanced and complex threats that combine multiple mechanisms in a startling synergy, are accompanied by a C&C (Command and Control) channel, and operate in perfect stealth.

Complex threats such as APTs (Advanced Persistent Threats), distributed network- and application-layer Denial of Service (DDoS) attacks and “engineered” malicious code have a direct impact on the continuity of organizations in both the civilian and the military/HLS domains.

It is estimated that the annual impact of cyber events amounts to around 400 billion dollars worldwide; roughly two-thirds of that is attributed to collateral damage, partly due to the loss of continuity at the attacked organizations.

Dealing with complex cyber-attacks requires a holistic approach and a significantly wider recovery plan than dealing with a “standard” IT security threat.

Adding a cyber-threat scenario to the business continuity plan is not trivial, since cyber threats operate in a more complex domain than national or geographical threats.

First and foremost, this is a threat that is not bound by the limitations of space and time. If we compare it to other emergency scenarios, even the most formidable tsunami wave will lose its energy at some point, and even a horrifying missile attack must end for lack of ordnance or when the campaign concludes. A cyber-attack, however, can theoretically continue for a long period of time, provided there is someone who fuels, sponsors and maintains it.

Even geographical distance is not a mitigating factor. If you are among the organizations that believe no square foot around you is safe and therefore establish the backup/DR site in another country, or even on another continent, you will find that the cyber threat can be activated at the backup/DR site at any given moment. Don’t bother trying to roll back to an older copy either: most likely the dormant malware is already part of most backup cycles, and all it takes is a simple DNS transaction for your precious (and expensive) DR site to experience the same attack as the main site.

A business continuity plan that incorporates cyber-attack scenarios should address three main stages:

Prevention – combining dedicated cyber defense mechanisms with policy enforcement to achieve actual risk reduction. Unlike classical IT security concepts, which focus on neutralizing threats as soon as they enter the organization, cyber threats require a more pragmatic approach that focuses on neutralizing the threat’s dimension, that is, its scope: neutralizing C&C channels, deploying deception and behavioral algorithms, and hardening resources.

Inquiry – performing cyber incident analysis and identifying the source and origin of an attack is a critical step in dealing with complex threats and ensuring rapid recovery. Technologies such as network forensics and metadata analysis enable focused analysis of complex threats.

Recovery – implementing security mechanisms that prevent the “migration” of threats to alternate/DR sites, integrating cloud-based or on-premises solutions for handling massive DDoS attacks, and applying a holistic BCP methodology will together enable recovery to normal operation.
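Added example, not code from the original post: the Prevention stage's C&C neutralization and the Inquiry stage's metadata analysis both depend on spotting a command channel in network metadata, and the DR-site warning above hinges on a DNS transaction. The script below, written for this page, scans DNS query-log lines for clients that contact one domain at a near-constant interval; the log format, domain names, client addresses and thresholds are all constructed assumptions.

```python
"""Flag periodic DNS beaconing in query metadata, the kind of C&C channel
that can wake dormant malware at a DR site. Sample log lines are constructed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed format: "<ISO timestamp> <client ip> <queried name>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.5.21 a1b2c3.updates.example-cnc.test
2024-03-01T10:00:00 10.0.5.40 www.example.org
2024-03-01T10:05:01 10.0.5.21 d4e5f6.updates.example-cnc.test
2024-03-01T10:07:13 10.0.5.40 mail.example.org
2024-03-01T10:10:00 10.0.5.21 0a1b2c.updates.example-cnc.test
2024-03-01T10:14:59 10.0.5.21 3d4e5f.updates.example-cnc.test
2024-03-01T10:20:00 10.0.5.21 6a7b8c.updates.example-cnc.test
2024-03-01T10:31:40 10.0.5.40 www.example.org
"""


def parse_line(line):
    """Split one log line into (timestamp, client, registered zone)."""
    ts, src, qname = line.split()
    # Group on the last two labels; a production tool would consult a
    # public-suffix list instead of this simplification.
    zone = ".".join(qname.lower().rstrip(".").split(".")[-2:])
    return datetime.fromisoformat(ts), src, zone


def find_beacons(log_text, min_queries=4, max_jitter=0.05):
    """Return (client, zone, mean_gap_seconds) for every client/zone stream
    with at least min_queries queries whose inter-query gaps are nearly
    constant (relative standard deviation <= max_jitter)."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, zone = parse_line(line)
            streams[(src, zone)].append(ts)
    findings = []
    for (src, zone), times in streams.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            findings.append((src, zone, round(mean)))
    return findings


if __name__ == "__main__":
    for src, zone, period in find_beacons(SAMPLE_LOG):
        print(f"beacon-like DNS pattern: {src} -> {zone} every ~{period}s")
```

Ordinary browsing (the 10.0.5.40 client) is not flagged because its queries are few and irregular; tune `min_queries` and `max_jitter` against your own baseline traffic before acting on results.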

By Tomer Nuri

VP Technologies

Netcom (Malam-Team Communication) Ltd