Zero-day attacks, which strike software vulnerabilities that are unknown and thus unpatched, are inherently difficult to prepare for. Your security team probably has some strategies and protective technologies in place, but few BC/DR experts have factored these attacks into their recovery plans. Because such attacks are unpredictable, enterprises should rank the risk the same way they do disasters such as mass outages, and then prepare accordingly, said Solomon Hykes, CEO of platform-as-a-service provider dotCloud, which must protect tens of thousands of customer applications.
The ability to recover applications and data from zero-day attacks depends on a strong systems management foundation. Because you don't know where an attack will hit, the key is visibility: Know what's going on in your network, monitor logs and traffic, collect key system metrics on every server, and be prepared to pull as much data as possible and make it available to the ops team. Record top-level data so the team can spot abnormalities quickly.
"We saw high levels of DNS traffic," Hykes said of an attack his organization experienced. "Someone had to say, 'Let's monitor that.' Then someone added high-level charts and trend alerts so that when the DNS traffic increased 10,000%, a human operator was ready to detect it and act on it."
Automation has its place, but BC/DR teams should have people trained to spot zero-day attacks and act as first responders until the specialists arrive. Put processes in place ahead of an attack so that everyone knows who is in charge during an incident and what their roles are. Examples of best practices, as discussed in our recent "Diary Of A Breach" feature, include the following:
-- All anomalies should be investigated, diagnosed, and resolved--not just for security's sake, but for operational reasons.
-- As soon as a breach is suspected, involve security. And security teams should avoid finger-pointing or complaining about false alarms.
-- Know your priorities beforehand. Some organizations will focus on ensuring that customer data is protected, while others will prioritize preventing an attacker from penetrating the network further.
-- Document which system components are most important to the business so that IT can prioritize recovery. That means performing impact analyses and determining criticality of various business services before you're under the gun. What are the infrastructure and resources, people, and technology needed to deliver services? What must you do to get those services up and running?
-- Document dependencies from top to bottom.
Other steps for zero-day preparedness:
-- Realize that the crisis will not stop when you end your shift. "Have a plan in place for who will take over coordinating the enterprise's response after you have put in a full day, so that you have continuous action on the incident 24/7 until it is resolved," said Hykes.
-- Tell data owners and application stakeholders that their data may be compromised, that a plan is in place, what that plan is, and what their roles and responsibilities are.
-- Realize that you may be obligated by law to inform your employees and customers in the event of an attack. Check with counsel before deciding that an attack on a disaster recovery server doesn't require notification. Also check in with the compliance officer.
Where The Cloud Comes In
"The key to the cloud is automation, which helps you execute better during an incident," Hykes said. "In the cloud, it becomes realistic to spin up a whole replacement setup while patching the live setup. Cloud-based automation enables you to apply emergency patches without breaking your change management."
Speaking of change management, when in full alert mode, you need defined processes that help you to shut down components, trigger failovers, and apply emergency patches when they become available. "You don't want to be in the position where someone reverses the patch because it is a one-off and no one documented it," said Hykes.
And, of course, a complete, well-tested BC/DR plan is the bottom line in weathering any disaster. Be prepared to move data to a DR site on the fly and, if needed, get people to the site to bring applications up so employees can get back to work.
Prepare for zero-day attacks with redundancy, replication, continuity, and high availability. What they all bring to the table is speed.
Virtualization may be the best thing to ever happen to BC/DR, followed closely by public cloud services. "You don't need a lot of hardware at your DR site," said Dan Lamorena, director of product marketing for Symantec. Heck, you don't even need a site. We profiled 13 cloud storage vendors in our InformationWeek Buyer's Guide to Cloud Storage, Backup, and Synchronization. And we discuss cloud-based BC/DR in depth in our research report, which explains how pairing internal virtualized apps with cloud-based virtual machines allows even small enterprises to achieve seamless recovery affordably. A side benefit is that the data center facilities these providers use feature top-of-the-line security technologies and staff.
One zero-day threat that keeps Hykes up at night: attacks that take advantage of authorized interactions with the system. That's because these are permitted, expected behaviors. Still, there is a bigger threat, one that's plagued BC/DR programs for decades. "The worst enemy of application security is neglect and a lack of day-to-day operations," said Hykes. The answer: frequent testing and updating of processes and documentation.
Finally, look at the tools at your disposal to recover from zero-day attacks, and fill in where it makes sense. Hykes' team uses rsync for snapshot backups and recovery along with open source software and a lot of homegrown tools in its 100% Linux-based shop. Oh, and the cloud: "A lot of our stuff is in the Amazon EC2 cloud," he said. "We have a separate, spare cluster available that we can spin up quickly in the event of an attack."