Disaster Recovery In The APT Age

Does your resiliency plan take into account both natural disasters and man-made mayhem? If the CISO hasn't signed off, assume the answer is no.

Michael Cobb, Founder, Cobweb Applications

November 7, 2014


Download Dark Reading's November Tech Digest on disaster recovery, distributed in an all-digital format (registration required).

They say it's an ill wind that blows nobody any good, and more extreme weather, more fear of terrorist attacks, and more dependence on data have certainly been a boon to the disaster recovery industry. The DR-as-a-service market alone is forecast by MarketsandMarkets to be worth $5.77 billion by 2018.

Don't take all that spending to mean we're ready to cope with anything that comes our way, though. Seventy-three percent of companies are failing at disaster readiness, the Disaster Recovery Preparedness Council's 2014 annual report concludes. InformationWeek's 2014 Backup Technologies Survey shows just 23% of respondents extremely confident that they could get their businesses up and running again in a reasonable time frame after a major disaster that takes out the main data center.

Not to pile on, but these figures would be worse if they took cyber attacks into account. Business continuity plans focus mainly on preparing for natural disasters and destructive man-made events, like a fire or bomb blast. Yet the annual impact of cyber events worldwide is estimated at $400 billion, much of it associated with the inability of the victims to continue operations.

Is having your data locked up by ransomware really less of a problem than a fire destroying servers?

It can be worse, in fact, in terms of public perception. When a major disaster such as Hurricane Katrina hits, there is a certain amount of public sympathy for businesses caught in the ensuing chaos. Companies that fail to handle cyber attacks are often viewed as careless or incompetent. Lost trust is much harder to rebuild than lost data is to restore, so companies need to put targeted cyber attacks on the list of catastrophes from which they can bounce back.

Yes, you're almost certainly a target
Many IT organizations assume that only government agencies and big players in certain industries, such as pharma research or defense, are at risk from targeted attacks. Reports from security firms including Mandiant and Arbor Networks suggest otherwise. More than 20% of respondents to Arbor Networks' Worldwide Infrastructure Security Report say their enterprises experienced an advanced persistent threat (APT) attack. That puts the likelihood of an APT above that of fire or flood, and above that of a violent storm even for organizations in a high-risk region such as Tornado Alley.

Business continuity planners need to consider two types of targeted attack: high-profile, publicly visible assaults, such as distributed denial-of-service and DNS attacks; and the APT, which is designed to stay invisible and requires a different strategy to thwart.

The main drivers of high-profile attacks are hacktivism, extortion, and vandalism, and those behind them range from nation states and cyber criminals to hacktivists, extremists, and the employee or man in the street with a grudge. This range of motivations makes any organization a potential target.

Mandiant's 2014 Threat Report says the list of potential APT targets also has increased because information about how businesses work and make decisions has been added to the list of intellectual property worth stealing. This means contents of email accounts, appointment details, meeting minutes, budgets, human resources records, policies, and procedures are all reasons a company could become an APT target.

Attackers also target small businesses as a first step toward attacking one of their customers, much as Target was compromised via a contractor. Law firms that hold confidential merger-and-acquisition information and sensitive intellectual property are an obvious example.

One reason few companies include such attacks in their business continuity planning is that estimating the likelihood of a targeted cyber attack -- and the impact it would have on the business -- is not as straightforward as calculating for natural disasters.

Yet the general process is the same: risk assessment, business impact analysis, plan development, testing, activation, and maintenance.

If a risk assessment concludes that a targeted attack is a realistic threat, the next step is to decide whether it merits inclusion in the business continuity plan. That decision happens by completing a business impact analysis (BIA).

The impact of visible targeted attacks is relatively straightforward to calculate: dollars lost per minute of downtime, which is a real and measurable cost to the business, plus the hit to productivity and the reputational damage. The potential impact of an APT is far harder to quantify because it rests more on conjecture.

To read the rest of this story,
download Dark Reading's November Tech Digest on disaster recovery.

About the Author

Michael Cobb

Founder, Cobweb Applications

Michael Cobb, CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator.

