Expert Commentary

Cyber-Security Event Recovery Plans

In December 2016, the National Institute of Standards and Technology (NIST) published a guide on cyber-security event recovery that provides information about developing a recovery plan in the form of a customized playbook before a cyber-event, as well as examples of recovery plans for a ransomware attack and data breach. This article sets forth items that can be included in a playbook.


Cyber and Privacy Risk and Insurance
February 2017

While the NIST Guide for Cybersecurity Event Recovery applies to US federal agencies, it should be useful to any organization. The guide extends, but does not replace, existing federal guidelines regarding incident response. A cyber-incident response plan should be developed as part of a larger business continuity plan, which may include other plans and procedures for ensuring minimal impact to business functions (e.g., disaster recovery plans and crisis communication plans).

Recovery activities encompass a tactical recovery phase and a strategic recovery phase.

Tactical Recovery Phase

The tactical recovery phase will depend on performing the following actions before and during the cyber-event.

  • Create and maintain a list of the people, processes, and technology assets that enable the organization to achieve its mission (including external resources), along with all dependencies among these assets. The creation of a map or diagram of the dependencies will help in planning the order of restoration.
  • Document and maintain categorizations for all assets based on their relative importance and interdependencies to confidently prioritize recovery efforts.
  • Identify and document the key personnel who will be responsible for defining recovery criteria and associated plans, and ensure these personnel understand their roles and responsibilities.
  • Develop comprehensive plan(s) for recovery that supports the prioritizations and recovery objectives, and use the plans as the basis for developing recovery processes and procedures that ensure timely restoration of systems and other assets affected by future cyber-events. The plan(s) should ensure that underlying assumptions (e.g., availability of core services) will not undermine recovery and that processes and procedures address both technical and nontechnical activity affecting people, processes, and technologies.
  • Develop, implement, and practice the defined recovery processes, based on the organization’s recovery requirements, to ensure timely recovery team coordination and restoration of capabilities or services affected by cyber-events.
  • Ensure that the correct underlying assumptions (e.g., availability of core services, trustworthiness of directory services, or adversary’s motivation is well understood) are made during the initiation of the recovery to prevent an ineffective recovery.
  • Define and document the conditions under which the recovery plan is to be invoked, who has the authority to invoke the plan, and how recovery personnel will be notified of the need for recovery activities to be performed. Additionally, key milestones, intermediate recovery goals, and criteria for finalizing active recovery efforts need to be defined.
  • Ensure initial restoration planning addresses the need for the recovery efforts to be tactical in nature to prevent recovery from negatively affecting the incident response (e.g., by alerting an adversary or by erroneously destroying forensic evidence).
  • Examine the cyber-event to determine the extent that recovery must be carried out, and initiate the corresponding plan for recovery.
  • Develop a comprehensive recovery communications plan while clearly defining recovery communication goals, objectives, and scope, including information-sharing rules and methods. Based on this communication plan, consider sharing actionable information about cyber-threats with relevant organizations, such as those described in the NIST Guide to Cyber Threat Information Sharing.
  • Gather feedback for the recovery plans and capabilities from those stakeholders that will have a role in recovery activities.
  • Formally implement cyber-event recovery exercises and tests at a frequency acceptable to the organization. These events should include realistic objectives with specific roles and responsibilities for exercising and testing recovery capabilities. Based on the results of these recovery activities, the organizations should update cyber-event recovery plans, policies, and procedures. They should also use the information learned from recovery activities to improve the organization’s cyber-security posture, ensuring the ability to meet its mission.
  • Vet recovery capabilities by soliciting input from individuals with relevant responsibilities and conducting exercises and tests.
  • Execute the tailored playbook that has been created during the cyber-event.
  • Continually document issues during recovery so that there is enough information to expand on documentation and improve capabilities later in the recovery process or immediately after recovery is achieved.
  • Implement monitoring for events, signatures, etc. to alert the organization about known malicious behavior. Monitor the artifacts and evidence found during detection and response. This monitoring will extend into the strategic phase.

Strategic Recovery Phase

The strategic recovery phase will depend on performing the following actions before and during the cyber-event.

  • Develop and implement an improvement plan for the organization’s overall security posture based on tactical phase results.
  • Continually execute communications plans to inform appropriate internal and external stakeholders of the progress of the recovery effort. Internal stakeholders should be notified of any improvements that need to be made to people, processes, and procedures, while external stakeholders will need to be notified of any impact to them.
  • Review defined milestones, goals, and metrics gathered throughout the tactical phase. This information can help quantify the effectiveness of the recovery effort and identify areas that need improvement.

Checklist of Playbook Steps for a Cyber-Event

Appendix A to the guide includes the following checklist of steps that should be covered in the playbook for a particular cyber-event.

A.1 Preconditions Required for Effective Recovery

The organization understood the need to be prepared and conducted planning to operate in a diminished condition. The playbook includes the following critical elements.

  • A set of formal recovery processes
  • The criticality of organizational resources (e.g., people, facilities, technical components, or external services) that are required to achieve the organization’s mission(s)
  • Functional and security dependency maps to understand the order of restoration priority
  • A list of technology and personnel who will be responsible for defining and implementing recovery criteria and associated plans
  • A comprehensive recovery communications plan with fully integrated internal and external communications considerations, including information sharing criteria informed by recommendations in the NIST Guide to Cyber Threat Information Sharing

A.2 Tactical Recovery Phase

The following steps summarize the activities of the recovery team in the tactical recovery phase.

A.2.1 Initiation

  • Receive a briefing from the incident response team to understand the extent of the cyber-event.
  • Determine the criticality and impact of the cyber-event.
  • Formulate an approach and set of specific actions.
  • Heighten monitoring and alerting of the network and systems.
  • Understand the adversary’s motivation.
  • Identify the adversary’s footprint on the infrastructure, command and control channels, and tools and techniques.
  • Inform all parties that the recovery activities have been initiated.
  • Utilize all available information gathered to create the restoration plan.

A.2.2 Execution

  • Begin to execute the restoration by validating and implementing remediation countermeasures in coordination with the incident response team and other information security personnel.
  • Restore additional business services and communicate the restoration status with predefined parties.
  • Track the actual time that critical services were unavailable or diminished, comparing the actual outage with agreed-upon service levels and recovery times.
  • Document any issues that arise, any indicators of compromise, and newly identified dependencies.
  • Coordinate with representatives from management, senior leadership, human resources, and legal to discuss appropriate notification activities.
  • Additional recovery steps are initialized, including external interactions and services to restore confidence and to protect constituents.
  • Validate the restored assets are fully functional and meet the security posture required by the organization's security team.

A.2.3 Termination

  • Determine that termination criteria have been met, and declare the end of the tactical recovery event.
  • Stand down recovery team, and have staff return to their normal job functions.
  • Continue to monitor the infrastructure for potential persistency of malicious activities, and inform the incident response and recovery team of any evidence.
  • Finalize the metrics collected during the event.

A.3 Strategic Recovery Phase

The following steps summarize the activities performed during the strategic recovery phase.

A.3.1 Planning and Execution

  • Support the various communication teams as they interact with internal users and public customers.
  • Close the loop with external entities who have been involved during the tactical phase.
  • Develop a plan to correct the root cause of the cyber-event.
  • Implement changes to strengthen the security posture of the organization.

A.3.2 Metrics

  • After recovery is completed, review metrics that were collected.
  • Review achievement of key milestones and assumptions that were made prerecovery.

A.3.3 Recovery Plan Improvement

  • Use lessons learned from the recovery process to enhance the recovery plan.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More