When even your defense-in-depth approach to cybersecurity cannot prevent threat actors from infiltrating your network, incorporating a recovery-in-depth approach can help you get back to business with minimal losses. To illustrate this approach, here's a tale of two real ransomware attacks, carried out by the same ransomware group in February 2022:

Company A was impacted by Hive Ransomware. They stored their backups online. Unfortunately, threat actors deleted the backups, making it impossible to avoid paying the high ransom. Total loss for Company A? $480,000.

Company B was also affected by Hive Ransomware. Their recovery plan included offline backups and therefore, they were able to restore their network easily without paying the ransom. Total loss for Company B? $61,000.

The lesson: Your recovery plan matters

According to the Coalition 2022 Cyber Claims Report, ransomware claims frequency increased 23% in the second half of 2021, and policyholders saw a 20% increase in ransomware demands averaging $1.8 million. As such, organizations are implementing more thorough risk management programs to address the persistent threat of ransomware. One type of mitigation tactic to minimize the cost and disruption of ransomware, companies need to act as if a ransomware attack is highly likely and adopt a defense-in-depth posture. But even organizations with a strong defense-in-depth approach can experience a damaging breach. There are no silver bullets in cybersecurity. In these instances, having a thorough recovery-in-depth program alongside your insurance coverage could be the difference between a minor inconvenience for your business, and paying a ransom with significant business interruption loss.

Building a recovery-in-depth plan

Here are five steps to implementing a strong recovery-in-depth approach:

1. Create an incident response plan specific to your business — and test it It’s never a bad idea to prepare for the worst. A good incident response plan will outline how your organization will respond to a breach in four key event stages:

Detection is the initial assessment and triage of security incidents on your core systems. If a breach is detected, this stage includes escalating the issue to assigned business stakeholders and assigning an incident priority level. A thorough plan will include steps to follow based on priority level.

Analysis of the incident’s impact will help properly prioritize the additional response actions required to minimize the loss. In this stage you’ll want to begin evidence preservation and containment activities while moving forward with initial recovery activities. Better data logging and retention capabilities can assist with more clear visibility of an adversary.

Recovery involves taking the severity of the incident into consideration and mitigates the impact by finishing containment and eradication activities. During this phase, activity often cycles back to detection and analysis. For example, while eradicating a malware incident, you may also run additional detection and analysis processes to see if additional hosts are infected by the malware. Set a recovery time objective in your incident response plan and identify forensic vendors if you don’t have appropriate in-house resources. If executed properly, the end of this stage results in a network that is restored to its pre-compromise state.

Post-incident actions should also be laid out in your plan, including how to issue a report to key stakeholders that details the root cause and total cost of the incident. This report should also outline steps the organization should take to prevent this type of event from reoccurring. The most important part of this stage of recovery is learning lessons to improve your defense-in-depth, and recovery-in-depth for next time.

2. Collect security data that allows you to detect and respond to threats quickly In order to perform proper analysis and get to the root cause of what allowed the breach, reliable logging systems must be in place to collect the right data. This can include EDR logs, firewall logs, web logs, etc. You cannot retroactively collect this data, and without it you cannot truly understand what happened. Restoring blind could lead you to another compromised state. With higher quality data, you’ll be able to paint a more accurate picture, which should make it easier to identify what was compromised. Start with network and host-based log collection. Network logs will help you identify where the adversary deployed the ransomware as they traveled around your network.

3. Analyze the data

With the data you’ve collected, you can build the story or timeline of what happened in your network. The analysis process will help you determine the extent of the breach, which machines are hosting sensitive data and need to be analyzed first to minimize loss. Once the attacker foothold is cut off, deploy backups based on which avenues may be blocked by the ransomware event. Deploying backups to recover the most critical information will help resume operations. Make sure to pull in any supportive external partners such as your cyber insurer and privacy attorney who can provide direction on who needs to be notified based on liability requirements.

4. Take steps to recover data to resume business as normal

During the recovery process, you will take everything you’ve learned through the analysis and execute the recovery process. This often includes deploying backups, re-imaging machines, notifying customers or stakeholders, and working with incident response firms to avoid recovering to a compromised state.

5. Post-incident reflection of lessons learned

Your incident response plan is a living document. After a cyber event, update the plan to better address the challenges your organization faced during recovery. General lessons learned from Coalition policyholders include:

1. Find the root cause of the incident

2. Ensure backups can be deployed

3. Rearchitect the network to limit damage

4. Establish a plan to keep servers updated

For organizations without cyber insurance, adding coverage is often the first lesson learned.

Stop ransomware in its tracks

The goal of recovery-in-depth is to stop the attack before it spreads too far and Coalition is here to help. Our Active Insurance is just one way that we can help you build your defenses and strengthen your protection. To receive a free risk assessment that outlines your organization’s cyber risk profile, reach out to Coalition.