Ruslan Rakhmetov, Security Vision
With the growing number of cyber attacks in the mid-2010s, the cyber security community came to a logical conclusion: not every cyber incident can be prevented, because attackers' tools and capabilities keep improving while defensive measures often fail to keep pace with the changing threat landscape. This led to a second, less comfortable observation: defence, detection and prevention strategies had by then been described and studied in great detail, whereas cyber incident recovery plans had not, with their guidance scattered across various documents and recommendations. As a result, in December 2016 NIST published NIST SP 800-184, Guide for Cybersecurity Event Recovery, which sets out recommendations for business continuity and recovery from cyber incidents, including the development of response and recovery plans, guidance and playbooks, as well as metrics for assessing the effectiveness of the recovery process. This document is what we will be familiarising ourselves with in this publication.
The NIST Cybersecurity Framework lists five core functions for managing cyber security risk: identify, protect, detect, respond and recover. It is the recovery function that is critical to a company's resilience to cyber attacks: it not only brings the infrastructure back to a known-good operational state (not simply the state before the attack, which may still contain the weakness the attacker exploited), but also improves all IS processes through post-incident analysis of the intrusion and subsequent tuning of every cyber security phase to limit potential damage and reduce the likelihood of similar incidents in the future.
The recovery planning phase plays a key role in ensuring a company's cyber resilience. Recovery planning should be incorporated into the overall IS management system and integrated with the other cyber security processes. For example, recovery planning helps map the relationships between assets and business processes, define key employee roles, agree in advance on alternative communication methods, services and facilities, and conduct what-if analyses to model cyber incidents and prepare the corresponding response scenarios (playbooks). NIST SP 800-184 also stresses that the cyber incident recovery plan should be embedded in the corporate Business Continuity / Disaster Recovery (BC/DR) programme, and that the interdependencies between systems, assets and business processes should be reflected in Business Impact Analysis documents, Service Level Agreements / Operational Level Agreements (SLAs/OLAs), and system interdependency maps. The document also highlights the importance of asset inventory and categorisation for prioritising recovery actions, the need to observe the applicable technical, operational, legal and regulatory requirements during recovery, and the importance of understanding the boundaries of information systems, the trust relationships between them, and the access rights of entities within the infrastructure.
The recovery plan is part of the cyber incident response plan, focused on recovery from an IS incident, and includes key provisions such as:
1. Service Level Agreements (SLAs) with cyber incident response service providers (MDR, Managed Detection and Response) or MSSPs (Managed Security Service Providers) to which part of the IS functions are outsourced;
2. A document containing the contact information of the company executives who have the authority to activate the recovery plan;
3. A document containing the contact details of the company's responsible employees who are to carry out the recovery plan activities;
4. A document describing detailed procedures for restoring information systems, with all technical details, connectivity diagrams, and the methods for activating alternative (backup) means of keeping dependent business processes operational;
5. Backup communication methods and channels that team members can use during recovery actions, on the assumption that the primary communication methods and channels may be controlled or substituted by the attackers;
6. A communications plan that includes specific notification or escalation procedures for particular information systems (e.g., if contractors or customers need to be notified when a system supporting them fails);
7. A document specifying where backups of critical data are stored and describing how they will be deployed;
8. A document describing the alternative actions to be taken if data cannot be restored in the normal way within the regulated time;
9. A document for notifying employees of the addresses of backup offices and data centres in case the main ones fail;
10. Data on the infrastructure, hardware and software used during the recovery of core systems and services.
As part of its description of the recovery planning phase, NIST SP 800-184 also provides the following recommendations:
1. Identify and document a list of the key personnel responsible for defining recovery plans and parameters;
2. Develop detailed recovery plans that prioritise recovery objectives, and use these plans to develop recovery processes and procedures that restore infrastructure elements in a timely manner. The plans should describe technical and organisational actions involving people, processes and technology. It is recommended that as many recovery procedures as possible be automated to speed them up and reduce human error, which can be achieved, for example, by means of IRP/SOAR systems;
3. Develop, implement and test plans outlining the recovery processes, based on corporate requirements, to ensure operational collaboration and the recovery of services affected by a cyber incident;
4. Develop and document the conditions for launching the recovery plan, the list of individuals authorised to launch it, and the method for notifying the responsible employees who will directly perform the recovery actions;
5. Define checkpoints at which the recovery objectives are verified, so that further actions stop once the intended results have been achieved;
6. Adjust cyber incident detection and response policies so that recovery procedures do not undermine them (for example, by inadvertently alerting attackers to the actions being taken, or by destroying forensic artefacts on affected devices);
7. Develop a cyber incident recovery communication plan, and apply its provisions in the recovery policies and procedures;
8. Clearly describe the goals and boundaries of communication, including the rules and methods for communicating information, and specify how meaningful information about the cyber attack and the recovery will be shared with stakeholders as part of cyber threat intelligence sharing.
To continuously improve the cyber incident recovery process, NIST SP 800-184 recommends the following actions:
1. Collect feedback on the recovery plans and procedures from the responsible personnel involved in the recovery process;
2. Perform regular drills and tests of the recovery procedures, documenting the results in order to improve the recovery process;
3. Conduct in-depth post-exercise analyses to identify errors, adjust the recovery plans and procedures, and raise staff proficiency;
4. Continuously adjust and improve recovery policies, plans and procedures based on post-incident analysis data;
5. Identify deficiencies and defensive weaknesses in technology, processes and people when analysing the results of completed recovery actions;
6. Regularly validate the capabilities of the recovery procedures based on input from the responsible employees and the results of drills and tests;
7. Thoroughly document all recovery challenges so that they can be revisited later.
To measure the effectiveness of cyber incident recovery processes, the authors of NIST SP 800-184 recommend the following metrics:
1. Financial loss from reduced competitiveness when sensitive information is disclosed;
2. Penalties and legal costs;
3. Software, hardware and human resource costs of performing recovery actions;
4. Financial damage due to business process downtime, reduced work efficiency and unconcluded contracts;
5. Reputational damage and reduction of the customer base;
6. Frequency and scope of testing and training on recovery procedures;
7. Number of significant cyber incidents that were not considered in the cyber risk assessment;
8. Number of unaccounted-for assets and links between assets;
9. Number of deficiencies identified during testing and training on recovery procedures that can be used to improve the company's IS processes;
10. Number of business process disruptions caused by IT infrastructure failures;
11. Percentage of company executives satisfied with SLA compliance during recovery;
12. Percentage of IT services meeting their availability (uptime) targets;
13. Percentage of successful and timely restores from backups;
14. Number of restores that met their recovery time objectives (RTO) and recovery point objectives (RPO).
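The last two metrics are only meaningful if RTO and RPO are measured consistently across restores. The following Python snippet is added here as an illustration; it is not part of NIST SP 800-184 or of the Security Vision product. It evaluates a set of restore records against their objectives using the usual definitions: RTO is measured from the start of the outage to the completion of the restore, and RPO from the last good backup to the start of the outage (the data-loss window). The record fields, the sample data and the rule that rejects a backup taken after the outage began are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RestoreRecord:
    """One attempted restore of a system (field names are assumed for this example)."""
    system: str
    outage_start: datetime                 # when the service failed or was declared compromised
    last_good_backup: datetime             # timestamp of the backup actually used for the restore
    restore_completed: Optional[datetime]  # None if the restore failed
    rto: timedelta                         # Recovery Time Objective for this system
    rpo: timedelta                         # Recovery Point Objective for this system


def meets_rto(record: RestoreRecord) -> bool:
    """RTO is met when the service is back within `rto` of the outage start.
    A failed restore never meets its RTO."""
    if record.restore_completed is None:
        return False
    return record.restore_completed - record.outage_start <= record.rto


def meets_rpo(record: RestoreRecord) -> bool:
    """RPO is met when the data-loss window (outage start minus last good backup) is within `rpo`.
    A backup taken after the outage began is rejected because it cannot be assumed clean;
    this rule is an assumption of the example, not a requirement of SP 800-184."""
    if record.restore_completed is None:
        return False
    if record.last_good_backup > record.outage_start:
        return False
    return record.outage_start - record.last_good_backup <= record.rpo


def recovery_metrics(records: List[RestoreRecord]) -> Dict[str, float]:
    """Aggregate the backup/restore metrics over a set of restore records."""
    total = len(records)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    successful = sum(1 for r in records if r.restore_completed is not None)
    rto_met = sum(1 for r in records if meets_rto(r))
    rpo_met = sum(1 for r in records if meets_rpo(r))
    both_met = sum(1 for r in records if meets_rto(r) and meets_rpo(r))
    return {
        "total": total,
        "successful": successful,
        "successful_pct": pct(successful),
        "successful_and_timely_pct": pct(rto_met),  # "timely" = completed within RTO
        "rto_met": rto_met,
        "rpo_met": rpo_met,
        "met_both_objectives": both_met,
    }


# Constructed sample data for the example (not real incident records).
T0 = datetime(2024, 3, 1, 8, 0)   # a single outage start shared by all systems
H = timedelta(hours=1)
SAMPLE_RECORDS = [
    # restored in 2.5 h against a 4 h RTO, from a 6 h old backup against a 24 h RPO: both met
    RestoreRecord("web-frontend", T0, T0 - 6 * H, T0 + 2.5 * H, 4 * H, 24 * H),
    # restored in 3 h, but the newest usable backup was 31 h old: RTO met, RPO missed
    RestoreRecord("orders-db", T0, T0 - 31 * H, T0 + 3 * H, 4 * H, 24 * H),
    # took 8 h against a 6 h RTO, backup exactly 1 h old against a 1 h RPO: RTO missed, RPO met
    RestoreRecord("erp", T0, T0 - 1 * H, T0 + 8 * H, 6 * H, 1 * H),
    # restore failed outright: counts against both objectives
    RestoreRecord("file-share", T0, T0 - 12 * H, None, 8 * H, 24 * H),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.system:14s} RTO met: {str(meets_rto(r)):5s} RPO met: {meets_rpo(r)}")
    print(recovery_metrics(SAMPLE_RECORDS))
```

Two design points are worth noting. The data-loss window is measured back from the outage start, not from the restore completion, because data written after the outage began never reached a trustworthy backup anyway. And a failed restore is counted as missing both objectives rather than being dropped from the denominator, so that metric 13 cannot be improved by quietly excluding failures.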