Most organisations are still insufficiently prepared for a possible compromise of their Information System, leading to its destruction. Taking this risk into account right from the project design stage will enable them to significantly strengthen their resilience capabilities.
On 17 April, the ANSSI published the first doctrinal documents concerning remediation, which is defined as the project to regain control of a compromised information system. These documents are the fruit of the Agency’s experience in supporting victims of security incidents.
This corpus consists of three sections: a strategic section, an organisational section, and a technical section. Currently, the technical section focuses on the remediation of tier 0 of the Active Directory, or core of trust. This section will be supplemented with additional documents in the future to enhance its content.
The approach proposed by ANSSI (E3R) is divided into three stages:
- Containing the attacker
- Evicting the intruder from the heart of the IS
- Eradicating the adversary’s strongholds
These stages are illustrated by three typical remediation scenarios, each more ambitious than the last, the choice between them depending on how urgently services must be restarted and on the cost of the long-term damage caused by the attack:
- Restore vital services as quickly as possible
- Regain control of the IS
- Seize the opportunity to prepare for long-term control of the IS
The publication of this corpus is a timely step in the reflections and projects currently being carried out by many public and private players, with a view to strengthening their resilience in the face of a successful cyber-attack that would compromise or even destroy their Information System on a massive scale.
In practice, the time required to establish a proven remediation system extends over several years for most players, rather than just months. This timeframe may be out of sync with the evolving threat landscape and the regulatory deadlines imposed on certain entities.
There are several reasons for this, which vary from one player to another. However, there are three key factors which contribute to this variation:
- Awareness of cyber risk is growing; however, many decision-makers still lack adequate understanding. Balancing immediate priorities with long-term preparation in the face of potential compromises often leads to difficult decisions regarding the allocation of valuable human and financial resources.
- The interruption of an organisation’s activities following an IT disaster has historically been dealt with using Disaster Recovery Plans. Their advantages and limitations in terms of remediation are still poorly understood within organisations:
  - Depending on the recovery principles adopted, they may offer advantages in terms of IS recovery sequencing know-how (similar to an electrical shutdown/restart), capabilities for unitary and grouped reconstruction, restored data resynchronisation and reconciliation, among others.
  - Remediation efforts can leverage this know-how, provided it has not been lost because of the adoption of new solutions (e.g., active/active backup) or because a ‘debt’ in terms of maintaining operational conditions and DRP exercises has built up.
Nonetheless, these plans also have significant limitations. Their architecture relies on technical interconnections and data replication with backup infrastructures, which can inadvertently propagate compromises. Furthermore, while their relevance is proven in a deterministic context (where a given disaster corresponds to a given solution and plan), their effectiveness becomes much less certain when confronted with the diverse characteristics and possibilities of evolving cyber-attacks.
This calls for a hybrid approach involving operational, DRP and cyber resilience players. This can be facilitated or hindered depending on the governance that has been put in place between these populations.
To accelerate the necessary rise in maturity of players on the subject of IS remediation following a cyber-attack, several approaches can be considered. Four potential strategies are outlined below, each of which is then explained in more detail:
- Helping decision-makers to understand the specific nature of cyber risk;
- Anchoring “compromise by design” in everyday life;
- Having several remediation options at your disposal;
- Sharing and capitalising on feedback.
Helping decision-makers understand the specific nature of cyber risk
The vast majority of players do not totally rule out the possibility of being vulnerable to a successful cyber-attack that would paralyse their activities through the logical destruction of their IT assets.
On the other hand, a significant proportion of players have not yet grasped the fact that their existing IT backup resources are rarely adapted to the specific characteristics of this type of attack. A cyber-attack can jeopardise the availability and non-compromise of operating and administrative resources, right down to the workstations of those involved in IS recovery. The timeframe for remediating an Information System (IS) that has suffered extensive destruction due to a cyber-attack is typically considerably longer compared to the recovery time communicated to the business in the event of a physical disaster.
A number of players have not yet fully assessed the impact of the cyber threat on their ecosystems, for example:
- If their first-tier IT service providers (outsourcer, cloud service provider, etc.), or even higher-tier providers, are themselves affected by a successful destructive attack;
- If a player is the victim of a cyber-attack, whether proven successful or not, its partners who have knowledge of the attack will be able to isolate it unilaterally for protection purposes.
The awareness of an organisation’s decision-makers of the cyber risk, its systemic implications and the impact on its business must be developed. In the financial sector, the DORA regulations, or their equivalents in certain non-European countries, as well as the stress tests announced by the European Central Bank for 2024, should contribute to this.
For many decision-makers, the risk of cyber destruction is described in overly technical terms. Unlike compliance issues such as the RGPD (GDPR), which can be understood by the uninitiated, this risk is perceived as a matter for technical experts. Nevertheless, the subject is increasingly being addressed at executive committee level, for example through the presence of the CISO on the Executive Committee and/or through external speakers with experience in raising the awareness of senior management.
Anchoring “compromise by design” in everyday life
By considering the possibility of an IS compromise that could result in its destruction and incorporating this perspective from project design to operational activities, the resilience capabilities of the IS can be significantly bolstered.
From the earliest stages of a project, the business units can be called upon to identify and evaluate, with the support of the technical teams, cyber-resilient design solutions. These may include:
- Using suppliers of nominal solutions that are technically independent of the organisation’s IS, so that its activities are not based exclusively on its IS;
- Hosting and operating backup solutions outside the organisation’s IS;
- Using cyber-resilient architecture models based on an on-premises catalogue or hosted in the Cloud. These models are also designed to allow their resilience to be tested while limiting the impact of tests on production;
- Designing projects that enable operation in degraded mode via:
  - Periodic extraction of business data in office format, outsourced and protected in an external file storage service;
  - The ability for applications (and services such as restoration) to operate without certain cross-functional services such as the AD authentication repositories, for example via local backup accounts;
  - Drawing up degraded business procedures based on degraded IS resources such as those defined above.
In addition, the appropriateness of certain practices, although incompatible with the objectives of standardisation and industrialisation, can be considered at the technical design stage, in particular:
- Encouraging diversity of technologies to limit the exploitation of a vulnerability.
- Limiting the dependency of applications on cross-functional information systems, so that they can be rebuilt and made operational more quickly.
During the acceptance phase, business operations in degraded mode and the ability to rebuild an application can be systematically tested before going into production. This test can be reviewed if necessary for each major change. It should be reiterated periodically through exercises that will enable remediation capabilities to be tested and enhance the skills of the various operational players.
Moving beyond the project phase, integrating asset reconstruction practices into Business As Usual (BAU) operations gives a larger number of participants a better command of these practices, which then pays off in the event of remediation, for example:
- Reconstruction, once or twice a year, using non-IS resources (e.g., Cloud services or off-line resources), of workstations used for administrative tasks and/or critical activities;
- Reconstruction, once a year, of infrastructures essential to the recovery of the IS (e.g., restoration infrastructures, core of trust, virtualisation base, etc.), to be determined on the basis of the threat and risk analysis;
- Development of CI/CD practices on a daily basis, particularly in Cloud environments, in order to automate the recreation of servers to apply changes to them, such as version upgrades or patches.
Finally, keeping the IS map (including its interconnections with partners and the Internet) and its interdependencies up to date daily is a key factor in remediation, which must be supported by appropriate processes, tools (cyber-resilience) and controls.
Having several remediation options at your disposal
Given the difficulty of predicting the course of a cyber-attack and the evolution of its impact in advance, the preparation of a plan requires a balance to be struck between two excesses:
- Developing reconstruction solutions tailored to too few attack scenarios, with the inherent risk of deadlock,
- Or, on the contrary, seeking to cover all possible scenarios, at the cost of a significant loss of efficiency.
An updated risk analysis of possible attack scenarios, based on a threat watch, makes it possible to prioritise those to be covered, such as those with the highest probability of success and the greatest impact in the context of the organisation.
This analysis makes it easier to identify the assumptions that will be used as inputs to the development of plans. For example:
- Just a year ago, planning for the industrialised reconstruction of the virtualisation layer of physical servers did not appear to be a necessity for most players, but it has now been identified as essential.
- The destruction of Cloud resources through the compromise of access to the tenant (master accounts or API access) or even the compromise of the Cloud provider itself, appears to be a new risk that needs to be considered in the Cloud resilience strategy of several players.
Once the working hypotheses have been chosen or ruled out (e.g., the types of components and technologies impacted, the residual capacities of the malicious code once its means of interacting with the attacker have been cut off, etc.), it is possible to assess the relevance of the various possible means of reconstruction and to prioritise the work more effectively. Possible means of reconstruction include:
- Restoring systems and/or business data from backups, if necessary in an isolated environment (e.g., from snapshots, offline or “immutable” backups);
- Cleaning up restored environments that may have already been compromised when they were backed up (e.g., using antivirus software for office files and systems that may have been compromised, using an EDR on systems that have been restarted in an isolated environment, or using solutions that can clean up the backed-up image of a virtual server directly);
- Reinstalling compromised technical layers (e.g., OS, middleware, etc.);
- Rebuilding virtual infrastructures from code (e.g., Terraform, etc.);
- Adopting strategies and solutions that can cover both the risk of a conventional disaster and a cyber disaster (e.g., a backup IS that is independent of the nominal IS, with business data refreshed by a device that maintains strict technical isolation between the two).
This assessment should lead to the development of a “catalogue” of remediation methods, the application of which should be contextualised at the time of the attack. As a complement to each reconstruction solution in the catalogue, the identification of an alternative – perhaps less industrialised – solution will enable us to deal more effectively with the vagaries of the attack context.
Sharing and capitalising on feedback
To gain maturity and efficiency in remediation more quickly, market players benefit from capitalising on the experience of others.
This may involve capitalising on:
- Studies, such as the body of doctrine published by ANSSI;
- Direct exchanges with peers or via third parties;
- Working groups in which its ecosystem of partners will be represented if possible.
The feedback to be sought can relate to the specificity of the cyber context in remediation but also to more traditional aspects linked to the reconstruction of an IS such as:
- The methods and approaches used;
- Proven market solutions (beyond promises);
- Performance achieved (reconstruction times);
- Logistical and HR aspects (similar to crisis management);
- More functional aspects such as data reconciliation, following different restoration points and lost flows with third parties.
Other articles on the subject of remediation:
Next on https://www.riskinsight-wavestone.com/: workstation remediation