Welcome to the Pell. No out to a network Cyber Security Academy, Secure Business Systems Administration Cyberattack Lifecycle Restoration presentation.
While complete restoration of business operations and services does occur in the re mediation phase of the Cyberattack Lifecycle management plan, the restoration process actually begins as soon as an attack is detected
during a cyberattack. Cybersecurity administrators need to quickly detect and protect Resource is that are affected by the attack.
Removing services offline is one step forward in protecting an eventual restoration.
Once a response playbook has been consulted
and the first stage of the attack has been mitigated, then the cyber security administrative stakeholders need to work together and plan a restoration sequence of events
in most incidents. Events would happen in the following sequence. First attack detection, second event classifications, third communications and forth response.
However, as aforementioned response, events may begin immediately upon attack detection,
so attack detection can begin by looking at anomalies or unusual activities and then applying additional inspection reviewing logs an additional monitoring to gauge the scope of the attack.
At the detection phase, testing an inspection of normal business operations should also be performed in all areas, even those that do not seem to be adversely affected.
It could be a big mistake to assume that the attack scope is focused and limited to just one set of resource is
any available resource is that can be easily taken off line should be quarantined then Backup processes for all critical operations should be performed as soon as possible.
An incident response plan should serve as guidance for deterring the attack.
At first, detection of words need to be sent to members of an incident response team and also to any business stakeholders whose re sources are affected.
Resource is that are targeted should be taken off line as soon as possible and then, as more information is gathered, declassification for the attack and determine the scope of what needs to be performed.
If an attack escalates, so should the classifications.
No attempts to restore services should be performed until the full scope of the attack is determined.
It's important that response team efforts are coordinated when responders start to act independently. Their response efforts can be fractured, conflicting and ineffective.
Communications with external partners and stakeholders should be performed as soon as possible. But Onley when a unified message can be delivered.
Human resource is legal and other managerial teams should coordinate and approve any messages to outside parties.
An incident response plan should have instructions for rapid re mediation.
Rapid re mediation could be a focused restoration for only a small partial set of affected resource is, but should also consider prioritizing the most critical set of business operations and services.
Forensic measures should also be clearly identified in any rapid re mediation response.
Restorations should not interfere with any collection of evidence
during restoration processes. Stakeholders should receive status updates as to which restoration measures have been performed and how systems testing is progressing if possible, or restoration, timeline should also be communicated.
The severity of an incident, as outlined by classifications that are described in the Incident Response Plan, should dictate the membership of the response team and who will receive notification and updates as re mediation proceeds.
The business response team should be fully consulted before any delivery of any public notifications.
Administrators who have worked through a cybersecurity attack will attest to the difficulties of crafting proper responses and re mediation.
Critical information is often discovered after a response has been put into place and the gathering of data and evidence related to into attack can be delayed and fragmented.
An enterprise security solutions such as Palo Alto Networks Cortex XDR can dramatically limit the effects of a cybersecurity attack by providing a deep set of metrics in real time. Security administrators then can use that data to determine a more focused and accurate response
in significantly reduced response times.