1. DISASTER RECOVERY PLAN FOR DATA RECOVERY FROM A CYBERATTACK
BY: JAMES BOHL, NISHEETH AGRAWAL, SATISH LAKSHMANAN, AND STEVE REED
Team 1
Bullseye Corporation
B
Corp.
Bullseye
2. DRP – PURPOSE AND SCOPE
The purpose of this DRP is to provide a detailed guide for the DR team and other teams who may be involved.
The scope of this DRP is cyber attacks on customer and employee data.
Some data is encrypted, thus reducing the risk:
Customer general information – no encryption
Customer login, credit card information – encrypted
Employee general information – not encrypted
Employee personal information – encrypted
3. DR PLAN OBJECTIVES
Identify the risks of a systems security attack
Define teams
Provide recovery procedures, including recovery checklists for cyber-attacks
Provide company policies for disaster recovery
Have the right tools for our teams to do the appropriate tasks
4. ASSUMPTIONS
Various teams are already created; they are identified and addressed in this document
Corporate management structure is identified in other documents
Network plan and security detail, as well as “how to protect”, are documented in other documents that are available to DRP teams
5. INCIDENT – DISASTER ESCALATION PROCESS
Incident Response Team (IR Team): an incident is escalated to a disaster after IR team assessment.
The IR Team notifies the Disaster Recovery Team (DRT) of the declared disaster. The DRT evaluates the disaster independent of the IR plan.
Decision point: is the disaster caused by an EXTERNAL source?
NO (INTERNAL): assign the task to the Internal Disaster Team (IDT), which reports to the Human Resources (HR) department.
YES (EXTERNAL): assign the task to the External Disaster Team (EDT), which reports to the Public Relations (PR) department.
EDT activates the DRP. Stop the attack: isolate, quarantine, shut down the breached access.
6. DISASTER RESPONSE PHASES
Phases shown in the diagram: RESPONSE PHASE, RECOVERY PHASE, RESUMPTION PHASE, RESTORATION PHASE
Activities shown across the phases:
Initial assessment
Manage communications with employees & stakeholders
Contain damage: protect the database and secure the network
Continue planning for restoration
Identify additional needed resources
Finalize implementation of primary functions
Initialize implementation of primary functions, i.e. recovery phase, and secondary functions, i.e. hot site
Recover critical business functions
Coordinate data recovery efforts
Acquire resources to replace damaged / destroyed equipment
Evaluate need to implement BC Plan
Restore data at the primary site while the hot site handles critical operations
Restore data from the tapes, both from the backup center and the hot site
Restore normal operations at the primary site
Stand down DR team, conduct after action review
Continue recovery and restoration at the primary site
7. DISASTER RESPONSE
Identify the disaster
Contact proper response team leads
Contain the disaster as much as possible
Conduct damage assessment once contained
Determine the resources and immediate funding needs
Update the management team regarding damage
Contact recovery and restoration teams
8. DISASTER RESPONSE
Begin evidence collection (Forensics team only)
Eradicate the vulnerabilities and backdoors that may have caused the disaster
Begin system cleanup and data recovery
Document the disaster and any updates to this document
10. DISASTER RECOVERY
By this point:
Infected portions of the system have been sanitized
Vulnerabilities have been corrected
The system has been removed from internet access (the internal intranet is made live if the system is at all functional)
The disaster recovery phase involves getting basic operations up and running to a functional state; the focus is DATA & SYSTEM RECOVERY.
When the system has been breached and data compromised, recovery and restoration of company data along with systems operations are critical.
11. DISASTER RECOVERY
Connect to the DRaaS department over a secure connection
The DRaaS will:
Attempt to recover as much current, undamaged data from the system as possible
Utilize proprietary software designed to repair as much damaged data as possible
Run proprietary diagnostics software on the system to check for damage to the OS and hardware
12. DISASTER RECOVERY
If the system passes diagnostics inspection:
DRT will install additional storage drives if required
DRaaS will:
Restore system operations and applications to a functional state
Transfer recovered and repaired data, along with remaining data from offsite backup storage, to unused (and possibly newly installed) storage drives on the system
13. DISASTER RECOVERY
If the system DOES NOT pass diagnostics inspection:
DRaaS will:
Set up the off-site recovery system’s critical operations and applications (hardware, OS, ERP software, networking, etc.) at the warm site
Transfer recovered and repaired data, along with remaining data from offsite backup storage, to the recovery system at the warm site
14. DISASTER RESUMPTION
Begin the process of resuming the operations
Most critical capabilities during this phase:
Database rebuilding from backup
Network security resumption and repair
The resumption phase occurs in parallel with initial response and recovery
Prioritization of activities in this phase is key
15. DISASTER RESUMPTION
Critical steps:
Establish data backup schedule per corporate procedures
Implement hot site if needed
Brief senior management on hot site activation
Hot site ready for company data operations
Begin repair of critical operations at primary site
Keep workforce / management informed on progress at the primary site
16. DISASTER RESTORATION
[Diagram label: Corrupt Data]
Primary purpose:
Normalize business operations
Return the organization to its pre-disaster state
At end state, data operations and network security may have to change to prevent future disasters
Critical steps:
Data backup from original site and hot site must be restored to the main servers at the primary site; the hot site handles critical operations
Transport backup tapes from the backup center, hot site, and original data farm to the disaster/primary site and restore on new servers
Restored data is backed up; data backup policy in effect
Run queries to ensure all databases are restored
Prepare restoration report
Conduct after action review
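Added worked example for the restoration steps above (not part of the original plan, and not Bullseye's DRaaS tooling): a post-restore verification script that checks each restored database against a manifest recorded at backup time (SHA-256 of the backup image plus expected row counts per table) and then runs COUNT(*) queries inside the restored database, so "Run queries to ensure all databases are restored" becomes a repeatable check with a written report. File names, table names and manifest values are constructed for the example; SQLite stands in for the production database.

```python
"""Post-restore verification for the restoration phase.

Checks each restored database file against a manifest recorded at backup time
(SHA-256 of the backup image plus expected row counts per table), then runs
COUNT(*) queries inside the restored database. Everything here (file names,
table names, manifest values) is constructed for the example; it is not
Bullseye's data or its DRaaS tooling.
"""
import hashlib
import os
import sqlite3
import tempfile


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large backup images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def row_count(db_path: str, table: str) -> int:
    """COUNT(*) for one table; -1 means the table is absent from the restore.

    Table names come from the trusted manifest, never from user input, and are
    double-quoted as SQLite identifiers."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    except sqlite3.OperationalError:
        return -1
    finally:
        con.close()


def verify_restore(manifest: dict, restored_dir: str) -> dict:
    """Return {db_name: [problems]}; an empty list means that database verified."""
    report = {}
    for name, expected in manifest.items():
        path = os.path.join(restored_dir, name)
        if not os.path.exists(path):
            report[name] = ["file missing from restored set"]
            continue
        problems = []
        if sha256_of_file(path) != expected["sha256"]:
            problems.append("sha256 mismatch against backup manifest")
        for table, want in expected["rows"].items():
            got = row_count(path, table)
            if got != want:
                problems.append(f"table {table}: expected {want} rows, found {got}")
        report[name] = problems
    return report


def build_demo(restored_dir: str) -> dict:
    """Constructed restore set: one intact DB, one damaged after the manifest
    was recorded, and one that never arrived from the backup center."""
    manifest = {}
    for name, rows in (("customers.db", 3), ("employees.db", 2)):
        path = os.path.join(restored_dir, name)
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT)")
        con.executemany("INSERT INTO records (name) VALUES (?)",
                        [(f"row{i}",) for i in range(rows)])
        con.commit()
        con.close()
        # The manifest is recorded at backup time, before any damage.
        manifest[name] = {"sha256": sha256_of_file(path), "rows": {"records": rows}}
    # Simulate a corrupt/partial restore of employees.db: a row is lost.
    con = sqlite3.connect(os.path.join(restored_dir, "employees.db"))
    con.execute("DELETE FROM records WHERE id = 1")
    con.commit()
    con.close()
    # orders.db was in the backup set but is missing from the restored directory
    # (placeholder hash; the file does not exist).
    manifest["orders.db"] = {"sha256": "0" * 64, "rows": {"records": 10}}
    return manifest


def run_demo() -> dict:
    """Build the constructed restore set in a scratch directory and verify it."""
    with tempfile.TemporaryDirectory() as scratch:
        return verify_restore(build_demo(scratch), scratch)


if __name__ == "__main__":
    for db, problems in run_demo().items():
        print(db, "OK" if not problems else "; ".join(problems))
```

The hash check catches a backup image that was altered or truncated in transit from the backup center or hot site; the row-count queries catch a database that restored cleanly as a file but is incomplete inside. Both results belong in the restoration report, and a database with any problem listed should not be declared restored.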
17. SUMMARY
This DRP guides Bullseye’s efforts to recover from a cyber attack.
Confidentiality, integrity, and availability are key aspects of our managed data to ensure success.
This standard builds confidence in our customers, stakeholders, and employees.
Response Phase: stop the breach; contain the damage.
Recovery Phase: focus on our most critical business functions and assets; immediate recovery of databases and their proper security.
Resumption Phase: determine move or no move to hot site; initiate move if needed; regain primary and secondary business functions.
Restoration Phase: merge data from hot site and original site into a single database.
IMPORTANT: keep employees informed throughout the disaster recovery process.