Mare: Ron, three weeks ago, we promised to tell our readers about how NetApp storage can help them save the evidence AND get back to work quickly after their network is hacked. We’re looking like slackers here…
Ron: I know, Mare. What can I say? I’m full of turkey.
Mare: Don’t worry, you’re not alone. So let me tee this up for you: my network is hacked. I’ve had a “cyber incident.” Now what?
Ron: There are several steps you need to follow. First, you verify that an event has really occurred. If an event has really occurred, then you need to determine if it caused physical damage.
Mare: Wait, how can a “cyber attack” cause physical damage? You mean like the computer got beaten up or something?
Ron: Here’s an example: remember the Stuxnet computer worm that was discovered in June 2010? It included a highly specialized malware payload that was designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes. News coverage said that the worm targeted and definitely damaged the Iranian nuclear program, which uses embargoed Siemens equipment procured clandestinely.
Mare: I’m sorry, I don’t follow. How did that cause “physical damage?”
Ron: Well, the worm was able to get the SCADA systems to adjust the speed of the motors being used on the centrifuges, which physically tore them apart.
Mare: Ah, I get it now.
Ron: Whether a cyber attack on your organization is isolated to the cyber world or made the leap to the physical world, it’s now time to deploy your business continuity plan to help prevent disruption to your business processes, including loss of revenue, profit, market share, and customers.
Mare: Okay, I get attacked; I deploy my business continuity plan. Piece of cake. So we’re done with this blog post already?
Ron: No, no, no, we’re not done, not by a long shot. While many companies have an up-to-date business continuity plan that may well keep them in business, I’m willing to bet that most of them don’t have any provisions for preserving the forensic information that is required to figure out how the attack occurred, who was behind it, and how to help prevent a similar attack from happening again.
Mare: “Forensic.” Like CSI? Like fingerprints and threads and DNA? Like Ted Danson? I love Ted Danson!
Ron: Whoa, Nelly. Slow down! In this case, the forensic evidence might consist of changes that were made to files on the network to perpetrate the attack. This means that you need to take the time to interview people, collect and review logs, run computer and network scans, and finally ensure that the information that you need for future analysis is collected and stored properly.
Mare: Hmm, sounds like this could take a while. I don’t mind, as long as I get to hang out with Ted Danson longer.
Ron: Yes, it can take quite a while, and depending on what industry you are in, law enforcement may even need to get involved as well.
Mare: Ooh, you mean like Ted Danson with a gun?
Ron: How and why are we still talking about Ted Danson?! In any case, if your cyber attack relates to national security interests, then the FBI can show up at your door to assist in the investigation, and a thorough investigation could take months. Which finally brings us to the heart of this blog entry: There are two competing priorities after a cyber attack. First, you need to get back up and running as soon as possible, but second, you also need to preserve the current state of your systems for forensic analysis.
Mare: So you need to recover your data to a known-good state to get back to work, while at the same time NOT recovering your data to a known-good state so that you can do forensic analysis? That’s quite a conundrum, Ron.
Ron: Indeed. And for most storage solutions on the market today, it is impossible. But NetApp customers already have the technology they need to get back to work while preserving forensic data, so they’re all set.
Mare: They are? How so?
Ron: Yep. Part of the magic enabled by the NetApp Write Anywhere File Layout system is NetApp Snapshot™ copies. These are extremely low-overhead, point-in-time images of your data volumes. Since they are designed for speedy backup and recovery, they can be used to get you back to a known-good state quickly, while a new Snapshot copy can freeze your storage in the state that it was in when the attack was discovered.
Mare: Huh. I’ll bet many NetApp customers don’t even know they can do this.
Ron: You’re probably right. And NetApp doesn't wish a cyber attack on anyone, whether they’re a customer of ours or not. But if you’re a NetApp customer, this capability DOES give you the best of both worlds, allowing detailed forensic analysis to take place without interrupting your business. And not only that, but snapshot copies also can be used to “walk backwards” through the attack timeline to help piece together how the attack happened.
Mare: Hang on a second… I don’t know when I’m going to be cyber attacked, or if I’m going to be attacked at all. How do I know when to start taking snapshots?
Ron: NetApp Snapshot copies take only seconds to generate, use very little storage space, and you can store up to 255 of them before you need to back up the oldest one and delete it. If you take four snapshot copies a day, you can go back two months in seconds, and if you need more time than that, you can pull older snapshots from the archive.
Mare: So I just hand the Feds the Snapshot copies for whatever timeframe they specify, and retrieve my own Snapshot copy from my known-good state, and then keep on trucking. Is that it?
Ron: That’s it, Mare. Until next time, you can go back to your inner musings about Ted Danson.