Paul McCartney wrote “The Long and Winding Road” while the Beatles were in the throes of dissent and months away from breaking up. Listening now to the song’s yearning lyrics and plaintive melody, is it possible that Sir Paul actually anticipated the NIST Cybersecurity Framework’s Recover function, and was imagining the category titled Recovery Planning?


I’ve Seen This Road Before.

With this simple reflection, McCartney eludes to the fact that hackers will attempt either to retain or to regain persistent access. In the absence of effective ways to eradicate or contain the adversary prior to recovery, network defenders will travel down the same roads of Detect and Respond over and over again.

For this reason, NIST recommends that, prior to launching recovery efforts, companies identify the root cause of a cyber event, understand the adversary’s objectives, and evaluate the measures the company has taken to better detect and block the intruder in the future. NIST also highlights the importance of the recovery team coordinating with the incident response team, so that recovery efforts are not futile, do not alert the adversary, and do not destroy forensic evidence.


Anyway, You’ll Never Know the Many Ways I’ve Tried.

Clearly, this lyric is a cry for better metrics. In this regard, NIST suggests building measures around distinct areas of recovery, such as lowering the costs of an incident, improving risk assessments, and improving recovery activities. Metrics might include tracking lost sales due to business disruption, hours of employee downtime, the number and types of incidents that were not adequately anticipated in prior risk assessments, and the time taken to achieve restoration.

It also is important to recognize the value of preparation. Pre-existing documents often include Business Impact Analysis assessments and Business Continuity Plans, as well as a ready summary of corporate Service Level Agreements (and the consequences of not meeting them). In this way, mature information security programs are able to pre-identify those assets that are most critical to the organization’s mission, map out their dependencies, and determine their order of restoration in the event of disruption.

Before an incident, NIST also recommends that organizations conduct “what if” exercises that include scenarios gleaned from headline cyber events. Done well, tabletop sessions help organizations identify and resolve gaps prior to an incident and, in the words of NIST, “help to exercise both technical and non-technical aspects of recovery such as personnel considerations, legal concerns, and facility issues.”


Why Leave Me Standing Here, Let Me Know the Way.

Recovery plans should offer a sense of direction. They should define key milestones, to include the criteria for their completion. Doing so also should establish when the Recover function is complete, allowing team members to return to their normal jobs.

Finally, readers who are interested in learning more about this topic might check out NIST’s recently published Guide for Cybersecurity Event Recovery. It’s free, and best read on a wild and windy night.