Recovery and reconstitution refer to the capabilities needed in the wake of a cyber attack to restore the functionality and availability of networks, systems, and data. Recovery and reconstitution methods must be adequate to cope with the consequences of cyber attacks that are carried out quickly, cause extensive damage, and propagate in uncontrolled ways.
Recovery and reconstitution must be addressed and implemented in all aspects of a system – networks, operating systems, middleware, applications, and data. Capabilities for timely recovery and reconstitution are especially important in mission-critical systems, which must be able to degrade gracefully, meaning that they must be able to survive a cyber attack even if damaged and recover to an operable state that sustains mission-critical functions. Systems must be made self-healing and self-restoring to as great a degree as possible.
The recovery and reconstitution aspects of dynamic response depend on accurate, timely detection of cyber attacks. The spreading of malicious code across a network needs to be stopped, for example, and damaged nodes need to be recovered while residual malicious code is eradicated. This technical area is closely linked to large-scale cyber situational awareness, which provides the information required to perform recovery and reconstitution.
State of the art Edit
Current technologies for recovery and reconstitution are limited. The most common recovery and reconstitution techniques are redundant processing, physical backups, and the use of special service providers to implement recovery capabilities for organizations. These procedures focus on system faults, failures, and accidents, not purposeful, malicious cyber attack. Technologies in use today are able to return databases, applications, and data to an operational state after non-malicious faults or failures. Research in self-regenerating systems is investigating technologies to enable systems that have been exploited to restore themselves autonomously, but the techniques are still in their infancy.
Recovery techniques tend to be aimed at data recovery rather than at reconstituting large-scale systems or networks. To be effective, recovery and reconstitution must be rapid and must be guided by accurate and timely information. Damage-assessment technologies are needed that can quickly provide network defenders with an accurate snapshot of the overall enterprise, what has been attacked, where the damage is, what type of damage has been incurred (whether the attack is against the confidentiality, the integrity, or the availability of the system), and what parts of the system have been affected. Defenders also need robust decision-support systems that can rapidly present possible defensive courses of action. In some cases, autonomic (self-managing) system responses directed at recovery and reconstitution potentially could maintain a basic level of operation while further analysis of the cyber attack is being conducted.
While there might be enough network redundancy to allow continued communications, an attack might reach deep into a networked system. Techniques are needed to assess whether data are damaged and, if so, the extent and impact of that damage. Damaged data require recovery to an earlier undamaged state followed by reconstitution. Applications may need to be reloaded to ensure that malicious code has been eradicated. Remediation may also be needed to eliminate vulnerabilities that enabled the attack in the first place. Rapid post-attack reconstitution of IT systems requires the ability to create checkpoints that capture the state of a large-scale system and to not only retrieve undamaged data but also to roll back damaged systems to earlier functional (uncompromised) states. Such rapid reconstitution is an alternative to rebuilding the entire system from scratch and is vital for mission-critical systems.