Backup and Recovery

Make copies of key system software, configuration, and data to enable rapid system restoration.

Employ disk imaging, system backup, or file synchronization tools to create copies of key data on a protected backup repository. This is typically done to capture/restore an entire system or major subsystems.

Details
ID: DTE0005
Tactics: Collect, Test, Disrupt

Opportunities

ID | Description
DOS0058 | Although adversaries may attempt to delete or change important artifacts, there may be a window of time to retrieve them before that happens.
DOS0118 | There is an opportunity to test what an adversary might do if destroyed data is selectively replaced by the defender.
DOS0122 | There is an opportunity to test what an adversary might do if encrypted data is selectively replaced by the defender.
DOS0124 | There is an opportunity to disrupt an adversary's defacement activity by quickly restoring altered content.

Use Cases

ID | Description
DUC0058 | A defender can back up system information on a regular basis and send it to an alternate location for storage.
DUC0118 | A defender can ensure data is backed up on a regular basis and that backups are stored offline from the system. If an adversary is detected destroying or altering data, the defender could selectively restore data from backup to see how the adversary reacts.

Procedures

ID | Description
DPR0009 | Back up data on public-facing websites and retain the files offline. In the event of data damage or loss, restore the data from backup.
DPR0010 | Back up data on an end-user system and store it offline. If an adversary alters or deletes data on the system, restore the data using the backup copy.
DPR0063 | In an adversary engagement situation, if an adversary deletes or alters files on a machine they are controlling, restore the data to its original state and location to see how the adversary reacts.
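One way to carry out the backup, damage-check and selective-restore cycle these procedures describe, as an added example (not MITRE Shield's code or tooling): it records a SHA-256 manifest at backup time, uses it to find altered or deleted files, and restores only the chosen ones, verifying each restored file against the manifest. The function names, paths and the assumption that the backup directory is kept offline or read-only between runs are mine, not the page's.

```python
"""Backup with an integrity manifest, damage detection and selective restore.
Added example, not MITRE Shield's code; assumes the backup dir is kept offline."""
import hashlib
import shutil
from pathlib import Path

def file_hash(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files stay out of RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def backup(src: Path, dst: Path) -> dict:
    """Copy every file under src into dst; return a {relpath: sha256} manifest."""
    manifest = {}
    for p in src.rglob("*"):
        if p.is_file():
            rel = p.relative_to(src)
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dst / rel)
            manifest[rel.as_posix()] = file_hash(p)
    return manifest

def find_damage(src: Path, manifest: dict) -> dict:
    """Compare the live tree with the manifest: relpath -> 'altered' | 'deleted'."""
    damage = {}
    for rel, digest in manifest.items():
        live = src / rel
        if not live.exists():
            damage[rel] = "deleted"
        elif file_hash(live) != digest:
            damage[rel] = "altered"
    return damage

def restore(src: Path, dst: Path, manifest: dict, only=None) -> list:
    """Restore damaged files from the backup copy in dst. `only` limits the
    restore to chosen paths (selective restore, DPR0063); returns verified paths."""
    restored = []
    for rel in find_damage(src, manifest):
        if only is not None and rel not in only:
            continue
        live = src / rel
        live.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dst / rel, live)
        if file_hash(live) == manifest[rel]:  # verify before reporting success
            restored.append(rel)
    return restored
```

Run `find_damage` on a schedule against the last manifest to catch defacement (T1491) or destruction (T1485) early, and keep the manifest with the offline backup so a compromised host cannot rewrite it.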

ATT&CK® Techniques

ID | Name | ATT&CK Tactics
T1485 | Data Destruction | Impact
T1486 | Data Encrypted for Impact | Impact
T1491 | Defacement | Impact