Disaster Recovery Journal Summer 2025
any time with virtually zero warning. However, just as earthquakes are more common along the Ring of Fire, companies that have taken a controversial public stance on a hot-button political issue are more likely to be targeted.

Credential phishing can fall into the "earthquake" or "tornado" category depending on how quickly the perpetrator attempts to monetize the stolen credentials. Giving up your bank account login details can lead to an empty account in seconds. Or the attacker may sell the credentials on the dark web, giving you time to change your password and enable multi-factor authentication (MFA) before any damage occurs.

Ransomware attacks fall into the "hurricane" category because there is typically a window of days to weeks, and sometimes months, between initial access and deployment of the ransomware. If you can detect the initial access and reconnaissance phases of the attack, you have the opportunity to avoid the data exfiltration and encryption phases entirely by evicting the attacker's foothold, typically a remote access trojan (RAT) or other backdoor, early.

Despite what a friendly cybersecurity sales executive may say, you cannot prevent cyberattacks any more than you can prevent natural disasters. Instead, focus on preparation strategies to reduce the harm when the inevitable happens.

I live in Silicon Valley, just a few miles from the San Andreas Fault. The knickknacks on my mantel are secured. I keep a flashlight in my nightstand and a gas shut-off wrench at the ready because I know it's only a matter of time before the next big one hits.

The cybersecurity equivalent to those preparations would be a DDoS mitigation service. These sit in front of your web servers, typically as a reverse proxy or scrubbing center, and absorb or filter malicious traffic while allowing legitimate traffic to flow. DDoS mitigation costs money, so the decision to implement it comes down to risk assessment.

I have two brothers who live in a part of the country where earthquakes are rare. They don't secure their knickknacks, and I'd be surprised if they owned a gas shut-off wrench.

If you transact millions monthly through your website and your CEO recently took a controversial stand, you're in a high-risk situation that warrants a DDoS mitigation service. If you sell a few hundred dollars' worth of cat-themed T-shirts and mugs each month, it's probably not worth the cost.

Credential phishing can impact anyone and strike at any time. The best preparation for this unnatural disaster is a multilayered approach. First, implement technical mitigations such as a spam filter and MFA (preferably a phishing-resistant form such as FIDO2 security keys, since one-time codes can be relayed by the attacker in real time). This is much like maintaining defensible space around your home during wildfire season. Next, educate your users. Many companies offer phishing simulation and training programs. This is like teaching your family about wildfire risks, having a go-bag ready, and planning alternate evacuation routes.

Finally, implement a "report phish" button. This allows employees to flag suspicious messages for analysis, whether in-house or via a third party. Two critical things must happen here. First, provide feedback to the reporting user to encourage future reports. Second, once a message is confirmed as malicious, use a claw-back mechanism to purge similar messages from all mailboxes. That second step is vital: phishing messages are rarely sent to just one recipient, and the other copies are still sitting in inboxes waiting to be clicked. Think of it like spotting a wildfire in your backyard. You wouldn't just evacuate quietly; you'd alert the fire department and warn your neighbors.

This brings me to ransomware, the cyber equivalent of a hurricane. Before satellites and computer models, hurricanes struck with little warning and devastating impact. Many companies still face this problem today, discovering attacks only after receiving a ransom note and losing access to critical files. But we now have the cyber equivalent of weather satellites.
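The report-then-claw-back step from the phishing section above, as an added worked example. This is editor-supplied code, not the author's method or any mail vendor's product: given one message an analyst has confirmed as phishing, it derives indicators from that message and sweeps a set of mailboxes for the campaign's other variants. The message structure, the three matching rules, the trusted-host allowlist and every address, host and identifier below are assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import urlparse


@dataclass(frozen=True)
class Message:
    mailbox: str   # owner of the mailbox this copy sits in
    msg_id: str    # the mail platform's identifier for this copy
    sender: str
    subject: str
    body: str


URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PREFIX_RE = re.compile(r"^(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Fold reply/forward prefixes, numbers and whitespace so campaign variants
    such as 'RE: Invoice #48213 overdue' and 'Invoice #90110 overdue' compare equal."""
    s = PREFIX_RE.sub("", subject.strip())
    s = re.sub(r"\d+", "#", s)
    return re.sub(r"\s+", " ", s).casefold()


def url_hosts(text: str) -> set[str]:
    """Lower-cased hostnames of every http(s) URL found in the text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.casefold())
    return hosts


@dataclass(frozen=True)
class Indicators:
    sender: str
    sender_domain: str
    subject: str
    hosts: frozenset[str]


def extract_indicators(confirmed: Message, trusted_hosts: Iterable[str] = ()) -> Indicators:
    """Indicators taken from a message the analyst confirmed as phishing. Hosts the
    organisation itself uses (intranet, shared SaaS) are dropped so they never drive a match."""
    sender = confirmed.sender.casefold()
    trusted = {h.casefold() for h in trusted_hosts}
    return Indicators(
        sender=sender,
        sender_domain=sender.rsplit("@", 1)[-1],
        subject=normalize_subject(confirmed.subject),
        hosts=frozenset(url_hosts(confirmed.body) - trusted),
    )


def match_reason(msg: Message, ioc: Indicators) -> str | None:
    """Why a message should be clawed back, or None. Rules run from most to least
    specific; each catches a different way the campaign varies between recipients."""
    sender = msg.sender.casefold()
    if sender == ioc.sender:
        return "same sender address"
    if url_hosts(msg.body) & ioc.hosts:
        return "links to the same host"
    if sender.rsplit("@", 1)[-1] == ioc.sender_domain and normalize_subject(msg.subject) == ioc.subject:
        return "same sender domain and subject template"
    return None


def clawback_targets(confirmed: Message, mailboxes: Iterable[Message],
                     trusted_hosts: Iterable[str] = ()) -> list[tuple[str, str, str]]:
    """(mailbox, msg_id, reason) for every copy that should be purged, in mailbox order."""
    ioc = extract_indicators(confirmed, trusted_hosts)
    targets = []
    for m in mailboxes:
        reason = match_reason(m, ioc)
        if reason:
            targets.append((m.mailbox, m.msg_id, reason))
    return targets


# Constructed sample data: one reported message confirmed as phishing plus the
# contents of five other mailboxes. All addresses, hosts and ids are invented.
TRUSTED_HOSTS = {"intranet.example.com"}
REPORTED = Message("alice@example.com", "m1", "billing@invoice-portal-secure.net",
                   "RE: Invoice #48213 overdue", "Pay now: https://invoice-portal-secure.net/pay?id=48213")
MAILBOXES = [
    REPORTED,
    Message("bob@example.com", "m2", "billing@invoice-portal-secure.net",
            "Invoice #90110 overdue", "Pay now: https://invoice-portal-secure.net/pay?id=90110"),
    Message("carol@example.com", "m3", "accounts@invoice-portal-secure.net",
            "Your statement is ready", "Download: https://invoice-portal-secure.net/pay?id=77002"),
    Message("dave@example.com", "m4", "noreply@invoice-portal-secure.net",
            "Invoice #12 overdue", "The amount due is shown in the attached PDF."),
    Message("erin@example.com", "m5", "vendor@supplier.example",
            "Invoice #5533 overdue", "Portal: https://supplier.example/portal"),
    Message("frank@example.com", "m6", "it@example.com",
            "Reminder: invoice policy", "See https://intranet.example.com/policy"),
]

if __name__ == "__main__":
    for mailbox, msg_id, reason in clawback_targets(REPORTED, MAILBOXES, TRUSTED_HOSTS):
        print(f"purge {msg_id} from {mailbox}: {reason}")
```

Run as written it lists m1 through m4 for purging and leaves the genuine supplier invoice (m5) and the IT reminder (m6) alone. In production the returned list is handed to the mail platform's purge or quarantine API; the rules deliberately stop at sender, link host and subject template, because a broader net (every message mentioning "invoice") would claw back legitimate mail and undo the trust the feedback step just built with the reporting user.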
Every ransomware attack starts with reconnaissance and initial access, followed by lateral movement and privilege escalation, long before data exfiltration or encryption. By monitoring your network traffic with intrusion detection systems (IDS) and reviewing log files for anomalies, you can detect attacks early. You can do this in-house with a security information and event management (SIEM) system fed by endpoint detection and response (EDR) agents and network sensors, or outsource the monitoring to a managed detection and response (MDR) provider; extended detection and response (XDR) platforms bundle the collection and correlation across endpoint, identity, network and cloud telemetry.

Suppose you have SIEM or XDR in place. You're safe now, right? Not quite. At this point, you have the equivalent of the Weather Channel warning you of an 80% chance of landfall. You still need to act. Should you evacuate? Board up windows? Stock up on supplies? Similarly, you must act on the alerts from your SIEM or XDR solution to avoid the damage phase of a ransomware attack. That means someone is on call to triage alerts, and a playbook exists for isolating a host and resetting compromised credentials, before the alert arrives at 2 a.m.

We've all participated in fire drills, mandatory in school and common in office buildings. The cyber equivalent is offensive security. Start with vulnerability scans on your internet-facing infrastructure, then move to penetration testing and red teaming as budget and risk profile allow.

You cannot stop every cyberattack, just as you cannot stop natural disasters. But you can prepare. It begins with understanding your risks and implementing a holistic strategy to reduce the likelihood and impact of those risks. As Louis Pasteur said, "Chance favors the prepared mind."
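The early-detection phase described above, as an added example (editor-supplied, not from the author or any SIEM vendor): two of the signals an analyst would look for between initial access and encryption, lateral movement and password spraying, computed over constructed logon events. The simplified key=value log format, the field names, the thresholds and the windows are all assumptions; a SIEM would normalise Windows 4624/4625 events or sshd auth lines into the same five fields, and the thresholds need tuning to your environment.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example): one logon event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=logon user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_events(log: str) -> list[dict]:
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def distinct_in_window(events: list[dict], key_field: str, value_field: str,
                       threshold: int, window: timedelta) -> list[dict]:
    """Fire once per key when the number of distinct `value_field` values seen for
    that key inside a sliding `window` reaches `threshold`. Events are processed
    in time order; each deque holds only the events still inside the window."""
    recent: dict[str, deque] = defaultdict(deque)
    fired: set[str] = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key, value = ev[key_field], ev[value_field]
        q = recent[key]
        q.append((ev["ts"], value))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = sorted({v for _, v in q})
        if len(distinct) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"key": key, "values": distinct, "first": q[0][0], "last": ev["ts"]})
    return alerts


def detect(log: str) -> list[dict]:
    """Run both rules over a log and return the alerts, lateral movement first."""
    events = parse_events(log)
    ok = [e for e in events if e["result"] == "success"]
    bad = [e for e in events if e["result"] == "failure"]
    alerts = []
    # Lateral movement: one account logging on to 4+ distinct hosts within 10 minutes.
    for a in distinct_in_window(ok, "user", "host", 4, timedelta(minutes=10)):
        alerts.append({"rule": "lateral_movement", **a})
    # Password spray: one source failing against 8+ distinct accounts within 5 minutes.
    for a in distinct_in_window(bad, "src", "user", 8, timedelta(minutes=5)):
        alerts.append({"rule": "password_spray", **a})
    return alerts


# Constructed sample log: a normal user, an admin doing routine work, a service
# account hopping across servers at 2 a.m., and one source spraying accounts.
SAMPLE_LOG = """
2025-06-03T09:01:50Z host=ws-jdoe event=logon user=jdoe src=10.0.1.15 result=failure
2025-06-03T09:02:11Z host=ws-jdoe event=logon user=jdoe src=10.0.1.15 result=success
2025-06-03T09:31:40Z host=fs01 event=logon user=jdoe src=10.0.1.15 result=success
2025-06-03T10:00:05Z host=ws-mwong event=logon user=mwong src=10.0.1.40 result=success
2025-06-03T11:15:22Z host=fs01 event=logon user=mwong src=10.0.1.40 result=success
2025-06-03T12:30:09Z host=app01 event=logon user=mwong src=10.0.1.40 result=success
2025-06-03T02:14:07Z host=fs01 event=logon user=svc_backup src=10.0.5.23 result=success
2025-06-03T02:15:02Z host=fs02 event=logon user=svc_backup src=10.0.5.23 result=success
2025-06-03T02:16:48Z host=db01 event=logon user=svc_backup src=10.0.5.23 result=success
2025-06-03T02:18:30Z host=app01 event=logon user=svc_backup src=10.0.5.23 result=success
2025-06-03T02:19:55Z host=dc01 event=logon user=svc_backup src=10.0.5.23 result=success
2025-06-03T03:40:01Z host=vpn01 event=logon user=a.adams src=10.0.9.77 result=failure
2025-06-03T03:40:12Z host=vpn01 event=logon user=b.baker src=10.0.9.77 result=failure
2025-06-03T03:40:25Z host=vpn01 event=logon user=c.chen src=10.0.9.77 result=failure
2025-06-03T03:40:37Z host=vpn01 event=logon user=d.diaz src=10.0.9.77 result=failure
2025-06-03T03:40:50Z host=vpn01 event=logon user=e.evans src=10.0.9.77 result=failure
2025-06-03T03:41:03Z host=vpn01 event=logon user=f.fox src=10.0.9.77 result=failure
2025-06-03T03:41:15Z host=vpn01 event=logon user=g.garcia src=10.0.9.77 result=failure
2025-06-03T03:41:28Z host=vpn01 event=logon user=h.hill src=10.0.9.77 result=failure
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["rule"]}: {a["key"]} -> {a["values"]} ({a["first"]:%H:%M:%S}..{a["last"]:%H:%M:%S})')
```

On the sample it raises two alerts and nothing else: svc_backup reaching four servers in under five minutes, and 10.0.9.77 failing against eight accounts in ninety seconds. jdoe's single failed logon and mwong's three hosts spread over two hours stay below the thresholds, which is the point of windowing by time rather than counting totals. Each alert carries the first and last timestamps of the window so the responder knows how far back to pull full logs for the affected account or source.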
John Wilson, senior fellow of threat research at Fortra, specializes in cybercrime investigations and threat intelligence. Since 2006, he has led efforts to combat phishing, business email compromise (BEC), and botnet activity. He continues to research emerging threats and conduct active defense experiments, including a 2023 collaboration with Microsoft to disrupt the illicit use of Cobalt Strike. Wilson holds a B.S. in computer science and engineering from MIT and has presented at RSA, FS-ISAC, Aviation ISAC, NCFTA Disruption, and the Microsoft Digital Crimes Consortium.