It may seem strange to talk about observing cybercriminals at work, in order to beef up one’s own disaster recovery. DR planning and management in honest enterprises are often required as preparation and repair regarding malware attacks, illicit infiltration and control, data compromise, and other cyber nasties.

Yet criminals, so it seems, are learning about disaster recovery tactics too, in order to build resilience into their attack infrastructure and resources.

European and American police forces have been working to break criminals’ botnets, which are networks of machines such as PCs and servers belonging to others, but infected or controlled by attackers.

The botnets may be used to spread malware infections or to perpetrate denial of service attacks on yet other machines. Police teams now see a trend among criminals to create several smaller botnets, rather than one bigger one.

If one botnet is discovered and broken, the criminals can then rapidly shift operations to the others that are still running. In a day or so, the interrupted operations can be resumed, as before – a performance that many law-abiding organisations would be glad to achieve.

On the other hand, police tactics also continue to evolve. Big data analytics are becoming increasingly important to gain insights from the results of sinkholing, an approach in which law enforcement agencies redirect known infected and controlled machines to servers controlled by the authorities.

With botnets now numbering millions of computers, patterns may emerge to help police forces spot botnets more easily. In a somewhat back-to-front situation, success will be measured by how well criminal disaster recovery tactics can be thwarted.

On the way to the defeat (or to some approximation of it) of hackers and attackers, however, enterprises and organisations may pick up some useful tips on how to organise their own IT installations to recover as fast as possible from attempts to put them out of action.