Security Magazine logo

5 best tips for ransomware recovery

By Jorge de Almeida Pinto

Image by Freepik

September 9, 2022

Active Directory is the beating heart of most modern networks. It is the core system for managing identities, authentication, and authorization, both on-premises and, through synchronization, in the cloud. It is also a system designed more than 20 years ago. In its early days there was little reason to think about disaster recovery or business continuity; today, because almost every other system trusts it, Active Directory is a prime target for threat actors, and taking it down is the quickest way to take the whole business down with it.

You’re likely already aware of this to some extent. The problem is that where Active Directory is concerned, disaster recovery is deceptively complex. Even though it might look simple on the surface, it verges on overwhelming in practice. 

How can you ensure that you have the necessary systems and processes to recover from ransomware and any disruptive incident that takes Active Directory offline? Here are five key tips and some thoughts on what constitutes a good Active Directory backup plan.

Tip 1: Be proactive

When things go wrong, it’s always better to be prepared.

Preparation begins with proactively searching for and fixing issues within your Active Directory deployment. For that, you need full visibility. There are many moving parts within Active Directory and many things that can go wrong. But you can’t resolve a problem you can’t identify. 

Start by looking for indicators of exposure: weaknesses a threat actor can exploit before any attack has happened. Examples include poor account hygiene (stale or never-expiring passwords, service accounts with a servicePrincipalName set and a weak password), misconfigured security settings, and attack paths nobody has mapped, such as nested group memberships or delegated rights that lead to Domain Admins. Then look for indicators of compromise, evidence that an attack is already under way. Kerberoasting is a good example: an attacker requests service tickets for accounts that have SPNs and cracks them offline, and that activity leaves a trace on the domain controllers in the form of bursts of service-ticket requests (Event ID 4769) using RC4 encryption for exactly those accounts.
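The two checks described above, as an added example written for this page rather than code from the author or from Semperis. It assumes the ActiveDirectory PowerShell module is available and that it runs on a domain controller (or on a host with RSAT that can read the DC's Security log); the 24-hour lookback and the threshold of five distinct service accounts per client are assumptions to tune for your own estate.

```powershell
# Added example, not from the article: hunt for Kerberoasting exposure and for
# evidence of Kerberoasting in one domain. Assumes the ActiveDirectory module
# and read access to the domain controller's Security log. Lookback window and
# threshold below are assumptions; tune them for your environment.
Import-Module ActiveDirectory

# Indicator of exposure: any enabled user with a servicePrincipalName can have a
# service ticket issued for it, and that ticket is encrypted with the account's
# password hash, which can then be cracked offline. Old passwords and
# adminCount=1 make the finding worse. krbtgt always carries an SPN and is
# dealt with separately, so it is excluded here.
function Get-KerberoastableAccount {
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
               -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
      Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
      Select-Object SamAccountName,
          @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { -1 } } },
          @{ n = 'IsAdmin';         e = { $_.AdminCount -eq 1 } },
          @{ n = 'SPNs';            e = { $_.ServicePrincipalName -join ';' } }
}

# Indicator of compromise: Event ID 4769 (a Kerberos service ticket was
# requested) with TicketEncryptionType 0x17 (RC4-HMAC). Kerberoasting tools ask
# for RC4 because it is far cheaper to crack than AES, so one client pulling RC4
# tickets for many SPN accounts inside a short window is the classic signature.
# Caveat: legacy clients also request RC4, so review hits before acting, and
# accounts restricted to AES via msDS-SupportedEncryptionTypes will not appear.
function Get-KerberoastingEvent {
    param(
        [string[]] $ServiceAccounts,
        [int]      $LookbackHours = 24,
        [int]      $Threshold     = 5      # distinct SPN accounts per client/user pair
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
          # EventData fields are only reachable through the XML form of the record.
          $xml  = [xml] $_.ToXml()
          $data = @{}
          foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
          [pscustomobject] @{
              Time    = $_.TimeCreated
              Client  = $data['IpAddress']
              User    = $data['TargetUserName']
              Service = $data['ServiceName'] -replace '\$$', ''   # computer SPNs end in $
              EncType = $data['TicketEncryptionType']
              Status  = $data['Status']
          }
      } |
      Where-Object { $_.Status -eq '0x0' -and $_.EncType -eq '0x17' -and $ServiceAccounts -contains $_.Service } |
      Group-Object Client, User |
      ForEach-Object {
          $services = @($_.Group.Service | Sort-Object -Unique)
          if ($services.Count -ge $Threshold) {
              $times = @($_.Group.Time | Sort-Object)
              [pscustomobject] @{
                  Client    = $_.Group[0].Client
                  User      = $_.Group[0].User
                  Services  = $services -join ','
                  FirstSeen = $times[0]
                  LastSeen  = $times[-1]
              }
          }
      }
}

$exposed = Get-KerberoastableAccount
$exposed | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
Get-KerberoastingEvent -ServiceAccounts $exposed.SamAccountName | Format-Table -AutoSize
```

The first table is the exposure list to fix (rotate to long random passwords, move to group managed service accounts, restrict to AES where clients allow it); the second is the compromise list to hand to incident response. Running the two together matters: a single RC4 ticket request is normal noise, but one client requesting RC4 tickets for most of your SPN accounts in a few minutes is not.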

This advice doesn’t just apply to your Active Directory. To devise an effective disaster recovery plan, you need comprehensive technical knowledge about your business. You need to understand how each system operates and how each component is connected to other components. 

My advice is to start with a comprehensive risk and security assessment, beginning with a focus on your most important forests and assets. This review enables you to map out your infrastructure at every level of your organization. More importantly, it helps you identify the disruptive events you’re likeliest to face and determine mitigating actions for each. 

Tip 2: Make communication part of disaster recovery 

Predefined mitigation and recovery actions are all well and good. But who decides when, where, and how to put such actions into practice? 

This is the area where I consistently see disaster recovery guidance fall woefully short. You can find plenty of information about the technical side of Active Directory disaster recovery. Yet even official Microsoft guidance mentions nothing about communication or a chain of command.

During a disruptive event, every second counts. You simply can’t afford to waste valuable time trying to figure out who should be doing what. You need a simple, step-by-step plan that’s easy to understand and execute for every member of your team. 

When devising this plan, be sure to account for these factors: 

● Does your organization comprise a single, contiguous entity or multiple independent business units? 

● Are you outsourcing the management of your Active Directory? 

● How are you going to communicate during an incident?

● With whom are you going to communicate? 

● Who is the final decision-maker where mitigation and recovery efforts are concerned? Note that this answer might vary depending on the scope of an event. 

● At what point do you notify C-level executives? What about external stakeholders? 

Tip 3: Planning costs less than facing an attack unprepared

A typical argument against maintaining a disaster recovery plan is that there’s no budget for it. 

Stop and think about how much of your infrastructure relies on Active Directory. Think about the impact of one or all of your forests being locked down by ransomware. If your organization is like most, the cost of such an outage could be crippling: lost revenue and customers, regulatory penalties, and reputational damage. 

The cost of creating and maintaining a business continuity plan is inevitably less than the cost of a ransomware attack—especially if you aren’t maintaining proper backups. Paying a ransom for your assets is no guarantee that you’ll get them back. Threat actors are under no obligation to decrypt your systems and data after you pay…and often don’t. 

Tip 4: Don’t try to do everything yourself

Automation can’t do everything. But where disaster recovery is concerned, it’s an enormous help. Not only can it save your team considerable time on the many tasks involved in backup and restoration, but it also considerably reduces instances of human error. 

More importantly, automation saves time without requiring your team to possess specific knowledge about the inner workings of Active Directory. In addition to tools that focus on backup and recovery, there are solutions designed to automate monitoring, detection, log correlation, and threat hunting. These, too, are invaluable as we reach the point at which the amount of threat data is simply too great for human actors to digest effectively. 

Unless your business has incredibly specific needs that you are positive no vendor can fulfill, it is almost always preferable to use a third-party tool rather than develop one internally. Most of the time, those development resources are better spent elsewhere. What's more, tools like BloodHound (which maps attack paths through group membership, ACLs, and sessions, and is the same tool attackers use to find those paths) and Purple Knight (Semperis' Active Directory security assessment tool) are free to use.

Tip 5: Avoid putting all your eggs in the Active Directory basket

The technical components of your disaster recovery plan need to be completely independent of your Active Directory. In an attack, you risk losing access to any system that is joined to the domain, and an attacker who has taken Domain Admin can use that same authority to reach, and delete, anything that trusts the domain for authentication. There is little point in backing up your domain controllers if the backup server, the console you manage it from, and the credentials you need to restore all go down with the domain. Backup infrastructure should run on hosts that are not domain joined, authenticate with local or separately managed credentials, and hold copies that cannot be altered from the production network.

You’ll want to make sure you have independent instances of the following: 

● Server backups

● Data backups

● Password vaults

● Documentation

● Authentication mechanisms (including break-glass accounts that do not depend on the domain)

● Code

Immutable, isolated, redundant: The characteristics of a good backup plan

Every disaster recovery plan must include a few crucial components.

First, you need the capacity to recover to an isolated environment. That way, you can spin up a clean instance of Active Directory, verify it, and keep it separated from anything the attacker may still control. This enables a service recovery to proceed while a health and security assessment is carried out: a partial restoration that lets at least some of your business resume regular operations.

Design recovery is your ultimate goal: fully restoring all compromised and destroyed systems. To facilitate this, I recommend maintaining multiple backups, kept offsite and offline until needed. These backups should be created within the applicable region (to satisfy data residency requirements) and should be completely immutable once created, so that an attacker with administrative rights on the production network cannot encrypt or delete them. Keep enough history to reach back before the intrusion began; a backup taken after the attacker gained access restores the attacker along with the data.

Where management of the backups themselves is concerned, you have two core metrics to consider. The recovery time objective (RTO) is the maximum time the service may be unavailable, so it bounds how long the restore is allowed to take. The recovery point objective (RPO) is the maximum amount of data loss you can tolerate, expressed as time, so it bounds how old the backup you restore from may be.

The RPO drives the backup frequency. In some cases, you might need daily or even more frequent backups. In other scenarios, weekly or even monthly backups might be acceptable.

Finally, your job is not finished with the creation of a disaster recovery plan. Test all plans, tools, scripts, and processes end to end, including a full forest recovery into the isolated environment, at least once a year, and measure how long it takes against your RTO. Make sure everything works as intended.

During these evaluations, you should also take the time to consider things you might need in the future —investments that can save you time and money. 

No such thing as “one size fits all” 

Where Active Directory is concerned, nearly every organization’s deployment is unique. A disaster recovery plan that works for one business isn’t guaranteed to work for another. That’s one of the things that makes the process so challenging and complex. There really is no gold standard — only guidance and advice. 

I explored these questions in greater detail during a recent Hybrid Identity Protection Conference presentation, "Resurrecting After a Ransomware Attack: Be Secure, And Prepared!" The presentation includes a more comprehensive, step-by-step breakdown of the process and a demo to give you an idea of how to implement disaster recovery within your organization. Take a look when you are ready to dive more deeply into the topic of ransomware recovery.


This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.

KEYWORDS: cyber security information security ransomware risk management


Jorge de Almeida Pinto is a Semperis Senior Solutions Architect/Product Manager.

Copyright ©2025. All Rights Reserved BNP Media.