How do you recover data after a cyber attack?

Data recovery after a cyber attack can be a challenging process, but with the right approach and tools, organizations can restore their systems and regain access to critical information.

Assess the Damage

The first step is to thoroughly investigate the attack’s impact. Determining the entry point, which systems and data were affected, and the extent of the breach allows you to focus recovery efforts.

Conducting a damage assessment involves:

  • Reviewing system and application logs for signs of compromise.
  • Analyzing file timestamps to identify altered or deleted data.
  • Checking for new user accounts or permission changes.
  • Examining network traffic for signs of data exfiltration.

Forensic tools and malware scanning software can help uncover evidence of intrusion and lateral movement within systems. Understanding how the attacker gained entry and pivoted internally is key to determining what data may have been compromised.

Disconnect Compromised Systems

Isolating affected systems from the network is an important damage control measure. This prevents malware from spreading further and lets you investigate systems without the risk of continued interference or exfiltration.

When disconnecting compromised systems:

  • Take systems offline, either physically or by firewall rules.
  • Block outbound internet access to stop communication with command-and-control servers.
  • Revoke compromised credentials that may have spread to other systems.
  • Scan other systems for related infections.

Containment limits the blast radius and lets you focus recovery efforts on known infected systems only.

Eliminate the Threat

With compromised systems isolated, the next step is removing malware and eliminating the attacker’s foothold. This involves:

  • Using antivirus scans to detect and quarantine malware.
  • Checking scheduled tasks and startup items for malicious programs.
  • Scanning memory and open processes for signs of malware.
  • Reviewing configuration files and registry entries for evidence of persistence mechanisms.
  • Changing account passwords to revoke the attacker’s access.
  • Resetting permissions on files and folders manipulated by the attacker.

Threat removal also provides an opportunity to improve defenses. Patching vulnerabilities, hardening configurations, and updating protections reduces the risk of follow-on attacks.

Determine Recovery Strategies

With the immediate threat addressed, the focus shifts to restoring systems and retrieving lost data. The optimal recovery strategy depends on the damage incurred and criticality of affected data. Options include:

  • Restore from backups – Rebuilding corrupted systems and restoring data from clean backups removes malware-infected files. This is the safest recovery method.
  • Selective restoration – For minor infections, restoring key executables and system files may be sufficient, without rebuilding entire systems.
  • In-place restoration – Removing malware in-place allows restoring files to pre-infection state. Riskier but faster if malware is fully removed.
  • Disk imaging – Taking a full forensic image of the compromised disk preserves evidence for later recovery attempts.

Organizations should test recovery on non-production systems first to validate process and results.

Restore Data from Backups

Restoring from recent, uninfected backups provides the cleanest recovery option. However, this requires validated backups that are isolated from the compromised systems. Considerations include:

  • Use offline, air-gapped backups when possible to prevent backup contamination.
  • Restore backups onto rebuilt systems to prevent reinfection.
  • Prioritize the most critical systems and data for recovery first.
  • Verify integrity of backups against backup logs to confirm usability.

In some cases, incremental backups may need to be rebuilt starting with the last clean full backup. Always re-establish defenses before restoring operational capability.

Challenges with Backups

While critical, some challenges can impact using backups for recovery:

  • Incomplete backups that lack key systems or data.
  • Infected backups that reintroduce malware during recovery.
  • Expired retention leaving gaps prior to the attack.
  • Lack of regular backup testing to validate usability.

Perform Selective File Restoration

When malware only affects certain systems or files, selective restoration may be a quicker recovery option. This focuses restoration efforts only on known infected areas. The process involves:

  • Identifying and restoring critical executables and system files to operational state.
  • Restoring user files and folders from clean backups as needed.
  • Repairing the operating system boot and configuration to stable state.
  • Reinstalling and patching affected applications and services.

The benefits include quicker recovery time and lower resource requirements compared to full rebuilds. However, diligence is required to ensure malware removal is comprehensive.

When to Avoid Selective Restoration

Selective restoration may not be advisable if:

  • Rootkits or malware have infected the operating system or master boot record.
  • There is insufficient time or resources to thoroughly check systems.
  • Malware has tampered with binaries, libraries, or settings files across the system.

In these cases, complete rebuilding from trusted media is a safer option to avoid reintroducing risks.

Attempt In-Place Restoration

In some scenarios, restoration may be attempted on infected systems without fully rebuilding them. This requires completely eliminating malware and then restoring damaged files in-place. Candidates include:

  • User documents and desktop files.
  • Databases, emails, and other data stores.
  • Web server content and databases.
  • Application configuration and settings folders.

An in-place restoration approach involves:

  • Conducting deep malware scans to verify threat removal.
  • Identifying deleted and altered files based on backup manifests.
  • Restoring damaged files from internal file backups or source repositories.
  • Restoring file permissions on recovered folders.
  • Testing restored applications and data integrity.

This focused approach saves time compared to full rebuilds but has higher risk if malware persists.

Warnings Around In-Place Restoration

In-place restoration should be avoided if:

  • Malware has infected core operating system or application files.
  • There is uncertainty around the ability to completely remove malware.
  • Backup integrity checks indicate files are corrupted.
  • Operating system or software configuration is extensively damaged.

In these higher risk scenarios, rebuilding systems from scratch is the safest option.

Capture Forensic Disk Images

Forensic disk imaging provides a fallback option if recovery efforts are unsuccessful. It involves making a complete copy of the compromised disk to preserve evidence for future analysis. Benefits include:

  • Preserving the disk state to extract files using forensic tools.
  • Creating a definitive record prior to any data recovery attempts.
  • Enabling deeper malware analysis on the full disk contents.
  • Providing a path to recover previously deleted files.

Images should be made using validated forensic software and stored securely to maintain evidence integrity.

When to Forensically Image Disks

Scenarios where forensic disk images help include:

  • When viable backups are not available for critical systems.
  • To collect and preserve malware artifacts for analysis.
  • If full disk encryption was enabled on compromised systems.
  • For an accurate snapshot of intrusion evidence if rebuilds are required.

Disk images provide insurance if other recovery options fail. They can be accessed as a last resort if needed.

Rebuild and Secure Systems

The final phase of recovery involves bringing systems back online safely. This requires rebuilds or restoration to occur on platforms secured against reinfection. Activities include:

  • Building systems from trusted base images and software installers.
  • Hardening configurations based on a secure baseline to close vulnerabilities.
  • Reinforcing defenses through updated firewall rules, endpoint controls, and monitoring.
  • User acceptance testing to confirm recovered systems operate normally.
  • Restarting production workload in phases while monitoring for anomalies.

Preventing repeat compromise is critical before restoring business capabilities. Security teams should be vigilant for new threats that may capitalize on vulnerabilities exposed by the attack.

Test Recovered Backups and Systems

Testing is an essential step before relying on recovered data in production. Rigorously validate that:

  • Backups fully restore and match expectations for contents and integrity.
  • Recovered files match hashes captured prior to infection.
  • Systems cleanly rebuild and correctly configure without errors.
  • Malware removal tools report a clean bill of health post-recovery.
  • Performance, availability, and functionality match baselines for applications.

Identifying issues during testing lets you remediate problems without business impact. Testing also verifies recovery processes for future execution if needed.

Restore in Phases for Large Incidents

For large-scale compromises across multiple systems, a phased restoration approach is advisable. This involves:

  • Prioritizing recovery of the most critical systems and data first.
  • Restarting workflows, applications, and services incrementally to monitor for anomalies.
  • Checking for signs of residue or reinfection after each restoration phase.
  • Tuning security controls and activity baselines between phases.

Gradual restoration is safer than surging back to full operations. It lets you confirm recovery effectiveness while adding back load in smaller increments.

Create Updated Recovery Documentation

Effective recovery also requires updating processes and documentation. Lessons learned during recovery should be incorporated to strengthen capabilities. Important activities include:

  • Documenting weaknesses that enabled the breach to drive improvements.
  • Updating incident response runbooks based on recent experience.
  • Expanding backups to cover previously missed systems and data.
  • Automating recovery procedures as much as possible.

Documenting institutional knowledge around effective techniques, tools, and integrations improves resilience. Recovery procedures should be regularly tested and updated to manage change.

Monitor for Post-Recovery Threats

Following recovery, ongoing vigilance is required to check for new threats. Attackers may attempt to re-compromise restored systems or launch new attacks based on reconnaissance gained during the breach. Monitoring should focus on:

  • Replay attacks attempting reused credentials or exploits.
  • Scanning activity probing restored systems and applications.
  • Malware samples customized based on insights from compromised data.
  • Suspicious insiders who may have aided the attackers.

Analytics and threat hunting capabilities should be heightened following major incidents. Preparation also involves having response playbooks ready for prompt containment if follow-on attacks occur.

Determine Root Causes and Improve Defenses

To enhance resilience, recovered environments should be examined to determine root causes behind the compromise. Thorough analysis provides insights to strengthen defenses, including:

  • Auditing configurations for vulnerabilities or misconfigurations that enabled the attack’s success.
  • Identifying unpatched software providing an avenue for exploits.
  • Reviewing privileged account management and segmentation controls.
  • Examining logging and monitoring gaps that slowed threat detection.

Understanding breakdowns that facilitated the breach guides enhancement of controls at all levels. This transforms recovery into an opportunity to bolster security and mitigate future risk.


Recovering from cyber attacks involves systematically eliminating threats, restoring systems to a secure state, and validating restoration effectiveness. The specific techniques depend on the nature and extent of the compromise.

Robust backup capabilities are essential but may not be enough. Response plans play a crucial role in driving organized assessment, containment, and restoration. Speed is important but careful execution is critical, especially when restoring business-critical systems and data. An untested, uncontrolled recovery may exacerbate damage and amplify risks.

While challenging, methodical recovery paired with diligent testing regains operational capability in a safe manner. Collecting lessons learned is also invaluable for maturing defenses and response plans. With rigorous preparation, organizations can confidently restore business functions without unwittingly welcoming attackers back in.