Incident Response
Restore Alone Is Never Enough – Avoid Common Pitfalls During Recovery

Questions to Peter Lofgren
Based on your thousands of hours in incident response work, what would be a Red Flag for you?
- There are so many things, but to name a few short ones, VPN without MFA and misuse of domain admin privileges would be large red flags.
Why could “just restore from backup” be a bad idea during an incident?
- There are always many factors to an incident; everything comes into play. How long has the threat actor been in the environment, what have they done during that time period, and what has the business done during this period? All these questions weigh in when talking about restores: when to restore, what to restore and, most importantly, will a restore be enough. When we talk about threat actors, a common modus operandi is for them to install backdoors, call-home features, and screen sharing software. If only a restore is done, these tools will still be available to the threat actor at the time of restore, and what ends up happening is the business can be attacked again without any form of protection. For these reasons it’s super important to do a forensic investigation and, based on the findings from that, ensure all servers are cleaned of any threat actor activities.
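As an added illustration of one check that follows from this answer (it is not Lofgren's procedure and not a substitute for the forensic investigation he describes), the script below compares the persistence points of a restored host against a known-good build baseline. It assumes you hold a pre-incident manifest of services, scheduled tasks and autoruns and can collect the same inventory from the restored host; the entries, host names and the `EdrAgent` service are constructed sample data.

```python
"""Verify a restored host against a known-good baseline before reconnecting it.

Added example, not from the interview. Assumes a pre-incident build manifest
(BASELINE) and an inventory collected from the restored host (RESTORED), both
as sets of (kind, name, command) entries. All entries below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str      # "service", "task" or "autorun"
    name: str
    command: str   # executable path / command line


# Known-good baseline (constructed): what the build documentation says should run.
BASELINE = {
    Entry("service", "MSSQLSERVER", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    Entry("service", "W32Time", r"C:\Windows\System32\svchost.exe -k LocalService"),
    Entry("service", "EdrAgent", r"C:\Program Files\ExampleEDR\agent.exe"),   # hypothetical agent
    Entry("task", "Backup-Nightly", r"C:\Scripts\backup.ps1"),
}

# Inventory from the restored host (constructed). The backup was taken while the
# intruder already had access, so their tooling came back with the restore and
# the endpoint agent they removed is still missing.
RESTORED = {
    Entry("service", "MSSQLSERVER", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"),
    Entry("service", "W32Time", r"C:\Windows\System32\svchost.exe -k LocalService"),
    Entry("task", "Backup-Nightly", r"C:\Scripts\backup.ps1"),
    Entry("service", "AnyDesk", r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"),
    Entry("task", "OneDrive Update", r"C:\Users\Public\svch0st.exe -connect"),
}

# Remote-access / screen-sharing products that are legitimate in some estates and
# intruder persistence in others; the baseline, not the name, decides which.
REMOTE_ACCESS_MARKERS = ("anydesk", "teamviewer", "screenconnect", "splashtop", "rustdesk")

# Locations from which the build normally launches things; anything else is
# worth a second look even if the name sounds harmless.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\\".rstrip("\\") + "\\")


def classify(entry):
    """Label a deviating entry so the responder can prioritise follow-up."""
    text = f"{entry.name} {entry.command}".lower()
    if any(marker in text for marker in REMOTE_ACCESS_MARKERS):
        return "remote-access-tool"
    if not entry.command.lower().startswith(TRUSTED_PREFIXES):
        return "unexpected-path"
    return "unknown-deviation"


def verify_restore(baseline, restored):
    """Return what the restored host has that the baseline lacks, and vice versa."""
    unexpected = sorted(restored - baseline, key=lambda e: (e.kind, e.name))
    missing = sorted(baseline - restored, key=lambda e: (e.kind, e.name))
    return {
        "clean": not unexpected and not missing,
        "unexpected": [(e, classify(e)) for e in unexpected],
        "missing": missing,
    }


if __name__ == "__main__":
    report = verify_restore(BASELINE, RESTORED)
    print("clean:", report["clean"])
    for entry, label in report["unexpected"]:
        print(f"  UNEXPECTED [{label}] {entry.kind} {entry.name}: {entry.command}")
    for entry in report["missing"]:
        print(f"  MISSING {entry.kind} {entry.name} (baseline control not running)")
```

The point of the comparison is the second list as much as the first: a restore that silently brings back a host without its endpoint agent is the "without any form of protection" case in the answer above. Any deviation is a lead for the forensic investigation, not a verdict.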
Are there any exceptions to this Red Flag?
- Understanding the risk of doing a restore without cleanup can allow for exceptions to this. So, as an example, due to the critical nature of a system X, a quick restore without cleanup but putting the system in a contained network without access to anything else can be an interim solution to help get the system and the customer back on track. The big challenge here is understanding system dependencies and whether it uses data from other systems. How can the isolation be kept and still allow user access? This is usually a very fine and delicate line to walk.
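To make the dependency problem in this answer concrete, here is an added example (not Lofgren's method) that plans the allow-list for a system restored into a contained network. It assumes you keep a simple map of which hosts and ports each system needs and a list of hosts already verified clean; the system names, ports and the rule text format are constructed placeholders to be translated into whatever firewall fronts the enclave.

```python
"""Plan contained-network access for a system restored without cleanup.

Added example, not from the interview. Assumes a dependency map (which hosts
and ports a system needs) and the set of hosts already verified clean. All
names and ports below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str = "tcp"

    def rule(self):
        # Vendor-neutral rule text; translate to the enclave firewall's syntax.
        return f"allow {self.proto} {self.src} -> {self.dst}:{self.port}"


# Constructed dependency map: what the restored system needs in order to work.
DEPENDENCIES = {
    "erp-app": [
        Flow("erp-app", "erp-db", 1433),      # reads business data from another system
        Flow("erp-app", "dc01", 88),          # Kerberos
        Flow("erp-app", "dc01", 389),         # LDAP
        Flow("erp-app", "fileserver", 445),   # document share
    ],
}

# The user access the business needs while the system lives in the enclave.
USER_ACCESS = [Flow("user-vlan", "erp-app", 443)]


def plan_isolation(system, verified_clean, deps=DEPENDENCIES, user_access=USER_ACCESS):
    """Split dependencies into flows that keep the enclave intact and flows that would pierce it."""
    needed = deps.get(system, [])
    allow = [f for f in needed if f.dst in verified_clean]
    # A dependency on an unverified host cannot simply be opened: either that host
    # is verified clean first, or it is pulled into the enclave with the system.
    blocked = [f for f in needed if f.dst not in verified_clean]
    allow += [a for a in user_access if a.dst == system]
    return {
        "system": system,
        "allow": allow,
        "blocked": blocked,
        "default": "deny all other traffic, both directions",
    }


def render(plan):
    """Render the plan as rule lines plus the decisions the responder still owes."""
    lines = [f"# enclave policy for {plan['system']}: default {plan['default']}"]
    lines += [f.rule() for f in plan["allow"]]
    lines += [
        f"# DECISION NEEDED: {f.dst}:{f.port} is unverified; verify it or move it into the enclave"
        for f in plan["blocked"]
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(plan_isolation("erp-app", verified_clean={"dc01"})))
```

With only the domain controller verified clean, the plan allows the two `dc01` flows and the user-facing port and leaves `erp-db` and `fileserver` as open decisions; that list is the "fine and delicate line" from the answer, written down so it can be argued over rather than discovered when the application fails.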