Incident Response
Restore and Repair – Don’t Build New After an Incident

Questions to Mikael Nyström
Based on your thousands of hours in incident response work, what would be a Red Flag for you?
- One major red flag that immediately stands out to me—based on thousands of hours in incident response—is when someone says, “Let’s just throw everything away and start over from scratch.” While it might sound like a clean solution, it’s almost always a bad idea. In the middle of a crisis, this approach is rarely effective and can significantly delay recovery efforts.
Why is “Building a new Infrastructure, like a new Active Directory” a bad idea during an incident?
- Let’s take the example of rebuilding Active Directory from scratch. Technically, it’s possible—but in most cases, it’s a poor decision. Here’s why:
- Preserving Identity Data: After a ransomware attack, the standard approach is to build new Domain Controllers using the existing Active Directory database. This allows us to retain all user and computer identities, which is critical for continuity. We then perform a thorough cleanup—resetting all passwords, purging Kerberos tickets, and applying other hardening measures.
- Restoration Complexity: Starting fresh with a brand-new Active Directory breaks compatibility with many enterprise systems. Services like Exchange, SharePoint, System Center, and clustered environments often rely on the original AD structure. Rebuilding them from scratch is time-consuming and error-prone.
- User Disruption: A new AD means every computer must be rejoined or reinstalled. Users will lose their profiles, desktops, and familiar settings. This leads to confusion, frustration, and a steep learning curve—right when the organization is already under stress.
- Time and Resource Drain: The time and effort required to rebuild everything from the ground up is massive. During an incident, time is your most valuable resource. Wasting it on unnecessary reinvention can severely impact business continuity.
- The same goes for “Building a new Azure Tenant”: the amount of work is huge compared to fixing the solution. The whole idea of throwing away and rebuilding is mostly just wasting time and creating frustration, and in the worst case the same security flaws are reintroduced.
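The cleanup on a retained Active Directory that the answer above outlines (keep the database, reset passwords, purge Kerberos tickets) can be scripted. The following is an added example and not the interviewee's own tooling or the page's code. It assumes things the page does not state: it runs from a clean admin host with the RSAT ActiveDirectory module, WinRM is open to the domain controllers and members, the attacker's access is already contained, the surviving DCs have been verified clean, and the dedicated incident-response account running the script is excluded and reset by hand afterwards. The export path is a hypothetical location on an encrypted volume.

```powershell
<#
Added example (not from the interview): post-ransomware credential cleanup on a RETAINED AD.
Dry run:  .\ad-credential-reset.ps1 -WhatIf
Apply:    .\ad-credential-reset.ps1 -PasswordExport 'X:\ir\reset-passwords.csv'   # hypothetical path
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $PasswordExport  = 'X:\ir\reset-passwords.csv',   # assumption: encrypted volume
    [int]      $PasswordLength  = 24,
    [string[]] $ExcludeAccounts = @('krbtgt', $env:USERNAME)      # IR account: reset manually, last
)
Import-Module ActiveDirectory -ErrorAction Stop
$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

function New-RandomPassword {
    param([int]$Length)
    # CSPRNG-backed; Get-Random is not acceptable for credential material.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-Krbtgt {
    # One reset only moves the stolen key into the "previous" slot, which the KDC still honours.
    # Two resets evict it, so golden tickets stop validating. Force replication between rounds
    # so no DC keeps issuing tickets with the old key. Back-to-back resets also invalidate
    # legitimate tickets; during an active incident that disruption is the accepted price.
    $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc
    foreach ($round in 1, 2) {
        Set-ADAccountPassword -Identity $krbtgt -Server $pdc -Reset `
            -NewPassword (ConvertTo-SecureString (New-RandomPassword 64) -AsPlainText -Force)
        foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
            Sync-ADObject -Object $krbtgt.DistinguishedName -Source $pdc -Destination $dc
        }
        # Every DC must report the same pwdLastSet before the second round is allowed.
        $stamps = $dcs | ForEach-Object { (Get-ADUser krbtgt -Server $_ -Properties pwdLastSet).pwdLastSet }
        if (($stamps | Select-Object -Unique).Count -ne 1) {
            throw "krbtgt round $round has not replicated to all DCs; repair replication first"
        }
    }
}

function Reset-AllAccountPasswords {
    $users = Get-ADUser -Filter * -Server $pdc -Properties ServicePrincipalName, PasswordNeverExpires |
             Where-Object { $_.SamAccountName -notin $ExcludeAccounts }
    $rows = foreach ($u in $users) {
        # Accounts with SPNs or "password never expires" are almost always service identities:
        # forcing change-at-logon would break them (and Set-ADUser refuses it for never-expires),
        # so their new secret goes to the application owner via the export instead.
        $needsOwner = ($u.ServicePrincipalName.Count -gt 0) -or $u.PasswordNeverExpires
        $pw = New-RandomPassword $PasswordLength
        Set-ADAccountPassword -Identity $u -Server $pdc -Reset `
            -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
        if (-not $needsOwner) { Set-ADUser -Identity $u -Server $pdc -ChangePasswordAtLogon $true }
        [pscustomobject]@{ Account = $u.SamAccountName; NeedsOwnerFollowUp = $needsOwner; Password = $pw }
    }
    $rows | Export-Csv -Path $PasswordExport -NoTypeInformation
    $rows
}

function Clear-KerberosState {
    param([string[]]$Computers)
    # Purge cached tickets for the admin session and the SYSTEM logon session (LUID 0x3e7);
    # on DCs also restart the KDC so nothing keeps serving tickets minted under the old keys.
    Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
        klist purge | Out-Null
        klist -li 0x3e7 purge | Out-Null
        if (Get-Service kdc -ErrorAction SilentlyContinue) { Restart-Service kdc }
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Purged = $true }
    }
}

function Reset-MemberMachinePasswords {
    param([string[]]$Computers)
    # Machine passwords are reset FROM the member so its LSA secret is rewritten; resetting only
    # the AD side breaks the secure channel. DCs are excluded on purpose: use netdom resetpwd on
    # each DC with the KDC stopped, one DC at a time.
    Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
        Reset-ComputerMachinePassword -Server $using:pdc
        [pscustomobject]@{ Host = $env:COMPUTERNAME; SecureChannelOk = (Test-ComputerSecureChannel) }
    }
}

if ($PSCmdlet.ShouldProcess("krbtgt on $pdc", 'Reset twice with forced replication')) { Reset-Krbtgt }
if ($PSCmdlet.ShouldProcess('all domain accounts', "Reset passwords and export to $PasswordExport")) {
    $reset = Reset-AllAccountPasswords
    "Reset $(@($reset).Count) accounts; $(@($reset | Where-Object NeedsOwnerFollowUp).Count) need owner follow-up"
}
if ($PSCmdlet.ShouldProcess(($dcs -join ', '), 'Purge Kerberos tickets and restart KDC')) { Clear-KerberosState -Computers $dcs }
$members = (Get-ADComputer -Filter 'Enabled -eq $true' -Server $pdc).DNSHostName | Where-Object { $_ -notin $dcs }
if ($PSCmdlet.ShouldProcess("$(@($members).Count) member computers", 'Reset machine password and purge tickets')) {
    Reset-MemberMachinePasswords -Computers $members
    Clear-KerberosState -Computers $members
}
```

Run it once with -WhatIf to see every action it would take before applying. The order matters: krbtgt goes first so the KDC key the attacker most likely holds dies before anything else, the account sweep follows, and ticket purges run last so no host keeps a cache of tickets minted under the old keys. Group managed service accounts are not touched here; their secrets derive from the KDS root key and need a separate decision. Protect the exported CSV as you would a domain-admin password list and destroy it once the help desk and application owners have distributed the new secrets.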
Are there any exceptions to this Red Flag?
- Yes, there are rare cases where starting over is the only viable option. For example, if there are no backups and the entire environment is irreparably compromised, rebuilding from scratch may be the only path forward. But these situations are the exception, not the rule.