Ransomware Preparedness

Ransomware Recovery - A Layered Recovery Response

Ransomware operators no longer rely solely on encryption. Campaigns increasingly combine it with, or replace it by, other forms of cyber extortion: nonrecoverable data corruption, hardware corruption, data theft and the mining of stolen data for further leverage. At the same time, ransomware-as-a-service (RaaS) continues to proliferate, letting less technically skilled actors launch attacks with greater ease and sophistication. Staying current on these trends and maintaining robust, tested controls is what keeps the risk manageable.

"Even the most well-funded organizations cannot address all threats. Responding to the threat landscape is about prioritization. This means simultaneously prioritizing known threats and preparing for the uncertain threats."

Four critical elements must be in place for a successful recovery from ransomware:

Recommendations:

Make Recovery of Directory Services Paramount

When your identity provider is hit by ransomware, every dataset and application that depends on those accounts for authentication and authorization becomes inaccessible, even if the malware never touched it. Without a backup that you can actually restore, user accounts, service roles and federation trusts would have to be recreated by hand. A separate, immutable and isolated backup of directory services greatly reduces the time needed to restore access to the environment and begin recovery. To keep that recovery fast, the backup should sit as close as possible to the production or recovery environment, and best practice is also to export copies to an off-premises isolated storage environment. Keep enough retention to restore from a copy taken before the intrusion began; restoring the most recent copy risks bringing back the accounts and credentials the attacker added.

Build an Architecture That Proactively Solves Business-Critical Recoverability

Business-critical datasets identified in the disaster recovery and business continuity plans must be adequately protected and held on a storage target chosen for fast recoverability. Applications such as ERP, email and CRM are typically prioritized because of the operational impact of an outage and the business risk a prolonged one represents. Also consider the datasets in constant use by the largest share of your users and clients, and the configuration files and settings of critical infrastructure (DNS, firewalls, routers, switches and so on), without which nothing else can be brought back online.
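Before a backup copy is trusted for either of the tiers above, a practitioner wants two checks: that the copy has not been corrupted or re-tiered since it was written, and that directory services are restored before anything that depends on them. The following is an added example, not code from the original page; the dataset names, tier numbers and the manifest key are constructed for illustration. It writes a tamper-evident manifest (per-set SHA-256 plus an HMAC over the whole record, with the key kept only in the isolated recovery environment) and plans the restore order from it, refusing to plan at all if the manifest itself fails authentication.

```python
"""Tamper-evident backup manifest and tiered restore ordering.

Added example, not code from the original page. All names, tiers and
the manifest key below are hypothetical.
"""
import hashlib
import hmac
import json

# Constructed sample backup sets: dataset name -> (recovery tier, content bytes).
# Tier 0: directory services; tier 1: business-critical (ERP, email, CRM,
# infrastructure config); tier 2: everything else.
SAMPLE_BACKUPS = {
    "directory-services": (0, b"directory database + policy snapshot"),
    "erp-db": (1, b"erp full backup"),
    "mail": (1, b"mailbox database"),
    "firewall-config": (1, b"set firewall rule 1 ..."),
    "user-homes": (2, b"unstructured user files"),
}

# Hypothetical manifest-signing key. In practice it lives only in the
# isolated recovery environment, never on production hosts the attacker may own.
MANIFEST_KEY = b"example-key-kept-off-production"


def _canonical(payload):
    """Deterministic JSON encoding so the HMAC is stable across runs."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backups, key):
    """Record tier and SHA-256 of every backup set, then authenticate the
    whole record with an HMAC so a corrupted or re-tiered entry is detectable."""
    entries = {
        name: {"tier": tier, "sha256": hashlib.sha256(data).hexdigest()}
        for name, (tier, data) in backups.items()
    }
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest, key):
    """True only if the manifest body still matches its HMAC."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def find_corrupted(manifest, backups):
    """Names of backup sets that are missing or whose content hash changed."""
    bad = []
    for name, entry in manifest["entries"].items():
        if name not in backups:
            bad.append(name)
            continue
        actual = hashlib.sha256(backups[name][1]).hexdigest()
        if not hmac.compare_digest(actual, entry["sha256"]):
            bad.append(name)
    return sorted(bad)


def plan_restore(manifest, backups, key):
    """Return (names to restore in order, names that need a fallback copy).

    Directory services (tier 0) always come first; sets that fail their
    hash check are excluded and reported rather than silently restored.
    """
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest failed HMAC check; do not trust this backup copy")
    corrupted = set(find_corrupted(manifest, backups))
    order = sorted(
        (n for n in manifest["entries"] if n not in corrupted),
        key=lambda n: (manifest["entries"][n]["tier"], n),
    )
    return order, sorted(corrupted)


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_BACKUPS, MANIFEST_KEY)
    damaged = dict(SAMPLE_BACKUPS)
    damaged["erp-db"] = (1, b"\x00" * 16)  # simulate corruption of one set
    print(plan_restore(manifest, damaged, MANIFEST_KEY))
```

The manifest is built at backup time and verified at restore time; because the HMAC covers the tier as well as the hash, an attacker who can write to the backup target cannot quietly demote directory services below the datasets that depend on it, and a corrupted set is surfaced for restore from the off-premises copy instead of being replayed into the recovery environment.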

Prioritize and Recover Non-Business-Critical Datasets

Midsize enterprises (MSEs) should keep the number of recovery tiers to an absolute minimum, so that the remaining datasets are restored in the most operationally efficient way and the process stays simple. These range from user-specific data to other unstructured datasets. Some examples are:


Level 4: Cyber Security Incident Response Process (CSIRP)

At the SOC's most advanced level are managers and chief officers; they become most engaged during a crisis and own the execution of this process. This group oversees all SOC team activities, is responsible for hiring and training, and evaluates individual and overall performance. Level 4 steps in during crises and, specifically, serves as the liaison between the security team and the rest of the organization. It is also responsible for ensuring compliance with organizational, industry and government regulations.

Level 3: Proactive security operations

Security managers are informed, specialist staff are engaged, and the operation moves from reactive to proactive security actions. Personnel at this level are typically expert security analysts who actively search for vulnerabilities in the network and hunt for threats. They use advanced threat detection tools to diagnose weaknesses and make recommendations for overall security improvement. This group may also include specialists such as forensic investigators, compliance auditors or cybersecurity analysts. Level 3 decides when to escalate to Level 4.

Level 2: Cyber Incident Remediation

These personnel can quickly get to the root of a problem and determine which part of the infrastructure is affected or at risk. They follow a well-defined playbook and decide how to remediate based on their knowledge of the issue and the environment. They flag issues that need investigation outside the incident response protocol and decide when to escalate to Level 3.

Level 1: First responders

The first line of incident responders is a group of security analysts with eyes on glass 24x7, watching for alerts. Their main task is to assess the urgency of each alert and decide whether it can be resolved within their remit, either through automated playbooks and orchestration or by following an established manual playbook. On that basis they escalate to Level 2. They are also responsible for producing statistics and SOC reports for review. Behavioral analytics and AI-based models, still in beta, are being adopted for advanced needs to act as Level 1.