Phase 8 · Intelligence-led Recovery
Traditional disaster recovery planning asks: how fast can we restore, and how much data can we afford to lose? These are necessary questions. They are not sufficient. A DR plan that has never been tested against your actual adversary's destructive techniques — ransomware that targets backups first, wipers that propagate through recovery infrastructure, supply-chain implants that survive restoration — is a theory, not a plan.
Recovery planning built by IT infrastructure teams around RTO and RPO produces something that works in generic disaster scenarios: a power outage, a hardware failure, an accidental deletion. It does not produce something that works when the adversary has been inside your environment for weeks, has mapped your backup infrastructure, and has specifically targeted it before executing. Ransomware operators in particular go after backups first — because they know your recovery depends on them.
Intelligence-led recovery planning starts with the adversary, not with the infrastructure. What is your primary adversary's most likely destructive course of action? Ransomware? Wiper malware? Destruction of specific operational technology? Supply-chain-delivered implants? The answers to those questions drive every element of your recovery architecture — which assets are isolated, how backups are verified, what the restoration sequence looks like, and what verification steps confirm that the environment is actually clean before systems go back into production.
Not all systems are equal. Not all data is equally critical. Recovery prioritization built around technical categories — servers, databases, endpoints — rather than business impact produces a recovery sequence that restores what IT manages rather than what the organization cannot survive without. Crown jewel identification answers a different question: what are the systems, data sets, and capabilities that, if destroyed or encrypted, would be existentially damaging to this organization's ability to operate, compete, or fulfill its core function?
These are not necessarily the most expensive systems. They are not necessarily the most regulated. They are the assets whose loss creates consequences that cannot be absorbed — customer trust, operational capability, financial function, legal standing. Recovery prioritization is built around these assets first. Everything else is sequenced around them.
The initial access vector must be understood and closed before any restoration. Restoring into an environment where the adversary's foothold still exists means restoring into a compromised environment. The adversary will be back within hours.
Evidence that establishes scope of compromise — memory, disk, logs — is destroyed by restoration. Legal, regulatory, and insurance requirements all depend on what forensics can capture before restoration begins. This window does not reopen.
Backups that contain ransomware restore ransomware. Backups that contain supply-chain implants restore implants. Verify backup integrity against known clean baselines before restoring. Confirm the backup predates the initial access timestamp established by forensics.
Restore crown jewel systems first, in an isolated segment, with verification gates before connecting to broader infrastructure. Each restoration step is verified before the next begins. The sequence is intelligence-driven, not alphabetical.
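As an added example (not code from the original article), the two gates described above expressed in Python: a backup snapshot is restorable only if it predates the forensic initial-access timestamp and its file hashes match a known-clean baseline, and systems are then sequenced by crown-jewel priority rather than alphabetically. Every system name, path, hash and timestamp below is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Snapshot:
    system: str
    taken_at: datetime          # when the backup was written
    manifest: Dict[str, str]    # path -> sha256 of the file at backup time

def snapshot_is_clean(snap: Snapshot, baseline: Dict[str, str]) -> bool:
    """Pass only if every baseline-controlled file is present with its known-clean hash.
    A tampered trusted binary (e.g. an implant) changes its hash and fails the gate."""
    return all(snap.manifest.get(path) == digest for path, digest in baseline.items())

def select_restorable(snaps: List[Snapshot], baseline: Dict[str, str],
                      initial_access: datetime) -> Optional[Snapshot]:
    """Newest snapshot that predates initial access AND matches the clean baseline.
    Post-intrusion snapshots are rejected even if their hashes match, since the
    adversary may have staged changes in files the baseline does not cover."""
    ok = [s for s in snaps if s.taken_at < initial_access and snapshot_is_clean(s, baseline)]
    return max(ok, key=lambda s: s.taken_at, default=None)

def restoration_plan(snaps_by_system: Dict[str, List[Snapshot]], baselines: Dict[str, Dict[str, str]],
                     initial_access: datetime, priority: Dict[str, int]) -> List[Tuple[str, Optional[datetime]]]:
    """Crown jewels first (lowest priority number), each with its chosen snapshot time.
    A system with no restorable backup is recorded as None, never silently skipped."""
    plan = []
    for system in sorted(snaps_by_system, key=lambda s: priority.get(s, 99)):
        chosen = select_restorable(snaps_by_system[system], baselines[system], initial_access)
        plan.append((system, chosen.taken_at if chosen else None))
    return plan

# Constructed sample data (not real systems, hashes or dates).
UTC = timezone.utc
INITIAL_ACCESS = datetime(2024, 3, 10, 2, 0, tzinfo=UTC)            # from the forensic timeline
CLEAN = {"/opt/app/bin/server": "a1b2c3", "/etc/app/config.yml": "d4e5f6"}
IMPLANTED = {"/opt/app/bin/server": "ffff00", "/etc/app/config.yml": "d4e5f6"}  # binary replaced
SNAPSHOTS = {
    "payments-db": [Snapshot("payments-db", datetime(2024, 3, 1, tzinfo=UTC), CLEAN),
                    Snapshot("payments-db", datetime(2024, 3, 8, tzinfo=UTC), CLEAN),
                    Snapshot("payments-db", datetime(2024, 3, 12, tzinfo=UTC), CLEAN)],  # post-intrusion
    "build-server": [Snapshot("build-server", datetime(2024, 3, 5, tzinfo=UTC), IMPLANTED),
                     Snapshot("build-server", datetime(2024, 3, 9, tzinfo=UTC), IMPLANTED)],  # implant predates intrusion
}
BASELINES = {"payments-db": CLEAN, "build-server": CLEAN}
PRIORITY = {"payments-db": 1, "build-server": 2}
if __name__ == "__main__":
    for system, when in restoration_plan(SNAPSHOTS, BASELINES, INITIAL_ACCESS, PRIORITY):
        print(system, "restore from", when or "NO CLEAN BACKUP: rebuild from trusted media")
```

The build-server case shows the supply-chain situation the article raises later: every vintage predates the intrusion yet none matches the clean baseline, so the gate flags a rebuild instead of restoring the implant.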
All recovery coordination happens outside infrastructure the adversary may still have access to, over a separate communication channel established before the incident and practiced in exercises — not one improvised during recovery while the adversary may be watching.
If your backup infrastructure is connected to the same network as your primary environment, an adversary who compromises your primary environment can reach your backups. This is not a theoretical concern — ransomware operators specifically look for backup infrastructure as a primary target, because destroying it maximizes the leverage they hold. Air-gapped or immutable backups, where writes cannot be deleted or modified by a compromised account, are a security requirement for any organization that faces a ransomware threat actor — which is essentially every organization.
Supply chain compromise adds a dimension that most recovery plans do not address. If your backup contains a supply-chain-delivered implant — malicious code introduced through a trusted vendor or software update — restoring from that backup reintroduces the implant. Supply chain verification before restoration is part of an intelligence-led recovery process: what does your threat intelligence say about supply chain compromise in your adversary's documented techniques, and how does that affect which backup vintage is safe to restore from?
Testing against real scenarios — not generic disasters: A DR plan that has never been tested against a realistic ransomware scenario — where backups are targeted before execution, where specific crown jewel systems are the adversary's objective, where the restoration environment itself may be compromised — has not been tested against your actual risk. The exercise that reveals gaps in your recovery plan is vastly less expensive than the incident that reveals them under actual adversary pressure.
Every recovery exercise and every actual incident produces intelligence that improves the security program. The detection gaps that allowed the adversary to reach the point of destructive action become engineering priorities. The log sources that were critical for establishing the incident timeline but were insufficiently retained become log strategy requirements. The backup gaps discovered during recovery become architecture changes. And the adversary's destructive technique — now confirmed in your environment — becomes the highest-priority scenario for the next recovery exercise. Recovery is not the end of the program cycle. It is the beginning of the next one.
The principle that separates once from twice: Organizations that get breached once and recover well share one characteristic — they understood the scope of compromise before they restored. Organizations that get breached twice by the same adversary share a different characteristic — they restored before they understood. The pressure to restore quickly is real. The discipline to complete the investigation first is what determines which category your organization falls into.