Cyber Resilience Board Briefing Series 2: Identity as the Critical Path
The Issue
One of the most common misconceptions in ransomware and destructive cyberattack recovery is the belief that recovery is primarily an infrastructure problem. It isn’t.
In many modern attacks, the real issue is trust. More specifically, whether the organisation can still trust the systems responsible for identity, privilege and access across the environment.
Attackers understand this well; it is why identity systems are increasingly prioritised early in an attack lifecycle. If an attacker compromises identity, they no longer need to rely on malware or exploit chains to gain access and progress their attack. They can instead leverage legitimate accounts, trusted authentication pathways and administrative tooling to move through the environment while appearing operationally normal.
At that point, the organisation is no longer simply dealing with compromised systems; it is dealing with compromised trust. This is why identity becomes the critical path in recovery.
Why This Matters at Board Level
Boards are ultimately accountable for the organisation’s ability to continue operating safely during and after a destructive cyber event. The challenge is that most organisations still measure recovery through legacy technical milestones:
· Systems restored
· Applications online
· Users able to authenticate
But these metrics say little about whether the environment can actually be trusted.
If identity systems remain compromised:
· Attackers may regain access immediately after restoration
· Privileged pathways may remain unsafe
· Persistence mechanisms may survive the recovery process
· Newly restored systems may reconnect to compromised trust infrastructure
In practice, this means an organisation can appear operationally recovered while still fundamentally insecure.
This is not purely a technical issue; it is a governance issue centred around:
· Acceptable levels of assurance
· Risk tolerance under uncertainty
· Recovery decision-making under pressure
Where Organisations Commonly Fail
Across the real-world incidents I’m involved in, four recurring failure patterns related to identity emerge.
Restoring Identity Too Early
Operational pressure during a destructive cyberattack naturally drives organisations toward rapidly restoring authentication services and administrative capability. Business leaders want systems available again, technical teams need access to recovery tooling and responders require administrative control to investigate and remediate the environment.
The problem is that, in many cases, identity infrastructure is restored before sufficient assurance exists that it is safe to do so. This frequently results in:
· Reinfection shortly after recovery
· Continued attacker access through compromised accounts or persistence mechanisms
· Restoration of administrative pathways the attacker already controls
A common contributing factor is that organisations are operationally dependent on production identity services in order to perform the recovery itself. Teams may need Active Directory, federation services or privileged authentication systems online simply to access:
· Backup platforms
· Recovery tooling
· Investigation environments and security tooling
· Containment systems
· Administrative consoles
This creates dangerous pressure to restore identity prematurely in support of the response effort.
Mature resilience programmes avoid this dependency by establishing pre-defined “break-glass” access mechanisms that operate independently from standard production identity services. These isolated recovery credentials and administrative pathways allow investigation, containment, remediation and restoration activities to proceed without immediately reintroducing potentially compromised identity infrastructure back into the environment.
Only once a foundational level of trust has been re-established through these isolated mechanisms should production identity services be repatriated to support wider operational recovery.
Assuming “No Evidence” Means “No Compromise”
Modern identity attacks increasingly leverage legitimate pathways:
· Token theft
· Federation abuse
· Kerberos attacks
· Multi-Factor Authentication fatigue
· Session hijacking
· Abuse of privileged administration tooling
Many of these techniques leave little obvious evidence, so organisations fall into a dangerous assumption: “We have no evidence identity remains compromised, therefore it is safe.” That assumption regularly proves incorrect.
Treating Identity as an IT Service Rather Than a Trust System
Identity is often operationally managed as infrastructure, but in reality, it is the foundation of trust for:
· Cloud services
· Backups
· Security tooling
· Remote access
· Administrative control planes
· Business applications
If identity trust remains degraded, the wider control environment remains degraded too.
Lack of Defined Recovery Conditions
Many organisations have restoration plans but lack clearly pre-defined criteria for:
· What level of assurance is required
· Who approves recovery decisions
· What residual risk is acceptable
This results in inconsistent decision-making under pressure during incidents.
The Board’s Role
Boards should ensure that identity recovery is treated as a strategic resilience issue, not simply a technical restoration activity. This includes ensuring that:
Recovery Planning Prioritises Identity Trust
Recovery plans should explicitly address:
· Identity validation
· Privileged access reconstruction
· Trust re-establishment
Not just infrastructure restoration.
Recovery Credentials Are Isolated
Organisations should maintain:
· Segregated administrative tiers
· Break-glass accounts
· Recovery credentials isolated from day-to-day operational identity systems
Exercises and Drills Reflect Realistic Identity Compromise
Most cyber resilience exercises still focus primarily on infrastructure failure and system restoration. Far fewer realistically simulate the identity-centric conditions increasingly seen in modern destructive cyberattacks, such as:
· Compromised domain administration
· Federated identity abuse
· Loss of trust in IAM platforms
· Recovery under degraded authentication capability
· Dependency on compromised privileged access pathways
These are no longer edge-case scenarios; they are increasingly central to how modern destructive cyberattacks unfold.
The danger is that organisations can become highly confident in recovery procedures that have only ever been tested under idealised conditions where identity systems remain trusted and operational. In reality, many recovery efforts fail precisely because the organisation discovers too late that foundational identity trust has been compromised.
Well-designed exercises force Security, IT Operations and infrastructure teams to collaboratively rebuild trust under pressure rather than simply restore technology. This not only develops operational muscle memory, but also exposes hidden dependencies on production identity services that may never have been identified in documentation, architecture diagrams or tabletop discussions.
In many organisations, these dependencies only become visible during a real incident: when operational pressure is highest and decision-making time is shortest. That is exactly the wrong moment to discover them.
Decision Rights Are Defined in Advance
Boards should understand:
· Who can authorise recovery under uncertainty
· What evidence is required before trust is re-established
· What level of residual risk is acceptable
Without this, organisations will improvise under pressure.
A Practical Analogy
During a destructive cyberattack, identity behaves less like the fabric of a building and more like its master key system. If an attacker has copied the master keys, repainting the walls and replacing damaged furniture does not make the building secure again.
You first need to establish:
· Which keys remain valid
· Who still has access
· Whether trust in the locking system itself has been compromised
Until that happens, the building may be operational, but it is not truly secure.
Key Takeaways for the Board
· Identity compromise is often the defining factor in whether recovery succeeds safely
· Restoring systems without restoring trust creates systemic risk
· Operational pressure can drive unsafe recovery decisions
· Identity should be treated as a strategic recovery dependency, not merely an IT service
· The critical question is not “Can users authenticate again?” but “Can the organisation trust the systems granting access?”
What to Ask Your Executive Team
· How would we validate that our identity systems can be trusted after a destructive cyberattack?
· What dependencies exist between identity recovery and wider business restoration?
· Do we maintain isolated recovery credentials and privileged administrative pathways?
· Have we exercised scenarios involving compromised identity infrastructure?
· What level of assurance is required before identity systems are restored?
· Who has authority to approve recovery decisions under uncertainty?
Closing Thought
In many modern cyberattacks, the attacker’s objective is not simply to compromise systems; it is to compromise trust itself. If trust is not deliberately rebuilt during recovery, the organisation risks restoring the attacker alongside the business.
Next Briefing
The Illusion of Clean Backups: Why Historical Data Does Not Automatically Mean Trusted Recovery.