Cyber Incident Recovery Playbooks : Starting from Ground Zero

Introduction

Many organisations feel reassured knowing they have a cyber incident recovery playbook in place, in many cases supported by a company-wide Crisis Management Plan. These documents outline how to restore systems and services after an attack to meet business Recovery Time and Recovery Point Objectives, and they often meet the tick-box expectations of auditors, regulators, and even cyber insurers.

But here’s the problem: many of these playbooks make hidden assumptions. They assume that when disaster strikes, the foundations of your IT estate will still be there to support recovery: Active Directory or Azure Entra for authentication, VPNs or remote access tools for connectivity, hypervisors for server builds, and backup platforms to orchestrate restorations.

In reality, these assumptions may not hold. In the event of a ransomware attack, insider threat, or destructive malware, the very foundations you depend on may be the first (or very last) things taken out by the attackers before it becomes evident that a company has become a victim (yes - they are a victim!!!).

And therein is the challenge - if your recovery playbook doesn’t consider how to recover from absolute ground zero, you may find yourself paralysed in the middle of a crisis.

The False Comfort of Recovery Playbooks

Why do organisations fall into this trap? In part, because recovery planning has historically been shaped by compliance, rather than crisis reality. Tabletop exercises might simulate application outages, database corruption, or isolated ransomware events, but they rarely start with: “Assume you have no identity system, no hypervisors, and no backup control plane. What now?”

As a result, playbooks are typically written top-down: “restore critical apps, prioritise customer-facing services, ensure regulatory reporting.” That sounds good on paper. But in a severe event, these steps collapse when the bottom of the technology stack has been wiped away.

Core Foundations That May Be Unavailable After an Attack 

Identity Systems (Active Directory / Azure Entra) 

If your primary identity provider is compromised, who can log in to initiate recovery? Attackers know this and that is why identity systems are a prime target, not just for gaining access but also for preventing the recovery of the attacked systems. Without AD or Entra, even administrators can’t authenticate to critical systems.

Remote Access Technology 

In today’s world of outsourced data centres, hybrid and remote operations, and cloud-first environments, recovery is often assumed to be performed remotely. But if your VPN concentrator or remote desktop gateway is down, or if it can’t be trusted because it’s been compromised, how do your teams gain access? In these circumstances the first step to recovery may be getting human boots on the ground in your primary data centres - is that time built into your recovery plans?

Hypervisors / Virtualisation Platforms 

Ransomware and wiper malware increasingly target VMware ESXi, Hyper-V, and other virtualisation layers. If you can’t spin up virtual machines, your “recover applications” step is meaningless, or at least significantly delayed.

Backup Infrastructure 

Modern attackers don’t just encrypt production data; they deliberately target backup servers, catalogues, and orchestration platforms. If your backup software is down, how do you even initiate a restore? In many cases attackers have compromised your backups well before they launch the destructive event, making the recovery of recent data even harder.

Other Critical Foundations: DNS, PKI, Networking

It’s not just the “big four” above though. DNS servers, certificate authorities, and core network infrastructure are all essential building blocks for recovery. Without them, nothing talks to anything, and attackers know this.

Why “Ground Zero” Thinking Matters

When dealing with severe cyber incidents, the mindset needs to shift from “business outage” to “total infrastructure loss.” It’s not just about restoring business applications; it’s about rebuilding trust chains, re-establishing control, and working upwards from the most basic digital components and foundations.

Think of it like disaster recovery after a fire or flood: you wouldn’t assume your server racks or network gear survived intact. A cyber disaster deserves the same assumption of starting from scratch.

Re-Engineering Recovery Playbooks from the Bottom Up 

Step 1: Define Absolute Ground Zero Requirements

  • Known-good hardware or cloud resources.

  • Isolated “clean room” laptops for administrators.

  • Offline copies of recovery documentation.

  • “Break-glass” accounts not dependent on primary identity systems.

Step 2: Establish a Trusted Recovery Environment

  • Rebuild or provision a clean management environment separate from the compromised estate.

  • Use pre-staged golden images and secure, offline media.

  • Ensure you can authenticate at least a minimal set of administrators without AD/Entra.

Step 3: Restore Core Foundations

  • Rebuild identity, DNS, and network infrastructure first.

  • Stand up hypervisors or cloud tenancy layers.

  • Restore the backup control plane from isolated copies.

Step 4: Layer Application Recovery

  • Only once foundations are in place can you start restoring databases, applications, and business services.

  • Sequence restorations in line with business priorities and regulatory obligations. 
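As an added example (not part of the original article), the following Python script turns Steps 1 to 4 above and the “inventory the hidden assumptions” recommendation into a check you can run over a playbook: each step declares the services it assumes are already working, the script reports foundations that no step actually restores, and it derives a bottom-up recovery order or flags a circular dependency. The playbook contents and service names are constructed for illustration.

```python
from collections import deque

# Foundation services the article says may be gone at "ground zero".
# Constructed set for this example.
FOUNDATIONS = {"identity", "remote_access", "hypervisor",
               "backup_control_plane", "dns", "network"}

# Constructed sample playbook written top-down: step "restore_<service>"
# provides <service> and lists the services it assumes are already working.
# Two hidden assumptions are built in: the hypervisor rebuild needs identity
# and remote access, while identity itself runs on the hypervisor.
SAMPLE_PLAYBOOK = {
    "restore_crm_app": {"hypervisor", "identity", "backup_control_plane"},
    "restore_database": {"hypervisor", "backup_control_plane", "dns"},
    "restore_backup_control_plane": {"hypervisor", "identity"},
    "restore_hypervisor": {"identity", "remote_access"},
    "restore_identity": {"hypervisor", "dns"},
    "restore_dns": {"network"},
    "restore_network": set(),
}

def provided_by(playbook):
    """Map each service to the step that restores it (restore_<service> convention)."""
    return {s[len("restore_"):]: s for s in playbook if s.startswith("restore_")}

def hidden_assumptions(playbook, foundations=FOUNDATIONS):
    """Foundation services a step relies on that no step in the playbook restores."""
    restored = provided_by(playbook)
    gaps = {}
    for step, needs in playbook.items():
        missing = sorted(n for n in needs if n in foundations and n not in restored)
        if missing:
            gaps[step] = missing
    return gaps

def recovery_order(playbook):
    """Bottom-up order via Kahn's algorithm; ValueError names steps stuck in a cycle."""
    restored = provided_by(playbook)
    deps = {step: {restored[n] for n in needs if n in restored}
            for step, needs in playbook.items()}
    indeg = {step: len(d) for step, d in deps.items()}
    ready = deque(sorted(s for s, n in indeg.items() if n == 0))
    order = []
    while ready:
        step = ready.popleft()
        order.append(step)
        for other, d in deps.items():          # release steps that waited on this one
            if step in d:
                indeg[other] -= 1
                if indeg[other] == 0:
                    ready.append(other)
    stuck = sorted(s for s in playbook if s not in order)
    if stuck:
        raise ValueError("circular foundation dependency: " + ", ".join(stuck))
    return order
```

Running `hidden_assumptions` on the sample shows remote access is assumed but never restored, and `recovery_order` refuses to sequence it until the identity/hypervisor loop is broken, for instance by rebuilding identity on clean-room hardware instead of the old hypervisor.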

Testing and Exercising the Unthinkable

It’s easy to test a server restore or a failed database. It’s harder, but more valuable, to test a full identity provider wipe-out (e.g. your Entra ID environment being lost) or a backup service compromise.

Case studies like Maersk (which had to rebuild Active Directory from scratch worldwide in 2017) and Norsk Hydro (crippled by ransomware in 2019) show the scale of the challenge when foundations are gone.

To prepare, organisations should:

  • Run tabletop exercises assuming all core infrastructure is compromised.

  • Maintain offline, hard-copy recovery playbooks.

  • Practice re-establishing identity, networking, and backups before application recovery. 

Key Recommendations

  1. Inventory the hidden assumptions in your current playbooks.

  2. Prepare clean-room recovery environments, both on-premises and cloud-based.

  3. Maintain offline golden images for hypervisors, backup controllers, and admin devices.

  4. Develop break-glass identity solutions that work without AD/Entra.

  5. Exercise “ground zero” recovery regularly to uncover gaps before a real incident.

Conclusion 

Cyber incident recovery is not just about getting business applications back online. It’s about having the ability to rebuild from nothing if your foundations are gone.

If your recovery playbook assumes that any part of your identity, remote access, hypervisor or backup infrastructure is available, your playbook isn’t complete.

The question for every organisation is simple: can you recover from absolute ground zero? If the answer is no, it’s time to revisit your playbooks before an attacker forces you to.
