How is recovery different from eradication?

Eradication removes the adversary. Recovery restores the systems. Recovery without prior eradication leaves the adversary in place; eradication without recovery leaves operations down. The two are sequential and distinct.

What metrics measure recovery?

Recovery Time Objective (RTO) is the planned maximum downtime; MTTR (Mean Time to Recover) is the measured actual recovery time. Recovery Point Objective (RPO) is the maximum acceptable data loss; the actual data loss can be measured against the RPO target.

What is the biggest risk during recovery?

Restoring from backups created during the dwell window. The adversary may already be in those backups; restoring them re-installs the compromise. Backup integrity validation and known-good-image rebuilds are the standard mitigations.

When is recovery complete?

When each restored function meets pre-defined success criteria including operational availability, performance, security control state, validated backup integrity, completed credential rotation, and a defined monitoring window without adversary activity. Availability alone is not enough.

Recovery - NIST 800-61 Incident Response Phase

Q: What is the recovery phase in incident response?

Recovery is the NIST SP 800-61 phase in which systems are restored to normal operation with confidence that the adversary is no longer present and re-infection is prevented. It follows eradication and precedes post-incident activity.

Recovery is the NIST SP 800-61 incident response phase in which systems are restored to normal operation with confidence that the adversary is no longer present and re-infection is prevented. Recovery follows eradication and precedes post-incident activity. The recovery phase is the most visible to business stakeholders and is the most common source of post-incident dispute (insurance, regulators, customers).

Source: NIST SP 800-61 Rev. 3, ISO/IEC 27035-1:2023.

What Recovery Includes

Rebuild or restore affected systems from known-good images and backups
Re-integrate restored systems into production with appropriate monitoring
Restore data to the appropriate Recovery Point Objective (RPO)
Meet the Recovery Time Objective (RTO) for each restored function
Verify that all restored systems are operational and free of the adversary
Heightened monitoring of restored systems for residual indicators

Recovery Validation

Recovery is not complete until each restored function meets pre-defined success criteria. For ransomware incidents this typically includes validated backup integrity (restored backups themselves are not infected), credential rotation across all affected and dependent systems, and a defined monitoring window during which any residual adversary activity would be detected.

Common Recovery Mistakes

Restoring from backups created during the dwell window (which contain adversary persistence)
Skipping eradication validation before declaring recovery complete
Restoring connectivity before credential rotation is complete
Declaring recovery complete based on availability alone, not on absence of adversary
Insufficient heightened monitoring after recovery (the adversary often tests re-entry within days)

Run recovery with validated criteria

IR-OS supports recovery workflows, RTO and RPO tracking, and the validation checklist that proves operations are restored safely.

Start free

Recovery - NIST 800-61 Incident Response Phase

What Recovery Includes

Recovery Validation

Common Recovery Mistakes

Related Terms

Run recovery with validated criteria