Secure remediation: A critical cyber attack response

By: Hitesh Mistry
In the wake of a cyber attack, time is of the essence. Hitesh Mistry discusses why secure remediation should be central to response and recovery, and why immutable backups are emerging as a critical differentiator in building resilience against modern cyber threats.
The aftermath of a cyber incident is an intense combination of operational disruption, reputational risk, and financial exposure. Yet, one of the most overlooked elements of incident response (IR) is secure remediation.

Secure remediation is the structured, validated, and secure restoration of systems and services. Rushing to recovery without secure containment or relying on ineffective backup strategies can lead to reinfection, extended downtime, or irreversible data loss.

Containment first. Always

Secure remediation must begin with containment. Without it, recovery is futile. There’s no point in starting recovery if you haven’t fully contained the threat. You could end up back at square one.

Containment involves isolating affected systems, halting lateral movement, and verifying that no active command-and-control (C2) channels remain. It is not simply a matter of installing agents or security tooling; it requires architectural isolation, forensic analysis, and assurance that attackers no longer have a foothold.

As real-world breaches have shown, improper containment can allow attackers to re-establish control even after initial recovery steps, because the remediation path itself was not secured.

Business-driven recovery strategy

Once containment is assured, the next critical step is to define what to recover and when, grounded in business impact and risk tolerance. This business-first approach ensures prioritisation of critical services, systems, and data over a technical checklist.

Key considerations include:

  • dwell time of the attacker: if the threat actor had access for two weeks, system rebuilds should use backups older than that window
  • split recovery strategies: operating systems may be restored from a pre-incident backup, while current data is layered in via a clean recovery strategy to minimise risk
  • threat hunting post-recovery: every restored system should be revalidated to confirm it is uncompromised.

If you don’t know when the threat actor got into the systems, our experience says to use a two-week rollback as the default before beginning recovery. This approach balances minimising data loss against eliminating residual risk.
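The restore-point selection described above, written out as an added example (not code from the original article): each system's operating system is taken from the newest backup older than the dwell-time cutoff (two weeks by default), current data is taken from the latest backup for layering in, and a system with no OS backup old enough is flagged for a clean rebuild. The catalog and dates are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_ROLLBACK = timedelta(days=14)  # two-week default when dwell time is unknown

def restore_cutoff(discovered: datetime, dwell: Optional[timedelta]) -> datetime:
    """Latest timestamp an OS restore point may have and still predate the intrusion."""
    return discovered - (dwell if dwell is not None else DEFAULT_ROLLBACK)

def select_restore_plan(catalog, discovered: datetime, dwell: Optional[timedelta] = None):
    """catalog: iterable of (system, kind, timestamp) with kind 'os' or 'data'.
    Returns {system: {"os": newest OS backup before cutoff or None, "data": newest data backup}}.
    An "os" of None means no pre-incident image exists: rebuild from a clean install instead."""
    cutoff = restore_cutoff(discovered, dwell)
    plan = {}
    for system, kind, ts in catalog:
        entry = plan.setdefault(system, {"os": None, "data": None})
        if kind == "os" and ts <= cutoff:
            entry["os"] = ts if entry["os"] is None else max(entry["os"], ts)
        elif kind == "data":
            # Data is always the latest copy; it must still be threat-hunted after restore.
            entry["data"] = ts if entry["data"] is None else max(entry["data"], ts)
    return plan

def sample_plan(dwell: Optional[timedelta] = None):
    # Constructed backup catalog; the incident is discovered on 1 June 2024.
    catalog = [
        ("fileserver", "os", datetime(2024, 5, 10)),
        ("fileserver", "os", datetime(2024, 5, 25)),
        ("fileserver", "data", datetime(2024, 5, 31)),
        ("webapp", "os", datetime(2024, 5, 20)),
        ("webapp", "data", datetime(2024, 5, 30)),
    ]
    return select_restore_plan(catalog, datetime(2024, 6, 1), dwell)
```

With the two-week default the cutoff is 18 May, so fileserver restores its OS from 10 May and webapp must be rebuilt from a clean image; if forensics later establishes a five-day dwell time, both systems gain newer OS restore points.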

The rise of immutable backups

Backups are the bedrock of recovery, but not all backups are created equal.

Traditional backups, even those stored offsite, can often be deleted, encrypted, or altered by attackers who compromise admin credentials. Immutable backups, by contrast, can't be modified or deleted until pre-defined retention periods are met, regardless of attacker access or insider threat.

A useful rule of thumb: if you can change the retention policy to one day and that deletes all backups, the backups are not immutable. True immutability prevents exactly this.

Characteristics of immutable backups:

  • Write-once, read-many (WORM) storage
  • Access isolation from production networks (or protections that mitigate accidental deletion or modification)
  • Inability to change retention policies retroactively
  • Tested enforcement mechanisms to validate true immutability
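The rule-of-thumb test above, modelled as an added example (not code from the original article): a policy-backed store that re-applies a shortened retention retroactively is compared with an object-lock style store whose per-backup lock date is fixed at write time, can only be extended, and blocks deletion until it passes. The store classes, catalog and dates are constructed for illustration; a real test would run the same steps against the vendor's product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Backup:
    name: str
    created: datetime
    retain_until: datetime

class PolicyBackedStore:
    """Weak pattern: backup lifetime follows a mutable retention policy."""
    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self.backups: dict[str, Backup] = {}

    def write(self, name: str, created: datetime) -> None:
        self.backups[name] = Backup(name, created, created + self.retention)

    def set_retention_days(self, days: int, now: datetime) -> None:
        # Policy change applies retroactively; anything now "expired" is purged.
        self.retention = timedelta(days=days)
        for b in list(self.backups.values()):
            b.retain_until = b.created + self.retention
            if b.retain_until <= now:
                del self.backups[b.name]

    def delete(self, name: str, now: datetime) -> bool:
        return self.backups.pop(name, None) is not None  # no lock check at all

class LockedStore(PolicyBackedStore):
    """Object-lock style: retain_until is fixed at write, may only grow, and gates deletion."""
    def set_retention_days(self, days: int, now: datetime) -> None:
        self.retention = timedelta(days=days)          # affects future writes only
        for b in self.backups.values():
            b.retain_until = max(b.retain_until, b.created + self.retention)

    def delete(self, name: str, now: datetime) -> bool:
        b = self.backups.get(name)
        if b is None or now < b.retain_until:
            return False                                 # lock still in force: refuse
        del self.backups[name]
        return True

def immutability_check(store: PolicyBackedStore, now: datetime) -> bool:
    """Shorten retention to one day, attempt every deletion, then confirm that every
    backup still inside its original retention window survived."""
    expected = {n for n, b in store.backups.items() if now < b.retain_until}
    store.set_retention_days(1, now)
    for name in expected:
        store.delete(name, now)
    return expected <= set(store.backups)

def run_check(store_cls) -> bool:
    now = datetime(2024, 6, 1)                           # constructed reference time
    store = store_cls(retention_days=30)
    for label, age_days in (("os-full", 20), ("data-incr", 10), ("data-incr2", 2)):
        store.write(label, now - timedelta(days=age_days))  # constructed catalog
    return immutability_check(store, now)
```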

Vendor comparison (based on practitioner tests):

  • Some providers offer immutable virtual appliances; however, after testing, these can be compromised via hypervisor access
  • Others provide a physically hardened appliance that is isolated and can't be encrypted or accessed via standard administrative routes – testing against these devices showed acceptable levels of immutability

The gap in cyber insurance requirements

Cyber insurers increasingly require organisations to demonstrate preparedness, but current underwriting standards remain basic.

Insurers typically ask only the basics, such as whether you have backups. They rarely ask whether those backups are immutable or resilient to attack.

With threat actors now targeting backup systems directly, as seen with ransomware variants such as LockBit, Akira, Conti, and BlackCat, the limitations of this approach are clear. Future insurance assessments will likely evolve to include deeper technical reviews of backup resilience and immutability testing.

Why this matters: secure remediation v market norms

Many incident response providers focus heavily on detection and forensics but fall short in delivering a secure, complete recovery process. This market gap leaves clients vulnerable to reinfection or prolonged operational downtime.

Our Cyber Defence Centre, and other leaders in secure IR services, are setting a new standard by integrating:

  • business-aligned containment and recovery planning
  • thorough backup, immutability assessments, and testing
  • verified clean builds and threat hunting during restoration
  • cross-team coordination across IR, IT, and business continuity.

This joined-up approach to incident response and recovery not only ensures greater resilience but also accelerates return to normal operations, minimising business and reputational harm.

In the evolving landscape of cyber threats, secure remediation must be seen as a core competency of incident response, not an afterthought. Backups alone aren’t enough unless they're immutable, validated, and accessible through a clean, trusted recovery environment.

Organisations that adopt a business-driven, security-assured remediation approach and demand the same from their IR providers will be best-positioned to recover from attacks safely, swiftly, and with confidence.

To find out how we can support your organisation with building cyber resilience, contact Hitesh Mistry.