Most disaster recovery sites are an attacker's playground. The DR network typically has weaker segmentation, looser change control, and stale credentials — which is exactly why ransomware operators target it.
Why DR networks become weak
DR is treated as an operations concern, not a security concern. The team that designs the DR network is rarely the team responsible for hardening it.
Replication paths bypass production firewalls. The shortcut that makes replication work also creates the path that lets malware traverse from production into DR.
DR credentials are long-lived and shared. Annual DR drills are not enough to expose how broken the credential model is.
The hardening playbook
Treat the DR site as a separate trust zone. Replication links must traverse defined security inspection points.
Privileged access to DR resources should be just-in-time and audited.
Segmentation in DR must mirror — or exceed — segmentation in production.
Backups must be immutable. Air-gapped where possible, immutable always.
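As an added example (not code from the article or from Cylentrix), a small Python policy audit that encodes two of the rules above: DR segmentation must mirror or exceed production, and every cross-site replication flow must traverse a defined inspection point. The flow model, zone names, ports and inspection point names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One permitted flow in a site's segmentation policy (constructed model)."""
    src: str   # zone written "<site>:<role>", e.g. "prod:app"
    dst: str
    port: int
    via: str = ""  # inspection point the flow traverses, "" if none

def site(zone: str) -> str:
    return zone.split(":", 1)[0]

def role(zone: str) -> str:
    return zone.split(":", 1)[1]

def dr_flows_looser_than_prod(prod, dr):
    """DR intra-site flows with no production counterpart: places where DR
    segmentation is weaker than production (rule: mirror or exceed)."""
    allowed = {(role(f.src), role(f.dst), f.port) for f in prod}
    return [f for f in dr if (role(f.src), role(f.dst), f.port) not in allowed]

def uninspected_replication(flows, inspection_points):
    """Cross-site (replication) flows that bypass every defined inspection
    point: the shortcut path that would let malware cross from prod into DR."""
    return [f for f in flows
            if site(f.src) != site(f.dst) and f.via not in inspection_points]

# Constructed sample policies: one looser DR rule, one uninspected replication link.
PROD_FLOWS = [Flow("prod:web", "prod:app", 8443), Flow("prod:app", "prod:db", 5432)]
DR_FLOWS = [Flow("dr:web", "dr:app", 8443), Flow("dr:app", "dr:db", 5432),
            Flow("dr:web", "dr:db", 5432)]            # web -> db is not allowed in prod
REPLICATION = [Flow("prod:db", "dr:db", 5432, via="ips-edge-1"),
               Flow("prod:storage", "dr:storage", 3260)]  # no inspection point
INSPECTION_POINTS = {"ips-edge-1"}

def audit(prod=PROD_FLOWS, dr=DR_FLOWS, repl=REPLICATION, points=INSPECTION_POINTS):
    """Return findings as strings so callers can assert on or print them."""
    findings = [f"DR looser than prod: {f.src} -> {f.dst}:{f.port}"
                for f in dr_flows_looser_than_prod(prod, dr)]
    findings += [f"uninspected replication: {f.src} -> {f.dst}:{f.port}"
                 for f in uninspected_replication(repl, points)]
    return findings

if __name__ == "__main__":
    for line in audit():
        print(line)
```

Feed it the real production and DR rulesets (exported from the firewall or cloud security groups into this flow model) and run it as part of every DR drill, not just the annual one.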
Testing what matters
Annual DR tests typically validate recovery, not security. Add adversary scenarios to the test plan: ransomware in production, lateral movement to DR, attempted data exfiltration during failover.
Tabletop the credential rotation procedure. If your DR runbook contains hard-coded credentials, you have a different problem.
This piece is part of the Cylentrix Research Office series. For the deeper reference architecture and engagement model behind it, request a confidential briefing.