Imagine learning that there’s no disaster recovery plan for one of the most foundational systems at the company. If it goes down, no one has a clue how to fix it. Now, imagine learning that there’s no plan, but there are also no back-ups.
This isn’t just a scary story to keep CSOs up at night. It’s reality for more than half the companies in North America. The foundational system in question? Active Directory.
So, it’s a nightmare scenario. Cyberattacks are at an all-time high, the majority of threat actors use Active Directory as an attack path, and no one has any idea how or where to start planning. What should security teams do?
In a recent podcast, I spoke with Semperis Chief Technologist Guido Grillenmeier and Semperis Chief Architect Gil Kirkpatrick. Together, they’re colloquially known as the “Masters of Disaster.”
Here are their top five tips for proactive Active Directory disaster recovery:
- Recognize that the threat landscape has changed.
Kirkpatrick says that in the past, there was essentially no need to recover Active Directory from scratch because its design is highly fault-tolerant. However, he says in the last three to five years, with the prevalence of ransomware attacks and threat actors, the risk of someone wiping out Active Directory entirely has become significant. Where this was once almost unheard of, it now happens every few days or so.
If the business expects to recover from such an attack, it needs to prepare ahead of time. That means maintaining known good, isolated backups of the Active Directory environment. More importantly, it means factoring Active Directory into the company’s overall business continuity strategy.
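The following script is an added example for the backup advice above; it is not code from the article, from Semperis, or from Microsoft. It reports, for every domain controller in the forest, when the most recent system-state backup was taken and where it was written, so that missing or stale backups surface before a disaster does. It assumes Windows Server Backup is installed on each DC, PowerShell remoting is enabled, and the caller holds Domain Admin rights; the 24-hour threshold is an assumed policy value.

```powershell
# Added example (not the article's, Semperis' or Microsoft's code).
# Read-only: asks each DC for its backup catalogue and reports the newest
# backup that includes system state, which is the part that restores AD.
#Requires -Modules ActiveDirectory
param(
    [int] $MaxAgeHours = 24    # assumed policy: at least one system-state backup per day
)

Import-Module ActiveDirectory

$report = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # Run on the DC itself; Get-WBBackupSet lists every backup in its catalogue.
        $sets = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBBackupSet | ForEach-Object {
                [PSCustomObject]@{
                    BackupTime = $_.BackupTime
                    Target     = "$($_.BackupTarget)"       # where the backup lives
                    Items      = "$($_.RecoverableItems)"   # e.g. "Volumes, SystemState"
                }
            }
        }
    }
    catch {
        # A DC that cannot be queried is itself a finding.
        [PSCustomObject]@{ DC = $dc.Name; Status = 'UNREACHABLE'; LastSystemState = $null
                           AgeHours = $null; Target = $null; Detail = $_.Exception.Message }
        continue
    }

    # Only backups that contain system state (ntds.dit, SYSVOL, registry) can restore AD.
    $latest = $sets | Where-Object { $_.Items -match 'SystemState' } |
              Sort-Object BackupTime -Descending | Select-Object -First 1

    if (-not $latest) {
        [PSCustomObject]@{ DC = $dc.Name; Status = 'MISSING'; LastSystemState = $null
                           AgeHours = $null; Target = $null; Detail = 'no system-state backup in catalogue' }
        continue
    }

    $age    = [math]::Round(((Get-Date) - $latest.BackupTime).TotalHours, 1)
    $status = if ($age -gt $MaxAgeHours) { 'STALE' } else { 'OK' }
    [PSCustomObject]@{ DC = $dc.Name; Status = $status; LastSystemState = $latest.BackupTime
                       AgeHours = $age; Target = $latest.Target; Detail = '' }
}

# Anything other than OK needs a human to act on it before a disaster, not after.
$report | Sort-Object Status, DC | Format-Table -AutoSize
```

The Target column is reported rather than judged: "isolated" means the backup sits on storage the DC cannot write to freely (offline media, an immutable or separately authenticated repository), which no catalogue query can confirm. Likewise, "known good" is established only by actually restoring the backup into an isolated lab and checking that it is free of malware; this script tells you whether a backup exists and how old it is, not whether it is clean.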
- Understand that Active Directory disaster recovery is complex.
Active Directory has always been complex to manage. In some ways, disaster recovery has become less complicated than in the past. In large part, it’s because security teams can offload many of the more complex aspects to third-party security and recovery solutions. That isn’t to say the process doesn’t come with challenges.
“In 2004, Guido and I hosted a class where we gave everyone four domain controllers and an Active Directory Forest with two domains,” recalls Kirkpatrick. “We told everyone to recover their environment from backup, which was an incredibly complicated process — somewhere in the area of 60 or 70 steps. What we found was that only around 30% of people could do it.”
Provided the organization uses the proper tools, the main challenge today lies in evaluating various recovery scenarios. If, for instance, the company’s system has been targeted with malicious software, the team can’t simply recover potentially compromised systems. Bare-metal or system state recovery could reintroduce malware.
“I think the key thing that people need to think about is that you can’t approach Active Directory backups and recovery in a traditional manner,” adds Grillenmeier. “You need to use other backups for base recovery, then follow a different process for forest recovery. The path we advise is to work with clean OS reinstalls, then bring the Active Directory data onto those.”
- Know why threat actors love AD – and how they exploit it.
I was recently on a call with threat hunters from a large consulting firm. They informed me that of the 100 or so incidents they remediated, 99 involved Active Directory. There’s a good reason for this. Several, in fact.
When an intruder first gets into the network, they typically don’t have high privileges in that environment, says Grillenmeier. They’ve often just compromised a single device, likely through phishing or a bad link. As far as the network is concerned, they’re just a normal user, without the permissions to cause lasting damage.
“That’s where intruders begin to use Active Directory,” Grillenmeier continues. “Every simple domain user has a ton of read permissions by default, including on the configuration side. A threat actor can use this to elevate their privileges and find the path toward domain dominance, granting them access to anything in the environment.”
- Take steps to accelerate recovery time.
When Active Directory goes down, everything else goes down with it. No one can log in, no one can work, no one can communicate. And everyone runs around with their hair on fire.
To avoid this, Kirkpatrick and Grillenmeier say it’s critical to develop a recovery plan ahead of time. If the company tries to figure it out on the day of a disruption, it won’t work. Working out how to recover Active Directory is not something that can be done in the middle of an outage; it’s something companies need to plan and practice for.
- Automate as much as possible.
Accept the many complexities of Active Directory when it comes to disaster recovery. There are so many different moving parts, steps, and settings that it’s incredibly easy to get something wrong. That’s where automation comes in.
Instead of having to do everything manually, companies can automate many of the steps for tasks such as metadata cleanup, says Grillenmeier.
Kirkpatrick adds that the technical challenges of recovering Active Directory from backup are bad enough, but there are also all sorts of organizational processes security teams need to go through both during and after the recovery. By automating as much of the recovery as possible, the organization frees itself up to focus on these processes.
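As an added example of the kind of automation described above, here is a script for the metadata cleanup Grillenmeier mentions. It is not code from the article or from Semperis. After a forest recovery, domain controllers that were lost and will not be restored still exist in the directory as replication partners and, possibly, as FSMO role owners; this script seizes any roles they held onto the clean DC and removes their NTDS Settings, server and computer objects. The DC names are assumed (hypothetical) values, and the script runs as a dry run unless -Commit is given.

```powershell
# Added example (not the article's or Semperis' code).
# Metadata cleanup for DCs lost in a disaster and not being restored.
# Assumed names: DC01 is the clean, authoritative DC; DC01 and DC02 are the
# only DCs that came back from known-good backups. Everything else is stale.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $AuthoritativeDC = 'DC01.corp.example',   # assumed
    [string[]] $RecoveredDCs    = @('DC01', 'DC02'),      # assumed
    [switch]   $Commit                                    # without it, every change is a -WhatIf
)

Import-Module ActiveDirectory
if (-not $Commit) { $WhatIfPreference = $true }

# 1. Everything the directory still lists as a DC, read from the clean DC only.
$allDCs  = Get-ADDomainController -Filter * -Server $AuthoritativeDC
$lostDCs = $allDCs | Where-Object { $RecoveredDCs -notcontains $_.Name }
if (-not $lostDCs) { Write-Host 'No stale domain controller metadata found.'; return }

foreach ($dc in $lostDCs) {
    Write-Host "Cleaning up metadata for lost DC $($dc.HostName) (site $($dc.Site))"

    # 2. Seize any FSMO role the lost DC held. -Force turns a transfer into a
    #    seizure; the lost DC must never be brought back online afterwards.
    foreach ($role in $dc.OperationMasterRoles) {
        if ($PSCmdlet.ShouldProcess($AuthoritativeDC, "Seize $role from $($dc.Name)")) {
            Move-ADDirectoryServerOperationMasterRole -Identity $AuthoritativeDC `
                -OperationMasterRole $role -Force -Server $AuthoritativeDC -Confirm:$false
        }
    }

    # 3. Delete the NTDS Settings object. On Server 2008 and later this single
    #    delete triggers the same cleanup that ntdsutil "metadata cleanup" performs.
    Remove-ADObject -Identity $dc.NTDSSettingsObjectDN -Recursive `
        -Server $AuthoritativeDC -Confirm:$false

    # 4. Remove the now-empty server object from its site, then the DC's computer
    #    account (with child objects such as DFSR settings) from its own domain.
    Remove-ADObject -Identity $dc.ServerObjectDN -Server $AuthoritativeDC -Confirm:$false
    Remove-ADObject -Identity $dc.ComputerObjectDN -Recursive `
        -Server $dc.Domain -Confirm:$false
}

Write-Host "Done. Re-run with -Commit to apply if this was a dry run."
```

Run it first without -Commit and read the "What if" lines: the list of DCs it intends to purge is exactly the list of machines that must never be powered on again, because a seized role holder returning to the network would corrupt the forest. DNS records (NS and SRV entries for the lost DCs) and any site links or connection objects that referenced them are not touched here and still need their own cleanup step.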
So moving forward, companies can’t safely ignore Active Directory disaster recovery anymore. The company risks losing its infrastructure, and the risk matrix points to needing some sort of recovery plan. Security and recovery don’t start with the company becoming fully compromised. They start with planning for disaster tomorrow by taking security seriously today – because tomorrow it may be too late.
For more information, check out Grillenmeier and Kirkpatrick’s recently published white paper.
Sean Deuby, director of services, Semperis