Words by Sean Deuby, Director of Services, Semperis
Imagine learning that one of your most foundational systems has no disaster recovery plan. If it goes down, no one has the faintest clue how to restore it. Now, imagine learning that not only is there no plan, but there are also no backups.
This isn’t just a scary story to keep CSOs up at night – it’s a reality for many. The foundational system in question? Active Directory.
So, you’re facing a nightmare scenario. Cyberattacks are at an all-time high, the majority of threat actors use Active Directory as an attack path, and no one has any idea how or where to start planning. What do you do in this scenario?
What can you do?
In a recent episode of the Hybrid Identity Protection podcast, I spoke with Semperis Chief Technologist Grillenmeier and Semperis Chief Architect Gil Kirkpatrick. Together, they’re colloquially known as the Masters of Disaster. Here are their top five tips for proactive Active Directory disaster recovery.
Recognize that the threat landscape has changed
“In the past, there was essentially no notion of recovering Active Directory from scratch,” Kirkpatrick recalls. “In the last three to five years, however, with the prevalence of ransomware attacks and threat actors, the risk of someone wiping out your Active Directory entirely is actually significant. Whereas before it was almost unheard of, now you hear about it almost every few days.”
If your business is to recover from such an attack, it needs to be prepared ahead of time. That means maintaining known good, isolated backups of your Active Directory environment. More importantly, it means factoring Active Directory into your overall business continuity strategy.
Understand that Active Directory disaster recovery is complex
Active Directory complexity is neither a new nor a recent development. If you can believe it, disaster recovery is for the most part less complicated than it used to be. In large part, this is because many of the more complex aspects can now be offloaded to third-party security and recovery solutions.
That isn’t to say the process is free of challenges.
“In 2004, and I hosted a class where we gave everyone four domain controllers and an Active Directory Forest with two domains,” recalls Kirkpatrick. “We told everyone to recover their environment from backup, which was an incredibly complicated process — somewhere in the area of sixty or seventy steps. What we found was that only around twenty or thirty percent of people could do it.”
Provided your organization uses the proper tools, the main challenge today lies in evaluating various recovery scenarios. If, for instance, your system has been targeted with malicious software, you can’t simply recover potentially compromised systems. Bare-metal or system state recovery could reintroduce malware.
“I think the key thing that people need to think about is that you can’t approach Active Directory backups and recovery in a traditional manner,” adds Grillenmeier. “You need to use other backups for base recovery, then follow a different process for forest recovery. The path we advise is to work with clean OS reinstalls, then bring the Active Directory data onto those.”
Know why threat actors love AD – and how they use it
I was recently on a call with threat hunters from a large consulting firm. They informed me that of the 100 or so incidents they were involved in remediating, 99 involved Active Directory. There is, it turns out, a good reason for this.
Several, in fact.
“When an intruder first gets into the network, they typically don’t have high privileges in that environment,” explains Grillenmeier. “They’ve often just compromised a single device, likely through phishing or a bad link. As far as the network is concerned, they’re just a normal user, without the permissions to cause lasting damage.
“That’s where intruders begin to use Active Directory,” he continues. “Every simple domain user has a ton of read permissions by default, including on the configuration side. A threat actor can use this to elevate their privileges and find the path toward main dominance, granting them access to anything in the environment.”
Take steps to accelerate recovery time
When Active Directory is down, everything else goes down with it. No one can log in, no one can work, no one can communicate. And everyone is running around with their hair on fire.
To avoid this, Kirkpatrick and Grillenmeier advise a proactive approach.
“It’s critical to develop a recovery plan ahead of time,” says Kirkpatrick. “If you try to figure it out on the day of a disruption, you’ll be lost. You’re not going to figure out how to recover your Active Directory then; it’s something you need to have planned and practiced for.”
Automate, automate, automate
It’s hardly a secret that Active Directory can be incredibly complex, especially where disaster recovery is concerned. There are so many different moving parts, steps, and settings that it’s incredibly easy to get something wrong. That’s where automation comes in.
“Instead of having to do everything manually, you can actually automate many of the steps involved in tasks like metadata cleanup,” says Grillenmeier. “And you should — the likelihood of making a mistake when everything is falling apart is extremely high.”
“There’s another aspect of that, too,” adds Kirkpatrick. “The technical challenges of recovering Active Directory from backup are bad enough, but there are also all sorts of organizational processes you need to go through both during and after the recovery. By automating as much of the recovery as possible, you free yourself up to focus on these processes.”