With mass digitisation and the rising prevalence of global, highly distributed enterprise, cybersecurity leaders must ensure they can combat Active Directory (AD) attacks.
Enterprises rely on their AD installations to manage identities, a critical business activity rising in complexity due to digital transformation, and to operate key systems. It is far more than just the corporate address book.
AD is an attractive target for cyber attacks. If an attacker disables it, the business will face a real challenge to continue their operations, while being more vulnerable to extortion and ransomware attacks.
Industry data suggests that 69% of businesses have been hit by ransomware, and that Azure AD infrastructure has been the target of 25 billion attacks.[1]
Without AD, recovering from a breach takes organisations longer and costs more, if it is possible at all. In a typical enterprise, AD is the primary means of authenticating users and controlling access to applications and data.
AD also holds the contacts and identities the business needs to operate their cyber response and disaster recovery plans.
Yet enterprises all too often overlook the need to protect their AD systems, fail to plan how they would recover Active Directory infrastructure after an attack, and underestimate the knock-on effect an unavailable AD has on the rest of their incident response. Meanwhile, business downtime can cost millions per hour.
The Active Directory “blind spot”
Why, then, is Active Directory infrastructure overlooked in incident response planning?
Often, AD administrators sit in infrastructure groups, not information security. These silos cause critical systems, including AD, to fall between the gaps. But clearly, enterprises need to ensure that AD is protected from cyber attack.
This “hardening” of AD includes encrypting data, enforcing secure authentication through Kerberos, using single sign-on and, vitally, keeping secure backups of AD data separate from production systems.
And organisations need to ensure they can recover from those backups, if an attack does happen.
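One practical check behind that last point is whether every domain controller actually has a recent, usable backup. A system-state backup older than the forest's tombstone lifetime (the attribute tombstoneLifetime on the Directory Service object in the configuration partition; the effective default is 60 days when the attribute is unset, and 180 days for forests created on Windows Server 2003 SP1 or later) cannot be used to restore a DC, so backup age is the first thing to verify. The following PowerShell script is an added example, not code from the original article or from Quest; it assumes the RSAT ActiveDirectory module on the machine running it, that Windows Server Backup (the WindowsServerBackup module and Get-WBSummary) is installed on each DC, PowerShell remoting to each DC, and a hypothetical site policy that a backup older than seven days counts as stale.

```powershell
# Added example (not from the original article or Quest): report each domain
# controller's last successful Windows Server Backup and flag DCs whose backup
# is missing, stale, or older than the tombstone lifetime (and therefore unusable
# for an AD restore).
# Assumptions: RSAT ActiveDirectory module here; WindowsServerBackup module on
# each DC; PowerShell remoting enabled; $maxAgeDays is a chosen local policy.

Import-Module ActiveDirectory

$maxAgeDays = 7   # assumption: anything older than this is reported as STALE

# tombstoneLifetime is stored on the Directory Service object in the configuration NC.
# When the attribute is not set, the effective value is 60 days.
$rootDse    = Get-ADRootDSE
$dsObjectDn = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$dsObject   = Get-ADObject -Identity $dsObjectDn -Properties tombstoneLifetime
$tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Get-WBSummary must run on the DC itself; it reports the last backup result.
        $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        }

        $last    = $summary.LastSuccessfulBackupTime
        $ageDays = if ($last) { ((Get-Date) - $last).TotalDays } else { $null }

        $status = if ($null -eq $ageDays)              { 'NO BACKUP' }
                  elseif ($ageDays -gt $tombstoneDays) { 'UNUSABLE (older than tombstone lifetime)' }
                  elseif ($ageDays -gt $maxAgeDays)    { 'STALE' }
                  else                                 { 'OK' }

        [pscustomobject]@{
            DomainController = $dc.HostName
            LastGoodBackup   = $last
            AgeDays          = if ($null -ne $ageDays) { [math]::Round($ageDays, 1) } else { 'never' }
            BackupTarget     = $summary.LastBackupTarget   # review: should not be a volume on the DC itself
            Status           = $status
        }
    }
    catch {
        # A DC that cannot be queried is itself a finding: it may be offline or missing the backup feature.
        [pscustomobject]@{
            DomainController = $dc.HostName
            LastGoodBackup   = $null
            AgeDays          = 'unknown'
            BackupTarget     = 'unknown'
            Status           = "ERROR: $($_.Exception.Message)"
        }
    }
}

"Tombstone lifetime: $tombstoneDays days; stale threshold: $maxAgeDays days"
$report | Sort-Object Status, DomainController | Format-Table -AutoSize
```

Run it from a management host with AD tooling, not from a DC, and review the BackupTarget column by hand: a target that lives on the DC's own disks, or on a share the DC's admins can reach, is exactly the kind of backup that ransomware encrypts alongside production, which is why the article insists on separate, air-gapped storage. The script only confirms that a backup exists and is young enough to restore; it does not prove the backup is clean, so periodic test restores into an isolated environment are still required.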
Recovering Active Directory
Fortunately, there are effective and efficient ways to back up and recover AD. As well as secure, air-gapped storage for AD backups and live malware protection, CSOs should look for the ability to restore not only to a bare-metal server but also to a clean operating system or to an Azure cloud instance.
Microsoft’s own guidance for recovering AD is comprehensive but complicated, running to over 40 steps that must be followed exactly. That is hard to do under pressure, especially for administrators unfamiliar with the process, and even when all goes well, recovery takes time.
The alternative is a tool such as Quest’s Recovery Manager for Active Directory Disaster Recovery Edition.
This combines protection measures, including secure storage, with automation.
Such tools reduce AD restore times from several days or weeks, to a window of one to four hours.[2]
Modern tools cut the risk of human error and give administrators more control over how they recover their AD ‘forest’ (ie one or more AD domains, with their domain controllers, that share a common schema and configuration).
This includes being able to restore domain controllers (DCs) to a clean OS, and support for a phased approach that brings the most critical DCs back online first. This more granular approach to recovery also allows more minor outages to be fixed in minutes rather than hours or days.
All this gives enterprises the assurance that should an attack target their AD system, they can recover it quickly and effectively.
Find out more about Quest’s AD capabilities.
[2] Quest Blog: New Forrester Consulting study: $19.7M in potential customer savings with Quest RMAD DRE