With Ransomware on the Rise, Your Active Directory Requires Special Attention
This guest blog was contributed by Mickey Bresman, CEO and Co-founder of Semperis.
Microsoft Active Directory (AD) was built before cloud computing, nation-state cyber warfare, ransomware, and other modern threats that organizations are grappling with right now. Simply put, AD was built for a different era, and it isn't equipped to handle today's challenges. Yet, AD is still a foundational piece of infrastructure for 90% of organizations, and it's not going anywhere. And when AD is compromised, you must assume that all resources that depend on it have also been compromised.
Forward-leaning organizations understand that prevention techniques alone will not fend off today’s sophisticated adversaries. Defenders must operate under the assumption that intruders will gain, or have already gained, access to critical systems, typically through breach campaigns that abuse credentials and privileges. AD is a prime target for attackers attempting to steal data and deploy ransomware across the network. And if AD is taken out in a cyberattack, all of the AD-dependent applications and services go down with it, and operations screech to a halt. Because AD is both heavily targeted and the backbone of the organization, it requires extra attention.
Simply put, if AD isn't secure, nothing is. But securing Active Directory is difficult given its constant flux, the sheer number of settings, and the increasingly sophisticated threat landscape. The hard truth is that AD is a soft target for attackers because its default configuration is easy to exploit, and the system is rarely properly secured. So it's critical that defenders anticipate adversaries' advances and be able to thwart directory attacks at every stage of the cyber kill chain. To be clear, this goes beyond traditional monitoring tools, which often lack the AD-centric security required to catch more sophisticated identity attacks. By modifying AD, attackers can gain access to anything in the network. Therefore, specific security provisions must be in place to monitor for and prevent unsanctioned changes within AD itself, along with the ability to return to a known secure state should a change slip past prevention efforts.
For cybersecurity programs focused on improving resiliency, here’s a question to ask: if or when ransomware strikes and infects your AD domain controllers, can you recover quickly and cleanly, without re-introducing the malware in the process? Most organizations have never tested their AD cyber disaster recovery process or do not have a plan in place at all. This is alarming given the rise of fast-moving ransomware attacks, the widespread impact of an AD outage, and the complexity of pulling off a safe recovery. It’s clear that although AD is foundational to the IT infrastructure, many organizations are a step behind in securely managing it, particularly as the Covid-19 pandemic accelerates the adoption of remote workers, cloud services, and devices.
Surprisingly or not, AD is still at the center of most IT operations. But it's not uncommon to see organizations prepare for ransomware recovery and totally miss the fact that they can't access any of their network resources without AD. So, if your organizational recovery plan starts with logging in to the recovery server and AD is unavailable, that plan will not work. Always remember: if AD is down, business stops. Period. It’s imperative that every organization take the time now to assess its AD protection and recovery strategy and make the necessary improvements.
About the author:
Mickey Bresman is a co-founder of Semperis and leads the company’s overall strategic vision and implementation. A long-time enterprise software expert, Mickey began his technical career in the Navy computing technical unit over a decade ago. Prior to co-founding Semperis, Mickey was the CTO of a Microsoft gold partner integration company, YouCC Technologies, successfully growing the company’s overall performance year over year. Mickey holds a BA in Technical Management and a Minor in Electronic Engineering.