3 Key Takeaways About Attacking and Defending Active Directory
- Active Directory is the cornerstone of most businesses today: an identification system within the enterprise allowing you to access all your services and resources.
- Over the last five years, more threat actors have targeted Active Directory because, when it’s down, businesses can’t use any of their connected applications.
- Planning, preparing, and practicing for attacks on Active Directory are now more important than ever to reduce the opportunity for and mitigate the damage from ransomware attacks.
NetDiligence® President Mark Greisiger and Quest Product Manager Michael Keenan discuss attacking and defending Active Directory, and why ransomware incident response plans are critical for a timely recovery.
Read a synopsis of their conversation below, and watch the video above for the full interview, part of our continuing series of educational discussions with cyber risk experts.
Why Safeguarding Your Active Directory Must Be a Priority
MG: Active Directory is a cornerstone of most businesses these days, but it’s often impacted and targeted by ransomware and threat actors. Quest has been developing backup and recovery solutions for Active Directory for close to 22 years, since its creation.
Michael, can you talk to us about Active Directory and why the need to restore it is different from other enterprise applications?
MK: Active Directory (AD) is the identity management system in the enterprise that allows you to access all your services and resources, such as emails, unified communication solutions, databases, and shared files. Active Directory, in essence, is the “key to the kingdom” allowing you to get into all the things that let you do your job.
We’ve all heard about ransomware, like the Colonial Pipeline attack, and we’ve seen an increase in the frequency and ferocity of it in the marketplace over the last five years. So although we’ve been building solutions to back up and restore AD for the better part of 20 years, attack frequency is driving a lot of our activity and thought processes today to protect this critical application.
While each application is unique in and of itself, Active Directory is the cornerstone letting you access and use all those others. You can recover all those other platforms or applications in the event of a disaster, but if you don’t recover AD, it doesn’t matter. Nobody can use the other applications. That’s what makes Active Directory really unique.
MG: Malware and bad actors are massive problems these days for the cyber insurance companies and underwriter community we both support, and for the Risk Manager CFOs who are concerned about the bottom line.
We talk to a lot of experts both pre- and post-breach, and the topic is often AD getting corrupted and destroyed. This “scorched-earth” scenario is happening more and more. Can you tell us how to protect against it?
MK: It’s important to have the right pre-planning, and really good security hygiene and practices around your whole environment.
On the cyber side, you want to cut down or reduce the number of vectors bad actors can access, so if they get into your network, you can lock down all your control mechanisms. Malware is trying to look for the keys to the kingdom, which is AD. So the first thing you want to do is make sure you’re deploying with the right applications and the right processes, and you’re auditing those things all the time, so you don’t get into a scorched-earth scenario where you’re having to recover.
It could be a bad actor who got into a bank. They stole money—a couple of pennies from each account. They don’t want to be discovered, so they burn everything down on the way out, including the data, so you can’t access or look at different systems or controls.
Or there are others, mostly state-sponsored, who are just trying to disrupt your environment and economics to ask for ransom. They’ll promise to recover everything. But most of the time, when a company pays, they don’t get a recovery, because it’s too hard to recover.
As you would if you wanted to play a sport, you’ve got to practice to be proficient. That’s the pre-event. The same is true for the post-event, where you have to stop a bad actor everywhere. They only have to get through one small vector to spread.
It’s more and more likely most companies are going to get hit with some type of cyber incident needing recovery. That’s what we do at Quest: help customers recover their Active Directory.
MG: Incident response planning is crucial, but we all know, even if you practice, things will still go wrong. Losing one’s corporate network enterprise applications affects everyone in the organization. Some of those effects can be measurable as far as the financial loss. Others are not as measurable, like reputation loss.
MK: Yes. The non-measurables are the impacts on your stakeholders, such as your board if you’re a public company, or your owners for a private company. And don’t forget the impacts on your customers who can’t transact with you, or your employees who don’t feel protected, or partners or contractors you’re working with on a project.
If you’re down and you’re not protected, and it doesn’t look like you practiced and you’re incapable of recovering in a reasonable amount of time, [the impacts are] around the brand. Your brand can be hit, and this is the unmeasurable thing. It takes decades to build a really strong brand. It could take you a week to lose that brand, based on not being prepared and the market, or your stakeholders knowing maybe you weren’t prepared.
We all really need to be more vigilant and understand what could happen in some type of scorched-earth scenario, and prepare for it and do the best we can.
Watch the video above for Mark and Michael’s full discussion about attacking and defending Active Directory.
If you have further questions for Michael, you can reach out to him here, or explore additional information on Quest’s Active Directory Management. For further information on Active Directory, check out Quest’s “What Is Active Directory” educational page.
If you have any questions for Mark, reach out to him here.
Lastly, if you’re looking for a turnkey solution to help guide and coordinate your organization’s response to a cyber incident, we encourage you to click here for more information about Breach Plan Connect® from NetDiligence.