12 Important Considerations for Active Directory Recovery Following a Ransomware Attack

The image shows the consequence of not having an Active Directory Recovery Plan

Cyberattacks on organizations have skyrocketed in recent years, and the threat of a ransomware attack on Active Directory has become increasingly real and imminent. Most organizations have detailed plans in place to help them recover in the event of a cyberattack or other disaster, but the intricacies and complexities of Active Directory recovery are often overlooked.

Active Directory is the key to managing and securing access and identity-related services across organizations. Active Directory needs to be running all the time because if it is down, nothing else fully functions. Getting it back quickly and cleanly is essential.

Active Directory Ransomware Recovery Following a Ransomware Attack

Here are 12 important considerations when planning your Active Directory recovery:

1. AD Tampered Backups. Bad actors are increasingly tampering with backups prior to a ransomware attack being launched; this is to increase the chances of the ransom being paid. It is vital that backups are adequately protected to maintain integrity. One way to do this is by using immutable storage, so when you backup AD, it is stored in a WORM (Write Once, Read Many) state. While in a WORM state, the backup data cannot be modified or deleted for the period defined in the policy, keeping the backups protected.

2. Active Directory Disaster Recovery Testing. The goal of a recovery test is to go through the process to make sure restoration from the backup works and that the AD restore process is accurate. It also helps build knowledge and skills. If recovery tests are not scheduled regularly, then there is an increased risk of the restore not working and/or the speed of recovery being hampered by people who are not familiar with the process. Environmental changes can often mean changes in configuration or process, and these need to be tested and documented.

3. Active Directory Is Multi-Master. Unlike some other services that require a single server restoration, Active Directory is Multi-Master, meaning there are multiple servers that contain the same database and the updates are replicated between them. All members are responsive to client data queries, and having domain controllers agree on the version of data is vital for the health of the service. Simply trying to restore one domain controller does not automatically restore the service for other domain controllers too. You need to have a coordinated effort across every domain controller in the forest for it to be successful. There are also unique forest and domain roles (Flexible Single Master Operation) that need careful consideration as part of the recovery. There needs to be a clear understanding in advance of how the recovery should be executed and the process that should be followed.

4. AD Domain Controller Reinfection. Restoration of Active Directory should be done in a way that prevents ransomware or rootkits from being restored back onto the operating system of the domain controller. There are tools and processes to keep this from happening. If you are backing up and restoring the domain controller in its entirety, there is a good chance you could end up restoring the problem.

5. Size of Backup. The smaller the backup file, the less time it takes to restore. Backing up Active Directory only will result in significantly smaller backups than a System State backup or a bare metal backup. Every minute counts in an Active Directory forest recovery, so only back up and restore what is required. Use a backup tool that has the functionality to backup and restore Active Directory only; this will make the recovery faster.

6. Hardware Agnostic. Removing dependence on domain controller source hardware means that recovery can happen anywhere, which provides more flexibility to the recovery process. It means you do not need to restore Active Directory to the same hardware or location where the backup was taken from. Use a backup solution that allows for this.

7. RPO and RTO. If the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are not agreed upon by the business in advance, then it is likely business expectations will not be met during a recovery. It is important to agree upon the RPO and RTO and build a backup/recovery solution that meets these requirements. Agreeing upon the RPO and RTO with the business also can help with funding for the right solution.

8. AD Technical Resource Availability. Recovering Active Directory following a ransomware attack requires the right team of resources with the right level of experience and technical expertise. These resources need to be readily available regardless of when the incident occurs, and they need to be familiar with the recovery process and be clear on the roles and responsibilities and key points of contact within your organization. Ideally, your resources should have field experience in recovering Active Directory after a ransomware attack. Our Active Directory experts are here to help.

9. Active Directory Backup Integrity Check. If the backups are not being monitored or integrity is not being checked, then there is a risk that the backup will not be usable when it’s needed. Backups do from time to time have problems with corruption or jobs not running at the scheduled times. These types of issues are important to detect and resolve quickly in order to increase the chances of there being good backups readily available.

10. Tier 0 Application. Active Directory is classified as a Tier 0 application, which means when it is down, access to critical applications and systems are directly impacted. Active Directory and the recovery process need to be given the right level of investment and focus to ensure that the backup and recovery solution is robust.

11. Active Directory Automation and Recovery Workflow. Automate your recovery and help reduce the complexity and time it takes to restore Active Directory. It will bring the benefits of consistency and predictability to the recovery process. Combine this with an Active Directory recovery workflow that is defined and agreed upon before a ransomware attack occurs, which will help ensure that everyone clearly understands their role and what needs to be done and who needs to be involved. It will also help reduce problems when people need to hand over the recovery to others on the team, for example at the end of a shift.

12. Isolated Environment. Having a pre-staged isolated environment from which to recover Active Directory allows for recovery to be done in a controlled, faster way. The recovery can quickly be carried out to a core location first to ensure that users are back up and running quickly. The recovered Active Directory is first restored to this environment before being assessed and opened up to the rest of the organization.

Active Directory Recovery Planning

If there is one key point to take away from this article, it should be that Active Directory needs to be treated differently when planning and implementing your backup and disaster recovery solution. It requires a coordinated effort across every domain controller in the forest to be successful, and testing is critical. Having a strong AD disaster recovery plan could prevent you from losing millions of dollars in damages to your business. If you would like to discuss any of the content in this article or would like to know more about Itergy’s Active Directory Recovery Solution, please get in touch.

About Itergy

Itergy has been monitoring, managing, and monitoring Active Directory in 65 countries, 24/7 on behalf of its customers for over 20 years. Some of our Active Directory services and AD managed services include health checks, strategic consulting, migrations, consolidations, M&A and divestitures, Active Directory Security, and Active Directory disaster recovery (AD backup and AD recovery).

We make Active Directory the agile, secure, mature business application it was intended to be—the one your enterprise needs to succeed throughout all your business operations.




    Contact an expert