Remember the early days of Active Directory (AD), when no one connected it to the Internet? When antivirus software on your computers and servers was enough to protect the company? When your worst exposure to something going wrong in AD was a rogue admin deleting something or someone with too many permissions accidentally changing a configuration? Remember when we slept well at night?
About eight months ago, I was awakened in the middle of the night by a former client who had moved to a new employer. “Don,” he said, “our AD has been encrypted by ransomware. They’ve deleted all our backups and encrypted our domain controllers. What should we do?”
Unfortunately, this wasn’t the first (or the last) call like this we’d received, as Active Directory ransomware attacks have skyrocketed in recent years. As experts running AD 24×7 for global companies, we’ve seen our share of instances of Active Directory falling over, and we’ve been called on many times to get them back. But we’ve always had access to an AD backup. We’ve been able to get on the network and work on domain controllers to bring them back to a working state. Ransomware has changed the rules of the game.
The Rules Are Different
Hackers spend far more time inside a network now than they used to. The average number of days is close to 50. “What are they doing?” you might ask. They are finding your important data and pulling it out of your network a little bit at a time, so you don’t know they’re doing it. They’re prepping to encrypt your servers. They’re modifying or deleting your backups. They’re building backdoors into your systems, especially AD. They are infecting your domain controllers with their toolsets.
This fundamentally changes how you must approach Active Directory recovery.
Why Does It Change Our Approach?
You may have a better understanding of AD than most, but I’ll try to keep it simple for the rest: restoring AD when you can’t log on to your computer is difficult. Restoring AD when there is malware installed in the backed-up OS is futile. Restoring an old version of AD is explosive. Restoring AD when your backups have been deleted is impossible. So, you need a different approach to backing up and restoring your AD.
We speak with many people at companies that have solid backup and disaster recovery solutions. They replicate (in real time or within a few minutes) their servers and data (including AD) and are able to roll back to a previous version of their servers and data quickly. Are those backups protected? Can they be deleted or tampered with? Can you access the restore console if AD is unavailable? Have you practiced a scorched-earth scenario with AD to make sure you can restore it quickly? If you can answer yes to all of these questions, you already have a specific recovery and protection plan for AD. Congratulations! If you can’t, then here are some suggestions.
Where to Start with Active Directory Disaster Recovery
There are three relatively simple-sounding things you can do:
- Protect your AD backups.
- Design an AD restoration process, and test it.
- Define a temporary way to enable the ability to log on while you restore AD.
You will need several elements to do these things (check out our blog: 12 Important Considerations for Active Directory Recovery Following a Ransomware Attack). First, you need AD-specific backup software that does not back up the ransomware infection present in the OS, and some very AD-smart people who know how to back up Active Directory securely. Then you will need an air-gapped restoration environment in which you can temporarily restore AD and the related services and keep them running while you bring the rest of your infrastructure and applications back online and restore your production domain controllers. You will also need to protect that air-gapped environment, making sure no one deletes or tampers with the Active Directory backups. Finally, practice restoration scenarios a few times a year so that your team knows how to restore Active Directory successfully during an attack and is ready at any time. Simple, right?
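One defender-side check that supports the "test it" and "old version of AD is explosive" points above, written here as an added example and not code from this post or from Itergy's own tooling: it reports, per domain controller, the age of the last backup recorded in each partition's dSASignature (read via repadmin /showbackup) against the forest tombstone lifetime, flagging backups that are stale or too old to be restorable. It assumes the ActiveDirectory module and repadmin are available, and that repadmin prints timestamps as yyyy-MM-dd HH:mm:ss (confirm against one manual run before relying on the regex).

```powershell
# Added example (not from the post): audit AD backup age against the tombstone lifetime (TSL).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" -Properties tombstoneLifetime
# tombstoneLifetime is unset on forests created before Windows Server 2003 SP1; the effective default is then 60 days.
$tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
# Assumption: warn well before the hard limit; half the TSL is used here as the warning threshold.
$warnDays = [math]::Floor($tsl / 2)

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # repadmin /showbackup prints each naming context's dSASignature, including the timestamp of
    # the last backup that updated it. Assumption: timestamps look like "2023-05-12 10:32:11".
    $output = repadmin /showbackup $dc.HostName 2>&1 | Out-String
    $stamps = [regex]::Matches($output, '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}') |
              ForEach-Object { [datetime]::ParseExact($_.Value, 'yyyy-MM-dd HH:mm:ss', $null) }
    # Newest stamp across all partitions on this DC (Sort-Object works on DateTime in PS 5.1 and 7).
    $last = if ($stamps) { $stamps | Sort-Object -Descending | Select-Object -First 1 } else { $null }
    $age  = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }

    $status = if (-not $last)               { 'NO BACKUP RECORDED' }
              elseif ($age -ge $tsl)        { 'UNRESTORABLE (older than TSL)' }
              elseif ($age -ge $warnDays)   { 'STALE' }
              else                          { 'OK' }

    [pscustomobject]@{
        DomainController  = $dc.HostName
        Site              = $dc.Site
        LastBackup        = $last
        AgeDays           = $age
        TombstoneLifetime = $tsl
        Status            = $status
    }
}

# Worst DCs first; anything other than OK should feed your recovery drill and alerting.
$results | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Run it from a workstation with RSAT as a domain-joined account that can query every DC; a DC reporting NO BACKUP RECORDED has never had an AD-aware backup touch its partitions, which is exactly the gap an attacker deleting backups would leave.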
That’s Not All
Of course, recovery from a ransomware attack is tremendously more complex than just restoring AD, but if your people can log in to their computers and access their applications (e.g., Microsoft 365, Exchange Online, Teams, SharePoint), they can get some work done, and you can focus on restoring critical business applications. An AD-specific recovery plan is only one component of a much larger plan, but it plays a key role in your company’s recovery. If people can log in and get some work done, that alleviates a lot of pressure on IT and lets you focus on recovering other critical systems. But if your people can’t log in, even if the critical business systems are running, they can’t be accessed and people can’t work. Food for thought.
Please share your thoughts below on what you’ve done to protect your AD, or reach out and we would be glad to help. There are fast and cost-effective ways to get a plan and a setup in place. Take a look at our AD Recovery Solution at Itergy, or contact us to find out more about how we can help you.
We’re Active Directory experts. We’ve been monitoring and managing Active Directory in 65 countries, 24/7 on behalf of our customers for over 20 years. Some of our Active Directory services and AD managed services include health checks, strategic consulting, migrations, consolidations, M&A and divestitures, Active Directory security, and Active Directory disaster recovery (AD backup solution and AD recovery).
We make Active Directory the agile, secure, mature business application it was intended to be—the one your enterprise needs to succeed throughout all your business operations.