Over 90 percent of companies use Active Directory (AD); however, most don’t have a tested AD disaster recovery plan in place to recover it after a cyberattack.
Active Directory is used to manage access to network resources. It holds the keys to the kingdom, so AD needs to be running all the time. That is also why it’s a prime target for cybercriminals. Once they get a foot in the door, they look for ways to gain access to your most valuable assets.
When AD is encrypted, you’re locked out of your own system. Business stops.
The risk is growing as the number of cyberattacks continues to increase. “The pandemic has shifted Canada’s cybersecurity landscape,” says a report by the Canadian Internet Registration Authority (CIRA). According to its 2021 Cybersecurity Survey, 36 percent of Canadian organizations faced more attacks during the pandemic.
Now an army of hackers is getting in on the act because the professionals are selling their platforms on the open market.
What does this mean in terms of the threat to Active Directory?
A U.S. research report found that half of the organizations surveyed experienced an attack on AD in the past two years. Over 40 percent of them say the attack was successful.
This means that it’s essential to have a plan in place to recover AD if and when it’s attacked. It’s the first thing you’ll need in order to get business up and running.
Why Traditional Backups Aren’t Enough For AD Disaster Recovery
You might be thinking that this isn’t a concern because you back up Active Directory.
Unfortunately, it’s not that simple. There are several reasons for this.
Usually, the hackers spend some time, perhaps even months, on your network. They will find and delete your backups. This makes it more difficult for you to recover and more likely that you’ll pay them to get your system back.
“No problem,” you might say. “My Active Directory is backed up in the cloud.” The truth is that it may not be safe in the cloud either. AD access will most likely provide the credentials for the criminals to access the cloud as well.
Even if you can recover the backup, it’s a slow and painful process. According to the U.S. Chamber of Commerce, the average downtime for these types of attacks is 21 days.
It’s not that hard to recover the backup for an individual domain controller. But that’s not the same thing as restoring the entire AD forest. The forest is the top tier of the AD ecosphere that contains domains, users, computers, and group policies. Forest recovery is a complicated and manual process.
I recall being asked to join a conference call with more than 30 people who were trying to figure out how to recover Active Directory after an attack, which is not the time to be talking about what to do. You want to have a predefined AD backup and disaster recovery solution in place.
Nonetheless, these situations happen too often. You might not always hear this level of detail, but Active Directory has been in play in many of the cyberattacks in the news. In the U.S., Semperis recently reported that AD was “instrumental” in the SolarWinds attack that affected thousands of companies and government agencies. In this case, the hackers gained access to cloud resources after breaching the on-premises Active Directory. No one wants to be headline news for this reason.
What Your AD Disaster Recovery Plan Should Include
The development of an AD restore plan is often overlooked. According to a poll by the SANS Institute, “only one in five organizations have a tested plan in place for recovering AD after a cyberattack.”
It’s not a surprise. Active Directory is like plumbing. Many people don’t think about it because it’s just there and it works.
What should you be thinking about when you plan for AD disaster recovery?
- Your organization should have a solution that treats AD backups separately from other systems so they can’t be accessed from your current environment.
- Automation is essential so you can spin up the Active Directory backup from a particular point in time in a matter of hours, not days.
- Finally, and I can’t emphasize this enough, your AD disaster recovery must be tested at least every three months. These tests should be verified at the management level.
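One practical check that supports the plan above is verifying, on a schedule, that every domain controller actually has a recent, restorable system-state backup. The script below is an added example, not part of the original post or Itergy’s tooling; it assumes the ActiveDirectory module, WinRM access to each DC, and that DCs are backed up with Windows Server Backup (Get-WBSummary). The seven-day target is an assumption; the tombstone lifetime check matters because a backup older than the forest’s tombstone lifetime cannot be restored at all.

```powershell
# Added example: report the age of the last successful backup on every DC
# and flag backups that are stale or too old to restore.
Import-Module ActiveDirectory

$MaxBackupAgeDays = 7   # organisational target (assumption, not from the post)

# Read the forest tombstone lifetime; if the attribute is unset the effective
# default is 60 days. Backups older than this cannot be used for AD restore.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
            -Properties tombstoneLifetime
$TombstoneLifetimeDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Query Windows Server Backup on the DC itself
        $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        }
        $last = $summary.LastSuccessfulBackupTime
        $age  = if ($last) { (New-TimeSpan -Start $last -End (Get-Date)).Days } else { $null }

        [pscustomobject]@{
            DomainController     = $dc.HostName
            LastSuccessfulBackup = $last
            AgeDays              = $age
            Status = if ($null -eq $age)                      { 'NO BACKUP FOUND' }
                     elseif ($age -ge $TombstoneLifetimeDays) { 'UNRESTORABLE (older than tombstone lifetime)' }
                     elseif ($age -gt $MaxBackupAgeDays)      { 'STALE' }
                     else                                     { 'OK' }
        }
    }
    catch {
        # A DC that cannot be queried is itself a finding for the DR report
        [pscustomobject]@{
            DomainController     = $dc.HostName
            LastSuccessfulBackup = $null
            AgeDays              = $null
            Status               = "QUERY FAILED: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

The report shows backup recency only; whether the backup media is isolated from the production environment, as the first point above requires, still has to be verified separately.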
It’s become a fact of life that attacks will happen. At the end of the day, the most important thing is that you know how to get your business up and running as quickly as possible. Read our blog, “12 Important Considerations for Active Directory Recovery Following a Ransomware Attack,” for more details on planning for AD ransomware recovery.
Get in contact with us to discuss how you can guarantee a quick recovery of AD if you fall victim to a cyberattack.
Martin Fitzsimons is the Vice President of Enterprise Services at Itergy.
We’re Active Directory experts. We’ve been monitoring, managing, and recovering Active Directory in 65 countries, 24/7 on behalf of our customers for over 20 years. Some of our Active Directory services and AD managed services include health checks, strategic consulting, migrations, consolidations, M&A and divestitures, Active Directory Security, and Active Directory disaster recovery (AD backup solution and AD recovery).
We make Active Directory the agile, secure, mature business application it was intended to be—the one your enterprise needs to succeed throughout all your business operations.