Are You Overlooking This Critical Element in Your Cybersecurity Strategy?

Employee logs in from a backup Active Directory

Over 90 percent of companies use Active Directory (AD); however, most don’t have a tested plan in place to recover it after a cyberattack.

Active Directory is used to manage access to network resources. Basically, it holds the keys to the kingdom. That’s why it’s a prime target for cybercriminals. Once they get a foot in the door, they look for ways to gain access to your most valuable assets.

When AD is encrypted, you’re locked out of your own system. Business stops.

The risk is growing as the number of cyberattacks continues to increase. “The pandemic has shifted Canada’s cybersecurity landscape,” says a report by the Canadian Internet Registration Authority (CIRA). According to its 2021 Cybersecurity Survey, 36 percent of Canadian organizations faced more attacks during the pandemic.

Now an army of less skilled attackers is getting in on the act, because the professional groups sell their attack platforms on the open market.

What does this mean in terms of the threat to Active Directory?

A U.S. research report found that half of the organizations surveyed experienced an attack on AD in the past two years. Over 40 percent of them say the attack was successful.

This means that it’s essential to have a plan in place to recover AD if and when it’s attacked. It’s the first thing you’ll need in order to get business up and running.

Why Traditional Backups Aren’t Enough

You might be thinking that this isn’t a concern because you have backups of your Active Directory.

Unfortunately, it’s not that simple. There are several reasons for this.

Usually, the hackers spend some time, perhaps even months, on your network. They will find and delete your backups. This makes it more difficult for you to recover and more likely that you’ll pay them to get your system back.

“No problem,” you might say. “My Active Directory is backed up in the cloud.” The truth is that it may not be safe in the cloud either. AD access will most likely provide the credentials for the criminals to access the cloud as well.

Even if you can recover the backup, it’s a slow and painful process. According to the U.S. Chamber of Commerce, the average downtime for these types of attacks is 21 days.

It’s not that hard to recover the backup of an individual domain controller. But that’s not the same thing as restoring the entire AD forest. The forest is the top-level container in the AD hierarchy, holding the domains, users, computers, and group policies. Forest recovery is a complicated and largely manual process.

I recall being asked to join a conference call with more than 30 people who were trying to figure out how to recover Active Directory after an attack, which is not the time to be talking about what to do. You want to have a predefined plan in place.

Nonetheless, these situations happen too often. You might not always hear this level of detail, but Active Directory has been in play in many of the cyberattacks in the news. In the U.S., Semperis recently reported that AD was “instrumental” in the SolarWinds attack that affected thousands of companies and government agencies. In this case, the hackers gained access to cloud resources after breaching the on-premises Active Directory. No one wants to be headline news for this reason.

What Your Active Directory Recovery Plan Should Include

The development of an Active Directory recovery plan is often overlooked. According to a poll by the SANS Institute, “only one in five organizations have a tested plan in place for recovering AD after a cyberattack.”

It’s not a surprise. Active Directory is like plumbing. Many people don’t think about it because it’s just there and it works.

What should you be thinking about?

Your organization should have a solution that keeps AD backups separate from other systems, so they cannot be reached from the production environment an attacker has already compromised. Automation is essential so you can spin up the backup from a particular point in time in a matter of hours, not days.

Finally, and I can’t emphasize this enough, your backup recovery must be tested at least every three months. These tests should be verified at the management level.
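A first, measurable step toward the tested-recovery discipline described above is knowing, for every domain controller in the forest, when the last good system state backup was taken. The following PowerShell script is an added example for this article, not Itergy's own tooling or product code. It assumes the RSAT ActiveDirectory module on the administrator's workstation, the Windows Server Backup feature (which provides the WindowsServerBackup module and Get-WBSummary) installed on each DC, PowerShell remoting permitted to the DCs, and a hypothetical seven-day freshness policy ($MaxAgeDays). It also reads the forest's tombstone lifetime, because a backup older than that cannot be restored at all.

```powershell
# Added example (not Itergy's code): report the age of the last successful system
# state backup on every domain controller in the forest and flag backups that are
# stale or already older than the tombstone lifetime (and therefore unrestorable).
# Assumptions: RSAT ActiveDirectory module here, Windows Server Backup feature on
# each DC, and WinRM/PowerShell remoting allowed to the DCs.
Import-Module ActiveDirectory

$MaxAgeDays = 7   # assumed local policy: anything older than a week is reported as STALE

# Tombstone lifetime is forest-wide; an unset attribute means the legacy default of 60 days.
$config = (Get-ADRootDSE).configurationNamingContext
$dsObj  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$config" -Properties tombstoneLifetime
$TombstoneDays = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }

# Enumerate every DC in every domain of the forest, not just the current domain.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    try {
        # Get-WBSummary (WindowsServerBackup module) returns the last backup times on that DC.
        $summary = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Import-Module WindowsServerBackup -ErrorAction Stop
            Get-WBSummary
        }
        $last = $summary.LastSuccessfulBackupTime
        $age  = if ($last) { ((Get-Date) - $last).TotalDays } else { $null }

        $status = if ($null -eq $age) {
            'NO BACKUP'
        } elseif ($age -gt $TombstoneDays) {
            'UNRESTORABLE'      # older than tombstone lifetime: AD will refuse the restore
        } elseif ($age -gt $MaxAgeDays) {
            'STALE'
        } else {
            'OK'
        }

        [pscustomobject]@{
            DomainController     = $dc.HostName
            Domain               = $dc.Domain
            LastSuccessfulBackup = $last
            AgeDays              = if ($null -ne $age) { [math]::Round($age, 1) } else { $null }
            Status               = $status
        }
    } catch {
        # A DC that cannot be queried is itself a finding: you cannot prove it is backed up.
        [pscustomobject]@{
            DomainController     = $dc.HostName
            Domain               = $dc.Domain
            LastSuccessfulBackup = $null
            AgeDays              = $null
            Status               = "ERROR: $($_.Exception.Message)"
        }
    }
}

$report | Sort-Object Status | Format-Table -AutoSize
```

This only tells you that a backup exists and how old it is; it says nothing about whether the forest can actually be rebuilt from it. That is what the quarterly test restore into an isolated environment is for, and the report above is a reasonable artifact to attach to the management-level sign-off of that test.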

It’s become a fact of life that attacks will happen. At the end of the day, the most important thing is that you know how to get your business up and running as quickly as possible.

Get in contact with us to discuss how you can guarantee a quick recovery of AD if you fall victim to a cyberattack.

Learn more about our Proactive Active Directory Backup and Recovery Solution.

Martin Fitzsimons is the Vice President of Enterprise Services at Itergy.
