Darren Mar-Elia

We’re barely a month into the new year, but wiperware is back in the news. DevPro Journal notes a “drastic increase” starting last year, likely driven by geopolitical conflict. What is wiperware—and how can you protect your organization?

What is wiperware?

Wiperware (wiper malware) is malicious software built to destroy data and render systems unusable, typically by overwriting or erasing files, partition tables, or the boot sector rather than encrypting them for ransom. It is often used as part of an advanced persistent threat (APT) attack against critical infrastructure. Unlike attacks intended for financial gain through extortion or data theft, wiperware’s purpose is purely to destroy or cause havoc. This tactic is popular with nation-state actors and terrorists, so such attacks typically increase during periods of geopolitical conflict.

How can you fight back against wiperware?

Think of good Identity Threat Detection and Response (ITDR) like an onion, providing multiple layers of protection. Outer layers include strategies such as training users to spot phishing emails and deploying endpoint detection and response (EDR).

But cyberattackers are becoming increasingly adept at finding ways past those outer layers. And when attackers make it into your network, their next target is typically the identity infrastructure. For 90% of organizations today, that means Active Directory (AD) and Azure AD.

Access to your hybrid identity infrastructure can enable threat actors to take over even more critical assets in your environment. That’s why identity infrastructure security should be the core of your cyber-resilience strategy.

With that concept in mind, here are three things you can do today to strengthen identity-first security and fend off wiperware—and other forms of cyberattack.

Step 1: Implement a layered defense

Identity systems are prime targets for threat actors, and credential misuse is the most popular path to security breaches. Gartner notes the need for “defense in depth,” with a focus on identity.

EDR is an important security tool, but it simply cannot be used as your only defense. The best defense is a layered defense.

As attractive as vendor consolidation might sound, putting all your eggs in one security basket has significant drawbacks. Cyber resilience requires a certain level of redundancy to avoid a single point of failure, especially when it comes to ITDR.

Gartner notes: “A layered approach involving ITDR is the best way to enhance preparedness for cyberattacks…. Fill gaps in ITDR by assessing the full range of attack vectors and telemetry covered. Plan to use a mosaic of tools that complement each other, and may overlap, to meet the requirements for a comprehensive ITDR initiative.”

The best way to protect the identity system? Look for an ITDR solution that focuses specifically on protecting the identity system itself, which for most enterprise organizations (around 90%) means Active Directory (AD) and Azure AD.

Step 2. Monitor your hybrid AD

For on-prem or hybrid identity infrastructure, regular monitoring of the identity attack surface is vital. Monitoring can help you identify potential vulnerabilities before attackers do.

An effective monitoring strategy needs to be specific to AD. Attackers are becoming increasingly adept at finding ways past multifactor authentication (MFA), EDR, and even security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions. Therefore, identity-first security requires a monitoring solution that provides real-time insight and actionable guidance.

An easy way to start is by exploring free community tools, such as Purple Knight and Forest Druid. Purple Knight looks at security indicators—both indicators of compromise (IOCs) and indicators of exposure (IOEs). Forest Druid provides Tier 0 attack path mapping and management. Paid solutions like Semperis Directory Services Protector (DSP) offer IOC and IOE monitoring plus automated rollback of suspicious changes and extended incident response.
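To make the IOC/IOE idea concrete, here is an added example (not code from the original post, from Semperis, or from the tools named above) that checks a handful of well-known AD indicators of exposure and one indicator of compromise with the RSAT ActiveDirectory module. The Tier 0 group list, the password-age thresholds, the seven-day look-back and the `Add-Finding` helper are assumptions to tune per environment.

```powershell
# Added example (not from the original post or from Semperis): a small set of
# Active Directory indicators of exposure (IOEs) and one indicator of
# compromise (IOC), queried with the RSAT ActiveDirectory module.
# Assumptions: the Tier 0 group list, the age thresholds and the 7-day
# look-back are illustrative and should be adjusted per environment.
Import-Module ActiveDirectory

$dc          = (Get-ADDomain).PDCEmulator
$domain      = Get-ADDomain -Server $dc
$tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$staleDays   = 365   # assumption: privileged password older than this is flagged
$krbtgtDays  = 180   # assumption: krbtgt key older than this is flagged
$lookbackDays = 7    # assumption: Tier 0 membership changes newer than this are reported
$findings    = New-Object System.Collections.Generic.List[object]

# Hypothetical helper: collect findings as objects so they can be sorted/exported
function Add-Finding([string]$Indicator, [string]$Object, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Object = $Object; Detail = $Detail })
}

# IOE: accounts that skip Kerberos pre-authentication (AS-REP roastable)
Get-ADUser -Server $dc -Filter 'DoesNotRequirePreAuth -eq $true' |
    ForEach-Object { Add-Finding 'NoPreAuth' $_.SamAccountName 'userAccountControl has DONT_REQ_PREAUTH' }

# IOE: Tier 0 members that are Kerberoastable (SPN set), never expire, or have stale passwords
foreach ($group in $tier0Groups) {
    Get-ADGroupMember -Server $dc -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Server $dc -Identity $_.DistinguishedName `
                 -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires
            if ($u.ServicePrincipalName.Count -gt 0) {
                Add-Finding 'PrivilegedSPN' $u.SamAccountName "member of $group"
            }
            if ($u.PasswordNeverExpires) {
                Add-Finding 'PrivilegedPwdNeverExpires' $u.SamAccountName "member of $group"
            }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays)) {
                Add-Finding 'PrivilegedStalePwd' $u.SamAccountName "password set $($u.PasswordLastSet)"
            }
        }
}

# IOE: krbtgt key age (forged TGTs stay valid until the key is rotated twice)
$krbtgt = Get-ADUser -Server $dc -Identity krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddDays(-$krbtgtDays)) {
    Add-Finding 'KrbtgtKeyAge' 'krbtgt' "last set $($krbtgt.PasswordLastSet)"
}

# IOE: any authenticated user may join computers to the domain (default quota is 10)
$quota = (Get-ADObject -Server $dc -Identity $domain.DistinguishedName `
          -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -gt 0) {
    Add-Finding 'MachineAccountQuota' $domain.DNSRoot "ms-DS-MachineAccountQuota = $quota"
}

# IOC: recent Tier 0 membership changes, read from replication metadata rather than
# the security event log, so they are visible even if auditing was disabled or cleared
foreach ($group in $tier0Groups) {
    $g = Get-ADGroup -Server $dc -Identity $group
    Get-ADReplicationAttributeMetadata -Server $dc -Object $g -ShowAllLinkedValues |
        Where-Object {
            $_.AttributeName -eq 'member' -and
            $_.LastOriginatingChangeTime -gt (Get-Date).AddDays(-$lookbackDays)
        } |
        ForEach-Object {
            Add-Finding 'RecentTier0Change' $group `
                "$($_.AttributeValue) changed $($_.LastOriginatingChangeTime) on $($_.LastOriginatingChangeDirectoryServerIdentity)"
        }
}

$findings | Sort-Object Indicator, Object | Format-Table -AutoSize
```

Run it from a domain-joined administrative workstation with RSAT installed. The last check is the one worth copying: linked-value replication metadata records when, and from which DC, each `member` value of a group was added or removed, so it still shows a Domain Admins change after an attacker has cleared the event log.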

Step 3. Get ready to recover

Being targeted by cyberattacks is no longer a matter of “if” but of “when.” Tested, malware-free backups of your core identity systems are a must. Unfortunately, our recent survey of 50+ organizations shows that 77% of respondents would experience a severe or catastrophic impact in the event of a cyberattack that takes down AD.

How can you improve your chances of successfully recovering from such an attack?

  • Implement an AD-centric backup. System-state and bare-metal recovery (BMR) backups aren’t enough on their own: they capture the whole operating system, including any malware or persistence the attacker planted on the domain controller, and restoring them reintroduces it. An AD-specific backup enables a faster recovery of your environment and has a smaller backup footprint. For example, Semperis Active Directory Forest Recovery (ADFR) protects against the reintroduction of malware and can be automated to avoid human error and reduce downtime from hours, days, or weeks to just minutes.
  • Include specific steps for implementing and testing AD backups, recovery, and critical maintenance in your disaster recovery plan.
  • Test your backups and practice AD forest recovery processes regularly so that you’ll be fully prepared should you need to restore AD.
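Testing the recovery process is the only real proof, but a quick way to verify that AD backups are actually happening is to read the timestamp Windows records on each partition when a system-state backup completes. The following added example (not code from the original post or from Semperis) reports that timestamp for every naming context and flags backups that are stale or older than the forest’s tombstone lifetime; the 24-hour threshold and the `Get-BackupReport` function name are assumptions.

```powershell
# Added example (not from the original post or from Semperis): report the last
# system-state backup of every naming context, as recorded in the dSASignature
# attribute on each partition head (the same data "repadmin /showbackup" prints),
# and flag partitions whose last backup is stale or older than the tombstone
# lifetime. Assumption: the 24-hour freshness threshold is illustrative.
Import-Module ActiveDirectory

$maxAgeHours = 24
$dc      = (Get-ADDomain).PDCEmulator
$rootDse = Get-ADRootDSE -Server $dc
$now     = Get-Date

# A backup older than the tombstone lifetime cannot be restored: the restored DC
# would reintroduce objects that have already been deleted everywhere else
# (lingering objects). If the attribute is not set, the effective value is 60 days.
$dsConfig = Get-ADObject -Server $dc `
    -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
    -Properties tombstoneLifetime
$tombstoneDays = if ($dsConfig.tombstoneLifetime) { $dsConfig.tombstoneLifetime } else { 60 }

# Hypothetical function: one row per naming context held by the queried DC
function Get-BackupReport {
    foreach ($nc in $rootDse.namingContexts) {
        $meta = Get-ADReplicationAttributeMetadata -Server $dc -Object $nc |
                Where-Object AttributeName -eq 'dSASignature'
        $last = $meta.LastOriginatingChangeTime          # $null if never backed up
        $ageHours = if ($last) { ($now - $last).TotalHours } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            Partition  = $nc
            LastBackup = $last
            BackedUpOn = $meta.LastOriginatingChangeDirectoryServerIdentity
            AgeHours   = [math]::Round($ageHours, 1)
            Status     = if ($ageHours -gt $tombstoneDays * 24) { 'UNUSABLE: older than tombstone lifetime' }
                         elseif ($ageHours -gt $maxAgeHours)    { 'STALE' }
                         else                                    { 'OK' }
        }
    }
}

Get-BackupReport | Format-Table -AutoSize
```

Because `dSASignature` metadata replicates, querying the PDC emulator is enough to see the last backup of each partition and which DC produced it. A row marked STALE or UNUSABLE is the signal to investigate the backup job before you need it, not during a recovery.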

Wipe out wiperware threats

A cybersecurity strategy that protects both endpoints and your core identity foundation while avoiding single points of failure is your best defense against whatever cyberattackers throw at you, including wiperware. Put identity-first security on your 2023 priority list, and you’ll have one less thing to worry about.