Semperis Team

Any ransomware recovery plan needs to include regular file backups and encrypted data with offline copies, as the Cybersecurity and Infrastructure Security Agency (CISA) recently reminded as part of the organization’s campaign to drive awareness of its ransomware guidance and resources. The guidance includes best practices and checklists to help companies formulate their cyberattack response plans.

And while backups are fundamental to any recovery plan, those backups won’t save an organization if the malicious attack compromises Active Directory (AD), the identity management service that 90% of businesses use. As Semperis CEO Mickey Bresman pointed out in “Rethinking Active Directory security,” once an attacker gains access to Active Directory, resources anywhere within the logical environment are vulnerable. If the attack infects a company’s domain controllers (DCs), then additional measures are needed to bring Active Directory back online without reintroducing the malware.

As Semperis Chief Architect Gil Kirkpatrick discusses in “The Dos and Don’ts of AD Recovery,” the proliferation of ransomware attacks increases the likelihood that IT teams will need to conduct a full Active Directory forest recovery, which can be a challenging scenario. A successful recovery depends on the team understanding all the systems and services that use AD in their environment.

Keeping some backups offline is part of that equation: In the Maersk NotPetya attack, recovery was possible only because a power outage happened to take a domain controller offline during the attack, leaving one untainted starting point from which to begin rebuilding. To ensure you have backups to save the day in the event of a ransomware attack, Kilpatrick advises saving backups on a non-domain joined server or copying backup images to Azure or AWS blob storage.

Resources to harden your Active Directory recovery plan

Not sure whether your ransomware recovery plan is bulletproof yet? In addition to following the CISA guidance, investigate these resources to ensure your company can recover from an attack that uses AD as an entry point—an all-too-frequent scenario:

  • Webinar: The Dos and Don’ts of Recovering Active Directory from a Scorched Earth Disaster, presented by Gil Kirkpatrick (Semperis Chief Architect) and Guido Grillenmeier (Semperis Chief Technologist)
  • Report: Recovering Active Directory from Cyber Disasters
  • Webinar: A Cyber-First Approach to Disaster Recovery, presented by Darren Mar-Elia (Semperis VP of Product) and John Pescatore (Director, Emerging Security Trends, SANS Institute)