Thomas Leduc

When a storm hits, the one who is most prepared is the one who will weather it best. For IT, this storm is digital, a flurry of cyberattacks that routinely touches down on the shores of Microsoft Active Directory (AD). 

AD is a juicy target, and we all know why. It’s the key to an attacker elevating privileges, and the impact of an outage can be catastrophic. In years past, the greatest threat to AD might have been a natural disaster or operational mistake. Today, it’s the increasing number of fast-moving cyberattacks, which presents a critical question: how prepared are organizations to recover if their domain controllers are infected by ransomware or wiped out completely? 

To find out, we surveyed over 350 IT security professionals, IAM leaders, and C-level executives. In our 2020 study “Recovering Active Directory from Cyber Disasters,” we discovered that while businesses are aware of the risks, their recovery processes lag behind them. Even though 97% of organizations surveyed said that AD is mission-critical, more than half never actually tested their AD cyber disaster recovery process or did not have a plan in place at all. 

Here are our top findings:  

  • Companies are aware an AD outage would have a significant impact on operations. Almost every respondent (97%) said that AD is mission-critical to the business, and 84% said that an AD outage would be significant, severe, or catastrophic. 
  • Many organizations aren’t confident in their ability to recover AD quickly. Most respondents (71%) were only somewhat confident, not confident, or unsure about their ability to recover AD to new servers in a timely fashion. Only a tiny portion (3%) said they were “extremely confident.” 
  • Most organizations haven’t tested their AD recovery plan. Respondents expressed many concerns about AD recovery, with the lack of testing being the number one concern. This includes organizations that have not tested AD recovery at all and those who have tried but failed. 

[Chart] Survey respondents rank lack of testing as their top concern, followed by lack of a recovery plan.

As critical as Active Directory is to businesses, enterprises struggle to manage it securely while embracing cloud computing and remote workforces. The growing complexity of IT environments has increased the complexity of AD management, and the ripple effect of this reality directly impacts incident response. Just 34% of those surveyed said their organization understands the complexity of forest recovery. While this stat is low, it is also not surprising. In a lengthy technical guide, Microsoft lists the 28-step, multi-threaded process required to perform a forest recovery, and the process is mostly manual. Worse yet, there is no way to tell if a mistake has been made until the end, and then you have to start over. 

Testing is naturally a vital part of avoiding mistakes. However, organizations are failing in this regard too. According to the survey, 33%—the largest group—said they have an AD cyber disaster recovery plan but have never tested it. Twenty-one percent have no plan, and only 15% said they have a plan and have tested it in the last six months. Without regular assessment, recovery processes may have out-of-date information about AD topology, which can hamper recovery times in the event of an incident. 

It is easy to understand why these plans go untested. AD recovery is generally not a simple exercise, and a lack of automation can make the process cumbersome and error-prone. In addition, historically, having to recover an AD deployment from scratch was unlikely. However, considering that cyberattacks inflict more damage and strike more frequently than natural disasters, it’s time to think “cyber-first.” Does your disaster recovery playbook address this reality?

Focus on AD security and recovery strategy 

The good news is that most respondents realize how significant Active Directory is to their business. Eighty-four percent of those surveyed said they would experience a significant, severe, or catastrophic impact if an Active Directory outage occurred. The first priority, then, must be to make AD a harder target. Shrink the attack surface by following best practices such as implementing continuous monitoring, leveraging an administrative tier model, and promptly applying patches.  

When it comes to preparing for a scenario involving the recovery of a partition or forest, plans should be extremely detailed, all the way down to which individual commands will be run on which machine. The stress of dealing with an attack is bad enough. In our survey, a clear majority of respondents (69%) said they were increasingly concerned about the impact a cyberattack could have on their career. Having detailed plans will make the aftermath of an attack less stressful by eliminating uncertainty and reducing the need to think on the fly. 

In the same way, getting accustomed to the recovery plan through practice makes a huge difference as well. Organizations should create a test environment on virtual hosts and attempt to recover AD forests from backups. Increasing the comfort level with the recovery plan increases the chance it will go smoothly if it ever has to be used, and we’ll all sleep better at night.  
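As an added readiness check (example code written for this article, not part of the original post or the survey), the script below records the forest topology that a detailed recovery plan must name, so the playbook does not carry stale information, and flags naming contexts whose last backup is older than an assumed limit. It assumes the RSAT ActiveDirectory module, repadmin.exe, a domain account with read access, and that repadmin's /showbackup output contains a "Backup Time:" line under each naming context.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module,
# repadmin.exe, and a domain account with read access on a domain-joined machine.
Import-Module ActiveDirectory
$MaxBackupAgeDays = 7   # assumed policy value; set it to your own backup SLA
# 1. Capture the topology the playbook must list: forest/domain FSMO holders, sites, DCs.
$forest = Get-ADForest
$snapshot = [ordered]@{
    Forest             = $forest.Name
    ForestMode         = "$($forest.ForestMode)"
    SchemaMaster       = $forest.SchemaMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    Sites              = @($forest.Sites)
    Domains            = @()
}
foreach ($dnsRoot in $forest.Domains) {
    $domain = Get-ADDomain -Identity $dnsRoot
    $dcs = Get-ADDomainController -Filter * -Server $dnsRoot | ForEach-Object {
        [ordered]@{
            HostName = $_.HostName
            Site     = $_.Site
            IPv4     = $_.IPv4Address
            IsGC     = $_.IsGlobalCatalog
            IsRODC   = $_.IsReadOnly
            OS       = $_.OperatingSystem
            Roles    = @($_.OperationMasterRoles | ForEach-Object { "$_" })
        }
    }
    $snapshot.Domains += [ordered]@{
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainControllers    = @($dcs)
    }
}
# Keep the snapshot with the plan so it names real hosts, not ones that no longer exist.
$snapshot | ConvertTo-Json -Depth 6 | Set-Content -Path '.\ad-topology-snapshot.json'
# 2. Flag naming contexts whose last backup is older than the limit. repadmin /showbackup
# prints the backup time stored in each partition's dSASignature; the line shape assumed
# here is a naming-context line followed by a line containing "Backup Time: <date> <time>".
$cutoff  = (Get-Date).AddDays(-$MaxBackupAgeDays)
$context = $null
foreach ($line in (& repadmin.exe /showbackup $forest.SchemaMaster 2>&1)) {
    if ($line -match '^\s*(DC=|CN=)') { $context = $line.Trim(); continue }
    if ($line -match 'Backup Time:\s*(\S+\s+\S+)') {
        $when   = [datetime]::Parse($Matches[1])
        $status = if ($when -lt $cutoff) { 'STALE' } else { 'ok' }
        '{0,-5} {1}  last backup {2:u}' -f $status, $context, $when
    }
}
```

Run it on the same schedule as the recovery-plan review; a STALE partition means the backup you would restore from in a test already predates your own limit.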

Ready or not, the threat landscape for AD is evolving quickly. The focus on protecting AD and recovering from cyberattacks needs to evolve with it. To get a full look at the survey results, download the report here.