Cyberattacks are rapidly evolving in sophistication and scale. The line between the digital and the physical realm has become more blurred. Foreign cyberattackers have used destructive malware to erase data from hard drives and made moves to infiltrate industrial systems. They could make equally damaging moves in the future, given recent political events and verbal threats.
Anyone in charge of organizational cyber readiness is in an important place right now. The adage “the best defense is a good offense” doesn’t apply here. In this case, the best defense is a good defense.
Practically, you need to have both an incident response (IR) plan and a business continuity plan (BCP) ready and tested. You need to go beyond identifying risks — trying to protect against them with methods like multifactor authentication and detect them with virus scanners and SIEM systems — and respond to them. You need to follow all the way through and think ahead of time about how you are going to recover.
Identity services are at the crux of most advanced persistent threat (APT) targets. Knowing this, it’s smart to test your active directory (AD) BCP and disaster recovery plan (DRP) every 13 months, at minimum. The reason more people don’t do this is that it’s mundane, and it’s difficult to do correctly. Performing a restoration test on the production environment is not an option, and testing a vanilla environment is only partially helpful. Taking a backup of the production environment and restoring it to an isolated lab is the most effective approach.
We tell our customers the best way to test your BCP and DRP plans is to map critical organizational processes to the applications that support them and, ultimately, to the infrastructure supporting those applications. No two organizations are exactly alike, and for some, restoring the headquarters (HQ) might be the highest priority, with the branches to follow (a common scenario for financial institutions), while for others it might be the other way around (a common scenario for manufacturing companies).
Deciding to have the same service-level agreement (SLA) for all your infrastructure is the easiest decision to make, but in most cases will mean that the critical applications will be in the same queue as the noncritical ones. In most enterprises, this means all roads lead to AD. Despite this, we’ve seen that AD recovery planning is often overlooked, even though it is one of the most critical components of any kind of cyber-first approach to DR.
AD DR is an arduous process. It took Danish company Maersk nine days to recover its AD from the 2017 NotPetya malware attack. Roughly 55,000 devices on Maersk’s worldwide network were fully infected in seven minutes, according to Andy Powell, Maersk’s CISO.
In a cyber disaster, AD is mission-critical because it’s foundational to recovering everything else on the network. Until you’ve successfully recovered your AD, there’s not a lot more you can do. Just shutting down systems once an attack begins doesn’t work. You need to understand the likely attack vectors and potential weak points and assume even your backup AD servers could be compromised.
The best-practice advice from Andy Powell is to make sure you can recover AD in less than 24 hours. So, that begs the question: When was the last time you tested your AD recovery plan? Just as important, has your AD recovery plan been updated to include cyber scenarios such as a ransomware or wiper attack?
In closing, sometimes it takes an imminent threat for companies to get more serious about their fundamental threat detection and response plans. Now is a good time to try to get ahead by working to close gaps in your BCP and DRP plans by looking for the weakest links, starting with your AD infrastructure and apps that rely on it.
AD security professionals, this is your time to shine. AD is not just equally critical to the other layers in any security strategy — these days, we’d argue it’s even more so. And it’s your challenge and responsibility to convince the rest of your team that AD needs to be at the center of your defense plan.