Your Active Directory was compromised, is it all lost?
Following a 10-year stint in virtualization technologies, I joined Semperis and dove into the world of Active Directory. Over the last three years, which included some of the most vicious malware attacks ever documented, I think I have finally come up to speed on this part of the IAM world.
Here are a couple of conclusions I have come to. First, security attacks are not a matter of if, but when. If you want to dispute that, check your newsfeed. The second conclusion is that in almost every attack, Active Directory is either manipulated, encrypted, or destroyed. It doesn’t matter if you’re a small county government, a mid-size hospital, or a large enterprise: once the attacker is in, this is where they want to go. Considering the treasure trove that comes with “owning” the security backbone of the organization, how could any bad guy resist?
I said earlier that I am up to speed, which I must admit might not be entirely true. The biggest unsolved mystery for me is what happens to a company when its Active Directory is compromised. Let me be clear on what I mean by compromised. I mean someone has gotten hold of domain admin rights. They can see everything in the forest; they can go anywhere, hide anywhere, become anyone, and do just about anything else.
Following dozens of conversations with lots of experts, there has been only one conclusive answer – “Go Nuclear!” – meaning wiping out your entire Active Directory and rebuilding it from scratch. This is the point in these discussions where everyone jokes about it being a “resume-changing event”.
Now I will be the first to tell you that I cannot speak to the amount of work involved in rebuilding your AD, but the word “prohibitive” is often used when I’ve inquired. I do know that without Semperis’ technology, just manually restoring an Active Directory forest from a backup takes anywhere from several days to a few weeks depending on complexity, bandwidth, etc. So how long does a full rebuild take – months? Years? Can an organization survive this?
One possible answer is that it’s rare for an attacker to achieve domain dominance and most hacks occur much lower in the security stack. (Cue the Family Feud buzzer.) I’m not buying that. Following this year’s Hybrid Identity Protection Conference, last year’s HIP Conference, and all the other conferences on this subject that I’ve attended, it’s just too damn easy.
My take is if they have gotten your company’s financial data, customer list, or anything else of value, then they might also have the “crown jewels”. Can you live with that possibility?
So, let me recap and paint an unfortunately common picture. You’re a manufacturer with 20,000 employees. Your Active Directory controls the robots in your factories, all of IT, VoIP phones, and ID badges. Unbeknownst to you, someone has penetrated your network and has been moving laterally (and slowly up) for eight months. They now have permission to do anything and have mapped out everything – they press THE button, and everything is encrypted.
What do you do?
I am going to end part 1 here 😊. I would love your comments/feedback. Either here or via PM.
For the techies out there, I will add a twist and tell you to assume there is a rootkit embedded in your domain controllers. So, BMR (bare metal recovery) or system state restore won’t help, as they will reintroduce the attacker 😊.