Die betriebliche Kontinuität hängt von der Cyber-Resilienz ab. Die Aufrechterhaltung dieser Widerstandsfähigkeit kann schwierig sein, wenn die Ressourcen knapp sind. Angreifer wissen das und sind geschickt darin, Personalwechsel und technologische Lücken zu ihrem Vorteil zu nutzen.
Das bevorzugte Mittel von Angreifern zur Verbreitung von Malware, zur Eskalation von Privilegien und zum Aufbau von Ausdauer ist die Identitätsinfrastruktur - typischerweise Microsoft Active Directory (AD), oft in Kombination mit Microsoft Entra ID oder Okta. Da diese Dienste den Zugang zu fast allen Systemen und Ressourcen in Ihrem Unternehmen kontrollieren, sind sie ein beliebtes Ziel für Cyberangriffe.
Wie können Behörden Lücken bei incident response der Notfallwiederherstellung schließen? Durch Automatisierung! In dieser Sitzung stellt Gil Kirkpatrick (Chefarchitekt bei Semperis) fünf wichtige Sicherheitsmaßnahmen vor, mit denen Bundes-, Landes- und Kommunalbehörden (sowie jede andere Organisation) ihre Cyber-Resilienz automatisieren können, um die Sicherheit der Identitätsinfrastruktur zu stärken und ihre Reaktionsfähigkeit sowie die Wiederherstellung nach Cyberangriffen zu beschleunigen.
Das Wichtigste in Kürze:
- Warum und wie Cyberattacken auf Active Directory und Entra ID abzielen
- Wie Sie die Angriffsfläche für Ihre Identität reduzieren können
- Wege zur schnelleren Erkennung von Angriffen
- Die Vorteile einer automatischen Reaktion auf riskante Veränderungen
- So nutzen Sie die Vorteile automatischer Alarme und Benachrichtigungen
- Warum automatische AD-Wiederherstellungsfunktionen ein Muss sind
Event entitled Closing the Gap for Government Agencies: 5 Ways to Automate Cyber Resilience sponsored by Semperis. Before we begin, I just wanna cover a few housekeeping details. If you have any questions throughout the presentation, please make sure to type those into the q and a box, and we’ll make sure to get those answered for you. Semperis has provided some resources, which correspond with today’s event, so please take a moment to check those out. They are located to the right of your audience console. Today’s webcast is also being recorded, so keep an eye out for a link in your email to rewatch the presentation or to share with a colleague. And now I’m thrilled to announce our speaker for today. We have the pleasure of hearing from a member of the Semperis team. Today with us, we have Gil Kirkpatrick, Chief Architect at Semperis. So we are in for a great event. And with that, I’ll pass the time over to Gil to get us started. Great. Thanks, Allison. I appreciate it. Like Allison said, my name is Gil Kirkpatrick. I am the Chief Architect at Semperis. I’ve been a Microsoft MVP, for identity and security for nineteen years, and I’ve been building identity management and security products for almost thirty years across several different platforms. At Semperis, we build products, to help organizations improve their resilience to cyber attacks primarily by focusing on protecting and recovering the identity system, which in most cases is Active Directory. Alright. Let’s go to the first slide here. That all seems to work. So attacks against critical infrastructure, which are usually under some sort of federal state or local those attacks have increased substantially over the last several years. I’d like to take a look at some statistics that we’ve collected through several surveys, and just to set the stage for the rest of this talk. So we recently did a survey, across critical infrastructure providers, in the US and the UK primarily. And they were, water and electrical grid operators for the most part. And their responses were telling. One was that sixty four percent of them reported that they had been attacked within the past year. And of those eighty four percent reported that they had been attacked multiple times. Those numbers are noticeably lower than what we see in the commercial sector but in general they they kind of line up. But here’s an interesting number and and you can consider what this really means, I guess. Thirty six percent of them reported not being targeted at all in the last year. And that on the surface, that sounds like, well, that’s pretty good, you know. Thirty six percent weren’t attacked. That’s, that must mean that the, the attackers are just not trying to break into these particular critical infrastructure providers. You can compare that to the commercial sector where more than ninety percent of organizations report suffering one or more attacks in the past year. But I think for myself and I think most experts in in the space agree that what is more likely going on here is that most of those that had reported that they had not been attacked in the last year, in fact, had been compromised, and they just weren’t aware of the attacker’s presence on their network. And I guess that’s in some ways, that’s even more concerning if that’s in fact actually the case. So if we’re not having a lot of success in keeping the threat actors out, what should we be doing? There’s there’s been a shift in the industry away. I wouldn’t say away from prevention, but, not considering prevention as the primary approach to reducing cyber attacks. The the the shift has been really from prevention to resilience. And the idea with resilience here is that, we’re going to suffer attacks. There’s probably not a lot we can do to prevent them entirely. But being resilient means that we need to detect those attacks when they occur, respond to them effectively and then recover from whatever damage, the attackers have created, recover quickly and with little disruption. That’s what resilience is about. And I think that’s, that is where the industry is moving to in terms of, ways of dealing with the constant threat of cyber attack. And that’s certainly how we’re approaching the problem as well at at Semperis. So I’d like to take a look at at what some of these attacks look like and who is actually performing them. So we asked the question, what are the primary security threats to critical infrastructure? And we got a real mixed bag of results, which I guess is not surprising, for a question that’s asking for an opinion. But we can look at these numbers and and maybe get some information out out of them, especially if we compare them to, compare these sort of opinion or responses to actual statistics that we’ve collected. For instance, thirty five percent of respondents considered that nation state actors are a primary threat. And, that’s certainly true, especially for government agencies. But for more than sixty percent of the attacks against critical infrastructure, are actually attributed to nation state actors. So we’ve got thirty percent of the respondents thinking that nation state actors are a problem, yet sixty percent of the attacks, are actually attributed to nation state actors. So that gives you a sense that maybe the perspective on who is actually performing these attacks on government agencies and critical infrastructure, are maybe a little off. Another one that was very telling is that thirty three percent of the respondents considered that the compromise of an identity system was a primary threat. So that’s only only a third. But if you look at the actual statistics, more than seventy percent and depending on the sample set you look at, even as much as ninety percent of cyberattacks go through the identity system in some way or another, either through compromised credentials, credential spoofing, reconnaissance, elevation of privilege, insertions of backdoor accounts and even denial of service by by, taking out Active Directory entirely. So that doesn’t quite line up with thirty three percent only thirty three percent thinking that the compromise of an identity system was an issue. I think what this shows us is that, even with the amount of data that’s available, about cyber attacks that are occurring, there seems to be a lack of understanding as to maybe where the real threat lies. So let me wrap up this section of the presentation and say basically that the scale and volume of cyber attacks against critical infrastructure and government agencies is, I guess you would call it pretty impressive. It seems to be almost continuous and the results can be pretty awful. The net of it all is is that you’ve likely been compromised whether you know it or not. Hopefully you do know it. And if you haven’t been you probably will be pretty soon. It’s sort of following the same trend in the commercial in government agencies is following the same trend in commercial organizations. The potential for disruption and permanent data loss is is substantial. We’ve worked on lots of, attacks and recovery scenarios where, the organizations have been disrupted for a long period of time and some of some of the data loss was complete and unrecoverable. But maybe the most important thing to take away from this is that the identity system is a common factor in nearly all of these attacks. And when I’m talking about identity system, I’m really talking about Active Directory. So if our best option is to improve our resilience rather than trying to entirely prevent attacks and and the identity system is the common vector, let’s see what we can do about making the identity systems, more resilience excuse me, more resilient. So, again, I wanna reinforce the point here that the identity system is is a key key component in the way cyber attacks materialized. At least seventy percent of cyber attacks involve some sort of compromise of the identity system. And one of my favorite quotes, which oddly is not showing up here. I’m not quite sure why that happened, but, that’s too bad because this is a good one. It says attackers don’t break in, they log in. And that sort of reinforces ah, there we go. That sort of reinforces the idea that that the identity system is the entry point for almost all cyber attacks. And it doesn’t just stop there with the initial compromise of the environment. Once an attacker gets into your identity system, again, primarily Active Directory, they will use an Active Directory for, reconnaissance in the, on your network. So the first step is, I’m on somebody’s machine. I’ve, you know, gone through some sort of, spear phishing attack. I’ve landed on a machine. It’s a member of a domain. I can now access Active Directory. I can read out essentially the entire directory and find out where all the interesting resources are on the network, so I know how to target my attack. The identity system is so important that Gartner, I think a couple of years ago, developed a new component of cybersecurity called identity threat detection and response or ITDR. And they labeled that as a a top trend, in cybersecurity. It’s, essentially calls out the fact that that one cyber attacks almost inevitable inevitably go through the identity platform in some way or another during the attack evolution, and that your identity systems are special. You have to protect them, using def different tools and techniques than just protecting endpoints like servers and, PCs. So the the whole notion of ITDR really underscores the fact that the identity system is a critical aspect of your cybersecurity activities and deserves special attention. For roughly ninety percent of enterprises, Active Directory is the primary component of the whole identity infrastructure. It’s typically the main authentication service for most organizations. Even when they’ve moved a lot of their IT to cloud based systems like Azure or AWS. Typically people in the office still log in through AD and then through, federated authentication get access to cloud resources. But AD was designed thirty years ago, which is actually frightening since I was involved with AD actually before it shipped. It’s frightening to think that that was actually thirty years ago. But back then the the landscape was entirely different. The main security concern was somebody running a backhoe over the fiber going to your data center or maybe a rogue admin unhappy with his lack of a pay raise to leading a critical database or something like that. But the threat environment was entirely different when AD was designed and first implemented. Internet in some sense. And, but unfortunately all, you know, all the domain joined machines that we have and all the applications that are tied to AD in the same way they were in two thousand, they are also all tied to the weaknesses that come with a thirty year old identity platform. The net of all of that is that if AD is compromised, so are your applications. If users can’t log in on their machine, if their machines can’t authenticate to AD, the users can’t access their applications as a rule. So what happens when your, Active Directory is actually attacked or is part of an attack? Attackers don’t always aim to disable your active directory, although that does happen, you know, using ransomware. It’s pretty common for attackers to encrypt the domain controllers as well, but not always. Sometimes it’ll just use, Active Directory for reconnaissance or for inserting backdoor accounts, so they can come back later after you think you’ve managed to evict them. Or they also use Active Directory for distributing ransomware quickly across the enterprise using, SysVol and and, and and, SysVol replication. But even if if the attackers don’t encrypt your domain controllers, you can’t really trust active directory after you’ve experienced a cyber attack that has, completed some sort of compromise of your Active Directory. And what that means is you either need to be able to completely mitigate the changes that the attackers have made or you need to recover your AD from backup. And you can’t restore AD from backup the same way you might ignore a a normal Windows Server. First off, if you’re doing something like system state backups, you don’t want to generally, recover a system state backup to say a virtual machine if you’re recovering in the cloud. But also the the system state image or even Forest a complete backup image will include, backdoors, that have been inserted in AD by itself and any malware that was, inserted in say the Windows or System32 directory. All of that means is that, you’ll have to look back further in your backups to try and identify a time when the compromise hadn’t occurred. But the way Active Directory changes occur, usually if you go back more than a couple of weeks, you’re you’re going to be causing yourself as many problems as you’re solving, dealing with, you know, new and deleted users and computers and group membership changes and that sort of thing. So at the end of it, recovering AD from backup is going to be a project. It’s gonna take a while. And while that’s going on, you can’t really recover your other applications and your users are gonna be dead in the water until you get it all completed. There was a really interesting, white paper that came out of the five eyes. The Five Eyes is a collaboration between the intelligence agencies, of the US, UK, Canada, Australia, and New Zealand. And they published this white paper called Detecting and Mitigating Active Directory Compromises. It is really, really good. In the overview, they sort of describe how AD works and and how it’s critical to the enterprise. And the rest of the document is essentially a laundry list of popular ways that attackers can compromise your AD. It includes things like group policy settings to help prevent attacks. And it talks about specific event log entries that you can monitor for evidence of attacks or or evidence of compromise. And, the paper covers things like Kerberoasting, golden and silver ticket attacks, Kerberos attacks, DC sync attacks that actually inject changes into the replication stream, dumping the DIT and extracting credentials. And they even talk about attacks on federation endpoints like Golden SAML and, sync processes like, enter, connect, you know, cloud connector, what is cloud sync or cloud connect? It’s a real gold mine of, information on current attacks on AD and if you have anything at all to do with Active Directory, security, you should definitely download it and take a look. It’s, where do I have the title here? Yes. It’s called Detecting and Mitigating Active Directory Compromises. You can Forest, search for that on the web and and download it. So I’ve talked about how and why AD is key to your efforts to achieve cyber resilience. Now what I wanna do is cover some of the problems you’re going to run into in the process. So one of the things, that I’ve touched on is that you may have to during your incident response, you’re going to have to live without Active Directory for a while. And it’s a real question as to how long, you can tolerate not having your Active Directory available. There’s a good chance that you’re gonna have to turn off Active Directory at some point during an incident response. This might be because the the attackers have compromised a privileged account like domain admin, or they’re creating backdoor accounts or they’re modifying security policies, or as I mentioned, even using SysVol to distribute malware. In all of those cases, you’ll want to consider, turning off your domain controllers. And when you do that, of course, that means that nobody can log in, none of their applications are available and your IT org that is tied to active directory is basically gonna come to a standstill. And the first step you have to go through is to recover your AD from backup. And if you don’t have some sort of specialized AD recovery tool, like at Semperis, we have Active Directory Forest Recovery, but there are, you know, competitors in the market that also have similar products. You’re gonna have to recover. If you don’t have one of those tools, tools, you’re gonna have to recover using the Microsoft guidance. And, if I recall correctly, that works out to be about a hundred and fifty pages of documentation with, like Forest pages of planning documentation and recovery processes and cross references to a bunch of different other articles. It’s, a very complex and time consuming process to manually recover your active directory from backup. In fact, the whole the whole documentation set on recovering your AD is sufficiently complicated that we, at Semperis, we produced something called the guide to the guide to Active Directory recovery, which is basically a guide to help you navigate all of Microsoft documentation for recovering your Active Directory. And, there were, you know, years ago, I used to run an Active Directory recovery workshop where we would actually go through the whole process of recovering AD from backup. And even with explicit step by step instructions, in a four VM environment, so two domains, four domain controllers, the success rate after four hours Forest in that small virtualized environment was about thirty percent. Most people were not never able to recover their that small Active Directory environment from backup and get it working again. And, in real life, the survey information that we’ve collected indicates that just recovering AD to some level some minimum level of functionality like people can log in usually takes on the order of a week. And according to Forrester, the average time to recover AD from backup to complete functionality, can be about twenty one days. So while that’s going on, generally speaking, your users can’t log in and they can’t get access to their things. So you have to think about how long that recovery process takes overall and what does that do to your business if your users can’t access their applications for an extended period of time. So minimizing the recovery time of AD is a critical, thing to consider developing your incident response plans. And speaking of incident response plans, we recently did a survey called the, state of enterprise cyber crisis readiness. And we interviewed, a thousand organizations in the US, UK, Europe, and APAC, so pretty globally. And it showed that at least in the government sector, most organizations had developed some sort of an incident response plan. But only sixty five percent of them had actually practiced that plan at some point either through tabletops or other simulations. And only about half of them had ever gone back to their plan and updated it. And I can promise you that, any IR plan that you develop is going to need to be revisited, at least quarterly and updated more often than once a year certainly. And even with with the fact that more than half of the respondents had developed a plan and had, practiced it, still twenty percent of those organizations had experienced multiple cyber incidents that, completely stopped their business for a period of time. So we, at Semperis, we’ve been involved in incident response for several years. Mostly, we’ve been helping organizations, assess and recover their Active Directory during and after a cyber attack. And, so we’ve had quite a bit of exposure to the whole, incident response process. And last week, we announced at RSA, a new product called Ready1, which can help you organize and orchestrate your incident response activity. So it’s not just for Active Directory, but your overall incident response. And it, you you know, helps take some of the chaos out of responding to a a live cyber incident. So check out our website. I don’t know if we’ve got a specific resource listed for Ready1, but go to the website and check out Ready1 and take a look to see if that might help you with your incident response activities. So we asked another, sort of opinion question of our, thousand customers here. It’s What’s standing in the way of cyber resilience? And we got, another sort of mixed bag of responses and there was no single issue that stood out here. You know, you can see here lack of support from, executive leadership, lack of overall cybersecurity planning, overall budget constraints. You know, they’re all sort of in the thirty percent response range. So nothing really stood out as a a significant blocker. When I look at this, my my first thought is, you know, it probably all comes down to a lack of, supportive leadership from from the executive team. Maybe even just at the point of putting the right kind of organization structures in place to to build a cyber, cyber recovery, a cyber resilience structure. I’ve been mostly talking about, the effort required to recover your identity system such as Active Directory, but in a real life cyber attack, obviously you’re more cons you’re concerned with getting the entire system back up and running. Active Directory is just a part of it. It’s a critical part of it because generally, you can’t you know, once once you have your network and DNS functioning, you have to get your identity system up and running before you can really do anything with the applications and users that depend on, on, on that system. Just getting Active Directory back can take several days. And then after that, you can actually start recovering all of your other systems. And in practice that can actually take several weeks. And, I’ve run into, victims who even after a year have not fully recovered all of their IT capabilities, you know, their backups were erased and, all of their data was erased and they’re just trying to recover from any anything that they have including scraps of paper. So the recovery timeline can be pretty brutal, even if you get your identity system up and running in a few days. Trying to get the entire thing recovered can be, can certainly take days and weeks beyond that. So, what I’d like to do now is sort of get to the the meat of the presentation is is talk about the different ways you can use automation to improve your cyber resilience. And I’m gonna focus primarily on the identity system because that is, I think, where you can get the most bang for your buck. It’s one of those, key systems that almost everything else is dependent on. And if you’re running Active Directory, which I’m going to assume that most of you are, it’s going to be, that’s going to be the gatekeeper to your overall recovery process. If you don’t get your Active Directory up back up and running properly, you’re gonna have a really hard time getting anything else up and running. And that’s where our products can actually help. So, let me provide a little context here, using the NIST cybersecurity framework. If you’re not familiar with CSF, it’s a really good way to organize your thinking about, cyber attacks and how you respond to them or how you deal with them. It’s essentially divides the, cyber attack timeline into five phases. The first phase is identify where you identify all of the aspects of your environment that you need to deal with and understand the dependencies between the resources. The next phase is protect. So what do you do to actually configure those systems in a way that makes them difficult to attack, and removes vulnerabilities and and, ways that attackers might be able to get in. The third phase is detect, which is, putting things in place that will help you detect when an attack actually occurs. The fourth fourth phase is respond, which is how do you respond to an actual attack in progress. And finally, the fifth phase is recover, which is you’ve managed to evict the attackers. You understand what they’ve done, and now you have to recover your systems back to a working state. That’s a really good way to organize your thinking around, dealing with cyber attacks. And it actually is sort of the approach that we’ve taken with our products as well. We often talk about it, in, three components really. You know, things you do before an attack, things you do during an attack, and things that you can do after an attack. And, like I said earlier, we tend to focus on the identity system, for our products. But the overall idea here is is the same. These you need to identify all the resources, that you’re trying to protect. You need to configure them in a way that makes them resistant to attack. You need to be able to detect attacks when they occur. You need to have some sort of response in place either automated or through a manual incident response plan. And then finally, you need to be able to recover. So in the, pre attack phase, one of the most important things you can do is, put some tools in place to help automate your, response planning. So you need to understand the dependencies between all the different services. For instance, how everything depends on AD. You also need to develop and store away your incident response plan. So typically, incident response plans have an overall, overarching structure, but then there are components that are are specific to individual applications or maybe individual departments in your organization. Like if you’re in a hospital, the nursing station will have an IR plan that says how do they work when the computer system is not available. And you need to be able to both create those plans, keep them updated, and you have to store them someplace secure. And and let me just say upfront, storing them in SharePoint or in a file server is not the place to store them because the first thing that’s going to go during a a a ransomware attack or any other kind of cyber attack is is your ability to authenticate to AD, which controls your ability to get access to things like SharePoint and file servers. So a lot of organizations will have, some external repository for that sort of thing like, you know, Dropbox or Box or some, some outside file storage scheme. We in Ready1, our our incident response product, we’ve built, a document storage facility. So you can keep that those, critical planning documents, IR plans, securely stored and accessible even when your Active Directory has gone down. In addition to developing all your plans, you need to, figure out who your IR teams are going to be. That’s usually some combination of management and technical experts, who, know how to assess and recover, individual systems and also external contacts might be part of your team as well. So, generally speaking, in any kind of a cyber incident, you’re gonna need to get in touch with your legal team. You will need to get in touch with your cyber insurance provider assuming that you have one, because they wanna make sure that you’re responding in a way that’s consistent, with what their expectations are. And your legal team obviously is there to make sure that you don’t do something that puts the puts your organization in some sort of legal jeopardy. So once you figured out your teams and you’ve got your plans in place, you need to periodically run tabletop exercises or some other kind of simulation. Because just because you’ve written the plan down doesn’t mean, that it works and also doesn’t mean that if it worked once, it’s gonna work the next time. It’s one of those things that you have to continually, exercise. At least go through some sort of exercise once a quarter. At a minimum, I would say once every six months, where you do a full on, tabletop simulation. Part part of that includes maintaining, contact lists and contracts with your service providers so you can get in touch with them to figure out how they can help you in the, response process. And you need to, obtain and define the communications platforms that you’re going to use. Just as I mentioned that, you know, things like SharePoint and file servers aren’t going to be accessible during an incident, that you’re responding to. You also can’t count on Teams or anything like that, that might be tied to your Active Directory, for communications. So at a minimum, you need everybody’s cell phone number, but much better is to have some sort of external communications platform that is not tied to your Active Directory that people can access securely. In our Ready1 product, we have the ability to define, video conference call bridges during an incident that’s completely segregated from your your, normal IT environment. So it’s always available, even during an incident response. Next thing you can automate is, the detection of indicators of exposure or IOEs. This is especially relevant to Active Directory because AD, is incredibly complex when it comes to configuration. There are so many knobs and dials in AD. It’s really, really easy to to get things wrong or even just in the normal course of, day to day administration like adding new users or putting users in groups or creating new groups or changing, GPOs, it’s very easy to move your AD configuration from something that’s relatively secure to something that’s much less secure without even knowing it. I mean, just adding a group to another group because it seems like the right thing to do can open up vulnerabilities, that you really have no notion of at the time because you don’t understand where all of those groups are used and what users are in all of those groups and what sort of rights those groups might convey to all of those users. We have, actually two free products in this area that you might wanna look at to help you, assess your indicators of exposure in AD. One of them is called Purple Knight, which has been tremendously popular. You can download that from the Semperis website, for free. And then there’s another product called Forest Druid, which can, help you understand where all of the potential attack paths in, your Active Directory environment are, which gives you an idea of, when somebody makes a change either to say an access control list or to a delegation or to, group memberships, how that affects, the security posture of your Active Directory. So, you can download those two, tools for free. There’s another thing, that you might want to look at depending on the nature of your Active Directory environment. It’s not uncommon for organizations to have sort of acquired, multiple Active Directories over time either because they built them for specific purposes or more likely because they acquired some organization that had an ADE and instead of going through the effort of, somehow merging those two forests, they just run them in parallel. I’ve worked with customers who have as many as fifty different Active Directory forests and they somehow have to manage all of them and maintain the security posture of all of those, consistently. That’s really, really hard. And a lot of times, if there isn’t a good reason to have multiple AD Forest, consolidating those forests into a single forest or consolidating multiple domains where you really don’t need them, is a great way to reduce the, potential surface area in AD where that attackers might be able to take advantage of. So if you’ve got a very complex Forest and domain organization, you might wanna look at restructuring your Active Directory. We have a product called, Migrator which can help with that as well. So after automating, indicators of detection of indicators of exposure and and maybe restructuring your AD to be more secure and easier to manage, you wanna look at automating, the detection of indicators of compromise and indicators of attack. It’s probably one of the most important things you can do is to put something in place to help help you know when an attacker has actually managed to compromise your Active Directory. And, you can use event logs and a and a SIEM product. I mean, that’s that’s the approach a lot of organizations use. That works but it has some potential liabilities I would say. One is, there’s often a significant delay between an event occurring in Active Directory and that event being propagated and analyzed, in a scene. But even more important, one of the first things that attackers will go after is is the event log system in Windows and essentially turn off the event logs so that once they’ve established themselves especially if they’ve managed to to reach a domain controller, you lose visibility into whatever activity they’re going through in your Active Directory environment. So this is where a product that’s specifically designed for active directory can help because it can generally get you better, more accurate and, more timely results. So, Semperis has a product called Directory Service Protector, DSP. So one of the things it does is it runs a continuous evaluation of indicators of exposure, which I talked about earlier, but it also has the ability to detect attacks on on your AD in real time. So it it tracks, things like authentication activity and replication activity and can detect attacks like password spray attacks or brute force attacks or other authentication anomalies. And as well as changes being made to your Active Directory that might not show up in the event logs at all, using, using attack tools that that inject changes into the replication stream. So automating your your IOC and IOA detection is a really important aspect of protecting and improving the resilience of your Active Directory. After you’ve detected some sort of an attack, having the ability to automate a response is a really good idea. And there are two two aspects to this. There’s the, automating, a sort of a technical response. So for instance, if you detect that, the domain admins group has been changed in some way and that’s not a change that, you want to happen, Automating the reversion of that change, so reverting that, group membership back to what it was before and doing that in an automated timely fashion is really critical because, you want to reduce the exposure or the amount of time that the attackers have, domain admin credentials. And that’s not something you can do manually. You can’t respond to an alert that is maybe several minutes late, and then go go check the group membership and and fix the group membership by hand. So that’s something that you want to deal with, in an automated fashion, by detecting the change and automatically changing it back, which is another feature of Directory Service Protector. But there’s also beyond the the sort of technical response like that, there’s actual automating the incident response activity as an organizational activity. And that’s something again where Ready1 can help. You want to be able to notify the correct team the correct IR team, quickly. You want to get them started with the right event information so they know what kind of incident they’re responding to. They need to have access to all the incident response documentation so that they can perform their jobs quickly and they need some, uncompromised way of communicating with each other, so that they know, what everybody’s doing and they can coordinate their incident response activities. And maybe the most important thing, and this is another thing that Ready1 provides to IR professionals is a log of everything that the IR team is doing. This is critical for generating an after action report, which is something that you normally have to do if you have any, regulatory compliance, issues. But even your cyber insurance provider is going to ask for some sort of an, after action report that describes in detail what all of the IR team did during the incident response. And that’s something that Ready1 automates for you, rather than trying to keep track of everything in Word docs or Excel spreadsheets and somehow merging them together at the end of the day. Ready1 will keep that log, automated log, up to date as the incident response is ongoing. And at the end of it, you can essentially just print it out and have your your, scribe log, your incident response log ready to go to, regulatory agencies or your legal team or or your insurance provider. And finally, and this is one of my favorite topics, is automating, the recovery process. And, primarily, I’m talking about automating recovery of AD, but I’m also talking about automating recovery of data in in, Intra as well. As I mentioned earlier, recovering Active Directory from backup is incredibly hard to do manually, and you need to put some sort of a tool in place. This is both for, timeliness so that you can actually recover your AD quickly, in a way that recover that you can recover your AD maybe in a few hours rather than in a few days. And also so that you can do it successfully because the success rate of trying to recover your AD from backup manually is really, really low. I would venture to guess that if you haven’t practiced an AD recovery, in the last, say a year that you’ve got and you’re trying to do it manually using the Microsoft tools and documentation, you’ve got about zero chance of being successful at it. So AD Forest Recovery is our product that automates the, Active Directory recovery process from backup. And it takes what usually takes days or even weeks. It reduces it to six clicks and maybe an hour or two or for really large environments, maybe a a full day depending on how big your, you know, your Active Directory is. And we have similar kinds of capability for, Entra. So you might think that, well, you know, Entra is a cloud based service. Microsoft manages that for me. Why am I concerned about, recovering Intra? Well, you don’t have to worry so much about recovering Intra as a service. There’s nothing really that you could do about that anyway. But once the attackers have compromised your Active Directory, that means that they have access to your Intra tenant as well through, federated, authentication. And they can start reconfiguring security policies, deleting, user accounts, changing group memberships, and essentially corrupting your intra tenant, to the point where it’s not usable either. So our disaster recovery for Entra tenant is another product that can help you automate the recovery of the data that in your Entra tenant that’s been compromised by attack. So that’s it. That’s the those are the five, areas that you can automate to make your, identity system more resilient That, we talked about, automating the creation of your IR plans, supporting the IR team as they develop that. Automating IOE detection, so periodically evaluating your active directory, or intra, to make sure that the configuration is secure and identifying areas where you can improve the security of your AD. You can do that using free tools that we provide on our website, Purple Knight and Forest Druid. I also talked about automating IOC and IOA detection, so indicators of compromise and indicators of attack. That’s something that you can do with your SIEM. If you take a look at the, that Five Eyes white paper that I mentioned earlier, that would give you a lot of data to, put SIEM rules and queries in place that can help you identify attacks that are in progress. And that’s also something that our Directory Services Protector, product helps with. And then I also talked briefly about automated responses, particularly help providing automation support for the IR team, as they go through the effort of identifying the attackers and evicting them and, identifying what’s been compromised and what needs to be recovered. And finally, we talked about automating the recovery process of AD and, Entra so that if you are faced with the prospect of recovering your AD from backup, which there is a good chance of that happening after a ransomware or other cyber attack, using a tool like, ADFR to automate that can reduce the overall recovery time from, you know, days and weeks to a few hours and maybe overall the whole thing in a few days. So that is those are the five ways to, automate your, automate your help automate your the resilience of your identity platform. I mentioned the two free products that you can get from our website, Purple Knight and Forest Druid. They’re on the slide here. Also, we’ll mention the Hybrid Identity Protection Conference. This is a conference we’ve been hosting for, I think, pre pre COVID. So whatever that is, probably five years now, six years, something. It is a vendor neutral, non non advertising, non commercial conference focused on, how do you protect and recover your hybrid identity environment? Hybrid identity being your on prem AD tied to your, say your Entra ID or or, Okta or something like that. It’s, very technical. It’s very focused on practical, techniques and tools and tips and information. And I’d strongly encourage you to take a look at, attending HIP when you get a chance. The last one we did, I think we probably had about five hundred people in it in, New Orleans for two and a half days. It was a really, really good, or for two days, excuse me. So really, really good conference. And we’ve just announced the next one, which will be in Charleston, South Carolina. And I’ve forgotten the dates now, but it’s towards the end of the year. But check that out on our website as well or also at hipconf dot com. And with that, I’ve got some time, I think, to, take some questions. Yes. Thank you so much, Gil, for that wonderful presentation. We do have some questions in from the audience, but at this time, I do wanna remind y’all, if you have any questions at all, please feel free to type them in, and we’ll get them answered for you by our expert, Gil. Our first question that has come in from Ash is when you talk about tailoring your cyber crisis response plan, what do you mean? Well, that’s a whole presentation in and of itself. But the basic point is everybody’s IT organization is different and the IT resources that you have are different from, everybody else’s. So your cyber response plan needs to be tailored to what your infrastructure looks like and to the, people and skill sets that you have available and the vendors that you have relationships with that you can help, that can help you with the the response process. So, every response plan needs to be developed specifically for that organization and for that, for for your organization and for the, IT infrastructure that you, have to protect. Thank you so much. We also have another question in from John. John would like to know, we have a SIEM solution and monitor event logs. So why would we need to specifically look for attacks against AD? Sure. So the so having a SIEM system and and monitoring event logs for your domain controllers is critical. You need to do that. The problem with, relying solely on monitoring event logs is that, one is that the the event logs on domain controllers often have a fairly significant amount of lag to them. So the, the threat actors may be changing group memberships, but you won’t, that won’t show up in the log until, you know, several, you know, tens of seconds, minutes later, which may not be timely enough for a an appropriate response. But but probably the worst aspect of it is is that, attackers will often disable the logging system or your scene collector, once they’ve managed to land on the domain controller. So at that point you’re effectively blind if that’s all, if those are the only signals that you’re getting. So that’s why something specific to AD that, for instance, can monitor the, replication traffic between, domain controllers or can intercept, network traffic coming in from, outside of the domain controller. Having something like that in place, to help you see what the attackers are doing to your identity system in real time. That’s that’s why event logs aren’t, aren’t by themselves really sufficient. Thank you so much. That makes complete sense. Gil, it looks like that’s about all the time we have. Before we wrap up, is there anything else you wanna mention to the audience? We’ve got some resource links, in the resource tab in that you should be able to see in the one twenty four platform. Definitely check those out. And, I think that is about it. Alrighty. Thank you so much. It looks like that’s all the time we have for today. If we didn’t get to your questions or if you still have one, please put it into the console now, and we’ll get it over to the Semperis team to answer after the webcast. Thank you so much, Gil, for being on with us today, and thank you to the audience for attending. No problem. And, of course, a special thanks to Semperis for sponsoring today’s event presented by Redmond Mag. Thank you again for attending, and have a wonderful rest of your day, everyone.
