In today’s threat landscape, attackers prioritize identity and access management systems such as Microsoft’s Active Directory (AD) because they hold the keys to the kingdom in most enterprises. In other words, compromise AD and you control the organization. That is why modern cyber resilience strategies must focus on AD hardening, monitoring and recovery planning.
In this tech talk, veteran technology journalist John K. Waters talks with Jeff Wichman, cybersecurity expert and former ransomware negotiator, in a revealing conversation about how organizations can better prepare for, respond to and recover from disaster when it strikes. They dig into the real-world challenges and consequences of the threat to AD and offer practical guidance for building operational resilience. You will discover why more and more companies are adopting a "resilience mindset" and learn the steps you can take now to protect your organization’s identity infrastructure.
Key takeaways:
- Why Active Directory is often the first target in a cyberattack
- The critical role of preparation and training in minimizing business disruption
- Which tools and strategies can help detect, contain and recover from AD-related incidents
- Insights from the front line: real ransomware response stories and lessons learned
Whether you are a security leader, an IT professional or a risk manager, this session will help you understand what is at stake and get ahead of the next potential breach.
Welcome, everyone. The event is now live. John, please take it away.

Thank you, Allison. Hi, everyone. Welcome to today’s live tech talk, Achieving Resilience: Strengthening Business Through Cyber Incident Preparedness. This event was organized by the hardworking folks at Redmond Magazine, and it’s sponsored by Semperis, a leader in AI-powered identity security and cyber resilience for hybrid environments. I’m John K. Waters, Editor in Chief of the Converge360 group of 1105 Media, and I am joined today by cybersecurity expert and former ransomware negotiator Jeff Wichman. Hi, Jeff.

Hey, John. Pleasure.

Glad to have you here, man. I’ll tell the folks a little bit about you. Jeff has more than twenty years of experience in information security, primarily focused on the digital forensics and incident response life cycle. As Breach Preparedness and Response Director at Semperis, he has worked hundreds of incident response investigations, from relatively small business email compromises to large-scale ransomware incidents. I am really looking forward to this conversation. But before we get going, I need to do just a bit of housekeeping. This tech talk is being recorded for later access. Keep an eye out for an email with a link to that recording. It’ll be coming your way in the next few days. Our sponsors provided some extra resources you won’t wanna miss. They’re available now on your console. And at the end of our conversation, we’ll have a five to ten minute Q&A. Please feel free to type your questions into the Q&A box as they occur to you throughout the talk. We’ll do our very, very best to get to all of them. Now I’m gonna take just one more second, a couple minutes maybe, to sort of set the stage for what we’re gonna be talking about. In today’s threat landscape, attackers prioritize identity and access management systems like Microsoft’s Active Directory, because they hold the keys to the kingdom in most enterprises.
In other words, compromise AD, and you control the organization. That’s why modern cyber resilience strategies must focus on AD hardening, monitoring, and recovery planning. I’m gonna be talking with Jeff about those strategies, how organizations can better prepare, respond, and recover when disaster strikes. I’ll be asking him about the real world challenges and consequences of AD compromise, and hopefully he’ll offer some actionable guidance for building operational resilience. Okay, my man. My first question for you is why is Active Directory such a high value target for attackers? How has that changed over the years?

You said it right in the beginning. It’s the keys to the kingdom. As organizations put in their levels of controls, their layers of controls, typically you’ve got your domain admins, and they have access to everything. If an attacker can elevate from something simple, let’s use a phishing attack. If I can get simple creds, I am gonna go after Active Directory for gaining domain admin, schema admin, enterprise admin, whatever privileged access I can get so that I can get to more places within the environment. If I come in as an attacker from, let’s use a secretary example or help desk, there are a couple of things in this, going back into the ransom negotiations phase. There are a couple of things that the attackers are gonna look for. They’re gonna look at, what’s the IP? What’s the real critical data that this customer or this client or this company can’t live without? And then what’s their financial information look like? So the two areas I’m gonna go after are usually, depending on the company, IT assets, the technology dumps, or, for any other company, really, they’re gonna go after financial information. It was actually interesting how dramatic the shift was.
When I started doing ransom negotiations, the attackers just snowballed. A hundred thousand dollar ransom, and it’s a multimillion dollar company. They did very little research. When I was done, they had, I swear, people who really looked at the financial statements of the companies. They understood what the revenues truly were and what their profits really were. In the beginning, or, actually, in the middle, I could use, oh, you don’t know how to read our financial statement. That just says our revenue. That doesn’t tell us really what we make. And towards the end, I mean, they even figured that out. This is always a game of cat and mouse, but Active Directory, like you said, keys to the kingdom.

So what would you say in your experience is the most common point of entry attackers use to compromise AD systems?

So, typically, I wouldn’t say it’s a point of entry. Usually, they’ve got a landing target. If it was accessing credentials, they’re gonna go after phishing. That’s pretty typical. After that, there’s plenty of ways. Escalation of privileges, typically, is gonna be the obvious one that they’re gonna look at, and then they’re gonna look at attack paths from that perspective on how they can get to domain admin. If you don’t have your environment structured correctly or tiered correctly, and a domain admin is logging in as themselves with domain admin credentials, you’re caching your credentials. You’re leaving little tidbits behind that the attacker can use to escalate their privileges. It’s a pretty simple game once they see that an admin has logged into a certain system. And if that admin account is across all systems, it’s pretty easy work for these guys and gals, attackers, to make their way through the systems.
I’m wondering about some early warning signs that AD has been compromised that organizations often miss.

The big one that I typically see is in the logs. Someone got added to the domain admin group, even if it’s for a very short period of time. I did a case years ago where, unfortunately, by the time they realized it, the attacker had been in for six or seven years. At night, the attacker would add themselves to the domain admin group, do their work, take themselves out. Something as simple as logging would have caught that and raised the alarm. Granted, logging is somewhat more passive, whereas if you have the right tools and technology in place, you can get alerted really when it’s happening. So someone gets added to the domain admin group. There’s a rule or an alert that shot off to the security team saying that an account was added to the domain admin group. And then if you get really funky, you can have that change reversed. It’s not instantaneous, I don’t think, in a majority of cases, but you’re saving yourself, you could be saving yourself millions of dollars by having that user removed from AD in the event that it’s a malicious attacker. You don’t wanna give them too much time because, like I said, they’re very quick.

Okay. So what role does privilege escalation play in AD related breaches, and how can companies detect it early?

That one’s somewhat complex. Privilege escalation, it’s always out there. Locking down your credentials. We know what that is. Right?

Do we have to define privilege escalation?

So privilege escalation is, I, as a general user, am looking for a way to escalate my privileges to, like I said, domain admin, schema admin, whatever. If you don’t have your Active Directory cordoned off, sectioned off, or tiered off, and as an admin I can log in to any system, it makes it easier for the attackers.
Like I said, it makes it easier for the attackers. To do it right, there’s a lot of work behind it, but the value behind that work pays for itself in the end. If you have your tier zero assets, your most critical systems, locked down, and only systems within tier zero can access tier zero systems, it makes it much harder for an attacker to get in. Granted, your IT admins now have to have a system specifically set for them in tier zero that they can log into, rather than having my general workstation being able to reach into tier zero. Because if I can do it from my system and reach into tier zero, it means an attacker can as well. So if you tier off your systems and build the correct structure around it, typically what we see is three different tiers: tier zero, most critical; tier one, critical; and then tier two is basically everything else. It’s the crown jewels example. Mhmm. You protect those crown jewels as best as you can, and isolate anything trying to get to them, and if you do it right and you see something else trying to get into tier zero, you automatically have an alert that something is wrong. If a domain admin is only supposed to access the system to manage, let’s say, AD, or touch a domain controller from a system other than their tier zero asset, it’s an alarm. You’ve got something going on in the environment that needs to be looked at.

So when we were talking before, you mentioned the resilience mindset. What does that look like in practice for a modern enterprise?

Assuming breach. Assuming breach. So, yeah. You have to operate, at least in my mindset, in the mindset of you’ve been breached. How do you protect and cordon everything off? Being resilient from that perspective is by having that tiering model correctly deployed, everybody using it, especially the critical people, who really are the ones who are gonna be impacted.
Having them buy in and only using it this specific way. And then the other part, it kinda goes back to a discussion I had with a vendor that does basically greenfields. They help clients recover from incidents, and they rebuild everything from scratch. Why do they rebuild everything from scratch? Because ninety percent of the backups fail. Oh, jeez. If you are not testing your backups, and truly testing them, from it’s on tape, we’ve restored it, we’ve been able to access it, you’re not going to make it. Yeah. And then even, a lot of times, I see organizations having very detailed disaster recovery plans for financial systems. If we don’t have this financial system online in x number of hours, we’re doomed. But rarely do I ever see someone saying, if we don’t have Active Directory back online, when typically you need Active Directory to get into that financial system. Active Directory, it’s the keys to the kingdom. It’s literally the first thing that needs to be protected and the first thing that needs to be restored. So the quicker you can bring back Active Directory to the latest specific backup of Active Directory, the better off you’re gonna fare. One, you’re going back less in time for changes that have happened. If you are backing up a full domain controller, putting that server operating system back, doing a recovery, takes a lot longer than taking a backup. So if you are restoring from tape, disk, whatever, back to disk, it’s gonna take you some time. But if you have the ability, such as with ADFR, Active Directory Forest Recovery, we’re only backing up Active Directory itself, the critical components of Active Directory. So while you’re going through your disaster, you could deploy a new server and then restore that Active Directory component back onto that server, and your Active Directory is back in place.
Obviously, you wanna do some cleanup in there, because that’s important. If the attacker has been in there, you don’t wanna put it back. I’ve seen that go sideways too many times, where an organization recovers back to what they believe is a good set. Attackers are crafty. They’ve got something hidden back there, and you wanna try to lock it down as best as you can, not just kicking them out from an access that you know they’ve had. You wanna try to identify other access they might have had.

I guess it almost sort of goes without saying that, and I don’t wanna put words in your mouth, but you would encourage people to be proactive rather than reactive when it comes to AD security. But how does an organization make that shift?

Testing, training, and assessing. There’s a fine line. So from an assessment perspective, get a review of what Active Directory looks like, figure out where your weaknesses are, and I can guarantee you have weaknesses whether you realize it or not. And I would say, and this is kind of my head saying it, ninety percent of the time, your IT team either knows about a risk but has overlooked it just because they are so used to seeing it, and so used to believing that the business will say, we need that functionality. Having an outside party come in and look at something and saying, while you might think this is really necessary, this is super risky. Sometimes that’s all it takes to get the momentum moving in the right direction. And then testing and updating. If you do disaster recovery exercises and validate that you can restore a server in x amount of time, how often are you doing it? Are you documenting that you’re doing it? Are you identifying the nuances that need to be updated in your plan?
Does your plan contain everything that it needs to? Like I said earlier, you’ve got what the financial team needs for their specific systems, but do you have the details for Active Directory? Right. And then most importantly, how can you start moving into a tiered model where your organization has more protection? If you look at an organization that is correctly tiered, and admins only use tier zero assets to access tier zero assets, if an attacker gets in, what are they gonna do? They’re gonna damage the endpoints. Yes, that will slow you down, but it won’t put you out of business. I’ve seen too many companies literally go out of business because they lost access to their information.

Okay. So these practices you’re talking about, I would say it’s fair to say, reflect a mature organization when it comes to cyber incident preparedness. Is there anything else that would characterize a mature organization?

Oh, that’s a tough one. I’ve seen what I had assumed were very mature organizations that have something that is overlooked. Sure. Sure. Look at, oh, yeah, it’s on the screen now. I thought I saw it. CISA. CISA, they were what I call the golden, they made the rules of what it is to protect data. They got compromised. If an attacker has the will, they will get in. How much damage they do, that’s up to you. I think CISA was pretty mature, and hopefully, knock on wood, had everything locked down in pretty quick order. But there’s nothing to say that you are a hundred percent guaranteed that you will not get attacked. It’s gonna happen. It’s just a matter of when.

So that brings me to, what would you say are the biggest misconceptions companies have about their ability to recover from a breach?

Backups work. And it’s not a bash on the backups.
But you’d think, if we’ve been doing backups for as long as we’ve been doing backups in IT, that we would have a hundred percent win rate, but that’s not the case. Attackers know where backups are. If you do have good backups, they are going to destroy them. And then if you have off-site backups, you need to wait for those backups to get back. The clock’s ticking against you. You can’t do that in the health industry. You can’t rely on tape backups being shipped back to you so that you can recover your operations. It just wouldn’t work in health care. Yeah. It’s a tough one. There’s no guarantees. Yeah.

So which tools or platforms do you recommend for real time monitoring and anomaly detection in an AD environment?

So specifically revolving around AD, any type of SIEM. You can take Microsoft logs and pump them to syslog, any system. Building the correlation, making sure that it’s always working, that’s a big piece. The real time monitoring and, I’ll call it, counteractions, something like Directory Services Protector, where it’s monitoring the changes that are being made within Active Directory, and it’s not doing it based off of logs. It’s doing it based off of the replication stream. So, the thought process being, with a background in forensics, if I gain access into something, the first thing I’m gonna do is destroy the tracks that show that I got in. So I’m gonna go into the log system. I’m going to destroy the logs. If I can do that before the logs make it to the syslog server, I’m effectively still in the dark doing what I wanna do. That’s where pulling it from the replication stream with DSP comes in: the attacker can go and destroy the logs all they want. We’ve already got a copy of it.
And then having that ability to restore that, or restrict that access, take that access away from an attacker, that’s the other big piece. Honestly, in this day and age, disk space is cheap. So cheap. You should be able to send your AD logs, even if it’s just your AD logs, and have auditing turned on and set correctly. You should be able to catch the anomalies. If I log in from Tokyo and then fifteen minutes later I’m logging in from New York, something’s amiss. Something’s not right.

That’s right. It’s the impossible, I think we used to call it the impossible travel syndrome.

Oh. You can’t travel that far that fast. There’s no reason you should be logging into it. Granted, if you have some VPN service that you’re using, it might bounce you around like that. Mhmm. But at the same time, if I’m logging into my corporate system, I should be using the corporate VPN, not another VPN. So it should be always, or not always, but for the most part, pretty static where I’m coming from, unless I travel a lot, but then it’s the impossible travel.

Right. I love that phrase. So how important is segmentation within AD structures to mitigate blast radius in an attack?

It means everything. If I can’t get to tier zero, the crown jewels, I can’t do damage to it. I can take out your help desk. I can take out your users who access the data, which is, I mean, somewhat impacted by the blast radius. But if the data is intact and the attacker didn’t, a, exfiltrate it or, b, encrypt it or, c, destroy it, you still have a leg in the game. You still can recover quicker. Even, from a perspective, if an attacker encrypts everything around it, if AD is still there, you still can get some of the information back. Or let me phrase this differently.
If I, as an attacker, destroy your environment via an encryption event, I still have organizational backups that I can recover to. Granted, it’s still gonna be a little bit slower. I can bring those files back. I, as an organization, and I keep using I as every person in here, so I’m attacking myself. But if the organization has the ability to do what we call greenfield, that is, build everything new, everything starts from scratch. I rebuild all my servers. I rebuild all my users, all my new groups. Now I have to go and manually figure out what the permissions are on all of those folders, all of those settings, and I have to put them back in. And it’s not one to one, because if I build a new environment, I get a new SID. Everything starts from scratch. All the ACLs are different. However, if we do brownfield, where we bring back Active Directory, we clean Active Directory. All the users are still there. All the groups are still there. All the permissions, well, the permissions are on the files, but the SIDs have not changed. So now we put that AD back in place, and all of your files are accessible with the same user accounts, same group memberships. You’ve taken weeks and months’ worth of work for greenfield down into days, possibly, with brownfield. And that’s where I see the biggest bang. Honestly, that’s what brought me here to Semperis.

Really?

Yeah. One of the last cases I did from a digital forensics perspective, the client decided they were going to greenfield everything. And they were down for, I wanna say, about six months. Oh god. Yeah. Yeah. And it was a critical industry. It wasn’t something that is easily manageable via paper. They made do somehow. I still haven’t figured out how. But if they would have been able to recover Active Directory and put the controls back in place on all the files, because they had all the files. Yeah. They did it by choice of, we wanna rebuild everything.
I think a big piece behind it was also that the admin left in the midstream of the incident. Got it. Which is, I mean, the unforeseen, and that’s always my worst case scenario in the middle of an incident: your critical person who knows everything about your environment decides, I’ve had it. I don’t wanna do it. And they walk away. There’s nothing you can do to bring them back. Yeah. You basically choke yourself out. Yeah. And when I got to Semperis, one of our first IR cases, or identity forensics, we were working in conjunction with an IR firm. The IR firm was working on containing and deploying their tools to the endpoints. We got contacted on a Friday night. We were engaged. We got a backup of Active Directory. They had one domain controller that was still functional. By Saturday evening, we were ready to roll that Active Directory back into production in a more secure state. And the IR provider was like, we’re not ready yet. We haven’t got containment on our side completely. So we were ready to roll this customer back, and they had about five thousand users, which is a pretty typical case. We were ready to roll them back into production in about twenty four hours. I think, ultimately, it was Sunday night. We rolled them back, obviously, working in conjunction with the IR vendor. And I sit back and I kinda thought about it. Granted, there were two very different industries, but the user makeup was about the same. And one took six months and one took a weekend. Okay. Yeah. I mean, you do the math on how long you wanna be down. Right. Right.

Okay. So what’s your perspective on automated response systems for ID based threats? Is the tech mature enough?

Yes. I think the tech is. Obviously, you have to do some very fine tuning. You gotta make sure that you have a way out.
Typically, what you wanna do in those cases, though, is you’re not fully automating IR or, yeah, identity remediation, I’ll say. Right. You are building a baseline, just like, trying to think, user anomaly behavior back in the day. You had to build a baseline before you could put it into production, same as an IPS. You gotta build a baseline of what you’re doing. So if you bring in automated detection and remediation from an AD perspective, you gotta give it a little time to learn what’s right and wrong. You also have to have your critical admins that you know have access. You know they are part of that group. That’s a pretty easy one, though, the domain admins. You know who that group is, and that’s a pretty easy one to shift into place of, like, this is the group. Leave this group alone. Don’t let anyone get added to it. If someone does get added and removed, they’re gonna know real quick. And typically, the identity team’s gonna know right away, like, oh, yeah, we need to add that person manually to the remediation system so that they don’t get taken out of the group right away. But, yeah, I think the identity automation is in a good spot, at least from the remediation perspective. Obviously, there’s always gonna be something out there that can catch you, so you have to have what I call the get out of jail free card. You have to know something’s gonna go wrong. And then, what I would say is the most critical: if you do have automated remediation, don’t join it to the domain. Because if it aggregates all of it and they put in rules to remove everybody from a domain admin group, you’re using your tools against yourself. Right. So sometimes, and, unfortunately, we’ve run into these cases, a customer has this great idea on putting this x y z in place.
And then, unfortunately, they don’t think about the repercussions of what an attacker will do with it if the attacker gets access into it.

Right. So, we’ve talked a little bit about this, but I just wanna double check on this. What are your thoughts on backup and restore strategies specifically for AD? I’m thinking, what works, what doesn’t.

Backing up the bare minimum of Active Directory is what’s important. You wanna detach it from the operating system. If I get the entire operating system, you’re talking gigs upon gigs of data that I have to back up. And, ultimately, if there’s an incident, I have to restore that. Whereas if I have the Active Directory critical components, GPOs, those critical assets, I can take that and put it down on a new server in isolation and do the cleanup, fix vulnerabilities that might exist within Active Directory. I can get there a lot faster. I still think backups are very important, of general operating systems and the data behind them. I don’t know if the operating systems are as critical anymore. I think the more critical backup is just the data. But that’s just me. I can do an install of a server faster than I can do a restore of a server. So I look at it from the perspective of, I only wanna capture the very critical data, and I wanna be able to put that down on whatever I want. So if I wanna go from, I don’t know, a 2008 R2 server, and I wanna go to, I don’t know, 2024, whatever the latest and greatest is, I should have that option without having to worry as much about, oh, well, if I do this, I’m gonna run into this issue. Because if it takes manual work, I have to get involved and make manual tweaks and manual settings, then what’s the point? It should be agnostic to what I’m putting it back on.
So you worked as a ransomware negotiator, and I’m just wondering, what’s the most surprising thing you’ve learned from those experiences?

Attackers are evil. They don’t care. And I chuckle a little bit when I say it. The attackers are vicious. They know what they’re doing, and they don’t mess around. Some of them are downright, I won’t say it. They’re just evil people. I look at it from the perspective of, if I was a malicious person, would I willingly attack a children’s hospital knowing that I could kill someone? Right. And not care about it? I’ve had so many cases where it’s been in the health care industry, hospital, children’s hospital, whatever. And talking to the attackers, they’re like, we don’t care. Give us money. And to me, that just doesn’t compute in my head. It’s like they don’t have the morals, and they don’t have a heart. Maybe it’s because I have kids, but I can’t imagine attacking something and demanding money and extorting money out of something where kids are at risk. It just doesn’t compute in my head. But attackers, they don’t care.

Yeah. It’s a special kind of bad. Mhmm. Hundred percent. So I’m wondering, how do attackers typically move laterally once they’re inside an organization’s identity infrastructure?

Yeah. So, typically, what you’re gonna be looking at from that perspective is an attacker is going to do some kind of reconnaissance in the environment, figure out who the domain admins are, who the critical people are, who’s got access, and they’re gonna go after those accounts. There are a number of tools out in the industry that can highlight that type of information. Forest Druid from Semperis is one of those. We look at it from a defender view.
And, basically, what you do is you run it against Active Directory, and it tells you all of the little paths that you could take to get from a general user or general system into a tier zero asset, a domain admin, or high value target, as we call it. What we typically see the most is your help desk. Your help desk is the Achilles heel. I, as a help desk individual, have to be able to reset passwords for anybody who calls me. Well, if I’m a domain admin, should a help desk person be able to reset a domain admin’s password? Help desk is generally a regular, elevated permissions user. But should they have the ability to change a domain admin password? There should be some type of separation there where the help desk is now considered tier one, tier zero, where they have a secondary system that can only identify with the identity management system for resetting passwords, and building in that layer. This is probably one of the most common things I see in our reports, the help desk attack.

So I’m wondering, I mean, this comes up in a bunch of different contexts, but how critical is cross team collaboration? I’m thinking between IT, security, and leadership during a cyber incident.

It means everything. Yeah. I’ve been in situations where IT was running the show, and if they’re not updating the leadership team in a timely manner, the leadership team would come to the IR group and ask what’s going on, why aren’t they getting updates. If there is not communication across all of the spectrums that would be required, when I say that, I think of risk, compliance, executive leadership, sometimes finance, even HR, and IT, of course, because IT is doing the legwork. If there’s not cross team collaboration with that group, typically it’s a lot harder to work with, more prone to failure.
And my biggest worry is always: is the IT team truly telling executives what is going on, or are they trying to save face? In almost every case I've walked into from an IR perspective, it takes a lot of effort to tell the IT team that we are here to help. We're not here to point fingers and assign blame. We're here to help you fix and recover. But sometimes that message never made it to the leadership team. And unfortunately, those were the ones where things weren't fixed. Things weren't corrected. They weren't given the budget they needed to make things truly right, and they would call us back in a couple of months.

So what kind of training should companies provide to help their employees recognize and respond to ID-related threats?

There has to be some type of security awareness training, obviously, in just about every organization by this point. And if there's not, please get some in place. From the user perspective, yes, it's boring. Yes, it's a pain to go through on a yearly basis and recertify that you know what to look for. Employees should be tested with phishing exercises, as well as from an internal perspective, with organizations doing attacks against themselves: bringing in a red team, having the red team start with an asset internally and see what they can do. If you don't assess and you don't train, you are bound to get the worst experience in the IR world.

So we were talking about AI before we logged on. And, of course, everybody's talking about AI. How do you see the role of AI evolving in the context of ID threat detection and response?

It's critical. AI can act a lot faster than I can. I'm not saying it's going to replace people. I think it's going to be, as I mentioned when we were chatting, my assistant. I use it from a perspective of helping me do my job better.
If we can take AI and look for the common scenarios and attack scenarios, it's just going to make us a lot stronger and a lot better at protecting our assets. However, at the same time, attackers are going to be using AI to beat us. My perspective is that whether we win or lose, what's going to matter the most is who's using it first and figuring out the right way. And time will tell.

Okay. Maybe the last question I have for you, and I often ask this: what piece of advice would you give to companies just starting to take cyber resilience seriously, particularly around AD?

Do your diligence. Don't just talk to a single company about what it means. And then I would say the second piece is, talk to organizations that have tools available for download that you can test out and kick the tires on. I mentioned Forest Druid. Forest Druid is freely available on the Semperis website, as well as Purple Knight. Purple Knight is a tool that any organization running Active Directory can download. It does not phone home. The most we're asking for is your email address, so we know you downloaded it. Run it against your environment. You will get some surprising results about where your weaknesses are. That's the first step: identifying your weaknesses and acknowledging that they're out there, and not turning a blind eye to what's out there. You have to start taking action, even the minimal stuff. And then, of course, if anyone wants to reach out to me, I am more than happy to jump on a five or ten minute call and see what I can help with. And then, and this goes all the way back through all my IR days: please do not wait until Friday to call your IR provider. If it happens on Monday, don't fight it. Don't assume that you're going to be able to do it. Get your IR provider involved early, and typically you're going to get a lot better result.

That's great advice.
Okay. Well, that's all the questions I have for you. Let's get to some questions from our attendees. I want to remind everyone that you can type your questions into the Q&A box at any time. We'll do our best to get to all of them. We got a... gosh, we got kind of a bunch here. Let's start with this one from Al, who's wondering: what is IFIR, and how does it differ from DFIR?

Yeah. That's a great one. Identity Forensics and Incident Response. Digital forensics and incident response is a very big gamut of what an IR firm is looking at. They're looking at Windows systems, Linux systems, Mac systems. They're looking at artifacts on the endpoints. They're looking at server logs, network logs, firewall logs. They have a very big space that they're working in. Typically, they had specialties. Before doing IR or doing ransomware negotiations, I was in Windows forensics, a little bit of Linux, and then log analysis. Those were what I would call somewhat specialties. This is, I wouldn't even call it a new branch. This is where we are very focused on protecting the identity and figuring out what the attacker might have done from the identity perspective, so that you can recover your identity stores in a faster, safer, more secure environment.

Okay. Here's one from Jake, who's wondering: what if hackers get to the weak spot before I do?

Yeah. That's always a tough one. If the attackers get there before you do, unfortunately, it's part of the game. And I don't mean game in a negative connotation. It's part of business, the way I look at it. Organizations are going to find their weak spots and correct them, or the attackers are going to find the weak spots and attack them. If an attacker gets there and attacks it before you do, it's nice to have a backup so that you can recover and clean and fix.
Whereas if you don't have anything in place, the attacker has a couple of options. The attackers are going to look at ransoming your environment, stealing your information, or shutting you down. That's really what it is. Oh, well, I guess there's the alternative, which I don't think I've ever seen, which is the attacker leaves you alone. If the attacker leaves you alone, that would be odd. That would be really odd. But in the grand scheme of things, you have to do something and try to get ahead of the attackers. I'm not saying anyone's ever going to get all the way ahead, but steps have to be taken. It has to be a process. It's not something that's one and done. The way I look at it is, if we do an assessment against the company's AD and they take action and fix everything that we told them, in six months something is going to happen within that environment that either makes a new vulnerability pop up or something else. A new domain admin gets brought in and changes a setting that makes it risky again. It has to be iterative. It has to be continually looked at. And who knows? Maybe even making a change to secure something opens up a new weakness just on its own. So you have to keep looking.

Makes sense. Okay. Willow was wondering, pointing directly to the title of our talk today, how can small business strengthen business through cyber... oops, somebody yanked it away... through cyber incident preparedness. So line this up to small business, I guess.

Yeah. From a small business perspective, if you have a small business, you're either running an on-prem AD or you're using Entra and you have it set up there. The tools I mentioned, Purple Knight, Forest Druid, these are tools that are out there and available. You download them and run them, and see what they tell you.
If you need help with Forest Druid, I'll give the caveat that Forest Druid has a steep learning curve. It will take some time to understand and view the data. But any organization has the ability to download these tools and look at them. If you don't have IT staff and you don't have people who know, sometimes it's best to work with, how do I want to call it, a managed service provider, a firm that handles these things for you. One piece that comes to my mind is Active Directory in the AWS Marketplace. You can pay for Amazon to manage your AD. Typically, they're going to take care of the vulnerabilities and look at your weaknesses. I would imagine Microsoft has something similar, but there are plenty of opportunities out there that, if you do a little bit of work on trying to identify what's out there for the small business, can take you a long way. And again, Willow, if you're out there and listening, feel free to email me, Jeff W @ Semperis dot com. If you can't find anything, I will see what I can do, and I'll help you.

Thank you. So speaking of advice, Cora is wondering what advice you can give to someone who is just going into cybersecurity.

Yeah. That's a good one, Cora. Prepare. And I know it sounds generic. There are so many different avenues that you can take on a journey into cybersecurity. You've got red teams, vulnerability. You've got research. You've got digital forensics. You've got incident response. You've got Linux. You've got Windows. I would say find what truly pulls at the heartstrings, what you really get enjoyment from, and I really mean that: what you get enjoyment from. I looked at logs, and originally, I loved digging into logs and figuring out what the logs were telling me. Fast forward ten years into my career, and if I had to look at a log file, I did not like it anymore.
Find what your passion is and go after it. And there are plenty of resources out there for anyone to get an understanding, I'll call it a basic-level understanding, of cybersecurity. Breaking into the cybersecurity job market is sometimes a little bit more daunting. Of course, the same goes out to you. If you have problems, or if you need any specific insight, or you want some specific help, please reach out. I'm more than happy to even jump on a call and talk to you.

You're a generous man, my friend. Okay. We've got a, kind of back to the grind here, question from Perry. He was wondering, Jeff, what are the biggest challenges of recovering AD to a secure state?

The biggest challenge, I would say, and I'm going to put a spin on this a little bit. The biggest challenge that I think exists is that organizations will bring back AD on a live system. They won't isolate it. They won't bring it back into a virtual lab that has no connection to the outside world and then do their cleanup. They bring it straight into a production environment. Think about it. I've been through this so many times, and it was unfortunate, where organizations would just recover to the same system. We're going to blow this one away, and we're going to use that same disk LUN. We're going to restore that server to that disk. And they would just start putting the OS and everything back down on it. And lo and behold, the attacker's still in the environment, or, and I go way back to the Nimda days and Code Red, the worm is just continually spreading. So the minute that system comes back online, if it's not patched and not secure, boom, attackers are already on it. Bringing it back into isolation, running Purple Knight on that isolated instance of Active Directory, getting an idea where your vulnerabilities are, and starting to take corrections, that goes a long way.
And then I think the biggest fear, and it's more of a fear, on recovering Active Directory is what breaks if we make a change in isolation. I look at Active Directory experience in the world. I think we have the most MVPs from Microsoft on Active Directory alone, from a research or security perspective, whatever it might be. Find your experts, and they can give you a lot of guidance. The Hybrid Identity Protection Conference and podcast series that's on this page here as well is a great resource for understanding other aspects behind AD and recovery. But, yeah, I'd have to leave it at organizations not understanding how to bring Active Directory back in a safe and secure manner, as well as having the tools for doing the assessment.

Well, my friend, that's all the time we have for this episode of our tech talk, Achieving Resilience: Strengthening Business Through Cyber Incident Preparedness. I want to thank Jeff Wichman for an informative conversation, and many, many thanks to the folks at Semperis for making this conversation possible. Jeff, this was fascinating. Thank you so much.

Loved it. Thanks for having me.

And thanks everyone for attending, and have a great day. Cheers.
