Cyberattackers are experts at finding ways through your defenses and into identity systems such as Active Directory. From there, they can move laterally, escalate privileges, access sensitive resources, and inject malware or ransomware. Implementing a layered defense that includes identity threat detection and response (ITDR) is key to protecting your operational resilience.
In this on-demand session, Alexandra Weaver (Senior Solutions Architect, Semperis) shares:
- Best practices for a strong layered defense
- How layered defense has changed over time
- Why ITDR is now an essential part of a strong layered defense strategy
- How a layered defense can help you fight attacks designed to evade traditional defense methods.
Hi, everyone. My name is Annie with Redmond Mag, and I’d like to thank you all for joining us. The topic of today’s webcast is Building a Layered Identity Defense sponsored by Semperis. Before we begin, I’d like to cover a few housekeeping details. We will have a Q and A session at the end of the event, so please ask any questions you may have in the Q and A box on your console and we will answer them as we see fit. And Semperis has provided some resources which correspond with today’s event, so please take a moment to check those out as well. And today’s webcast is being recorded, so keep an eye out for a link in your email to rewatch the presentation or share with a colleague. And now I’d like to introduce you to our speaker. Today, we have the pleasure of hearing from Alexandra Weaver, Solutions Architect at Semperis. So we are in for a great event. And with that, I’ll pass the time over to Alexandra to get us started. Great. Thank you, Annie. So as Annie said, my name is Alexandra Weaver. I am a Senior Solutions Architect with Semperis, and I have about twenty years’ experience in Active Directory. I started in the federal government space as a contractor, then worked at Intel and Nike. And now I’m at Semperis, and I have been here about four years. So today, I’m gonna talk about a layered defense in cybersecurity. And we do have a Q and A session at the end, but feel free to pop any questions you might have in there as well. So the agenda for today is the evolution of layered defense. We’re also gonna talk about why ITDR, Identity Threat Detection and Response, is vital today to a layered defense. We’re also gonna talk about the components of an ITDR solution. And, really, the missing R in both Active Directory and Entra is recovery. So my new terminology I wanna start to put out there in the world is ITDR squared. I want it to be response and recovery for ITDR solutions. So the evolution of layered defense. We started out with XDR. Right?
And we all know that’s extended detection and response. And then this has evolved into ITDR, the Identity Threat Detection and Response. We’re gonna talk about what that looks like and how that has evolved over time. And if you think about it, it really does make sense because our identity store, Active Directory, is, what, twenty years old, and it’s gone from purely on prem to now in the cloud. And if you think about it, when Active Directory started out back in the day, it was purely on prem, and there wasn’t even the cloud to consider. So now we have a myriad of things. Not only do we have Active Directory in the cloud, we have applications in the cloud, and everything ultimately relies on Active Directory. And that’s why we’re talking about a layered defense or a layered security strategy in protecting our identity store, which is Active Directory. So there’s the three pronged approach in this layered defense. The original concept was really the defense in-depth. Right? And that encompasses the physical defense. And that’s what controls or physically limits access to your system. So your data center, you have, you know, badges and security. Right? Then you have your technical defense. That’s your software, controls that are in place. And then the administrative defense, that’s your processes, your procedures, your policies. Again, that’s all encompassed in the DID, the defense in-depth. Then we have the technology layers, and we have the EDR. So we have the endpoint detection response. And that’s protecting endpoints, like your workstations, your servers, your mobile phones. And that’s really protecting against malware, fileless attacks, that’s a hard one to say, and advanced persistent threats, APTs. Those are important. And then you have the XDR, your extended detection and response. And that’s integrating data from all over a myriad of different layers and giving you a unified view of your threats. Right? 
Now then you have ITDR, your Identity Threat Detection and Response, and that is focusing on the identity. And that’s critical because that’s at the heart of your organization. The identity is what attackers are after. The identity is the foundation for zero trust. The identities are also if you think about what attackers are after is that identity because that’s the foothold into your environment that they need. Right? So most compromises, I think it’s, like, ninety percent start with the identity. So we know what they’re targeting. And now we, as security and AD administrators and network administrators, have to work like heck to protect our identities. So we have the layered identity defense. We have the defense, the detection, the response, and the recovery. And what we’ve done a really good job at historically, well, I would say a decent job, is defending. Right? Because we have different solutions in place. Right? And, hopefully, they are able to detect. That detection gives us the time to respond. But what we might not have in place is the recovery and, really, the fluidity between all of these solutions working in conjunction to not only protect your environment, but protect it at all phases of an attack. And I’m gonna talk about that a little bit later. So in this slide, we’re talking about EDR to XDR. And that’s a hard one to say. That endpoint detection and response, the migration moving towards that extended detection and response. We know that endpoint detection and response monitors and responds to threats on individual devices, you know, mobile, laptops, etcetera. And it’s critical to have that endpoint security. We have to have that. Then we have the extended detection and response, the XDR. And that’s a relatively new sort of solution because it’s taking, data from all sources within the stack. Right? It’s taking it from cloud and elsewhere and giving us, hopefully, a unified view. Right? But it’s still relatively new, and it’s growing. 
So I wouldn’t say it’s solidified and something we can completely count on, yet it’s getting better. And that’s exactly what we are after, is getting better. So you can see the migration that’s happening here from endpoint security, from monitoring, to the ability to not just monitor but to detect and then remediate. So we can see the path that we’re going down, and we’re definitely going in the right direction. And they all have to be used, this EDR, the endpoint detection, the XDR, the extended detection and response, and ITDR, Identity Threat Detection and Response. They have to be used together. That’s the beauty of the products because when they’re used together, we can protect our entire environment, and we can protect it better. This is really the layered part of your security strategy. And there is a question in here and I have to answer because I really like it, it’s a great question because it targets exactly what I’m after is: Why has identity become such a critical element in defending against modern cyberattacks, particularly in cloud based environments? Because identity, ninety percent of all compromises start with identity. It’s the foothold that the attacker needs into your environment. So think about ways in which you wanna infiltrate, right, an environment and get in. The identity logging in is that very first step in a cyberattack. It’s logging in. And the way in which they can do that, they being criminals, because they are cybercriminals, is gaining someone’s identity. So when we see things like disabled accounts or service accounts with weak passwords, you’re really opening yourself up in having those two things as not as tight and as secure as you could. So identities are the foothold, and they’re exactly what attackers need to get in, and they’re an easy target. Think about password sprays, brute force attacks. Those aren’t always detected as easily, as quickly as they should.
So those are some reasons as to why, and that’s an excellent question. So now we’re talking about the migration here that’s happened, and so we’re focusing on Identity Threat Detection and Response. And, really, that’s gonna be the key because it all comes back to identity. And identity is the foundation for zero trust, right, where you’re doing that checks and approval process of, yes, you are who you say you are. And that’s the foundation because we wanna have multiple checks in place. Right? So Identity Threat Detection and Response, it focuses on detecting and responding to those identity based threats. And it’s essential to protect your user identities and the identity store, and that’s Active Directory. It complements EDR and XDR, and it can detect attacks that bypass traditional monitoring. I think that’s really important. We wanna look at what ITDR solutions are at play and how they see your environment, and what do they see in your environment. Are they allowing for auto remediation? In some cases, you know, that can be critical. That can be a lifesaver. So what can the products do for you that you won’t have to do yourself? And, also, where are they at, each stage in the life cycle of an attack? We really want an ITDR solution that enhances the overall security and the operational resilience. And this is a quote that is from Microsoft, and I think it really hits home because it says more often than not, attacks like ransomware are the second stage predicated by an identity compromise. In fact, all you need or excuse me. All you read the attention grabbing headlines, you’ll find that most novel techniques rely on compromising that identity first. So, again, that circles back to the importance of identity because that’s what attackers are after. So complementary roles in cybersecurity, the layered cybersecurity defense strategy, that’s incorporating multiple solutions for a comprehensive protection.
So that’s really saying if we have a layered security strategy, if one thing fails, and by that, I mean, fails because a cybercriminal was able to circumvent that protection mechanism, there’s something else at play that’s gonna help and stand in their way and prevent them from getting further in our environment. The EDR, the endpoint detection and response, monitors and responds to threats on endpoints. Right? So that’s protecting the endpoints. We definitely need that. That’s critical. But we have to look at what’s next. Right? Then we have the XDR. That’s the extended detection and response. That’s a broader view because it integrates multiple security products. We still need something that’s focused truly on the identity, and that’s the ITDR solution. Right? That’s the most common attack vector. So we wanna make sure we are protecting our identities, our identity store, and, generally, that’s Active Directory. And whether that’s on prem or it’s in, I almost said Azure, or it’s Entra ID, everything originates from AD. So that’s why it is so critical that we protect Active Directory. If you think about all the dependencies in your environment, I guarantee you they’re all gonna circle back to the identity. They’re all gonna come back to your identity store, Active Directory. It’s the keys to your kingdom. It is absolutely the heart of your organization. Just a quick side note. I think it’s very interesting when folks say, you know, technology is independent of the business. My answer is without Active Directory, you would have no business. We are the business. So it’s a little plug for, I hope everyone has a seat at the table, to discuss these things that are very important. So this is a quick little quiz or, I don’t wanna say trivia, but a quiz question to find out what solutions you folks out there have deployed in your environment. So what solutions are you including in your cyber defense strategy?
Are you currently using any endpoint detection response products? Are you using any XDR, the extended detection and response? What about ITDR, Identity Threat Detection and Response, or a combo for D and E? I’d be really curious. I’m gonna give you a minute to answer that. Okay. Alright. And it looks like there’s some good combinations of what’s going on out there, and so it’s nice to see. I’m glad that folks are using products I know, you know, to help protect their environment. I know it’s not always easy to get these products in place. Okay. So most folks are using XDR. Alright. I’m glad to see the ITDR, though. That makes me happy. As an AD administrator, that makes me, former, I guess I should say, AD administrator, that makes me happy. So we’re gonna talk about why ITDR is so vital to today’s layered defense. Hopefully, I’ve really been able to hit home my point that the identity is exactly what cyber criminals are after. And you can see that in a lot of the headlines and a lot of the attacks that are happening and the ways in which these attacks happen. So Active Directory is definitely in the crosshairs. Right? It’s a prime target for cyber criminals. And, unfortunately, cyber criminals are increasingly successful in getting in. Now these are some of the larger attacks, but we don’t hear about the ones that don’t make the headlines, and they are still happening, unfortunately, on a daily basis. Right? These are just the big ones that stick in everybody’s mind because they had such a profound impact, and there was such widespread media coverage. But in all of these, it really began with, or the majority, I should say, the compromised identity. And so we have to look at what we can do better. I’ve said for years that as an Active Directory administrator, we’ve all been silently promoted into security. Whether we knew it or not, we have to make sure our environment is tight.
And one way in which we can do that is make sure we’re picking solutions and products that we put in place that protect our Active Directory environment and protect it to the full extent. Right? Not just at one point in time. It needs to protect it, as I’ve said, through all the attack phases. So that’s a critical thing to think of. Now what does Active Directory do? I’m sure all of you know what it does. I jokingly tell my mom that Active Directory, what I do is when you log in, you’re welcome. So she’s obviously not in IT. But AD has the four A’s. It has the authentication, proving who you are. So often, the authorization, the auth z, that you’re allowed to access what you’re allowed because you have the correct access controls in place, and then the account management. So I like the little acronym there, the CRUD. It’s the object life cycle. Right? The create, read, update, and delete. The audit, providing who did what and where. So all of that is, you know, tracked. It’s really the four A’s of identity access management. And AD manages identities, relationships, and the distributed resources that make up a network environment. Right? I’d always say it’s kind of like a directory structure in which you can see a hierarchical view of your environment. So it’s easy for administrators and users to find things within Active Directory. But there are a lot of moving pieces, and things I wanna throw out there are, like, the schema. Right? The rules. You know, global catalog servers. We talk about index searches, all those kind of things, replication. It’s unfortunately a treasure map for attackers, GPOs, another source. Right? But it’s fundamental to your IT infrastructure. And it’s critical because there are so many different dependencies in your environment on AD. Funny story, when I went to run through a BCDR, a Business Continuity Recovery Drill at a place that I worked, one of the very first things they said, okay.
We have everything documented in the plans, which is fantastic, on how to do a BCR drill, and we would do these, I think we did it yearly. And they said go ahead and access SharePoint and get the document on how to. And I thought, well, we failed at step one. So we really have to think this through because we don’t even realize all of our dependencies on AD. So until you run through a recovery, even if that’s that practice drill, even if it is just once a year, that’s really gonna allow you to weed out some failures or some realizations that you have in your environment and how you’re gonna handle that when it is time to go. Right? And I hope that no one, here has to experience it the hard way because it is not fun. This is another, I think, an excellent slide showing the progression from EDR to XDR to ITDR. You can see here that in the EDR and the XDR space, this is like the initial access, and that’s what these products are preventing or hopefully preventing. Right? This goes for password guessing, exploit vulnerabilities, which, unfortunately, will always have those kind of things, single factor VPN and phishing. And phishing is so unfortunate because it works. Right? It’s highly successful. But those EDR and the XDR solutions, that’s why they’re in place at that stage to catch that, or prevent that from happening. And then once or if they get in, they’re gonna go straight to Active Directory, and that’s what ITDR focuses on. It focuses on protecting the identity system itself. Right? Because we know at each phase in the recon, the propagation, and escalation, the ultimate goal for that cybercriminal is not only to get in, but to elevate their permission sets. That’s exactly what they wanna do. And I used to say they’re incredibly patient, but that window is shortening. Right? They aren’t as patient as they used to be, which I wonder if that means they’re just getting better tools. I think that’s actually what it means. 
So then once they get in and they get escalated permissions or they elevate their permissions, they’re gonna go to Entra ID. Right? Because they’re gonna go everywhere they can. And we know that you can also breach Entra and then go to on prem AD. So it can happen in both places. The goal ultimately being, again, to get those elevated permissions, get your data, and encrypt you and lock you out. Right? And then ransomware is at play because then they’ll extort you for money. And that’s obviously, you know, a horrible place to be, and we all should have a solution in place that hopefully prevents this from happening. But if it does, gives us that restore capability. And that’s why I like to point out that term, the ITDR and the R squared, is because I wanna include recovery in ITDR solutions. Right? Because response is really part of it, but I feel like recovery needs to be there too. So the components of an effective identity first defense, that’s something we obviously wanna talk about. And I think I mentioned before that cybercriminals don’t just get in. They actually just log in. It’s, unfortunately, that easy. We wanna prevent them from getting that foothold into our environment. Now I’ve mentioned several different phases of an attack, and that’s where the ITDR solution, I think, the strength comes into play. Because you want to have an ITDR solution that is there pre, during, and after. Because what that allows for is a full life cycle and a full view into what has happened prior because, obviously, you had some indicators of exposure. Right? That’s your attack vectors. They were compromised. They got in. So hopefully, you didn’t know about those or, you know, when they were exposed and taken advantage of. And then the pre attack is gonna say where and what those indicators of exposure were, and then we’re gonna talk about what happens during and after.
This is just the first look into the pre attack because this is giving you your attack vectors, what cyber criminals can attack, what weaknesses exist in your AD environment that can be exploited. What you wanna do is have an ITDR solution in place that also ties into the MITRE framework. Right? You really wanna make sure you’re able to prioritize what you need to remediate in your environment. I guarantee you there are going to be things in Active Directory that you need to secure. Now remember, AD is twenty years old, and we have to think about it as kind of our fault a little bit here for not updating the security and the best practices of AD. I’m not talking about, you know, you’ve updated your forest functional level and your DFL. What are you doing to mitigate risk, like actively mitigate risk in your environment? Are you disabling service accounts? Are you practicing good password policies? Are you ensuring there are no passwords that are stored in GPOs? You know, removing SID histories. All those kind of things. Are you doing those things? Are you making sure accounts, like general service accounts, can’t set SPNs? Those are things that we need to not only be doing but scanning for. Right? Because we know that sometimes people do things they shouldn’t in our environments. I mean, how many of you have, like, four hundred test user accounts? I know when I scanned for that word, in previous corporate life, I would find a staggering amount. Those are all vulnerabilities. Right? Those are all potential vulnerabilities that can be attacked. So you want an ITDR solution that can show you your vulnerabilities, but also do it continuously. I think that’s the critical key here for me is it’s great to have a one time read, but I need something in Active Directory because, as you all know, the changes happen daily. Right? Minutes, hours, daily, weekly. You wanna have that ability to see into your environment in real time. So that’s the criticality of this.
Now top steps to harden AD. This is also important. We were talking about this just a minute ago, of password policies and accounts and whatnot. Right? There’s a lot here at play that we can do and that we need to start doing. We talk about implementing good identity processes. That’s where we need to remove inactive accounts and users. So if you have a high number of disabled users, that’s where scripting can come into play and be advantageous for you. It’s really not a good idea to have disabled accounts and disabled computer accounts in your environment. You really should be deleting those. Stale things, stale objects, I mean, you’re replicating that data. Just another reason to get rid of them. Reviewing sensitive access. That, I know, can be difficult. There’s a great tool, a shameless plug here. But Forest Druid is one way in which you can review. It’s kind of a, I call it an inside out view of your critical infrastructure systems and then the folks that have access to that. It gives you, again, that inside out view. So through group nesting, you can see who has access to systems and perhaps who has access and shouldn’t. So that’s one way you can remediate. Then we have trust security. I had mentioned SID filtering. Excuse me. Now that’s gonna be active with all AD trusts you have, but you wanna disable that when you can. Because that way, a rogue administrator can’t clone that SID, right, from another domain and add it. So something to think about. You obviously wanna test before you make large scale changes, but it’s important to think about doing that. And also selective authentication. That way you’re removing blanket permissions. You’re giving it just to people that actually need it. So that’s another factor. And then Kerberos. That’s a big one. And I see a lot of folks when they get a security assessment or run a security assessment, they don’t even realize the vulnerabilities that exist there.
A lot of times, the krbtgt account, that is not changed. Right? And that’s something that should be changed or reset yearly, and most folks forget about it. And, honestly, it has happened. But that’s, again, where we need to remember we’re in charge of AD, and we need to up our game to protect it. Right? So we wanna make sure any security enhancements, we do. Right? Removing SPNs from admin accounts, removing unconstrained delegation. I mean, that was for tiered applications years and years ago and shouldn’t be at play anymore. Then we have lateral movement. You can implement LAPS. Right? That’s a Microsoft solution. That’s a great way to do it. You can also restrict the local administrator group. You can put privileged access workstations, PAWs, you can put that at play. Things of that nature are definitely gonna help you lock down your environment and are really important ways in which we can, again, protect AD. And we talk about securing privileged users and groups, minimizing privileged users and groups. That’s a no brainer, but it’s easier said than done because I know when things aren’t working, we all put someone in there, but we need to remember to remove them. That’s where just in time and just enough administration come into play. Those, again, are two Microsoft solutions that you can put into your environment. They’re free, and you can configure and set up. Right? You can have a break glass account. That’s another one. That’s important to have, versus using your default administrator. We shouldn’t be using domain admin. We should all have accounts, right, versus using that default. So and then securing your dependencies, limiting hypervisor admin permissions. We know that that’s a critical thing. We don’t want people to gain admin access that they don’t have. Right? If you have any backup copies, you wanna limit access to who has that, and you wanna explore tools that can give you a lead on who has elevated permissions in your environment.
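The hardening checklist the speaker walks through above (inactive and disabled accounts, krbtgt password age, SPNs on privileged accounts, unconstrained delegation, SID filtering and selective authentication on trusts, and a privileged-group baseline) as a single read-only audit. This is an added example, not code from the webcast or from Semperis; it assumes the RSAT ActiveDirectory module, a domain-joined host with read access, and the 90-day inactivity and 365-day krbtgt thresholds are assumptions to adjust to your own policy.

```powershell
# Added example (not from the webcast): read-only audit of several AD hardening items.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$staleDays    = 90    # assumed "inactive" threshold
$krbtgtMaxAge = 365   # speaker's guidance: reset krbtgt yearly
$staleCutoff  = (Get-Date).AddDays(-$staleDays)
$findings     = [ordered]@{}

# 1. Inactive and disabled accounts: candidates for removal rather than replication
$findings['InactiveUsers'] = Search-ADAccount -AccountInactive -DateTime $staleCutoff -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, Enabled
$findings['DisabledUsers'] = Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object SamAccountName
$findings['DisabledComputers'] = Search-ADAccount -AccountDisabled -ComputersOnly |
    Select-Object Name

# 2. krbtgt password age
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$krbtgtAgeDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
$findings['KrbtgtOverdue'] = if ($krbtgtAgeDays -gt $krbtgtMaxAge) {
    [pscustomobject]@{ PasswordLastSet = $krbtgt.PasswordLastSet; AgeDays = $krbtgtAgeDays }
}

# 3. Privileged accounts (recursive, deduplicated) and those carrying SPNs
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privMembers = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}
$privMembers = $privMembers | Sort-Object -Property DistinguishedName -Unique
$findings['PrivilegedWithSpn'] = foreach ($m in $privMembers) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName
    if ($u.servicePrincipalName.Count -gt 0) {
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; SPNs = ($u.servicePrincipalName -join ';') }
    }
}

# 4. Unconstrained delegation outside the Domain Controllers OU (DCs are expected to have it)
$findings['UnconstrainedComputers'] = Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
    Select-Object Name, DistinguishedName
$findings['UnconstrainedUsers'] = Get-ADUser -Filter { TrustedForDelegation -eq $true } |
    Select-Object SamAccountName

# 5. Trust settings: SID filtering and selective authentication state per trust
$findings['Trusts'] = Get-ADTrust -Filter * |
    Select-Object Name, Direction, SIDFilteringQuarantined, SIDFilteringForestAware, SelectiveAuthentication

# 6. Privileged-group baseline written to CSV so later runs can be diffed against it
$baselinePath = Join-Path -Path $PWD -ChildPath ('priv-baseline-{0:yyyyMMdd}.csv' -f (Get-Date))
$privMembers | Select-Object SamAccountName, DistinguishedName |
    Export-Csv -Path $baselinePath -NoTypeInformation

# Summary: a count per finding class, then the detail for anything non-empty
foreach ($key in $findings.Keys) {
    $count = @($findings[$key]).Count
    Write-Host ('{0,-24} {1}' -f $key, $count)
    if ($count -gt 0) { $findings[$key] | Format-Table -AutoSize | Out-String | Write-Host }
}
Write-Host "Privileged-group baseline written to $baselinePath"
```

Compare the CSV from each run against the previous one (for example with Compare-Object on SamAccountName) to spot privileged-group membership that was added for a fix and never removed.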
So start by getting a baseline of your groups. I think that’s really important. Then we have monitoring for unusual activity. I know that is difficult. There’s a lot of different tools that we can use, and then, again, develop a baseline from that. But maintaining AD specific backups is another key one. That is one we really wanna look at in the criticality. We know that AD backups aren’t good for forever. And what I mean by that is when you’re going further than two weeks back in backups, you’re really using that for forensics. You’re not gonna be using that to restore AD. You really don’t wanna go back further than two weeks because AD is gonna trip on itself. So when you’re looking at retaining more than that, you’re looking at that for forensic purposes only. So this is during an attack, and this is, we are talking about the life cycle of an attack. And it’s interesting to note here because this is where you’re ……. (audio issue, stay tuned) ….. Hey, Alexandra. Sorry to interject. But I think we might have lost your audio, Alexandra. Can you hear us? ….. Okay. I think I’m connected. Hopefully, you can hear me, and I apologize. I have been having massive problems. So can everyone hear me? Let me know if you can. Yep. We’re back on, Alexandra. Thanks for getting that figured out. Yeah. I am so sorry about that. So I’m not sure where I left off. I was on problem solving with such a by TDM solutions. I would start from square one on this slide, and then we should be back on track. Okay. Thank you. And again, apologies to folks. I’ve had a lot of fun networking issues today. Well, not today. It started over the weekend, totally redid my network, undid it because it made no difference. So fun times. Enjoy the technology. So, I was talking to myself about MFA bombing and how, in 2023, Microsoft was saying that there’s roughly six thousand MFA fatigue attempts per day, right?
And that’s really frustrating because it isn’t a direct means of bypassing MFA, but it exploits human error, and we all are going to be guilty of that, right? So that’s frustrating. We know it can be fraudulent as well and then legitimate as well mixing in there, so that’s really, really tough. So we want to have MFA in place, but we also want to train our users to be very cautious about the request that they do approve. I was saying one of the frustrations I have is that every time we come up with something, you know, MFA, for example, now they’re finding workarounds. I equate cybercriminals to folks that are locked up and that have nothing else to do but spend twenty four hours to find workarounds to break into our environments and cause destruction and wreak havoc. So we know with MFA bombing, this is strategically timed, you know, end of day or late in the day when we’re all tired. And really, the only thing we can do is, you know, up our game and really make sure we train our users and just stay on top of it as much as we can. Now password spraying, if you haven’t had a chance to read an article by Daniel Petri, please take a look at it. It is amazing. It talks about password sprays and how they don’t always get detected the way regular password changing attempts occur within your environment because there is a little bit of a delay in recording this on the DCs. It’s really, really interesting, but it ultimately gets down to the fact that this is a very quick, fast way in which and sometimes undetected in which accounts can be breached. That’s why I am a big proponent of talking about, having, strong passwords on service accounts. So I’m talking to you folks out there with service accounts that don’t have strong passwords. Please, please set strong passwords. I know it’s a bit of a PITA, but the long term benefit greatly outweighs having a strong password. And then also stop using passwords blanket across the board for all systems. 
That should be changed right away. So a couple of things there that you can do because, ultimately, you don’t want to have this bit of a brute force type of attack, which can evade logs, happen to your environment. And you have to remember that by having weak passwords out there, you are putting a known risk in your environment, and you’re saying that that’s an acceptable risk. So that’s a frustration point. But again, that probably circles back to having a seat at the business table and talking to your app owners and the management as to why that is so critical. But the ITDR solutions that you want to have in play are ones that are going to notice these anomalies in your environment, that are going to report out on this and alert you to this type of activity, right? And same goes for that last one, human error. We’ve all been there. We’ve all done it. There is misconfiguration. And, unfortunately, one of my managers would say, I know when we are doing work or when my team is doing work because mistakes are going to be made and they will happen. And he said, that means you’re doing your job because you’re not going to be able to do it one hundred percent perfectly all the time. And I really like that because it is true. We all do make mistakes, but we don’t want to have an attack vector opened because we made a mistake. So that’s something that we want to have that ITDR solution in place looking for, perhaps misconfigurations in our environment, those indicators of exposure, right, those potential indicators of exposure, so we can close those down, right? This also gives us the ability, some type of report that gives us a lead on our environment, will give us the ability to go to management and say, I need headcount in order to close it. Here are the risks that exist in our environment, and you can quickly run some numbers if your environment’s down of how much that costs, right?
So one way you can get a really good read is to download it. It’s a free tool, another shameless plug for Purple Knight, but it gives you an excellent security posture, a one-time read of your environment at a single point in time. And once you do that, you’ll get all of the indicators of exposure that exist in your environment, so all those attack vectors, with a very detailed readout of what that means for you and also how you can work to mitigate those risks. So it’s great because you can run it. You don’t have to be domain admin, you just have to be on a domain-joined system. And then you can look at the report, work with your team to reduce those risks and run it again, right? It gives you a good baseline, a good starting point. So recovery is the key part of an effective response. So R is for recovery. That’s again why I’m really liking my coined term of ITDR squared because recovery is critical and we don’t always get a chance to test recovery. Right? Active Directory, I’ve always felt like, as an AD admin, I rarely got the chance to be proactive. So I need the ability to be proactive. And, again, that’s where ITDR solutions are going to help you and your team. It’s unfortunate, but cybercriminals and all that goes along with that, breaches to whatever scale it is, you know, bots, malware, ransomware, we have to assume the breach mindset. And it’s unfortunate. And it’s definitely been a switch for me, just because I’ve always been on the AD side. I never thought I’d have to really focus on the restore side. But if you look at what criminals are targeting, it is Active Directory, so I am on the restore side. And guess what happens? 
If you are breached and you don’t fix the who, when and where, who got in, when they got in, and where they got in, because you have to look at when they got in and what changes were made, because you want to know every change that was made in your environment from that point in time so you can work to correct any Easter eggs they left you, right, if you don’t do that, you’re going to be rebuilding your environment within two weeks. I would bet money on that. So that’s a key thing to remember: you’ve got to be able to not just restore your environment, but you need to be able to restore it to a trusted state. And a lot of times people don’t think about that, right? They just want to know, okay, when can I turn over my AD environment or when can I have it stood back up? Well, there’s a lot of post-restore tasks you’re going to want to do. Somebody just breached you and you don’t know how. You need to fix that. So that’s very important. And then how long can you afford to be without Active Directory and then all downstream apps that rely on it? I would venture to say not long, not long at all. It’s interesting to note that a lot of folks say it’s critical in their environment. I think it was like eighty-five percent of respondents in one poll said it’s critical and it would impact our environment. It would be detrimental. And I thought, what do the other fifteen percent think? Because any impact to your AD environment that is of criminal intent is going to have a devastating ripple effect in your environment. You will see that everything very quickly relies on AD. So running numbers there does really help with management, with folks, right, that are sitting at that business table. And then you can look at how long it does take. And you can look at examples. I mean, read about Maersk. It took them, what, eight or nine days to restore. It doesn’t sound like a long time, but that is a long time to be down. That’s a huge loss of business. 
So, think about what you’ve committed to with management, right? What are your recovery time objectives and what’s your recovery point objective, right? Your SLAs, your service level agreements. It’s a good starting point. But, essentially, you want to make sure you have something that allows you to quickly restore Active Directory and restore it. This is the most important part here. Restore it to that trusted state. So this is, again, where I would urge people to be practicing a restore procedure in an isolated lab and then invite your downstream app owners into that space so they can see what that looks like. Yeah. Okay. So it’s nine days. Darn it. So nine days for an AD recovery isn’t good enough. You should aspire to twenty-four hours. And if you can’t, then you can’t repair anything else. And that’s from the CISO of Maersk. So their story was, I think, five or six years ago at this point, but that was a big darn deal. And it was a pretty catastrophic outage. And they luckily had one DC that was powered off. They didn’t even realize it, and they were able to restore. But nine days is a long time, and nine days equates to a lot of dollars. So that’s the business side and those are the discussions as AD administrators we need to be having. So, we need to be looking at ITDR solutions that are fully automated, that restore us to a trusted state. Those are key critical questions we need to be asking. So, the cyber attack recovery timeline, the dwell time, so this is 207 days. Now, this is greatly diminished. This slide is, I think, a year old, and this has gone down to roughly forty-five to ninety days. But if you look at the key factors for me, it is the identifying, the time to identify, five hours. That’s a lot of time to do a lot of damage in an environment. Right? So this is where you’re identifying there’s a problem, five hours. Then you have an incident plan. You’re invoking it. That’s, what, twelve hours. 
And then you’re going through everything else, the cyber insurance, the attorneys, the communication, forensic analysis, that’s going to take two or three days. Right? You’re rebuilding AD, five to fourteen days. That’s a long, long time. And then you have to think about data recovery because you’re not going to get everything back, right? This is one to three months, and then twenty-one is the day average to restore AD and all of the components. That’s a really long time. So we really want to look at that and find ways in which we can reduce it. Again, that’s where you want to look at ITDR solutions that are fully automated in restoring your Active Directory. I’m not talking about the ability to restore one domain controller. I’m talking about the ability to restore all domain controllers. There’s a big difference. And people will tell me time and time again, oh, I have this scripted so I can rebuild my second DC really quickly. That’s fantastic. But when you have forty, thirty, fifteen, do you really want to be spending your brainpower running through scripts? Because I guarantee you, you are going to have a lot of other tasks that are going to require all of your brain cells. You do not want to be using them to restore your DCs. Yeah. Highlighting the five to fourteen days again there for the rebuild. So post attack, that’s another important part of the phase of the attack lifecycle here, right? You want to look at what is your worst case scenario. You could be doing everything right and this still happens, right? I mean, NotPetya is a great example. They weren’t even a direct target. Some companies were not even a direct target of that, and they still got hit by that. So really what you want to look for is the cyber-first approach to disaster recovery, how you can fully automate the entire forest recovery, all of your DCs, right? 
And then if you’ve ever done an authoritative restore and followed Microsoft’s guide, it is a painstaking process. It’s step by step and it’s hurry up and wait in a lot of cases. So, that’s where Semperis has Active Directory Forest Recovery. We are able to fully automate the restore of all domain controllers that you back up at once. So it’s a much faster process. We’ve also decoupled the operating system from the ntds.dit. So we’re just focused on backing up Active Directory. That allows a faster restore, and we’re platform agnostic. So that makes it faster to restore. And again, we have built-in post-restore security scans and forensics, and that’s along with an incident response team that would be walking through this with you. And the folks on that team are truly gifted. They’re the best and the brightest in the industry. I call them the legends in Active Directory. And those are the folks that work on that team, and they’re 24×7. Those are things you want to be looking at regardless of what ITDR solution you put into play. And then key takeaways. So hopefully, I’ve hit upon that the layered defense system requires the identity-focused solution, right, that’s really important. It works very well and complements the endpoint detection, the EDR and the XDR. Active Directory security is the heart of every identity store, right, and that’s really what we have to keep secure to protect our environment, to keep it running, because we know that cybercriminals are now a part of our ecosystem. They’re here to stay. So we do have to have that mentality of breach, right? We have to assume breach. We want to have robust ITDR solutions in place that address the entire Active Directory lifecycle of an attack. You want to see everything that’s coming across your wire. You want to see everything at that AD replication stream layer. You want to have the ability to auto-remediate some things that happen in your environment. That rollback functionality is critical. 
But you also want to be able to see exactly what happened in your environment as a domain controller sees it. You want to see that coming across the wire. You also want to get a security read out in real time, and you have that functionality within what we call DSP, Directory Services Protector, where you can get that within your Active Directory, whether it’s on-prem or hybrid, or fully in the cloud, so Entra ID. I’m really having a tough time not saying Azure AD today. I don’t know why. But, anyways, what we really wanna do is help you restore. Right? We wanna do it fast, and we want to reduce the chances for malware being reintroduced. That’s why we decoupled the ntds.dit from the operating system and are platform agnostic. Those are key things that I want you folks to focus on when you are looking at ITDR solutions. These are a couple of different products. I’ve mentioned Purple Knight and Forest Druid throughout this. Purple Knight is the product in which you can get a real-time scan of your Active Directory environment for those attack vectors, those indicators of exposure. You don’t have to be a domain admin. You just log in and run it from a domain-joined system. It gives you that one-time read, that security posture of your environment. It’s fantastic. It’s free. Forest Druid is a great product in which you can identify your tier one systems, your critical infrastructure, and it gives you what I told you is the inside out. So you can look at those systems and then determine permission sets that have been granted through time, ultimately leading to access to what has been defined by you as your critical or tier zero infrastructure. So I urge you to download, you know, those tools because they are free, so why not, and run them and see what score you get. I will forewarn you with Purple Knight, the average score has been a D as in dog, which isn’t great, but it does happen. But think of it as a good starting point, right? 
This is where you’ll be able to get ahead of the curve. I also mentioned DSP, that’s what listens at the AD replication stream layer level. Our patented technology captures all changes in your environment. So, in real time, it also gives you that security score in real time. And then Active Directory Forest Recovery, we’re able to restore all domain controllers that you back up. And then we have a migration product and also a way that we can back up and recover Entra ID resources. So a couple of great things here, or several, I should say. So please go take a look. And again, Purple Knight and Forest Druid are free. So download those and run them. And then finally, we have a HIP Conference coming up in Mardi Gras, and it would be a great conference to go to if you can get there. It’s going to be fantastic. These are the legends in the industry that are going to be there, and it is a really great conference. It’s all technical based. It’s not selling you anything. So it’s fantastic. I’ve been in years past, and it’s amazing. So you’ll meet a lot of great, really cool AD people. And then before we close out, I know I took a little bit of time. And again, I apologize for the technical difficulties. I hope this has been beneficial to you folks. Does anyone have any questions for me?

I see, how long does it take to restore an Active Directory forest? That’s a really hard question to answer because it depends on the size of your ntds.dit and obviously your machines and where you’re going to. But I do know that, I can say that ADFR, Active Directory Forest Recovery, shortens the time by ninety percent. So that’s a pretty impressive thing.

And then let’s see. Why do we need a separate backup solution for AD and Entra ID recovery? It’s not really separate. It is just an additional. So I’m trying to think of how to explain this. There is a restore capability for an all restore, a full restore, so an authoritative restore, and then if you just needed to get a couple of objects. So it differentiates between the two, the capabilities, the functionality. One is a full-fledged forest restore scenario, and one is a couple of items or several items that I need to restore, and hopefully that answers that question. Let me know if not. I’m also on LinkedIn. I wanted to throw that out there. I’m slow to respond, but I do respond. So if you have some questions that I didn’t address, you know, please do let me know.

And then the last question is, what are some free things that I can do to harden my AD environment? Okay. So Purple Knight, that is the best one. Please, please do that. That is just awesome because it’ll give you that security posture in your environment. So that’s a really good one. But also look at the Windows hardening guide, look at doing a tiered administrative model, you know, PAWs, LAPS, just in time, just enough. Those are really free and great things that you can implement in your environment, and please, please set strong passwords.

Oh, gosh. Let’s see. Oh, AD Security. Okay. William, so message me on LinkedIn because I have a really good book, and I know it’s probably under my desk or behind me, but message me because I have a really good book for you, that is great at Hacked Directory. I didn’t give out gift cards. I didn’t know I was supposed to. I’m glad you liked it, but it sounds like we don’t have any other questions. Annie, do you see any I might have missed?

No. I think we did a great job. We hit all the questions on there.

Yeah. Okay. Cool. I feel pretty good.

So much, Alexandra. That was great.

Good. Thank you. I really apologize for the technical difficulties. I’ll be throwing my network... I’ll be taking a hammer to it later.

Well, we got through it, and thank you so much for being with us today. And thanks so much to the audience for your patience. We got through it quickly. And attending today’s webcast sponsored by Semperis and presented by Redmond Mag. Have a great rest of your day. Thanks, folks.
