Critical infrastructure organizations that run operational technology (OT) systems or Internet of Things (IoT) devices face several challenges to effective cybersecurity, including outdated technology, the complexity of diverse environments, and a larger attack surface. Rob Ingenthron (Senior Solutions Architect, Semperis) discusses the challenges faced by organizations in healthcare, manufacturing, energy and utilities, and other sectors that depend on OT and IoT. You will learn:
- How to prepare for the worst-case scenario
- Where traditional methods of protecting OT/IoT environments fall short
- How to align cybersecurity between OT and IT
- Why Active Directory security is fundamental to operational resilience in OT/IoT environments
Hi, everyone. My name is Annie with Redmond Mag, and I'd like to thank you all for joining us. The topic of today's webcast is Recovering Operations After A Cyberattack, sponsored by Semperis. Before we begin, I'd like to cover a few housekeeping details. Please ask any questions you may have in the Q&A box on the right-hand side of your console, and Rob will get to them. Semperis has provided some resources which correspond with today's event, so please take a moment to check those out. Today's webcast is being recorded, so keep an eye out for a link in your email to rewatch the presentation or share it with a colleague. And now I'd like to introduce you to our speaker. Today we have the pleasure of hearing from Rob Ingenthron, who is a Senior Solutions Architect at Semperis. So we are in for a great event, and with that, I'll pass the time over to Rob to get us started.

Alright. Well, thanks for hosting this. I appreciate it. Again, my name is Rob. I'm from Semperis, and we'll be talking about Recovering Operations After A Cyberattack. To add some nuance to that: ultimately, not just cyberattacks, but incidents within an organization. Recovery is very important in that regard. And then we'll talk about some of the products that we offer at the end as well. If people have questions, like Annie said, you can put them in the Q&A, and we'll also have some Q&A time at the end of this presentation. So just briefly, I've been with Semperis for about two and a half years, but I've been in IT for about thirty-five or forty years. I've been working with AD for about twenty of those, and I worked at some pretty large organizations, including one that was one of the largest manufacturing companies in the world, with a hundred and fifty thousand users and hundreds of domain controllers, and we manufactured all kinds of stuff. So I have some familiarity with the manufacturing realm, which is a topic that fits into this webinar today.
So talking about infrastructure, we're talking about overall the ability to recover and the importance of identity management. We specifically focus on Active Directory and Entra, but your identity infrastructure really ties into everything, ultimately, for access and for maneuvering around a company, for getting data, that sort of thing. You can find lots of quotes and lots of examples of incidents out there. I'm sure you've heard many, both recent ones and ones from many years ago. So identity protection is very important, and the ability to recover quickly is very important, especially in manufacturing and operations, where downtime equals lost revenue immediately. So it's a very important aspect of your environment to consider. And I think that some companies don't necessarily put in the time to assess the importance of that identity recovery side. They might leverage backups and other things. But as you can see from this list, which is not even current, there are a lot of major companies that have been hit with ransomware, in some cases more than one time. Ransomware and malicious attacks bringing down a company can impact downstream to customers, to production, to reputation. So, again, it's very important to do this recovery, and I think that a lot of companies don't put in the time to really assess their ability to recover. They implement recovery capabilities without really fully testing and vetting those systems that they've implemented. So it's very important again to consider many aspects of the environment. And when you're talking about OT, like manufacturing, for example, where you have a lot of IoT devices and manufacturing-line devices out there, one of the things that I find is that there are some really good management capabilities out there, but a lot of these devices get deployed without really good security. And that's part of the headwind that the OT management side has to face.
On the IT side, for many, many years we've been dealing with that infrastructure, managing infrastructure, and still there are always gaps that we have to manage and maintain and mitigate. As far as OT, the IoT stuff is relatively new. Even though this stuff has been around for quite a long time, in the bigger picture a lot of this is really new. A lot of it has been pushed out for rapid deployment without consideration of the security aspects: managing security, managing updates, what kind of access these devices have. And a lot of this stuff is pushed out to the Internet, made Internet-available because it's very convenient, for example, and a lot of companies will use Internet-based devices. There's a lot of exposure there. If you use a tool like Shodan, a publicly available tool that lets you see this whole collection of information from public-facing devices, you can actually get access to things like cameras and manufacturing-line equipment and refrigerators and appliances in people's homes, because they've exposed this data without adequate protection. So that's one of the things that's a really big challenge. And what that leads to, as far as this discussion goes, is that these different ways to get in ultimately impact, potentially, your identity management, your ability to manage your identity in a secure fashion, and your ability to recover it. So there are many paths in that you have to cover. And when you talk about IT versus OT, they have similar issues that get introduced into a company with the availability of these additional devices that have to be managed. So in an IoT environment, like I said, there are a lot of different devices out there. They typically get pushed out, oftentimes with default passwords. They don't get updated, so there are vulnerabilities found that don't get patched.
And some companies have a nice implementation where they can manage updates, patching, and that sort of thing. But, again, it's just another gap, and the bad guys only have to find one problem where you have to manage all of them. So, again, ultimately what we end up talking about is: what is your ability to recover in the event of one of these paths getting leveraged to attack your identity store? Your ability to get throughout the company and potentially gain valuable data, IP, access to things, shutting down systems, that sort of thing, denial of service, all of that is an impact that could happen from someone finding a way into a company. So one of the things that we talk about again is the different standards that we have for looking at the way you manage these things, with baselines and security recommendations. This is a little bit hard to read because of the white-on-white background here. But basically what this is saying, that you can't read right here, is that identity is really the fundamental piece of the security picture that you need to look at as far as managing your environment, because that ultimately has access to everything. I worked at a company once where our AD was taken down by accident, in an internal issue, and it affected access to the buildings. You needed a physical key to get in the doors until that recovery was completed. So there are a lot of downstream things that, if you don't go through a really exhaustive exercise, you may overlook: aspects of your organization that the ability to recover is going to impact. So the time it takes to get recovered is going to cause a lot of other issues with other parts of the organization. If Active Directory isn't secure, nothing is. We say this in every presentation that we make because, ultimately, everything's tied into AD.
Even if it's not actually the source of truth, like if there's an HR system where information is being input as far as users go, that ultimately needs to get pushed into Active Directory, which is tied to other systems. And then today we're also talking about Entra ID and other directory services that get tied into that, and the applications that get tied in that are broadly making applications available, exposing other parts of the infrastructure. Active Directory is typically the core of that. For most companies that have five hundred or more employees, you'll find AD in probably ninety percent of those companies, if not more. And AD has been around for a really long time, over twenty years now. It's millions of lines of code. It's a fantastic product. It's very robust. It's the most popular product or service that's been made available by Microsoft, ever. It is so widespread. So it's also so widespread that it's a popular attack point for a lot of bad guys. They're going to look for Active Directory. They're going to try to phish accounts to get into Active Directory, because then they can find ways to get lateral movement, get to other systems, find IP stores, or, if it's a law firm, get into very secure documents, that sort of thing. So there's a lot of access that AD provides into other systems once you get in. And Entra ID is another aspect of that. A lot of companies that have AD also have Entra. So they're looking at synchronizing accounts into the cloud or moving accounts into the cloud, making apps available in the cloud. So there's a tie-in with hybrid identity from on-prem into the cloud. And so when an account gets phished or taken over or maliciously attacked, that's going to impact the cloud side as well. We basically assume that you don't have any trust anywhere, so you need to define that.
And then, ultimately, if that is compromised, again we come back around to: what is your ability to recover? So we have, in the industry, a lot of logging solutions, a lot of ways to look at what's happening in the environment. One of the things that was exposed with event logs in Microsoft Windows: Microsoft had said for a long time that the events really can't be modified, so once those events are created, they're fairly immutable. But that data was proven to be modifiable by some tools that were released by a certain agency that were exposed to the Internet, and there was a proof of concept that event data could actually be modified. So we used to talk about just the event logs getting cleared, but now we're talking about the possibility of a more sophisticated attacker actually modifying event data to hide their tracks, or changing some of the data that's there so that a logging solution will pick up different data, incorrect data. So that's a problem, because if you're trusting that data to give you an accurate picture of what's going on in your environment, well, if somebody's modifying that or just outright clearing the log, you've got blind spots into what's happening out there. So most solutions, like I said, are SIEM-based solutions in companies where they're just aggregating log data, and now you need to analyze that data as well. When you're looking at logs and SIEMs, they can be bypassed. You can do things in Active Directory, for example, that a company by default probably isn't looking for, where you can leverage an attack that isn't necessarily going to be captured by the log. For example, the Mimikatz DCShadow attack is one of the demos that we use. What that does is it turns a regular computer, for a fraction of a second, into a domain controller, and you're not monitoring that system as a domain controller. So you're not looking for certain types of activity on your endpoints.
So that kind of stuff is how the bad guys, the more sophisticated ones, can get in and bypass some of these typical tools that we've had for a long time in our organizations. And then, of course, there's a lot to Active Directory. When we just talk about Active Directory, it's a big attack surface. And the biggest problem I see: I've been around AD for a really long time, since about the time it was released in the year 2000. The last couple of companies I've been at had AD when it was first released, in like June or July of 2020. Sorry, the year 2000. And so up to now, it's been over twenty-something years, through multiple in-place upgrades, multiple regime changes of management, different ideas of how to manage AD. Back in the old days, we worried more about the physical loss of systems versus cyberattacks. So there are different concepts of how to manage things, how to configure things. And over time, when you do these in-place upgrades, some stuff, to remain backward compatible, doesn't get updated in a more secure fashion. So that's where we talk about the AD misconfigurations and vulnerabilities, because over time we're introducing more issues. If you spun up a brand new Active Directory, a brand new clean greenfield directory, it would obviously be more secure with the latest patching and the latest updates and the latest code, but there are still aspects of it, there to make it user-friendly, that leave it more open than you may like and that you need to lock down. And there are benchmarks and models to utilize to better secure your environment, but you have to implement those, whether from Microsoft or any third-party organization. And then the lack of a tested AD recovery plan. We did a survey back in 2020, I think it was. Might have been 2021, somewhere around that time frame.
And then, also, a third party had done a survey, sort of an unofficial survey of a bunch of customers of theirs. And a majority of customers had only written down a plan but hadn't tested it. And that's a problem, because when you write it down versus testing it, you really don't know if your plan's going to work, and you don't know some of the little things that you might be missing. When you look at Microsoft's Forest Recovery Guide, for example, it's a hyperlinked guide. It looks really pretty. The second thing it says is "devise a plan." So if you're looking at that guide in the middle of an outage, you have a lot of work ahead of you. It's actually about twenty-six to twenty-eight steps, depending on what you have in your environment, to do a domain recovery, for example, a forest recovery for just a single domain. So there's a lot of work involved that you may not understand until you've actually tried it out. So the lack of a tested recovery plan is going to impact your overall time frame for recovery, which again, for a manufacturing company, is going to translate to revenue at every site where they have manufacturing lines. And then the hybrid identity attacks, because Entra ID is so popular now. Microsoft's been pushing that for years. So we've got the on-prem sync to the cloud, and that's not even counting the other identity spaces that might be connected. You've got the ability to get into the cloud via compromised accounts on the AD on-prem side. So that's another factor that's very important and growing all the time. And the main problem now, one of the main problems, I guess I should say, is the expertise that we have today. We have another guy in our company who's an MVP, Sean Deuby. He's been presenting for many, many years on Active Directory topics. And he points out that a lot of the great expertise in Active Directory is aging out.
The new kids are coming in learning cloud stuff, but fewer and fewer are learning about Active Directory, the older technology. Even though that technology has been embedded in a lot of companies for many, many years, they come in and have to sort of work backwards into that. So there's limited expertise, and even less expertise with a full-scale response like an Active Directory forest recovery, which is something that a lot of people haven't done. Some people have read about it. Fewer people have actually executed it. So that's a very important aspect when you're writing a plan. When you don't have anybody on your staff who has done that kind of recovery before, that can be impactful to your recovery time. And it's important to have recovery capabilities for these, and we talk about ITDR, the ability to recover your identity space, versus EDR protecting the endpoints. They're different. Endpoint protection is very common these days, so you'll find a lot of places with endpoint protection. But once you get past this local escalation and get through the endpoint protection, it expands out into your Active Directory, leading to encryption of data or exfiltration of data, data extortion, getting access to the Entra ID side. But they're different things. EDR, the endpoint protection, is different than ITDR, the disaster recovery for the identity space. So you have to consider those separately. The client side is definitely different than the Active Directory side. The domain controllers are an endpoint, but the identity space is a separate piece of that, a service that you have to consider that's different, that gets you access to a lot of stuff, and the protection for that is different, because you've already got the service presented to everybody within your company, effectively. You need to detect and defend that in a different fashion than you would on the endpoints. Hopefully that all makes sense as to the difference there.
And then looking at Active Directory, you've got to do a risk analysis, and companies haven't necessarily done this. They've done a superficial model of this. But when you look at the vulnerabilities available, if you've never done a scan, first of all, I should say, you don't even know what you don't know. That's one of the main problems. A lot of companies haven't even done an assessment of AD. So they make certain assumptions without really understanding what the risk is in their organization. Those vulnerabilities can add up, and you can have some vulnerabilities that are just hygiene-based, something you could fix with better account hygiene, for example. But "this is the way we've done it" is the model that gets pushed back upon there. So they don't make changes that they need to make, things like password length and account expiration and time to change password. All that can add up to really exposing your Active Directory these days, because of all the tooling that's available to attack Active Directory and the expertise that's out there as well. So we want to protect AD and Entra from cyber threats. So when we're talking about this model of what we're looking at, as far as Active Directory and the identity space, we have a before, during, and after picture of things. We follow this wheel, and we use the word "attack" on here. But really, for me, I substitute the word "incident," because there are self-inflicted things that can happen as well. Somebody could accidentally delete something that's a very important object in your environment, or maybe purge something like all the members of a really important group, like a sales organization or some manufacturing-line component that managers are in or devices are added to, or whatever. That's not necessarily something that the AD Recycle Bin is going to help you with. So you need a recovery capability for that.
So in this before, during, and after picture, what we're talking about here is how you look at things at these different stages of an incident within your organization. If you're on the before side, you're looking at identifying IOEs, indicators of exposure, and indicators of compromise, to discover things so you can better remediate and mitigate those problems and reduce your attack surface. And you want to do continuous security monitoring, because you want to manage what those indicators look like, what your security posture is, over time. And that includes things that may be changing over the wire as well. So you've got Active Directory. There's a lot of activity with AD. There's a lot of churn in that data structure, so you've got accounts and computer trusts and a lot of other things going on where things are changing, the data's changing, and you need to monitor what's happening in that environment. And when you have threat detection and visibility into that threat happening, you want to be able to better visualize that. So what we do with our software is we look at the replication stream of Active Directory. We're pulling in all those changes, and we're running over a hundred and eighty indicators, for example in our case, against them. So you want to have a solution that's identifying problems with Active Directory proactively, but also watching what's happening in AD in real time. And if you have issues, or you have certain things you want to protect, like Enterprise Admins group membership, for example, you want to have auto-remediation for things happening. If somebody changes that membership and it doesn't go through a change workflow approval, well, you want to roll that back. And you don't necessarily want to have somebody sit at that console and look for that activity, waiting for an email to come in and being reactive to an email. If they're not available, there's going to be a further delay.
So an ability to auto-remediate certain types of things, to set baselines, is very important, especially as you scale out. In a very small company with just a couple hundred users, it may not be as big a deal. But when you go to a thousand users, ten thousand users, a hundred thousand users, plus the manufacturing lines and all the equipment that's tied out there and all the connectivity that's out there, you want to be able to act upon those in a more automated fashion. So the auto-remediation part is very important. You still want to get alerts, but you want to be able to remediate things without having to just go look at them. And you want incident response orchestration, meaning that if something happens, you want a set of activities to occur so that you can remediate things and have some other activity there, and also get an idea, from the indicators that you're looking at, of what to do to fix those things. So you want to have some kind of guidance for what to do in those cases. And then when you get to the final section here, the third part: after you've been attacked, things are compromised, or maybe AD is just completely down. There are many examples of that. One of the biggest ones that I've personally known about is Maersk back in 2017. Over a hundred domain controllers were taken down in a matter of about seven minutes with ransomware. Now they've got to recover. They didn't have any good backups, because the backups were all compromised. So how are you going to recover that? So the cyber-first discovery and recovery is really important, to know what you need to recover and how to recover it. And then the forensic investigation is part of that. If you've got a cyberattack and you need to identify: did somebody modify accounts? Is there some sort of access hidden in there? Is there privilege escalation that's been leveraged for lateral attacks in your environment?
You want to be able to identify that stuff. So you need some sort of methodology to implement forensics more easily against your production data. So we want to improve the overall cyber resilience. We want to find these assets that are critical. And on the IT side, we've been doing that for a long time. On the OT side, that's been happening, but I think because it's just generally newer in the bigger picture of things, in the longer term it's a less mature environment for identifying problems there or remediating them. That's the other piece that's missing as well. A lot of times you discover problems, but how do you fix those problems? So identifying those critical assets, and identifying which things are really important to make what we call a minimum viable company from that directory service that you have, the identity space, is really important for a recovery after a disaster. Some companies implement that differently, but the general idea is you want to be able to recover your identity space in a secure fashion, cleanly, make sure that it's all clean and that there's no latent access in there from a bad actor, and then bring that back up to restore your environment, and have a process for that to do it more quickly. So as far as some of the products that we offer, we have a few things out of the box here. We have two free community-driven products called Purple Knight and Forest Druid. Purple Knight offers that piece that I was talking about earlier that's missing from a lot of companies, the part that gives you an assessment of Active Directory. It's a point-in-time assessment. It provides output for over a hundred and fifty, I think, indicators. So you can cover both the on-prem AD and Entra ID, and Purple Knight also includes some Okta indicators if you have the Okta directory service.
So you get a nice picture of the areas that you need to address in your environment. Hygiene, for example: account hygiene is called out, certain configuration settings. And in some cases, it looks for some activity that might indicate somebody's been trying to do something like bypassing your password policy, for example, or leveraging a Mimikatz DCShadow attack. There might be some evidence of that. So you can get a pretty good assessment out of that. That's very eye-opening for a lot of companies, to actually see that report, have it in their hands, versus just kind of talking about it in generalities. And it's really important, too. That also includes an Entra piece, and it's really important, again, because Entra ID is an important aspect for a lot of companies, including when talking about AD. So the Active Directory component is important to lock down, and to remediate some of those potential issues there, vulnerabilities or access to AD. Entra is the same. You want to lock that down, make sure you're tracking things like global admins and what kind of rights are out there, and look for certain configuration settings on the Entra side that could open you up to somebody attacking that environment as well. Forest Druid is another product that we offer. It's kind of an inside-out look at your structure. When you look at a company like the last one I was at, which had AD since, like I said, the year 2000, multiple regimes have been managing AD over time, coming up with different organizational structures, OU structures, group structures, group nestings where you've got a group inside of a group to make things easier to manage, and maybe multiple nestings like that. Over time, it creates a lot of obfuscated access that you may not be aware of that's out there. So what Forest Druid does is it identifies what we would call tier zero objects in your Active Directory.
There are certain groups, the built-in groups, for example, that have elevated access, like Account Operators, Enterprise Admins, Domain Admins. It identifies those as tier zero assets, and it identifies, or tries to identify and map out in a visual fashion, the relationships between those groups and assets in your company that fall into that tier zero access. And so what you might find from that in an old environment, an environment that's been around a long time, is that you've got nestings and access to accounts that you didn't realize you had, that actually give them the ability to do things like change domain controllers or change domain controller security settings or configuration settings. And those are the kinds of things you want to identify and lock down. So Forest Druid, through this mapping mechanism, gives you a better awareness of what's going on with your Active Directory structure. It's a real-time map. You can move it around. You can relocate things to make it more visually pleasing. It also has a text-based output, and it allows you to classify things. So you could have tier zero, or you can make a new class called administrative accounts or storage administration. And you can move accounts into that and classify them, and then see all the stuff that's still unclassified, to better identify things that you need to have controls on. Perhaps you identify a group called workstation operators, and they actually have local admin access on thousands of desktops. Well, you might want to classify that and put a control around that, so that anybody in that group has some sort of approval mechanism that's required to put them in that group, and monitoring of the membership of that group. You might not have been monitoring them because you weren't aware of the level of access they had. So that kind of thing is exposed.
Help desk operators or these other groups you might have, you might not realize what level of access they have, through inheritance, for example. So Forest Druid is a really nice free tool to identify that. It requires a little bit more technical expertise, just to understand the AD structure. But they're both really easy to run. They don't install anything. They don't give us any data, and you can run them any time you want. And Purple Knight, you don't even have to run with elevated permissions. We actually recommend you run it with a regular user account. So you get a real assessment of what a regular user could see, what they can visualize in Active Directory. And it's really important, again, to protect these systems. And the more you can lock down and identify some of these gaps and vulnerabilities, the more you're protecting your Active Directory security posture. So one of the main things that we talk about, probably the thing that resonates the most, as I've already mentioned earlier, is Active Directory forest recovery. A lot of people don't even know what it is, and there's management that might rely on their staff to handle this stuff, but they don't necessarily have an understanding of all that's involved with that. It's a complicated process. If you need to rebuild Active Directory, like I said, there's a guide from Microsoft. It's been around for many years. One of our founders, our CTO, actually coauthored the document that Microsoft uses. He used to get flown around by Microsoft to do forest recoveries. So there's a lot of need for this, but little expertise at a low level, the really technical level. So, broken down, it's about twenty-eight steps. Like I said before, it says it's a multi-threaded rebuild process, but it's single-threaded per domain.
So for each domain, you start a recovery, you bring up a DC, and you have to do all this other stuff before you even promote the next domain controller in that environment. So there's a lot of opportunity to have issues and rebuild problems. If you miss a step, if you do something incorrectly at some point, you have to go back a little bit, or sometimes all the way, to start over. So it's very tedious, very prone to error. It's a high-level process, and when you map it out, like I said, it has links to other docs and appendices. Multiple appendices are needed, and it's about a hundred and fifty pages. Entirely manual. Microsoft has no way to automate that. So you might have existing backups, and that's a good thing. You do need backups. So our solution complements existing backup solutions. What our products do is just focus on AD. But your typical backup is going to back up directory services, Active Directory servers, for example. But there's not a process that follows that Microsoft Forest Recovery Guide in the event of a disaster recovery. For example, I mentioned earlier, at a previous company I worked at, somebody deleted the AD-integrated DNS zone, and the whole company was down. Well, we could recover that from a backup, but there's a bunch of steps you have to do to make an authoritative restore, to restore that data back into Active Directory properly. So it's not just simply mounting a backup and loading it in. You have to do some additional steps to create an authoritative restore process on a domain controller. So it's something that, I would say, most junior admins have never experienced. They might understand the process if they've seen it a few times. But most people just don't deal with that. They don't have to do those sorts of recoveries, so the expertise for that is missing out there in the wild. When we talk about the recovery again, we're talking about the whole cycle, and this is where the delays come in.
First of all, again, calling back to an earlier slide, a lot of companies... I think the percentage that was on that slide we had from back in 2020 was thirty-three percent of companies hadn’t even tested a recovery plan, whether they had something documented or not. That’s a huge number of companies. So you’ve got dwell time stuff that’s sitting out there. And I think today you might find the dwell time is actually less, but still there’s dwell time. When Maersk got hit (I just call out that one because I’ve heard that one so many times), there were several days of dwell time. They weren’t exactly sure, but it was multiple days that the malware was sitting there before it got triggered. So it’s already there. It wasn’t being detected. It was effectively a zero-day type of an attack, and then the encryption starts happening. That encryption happens so fast that they couldn’t shut down the systems fast enough to stop it. It literally propagated in minutes. So once that’s happened, because of the advantages of networking, the network speed facilitated the downtime, the hit, the cyberattack. So they were impacted everywhere globally, almost immediately.

Then you’ve gotta identify what’s wrong. Right? People have to respond. You have to collect your teams, and then you’ve gotta start working on your incident response plan, if you even have one. If you have cyber insurance, you have to engage them. Sometimes you have to wait for the cyber insurance to make sure, before you continue on, that you can continue on, that you’ve got the coverage in place and everything ready to go before you go on to the next steps. And if it’s a cyberattack, you may wanna do the forensic analysis. Some companies skip this, and they just start over with a greenfield type of recovery. But you still have to analyze that AD structure because you don’t know how the bad actor got in, if accounts were compromised, or whatnot.
So this also applies to... and, you know, this is focusing on AD a lot, but those IoT devices that get deployed are typically getting deployed from a system that’s tied into Active Directory. So they may not be connected to AD. The manufacturing line systems, the ones we used to have, were like Windows XP, a special version of Windows XP. They weren’t necessarily tied into AD, but they were deployed through an AD system. And at some point in that process, there was access available, even if they were eventually moved to another network. There was a point when they were available. So you’re potentially propagating systems with credential issues or malware onto other environments, into other networks. Even though the network is isolated, the one it came from is not. So that all factors into this middle section here.

And then the recovery. So the recovery that we typically see for customers that have no solution, that just have backups, is days, many days, sometimes weeks. Maersk, again, I’ll just keep using that one. First of all, they were having to identify a system, which they finally found. Once they got that directory server up, they had to fly it in. I think they flew it from Africa to the UK, and then they had to spend all the time using what was now a gold image for AD to clean that and then propagate that back out again across their infrastructure. So this deployment can take a really long time. When you have to recover from a backup, it’s even longer because you have to mount that backup and, like I said, go through those restore processes. And then you’ve got the data recovery piece. Depending on how long AD has been down for, you’ve got, like I said, that churn. So by the time you finally get things recovered, you might have account expirations, computer account expirations, trusts, or some other things that could have been impacted.
There’s a lot of downstream impacts from having AD down and not updated for a really long time. Certificate expirations, if you have AD-integrated PKI, and a lot of IoT devices would have certificates on them, for example. And some companies are implementing that through an AD-based PKI solution. So they’re managing all the certs through AD-integrated PKI, and those certs can expire. If you have a shorter expiration time, during that period you could have certificate expirations. You have to deal with that as well. So, ultimately, more outages than the data recovery, than all the post-recovery stuff you have to do, the cleanup and getting everything back in sync again. So overall, it’s a huge process.

The other thing is, in the Q&A there’s a question about Entra ID recovery. That’s also going to fit into this, potentially. The Entra ID piece could be totally isolated just by way of how things happened, but some data could get synced up to Entra ID, or Entra ID could be compromised by bad actors getting in there and hard deleting stuff. So Entra ID backups and recovery are really important as well, and a lot of customers don’t even realize that the Entra side is not protected by Microsoft as far as your data. They make it very clear your data is your responsibility. They only provide infrastructure, capabilities, and recovery. So if a physical server has a problem, they can recover their infrastructure. But if your data is impacted, that’s on you. So that’s something a lot of companies don’t realize, or they realize it but they haven’t really factored in some of the needed thought around how to manage that recovery aspect. They assume the on-prem sync’s gonna take care of everything. That’s not the case. There are unique cloud-based objects, especially if you have policies and Intune and other services that you would have in an OT environment for IoT deployments and management.
You might have, or probably would have, Autopilot and Intune, and those pieces are only in the cloud. That has nothing to do with the on-prem AD at all. So you might have conditional access policies and things like that that you have to recover if a bad actor is going in and maliciously deleting things. So I think I covered all the backup stuff here, and I covered the rebuilds. I’m gonna skip over to this one.

You can rebuild from scratch. This is probably the worst option. What happens as you start thinking through this process, when you’re doing a thought experiment here, is that AD has probably been in place for many years. All of the customers I’ve worked with since I’ve been at Semperis have had AD for at least ten years. Most of them are fifteen or twenty. You can imagine the structures that have been created in Active Directory. The OU structures have ACLs, protection mechanisms upon them, access policies. All that stuff is not gonna get carried over if you’re rebuilding from scratch. You will have to recreate all of that. So all the user accounts, all of the security descriptors, all that stuff has to be recreated from scratch. That would be an overwhelming task. It would take a really long time to do a greenfield recovery, where you’re basically redeploying everything from scratch. Most companies are not gonna wanna do that unless they’re really, really small. It’s just impractical. So a company that’s really large and doesn’t have a good recovery capability is probably gonna just suffer along with problems in their Active Directory versus trying to do a greenfield, brand-new AD installation. It’s just an overwhelming endeavor to do a brand-new installation. And that carries into the cloud too. This is showing the Entra piece.
I should mention too that if you’re syncing on-prem and now you go to a brand-new Active Directory, that’s gonna affect the synchronization between the objects from on-prem to the cloud because you’re not gonna have anything that matches up. So you have to manually match those items now. And, again, for just a couple hundred, maybe that’s not a big deal. But if you’ve got thousands or hundreds of thousands, you’re not gonna wanna do that. That’s just way too much work. So it’s not just about the data in AD. You have to consider the other aspects, the Entra ID component, for example, and all those protection mechanisms that you’ve set up across potentially hundreds or thousands of devices. All that’s gone if you start over from scratch. And I mentioned already the Entra sync is part of that as well.

And I’m just reading through the Q&A to see if there’s anything relevant here. Yeah. So somebody also asked in here... I’m gonna answer one of these questions in a minute. I’m getting to the point of talking about the backups. We’re talking about the AD backups and their lifetime. Because of the churn in Active Directory, things change quickly over time, especially in a larger environment. We had probably, I wanna say, ten thousand to twenty thousand changes a day at one of the companies I was at. You can imagine that over a few days to a week to two weeks. That’s a lot of data that you’re losing if you’re going back in time to get what I would call, air quotes, a good backup. If you’ve got some malware you discover, and it’s been in there for a week and you gotta go back two weeks, that’s a long time to lose as far as your Active Directory and what has been changing. And that includes the security principals and account trusts and certificates again, and a bunch of other stuff. There’s a lot of things that can be changing: DNS, object attributes, group memberships from HR, all that kind of stuff.
That’s all changing. So there’s a lot of what we would call churn in that environment. And the farther back you go, the loss becomes exponentially large, and so it just becomes impractical. You end up effectively having to spend a ton of time rebuilding things to get them back in sync again, and it’s a very difficult process to manage. And then you’ve got the sync piece, the Entra ID sync. That again is gonna be impacted. If you’re going back to an older AD, you’re gonna have things out of sync, and you have to deal with that sync process. I used to help manage our Azure AD Connect tool. And sometimes when we had to deal with these sync problems, it just took a lot of digging and figuring out what was wrong and then what we needed to do to get things working again. So you need to have that expertise. If you have to keep calling Microsoft for professional services help, for example, that can get very, very costly. So we typically are saying useful backups just go back about two weeks. If you go back more than two weeks, you’re just losing a lot of stuff. And the point of that is not that you shouldn’t do backups. The point is you need a more rapid recovery model that helps you get things back in place more quickly.

So these are the kinds of questions you have. I’m not gonna read through all this stuff, but these are the kinds of questions you need to ask before you have a crisis: the things I’ve been talking about, documenting the AD infrastructure, knowing which DCs have which roles, what kind of hosting you have, what stuff’s tied into AD, what your DNS is like, what the Entra ID sync looks like, and that sort of thing. You need to understand and document those things and ask these questions, and a lot of companies just don’t spend the time to dive in. It’s very tedious, but very important. And also what you restore as well. That’s also part of the picture.
So I already talked about this part, so I’m gonna go through this pretty quickly. But the time to recover is based on all those steps on that one slide, and this is just sort of a timeline. This is why it takes a long time when you have to do this manually. There’s a lot of pieces to this that you have to consider. You have to be prepared for it. You need to have some documentation ahead of time, and you need to understand how many people are needed to do this. It may take several people working at the same time. You might have ten or fifteen people working on this recovery because of the way the Microsoft process works. And you’ve got your traditional backups that are just doing one or two of the steps, and then you have to do all the rest of this manual stuff per the Microsoft Forest Recovery Guide. And I mentioned this as well: there’s just a lot of impact when you don’t have a good recovery plan, and a lot of companies haven’t really taken the time to implement and test something so they know how long it’s gonna take. So it’s ultimately better to prepare for the need for recovery. Again, it’s a risk assessment. You may be doing backups, like I said before, but you have to weigh this against what amount of time it’s gonna take to recover. So you need to consider all these factors as part of that recovery effort. And management needs to know what the impact’s gonna be as well.

Looking at sample situations, I’ve already cited, for example, Maersk back in 2017. But here we’ve got a victim. They were providing critical infrastructure. They had a lot of infrastructure available, lots of endpoints, and they were primarily making available physical infrastructure. The attackers were... or sorry, they were hit by multiple attackers at the same time.
It was a coordinated effort that was impacting this company, and they basically got into various areas of Active Directory and other systems within that by leveraging those accounts, and through vulnerabilities they made their way in. So it was quite an effort to get that recovery. But through a concerted effort, these groups with Semperis came together and were able to do recovery using our products. And we have an incident response team as part of this as well.

So this is what a real-life recovery looks like. I referred to some of this earlier already. Once AD is compromised... it’s a very messy slide. There’s actually an animated version that’s probably a little bit better to look at, but just for the sake of time here: you get compromised, and now you have to do basically two parallel tracks for a lot of companies. You’re doing the vulnerability analysis against your AD, and sometimes you have to leave AD intact, even though you know there’s bad actors in there, while you try to figure out a plan of recovery. And that’s one of the things that we’re able to do with our ADFR product. Our Active Directory Forest Recovery enables us to take backups of AD and do a clean recovery in a separate environment where we can do analysis, and you can look for AD objects that are compromised, or just eliminate the reintroduction of malware from the operating system because we don’t back up the operating system. We just back up the directory service. And then you can do some hardening. So in parallel, you can prepare an environment for recovery. Some companies opt to do that and just continue cleaning down stuff, but you continue to use the compromised AD at some point. If you have a parallel environment, you can flip it over and bring this back into production in a clean fashion.
So you’ve basically taken out the bad guys and the bad actions that were taken, and you have a clean recovery environment now for Active Directory. So ADFR is a very powerful tool for facilitating the ability to recover. The ADFR product, again, in summary: it provides a clean restore. It’s very rapid. It’s fully automated. So it basically gives you an orchestrated, automated recovery plan, which also would help with cyber insurance, for example, because you can prove that you can recover things and you can show how long it would take to do a recovery. There’s actually a time component to that where you can see the beginning and the end and have an actual assessment for your domain controller recovery. And it’s not hardware dependent. So if you’re backing up physical boxes, like in that earlier example, I can actually recover to virtual systems in an air-gapped lab. I can take all my data, put it in an air-gapped lab. It’s very portable. I can stand up a new ADFR server for recovery and have all or a subset of my domain controllers recovered in a protected environment. And we include some post-attack forensics in that as well.

And then on the Entra side, we have Disaster Recovery for Entra Tenant. It’s really important to protect your environment. That was one of the earlier questions that was asked in the Q&A: how important is it to back up your data? Well, Microsoft, like I said, doesn’t protect your data. That’s on you. So you need some solution. Most companies don’t have anything in place. With this, it simplifies disaster recovery because I get a regular backup of my Entra tenant every single day, and I can recover objects very easily. So even if these things are hard deleted, I can get a recovery of those by checking one or all of these and do a quick recovery. Basically, it’s click and restore, and it’s hard-deleted objects as well. So somebody could hard delete.
The hard deleting, if you don’t know what that means: there’s soft deleted and hard deleted. Soft deleted can be recovered with a recycle bin. Hard deleted cannot. Hard deleted, it’s gone. So you can do a bulk recovery of hard-deleted objects very easily with our Disaster Recovery for Entra Tenant, or DRET, we call it.

So the key takeaways here: there’s a lot of challenges to OT, IoT, and IT, and you have to identify what some of these issues are. You need to really document them so you can understand what is impacted, with some vulnerabilities and ways into your environment. Active Directory might be the weakest link because it’s so broad and tied into so many things. And then with hybrid attacks, talking about your identity space in the cloud as well as on-prem, you’ve got even more space to look at. So you need to find ways to identify those issues and address those issues more easily. So job number one is locking down AD, as I mentioned over and over. This means finding the security indicators and acting upon those, not just seeing them but doing something about them. And you need to scan continuously because things are always changing. Patches might introduce a problem. Updates might introduce a problem. An AD upgrade might introduce a new problem. So you need to scan all the time, and you wanna be prepared to do a malware-free AD recovery where, if you have a disaster, you can bring AD back without reintroducing any junk.

And there’s a couple of questions again related to this. If you do a backup with our product, for example, it’s not like a typical backup. It’s a full backup of AD every single time. So you’re getting a snapshot of AD and a point in time of all the data within AD. So if you need to recover back, first of all, you’re not recovering the operating system. So you have less to restore, so it’s much faster, and you’re not reintroducing any operating system component.
So if that’s where malware resides, you’re not gonna reintroduce that. So the question was, is there an accumulated backup every hour? You can schedule backups for however long you want, up to the time it takes to actually complete a backup. And then a recovery test every year. Somebody asked that. Yeah. We do a recovery test for our customers to make sure that they’re able to recover, but any company should do that at least yearly to make sure that you understand the process and you’ve practiced it and people know how to do it and what to do.

Last couple of slides here. I just wanna mention we have some other products. Again, I talked about Purple Knight and Forest Druid. Directory Services Protector is the one that’s sitting in AD and looking at changes and identifying issues with the indicators. The Forest Recovery product is basically facilitating a full forest recovery with a five- to six-click process. So it greatly eases the ability to recover Active Directory. And then we’ve got a migrator product coming out, and I mentioned Disaster Recovery for Entra Tenant for protecting your Entra ID data.

Last couple of things before we get to some Q&A. We have something called HIP Conference. We’ve had these every year for many years. This year, it’s gonna be in New Orleans, November thirteenth and fourteenth. It’s a technical conference. It’s not a conference to try to sell product. There’s a few sessions where we’re talking about our solutions, but overall we invite technical speakers to talk about different aspects of identity protection, Hybrid Identity Protection. And there’s some great speakers that are world-renowned, talking about different things in Entra, Active Directory, Hybrid Identity. It’s a fantastic two-day conference with a lot of technical expertise, and they bring in some really big names. So if you guys can go, our sales rep can tell you more about getting tickets or passes for yourselves or customers.
So that’s the end of my presentation. We’ve got a few minutes. I was reading through the Q&A here. I think I touched on all of the stuff that was in here. The other thing I was gonna mention, there was one other question about multiple AD forests relating to our product for Active Directory Forest Recovery. Our product can back up one or more forests and recover those, and it’s not tied to AD in any way. So you can completely wipe AD off the map, but our Forest Recovery can fully recover that with no problem. And I don’t know if the mics are open for people to ask questions, but I’m reading through the Q&A still in case anything comes in. If you have a question and wanna ask, I am reading the Q&A right now, making sure I didn’t miss anything. Yeah. And I think I covered everything else that was listed in here.

And just to stress on the backup thing, one of the earlier questions was, what if our DCs are isolated or not connected to the Internet? Why do you need to run an AD audit on them? Well, AD still has the vulnerabilities. And with these other systems tied in, somebody ultimately can get lateral access into your Active Directory environment. It’s happened many times where you don’t have Internet connectivity, but there’s other things that are connected to the Internet that ultimately connect to AD. One of the examples: during COVID, a lot of people were discovering how difficult it was, or how they needed to plan for endpoint protection for home users that were VPNing into the network. So they’ve got these systems at home that their kids may be using for gaming on questionable websites, and now they’re connecting to their internal work organization with a VPN, without having the same protection on this endpoint. So those kinds of things are called out, and you need to, again, consider those.

Somebody asked what topics will be the focus at HIP. I don’t have a list.
They just actually told me they released a list of speakers, but the topics cover all kinds of things: protecting Entra identities, protecting AD identities, talking about current vulnerabilities today. Eric Woodruff is one of our speakers that works here. He’s gonna be giving a presentation he just made at Black Hat, with a vulnerability he identified in Entra ID and what you can do about it. There’s a lot of different topics. Sean Metcalf, I think, is one of the speakers. If you know that name, he’s really well known in the AD world. He talks about a variety of things about AD protection and things you need to think about and current risks today. And we have a variety of speakers. There’s another couple of speakers coming in talking about hybrid identity management and government-related topics. There’s a lot of different technical topics. If you wanna get more information, I’m gonna go back on my slide here. You can go to hipconf.com, and you should be able to get more information there as well as registration information. And if you have a sales rep through us, you can contact them about the passes for that. But I believe they’re posting the thing. There’s also another slide of some of the benefits, why you would wanna come. You get CPE credits for some of the sessions. So there’s that as well.

I think we got, like, two minutes left. I’m still looking in the Q&A. I don’t know if there’s any other questions. And I wanna say, first of all, thank you to Redmond for allowing us to present this. I appreciate it, and hopefully everything went okay with my slide presentation. And if you want more information, you can reach out to us, and we can provide you with any technical, sales, whatever you need regarding our product suite. And I don’t see anything else. Oh, do we get free credit for this one? What do you... oh, CPE. You mean for the presentation we’re doing right now? I don’t know. I don’t think so.
But if you go to that conference, if you’re talking about HIP Conference, that’s one of the things they were talking about on the list of benefits: getting those CPE credits for attending. And there’s multiple sessions talking about different topics, like I said. So, multiple credits out of that conference. And I’ll have to get a list of that for the next time I do a webinar so I know what the talk tracks are gonna be. But there’s gonna be several. Like I said, it’s two days, multiple presenters every day, all day long.

Awesome. Rob, it looks like we’re at the bottom of the hour. Thanks for the presentation. That was awesome.

Yeah. Appreciate your time. Thanks for setting it up, and I hope you all have a good day.

Yeah. Thanks to the audience for attending today’s webcast sponsored by Semperis and presented by Redmond Mag. Have a great rest of your day. You’ll receive a recording in your email tomorrow. Have a good one.
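The authoritative restore that Rob describes for a deleted AD-integrated DNS zone (restore system state from backup, then mark only the zone subtree authoritative so the restored objects win over the deletion when replication resumes) looks like this on a single domain controller. This is an added example following the Microsoft wbadmin/ntdsutil procedure; it is not from the webinar or from Semperis. The domain name, zone DN and backup version identifier are hypothetical, and it assumes a Windows Server Backup system-state backup exists and that the DC has already been booted into Directory Services Restore Mode (DSRM).

```powershell
# Added example (not from the webinar): authoritative restore of one AD-integrated DNS zone
# on a single domain controller. Run from an elevated prompt while the DC is in DSRM.
# Hypothetical values: domain contoso.com, zone contoso.com stored in the DomainDnsZones
# application partition, and a system-state backup taken with Windows Server Backup.

# 1. List the available system-state backups and note the version identifier to use.
wbadmin get versions

# 2. Non-authoritative restore of system state from that backup.
#    Hypothetical version identifier; wbadmin uses the MM/DD/YYYY-HH:MM form.
$version = '01/15/2024-02:00'
wbadmin start systemstaterecovery -version:$version -quiet

# 3. Mark only the DNS zone subtree as authoritative. ntdsutil raises the version numbers of
#    every object under the DN so that, after reboot, these objects overwrite the deletion on
#    the other DCs instead of being deleted again by inbound replication.
#    Default DN of a domain-replicated zone; adjust the partition if the zone lives in
#    ForestDnsZones or in the domain naming context.
$zoneDn = 'DC=contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=com'
ntdsutil "activate instance ntds" "authoritative restore" "restore subtree $zoneDn" quit quit

# 4. Reboot into normal mode so the DC resumes replication with the restored zone.
Restart-Computer

# 5. After the reboot, confirm the zone is back and that replication is healthy.
#    (Get-DnsServerZone needs the DnsServer module, present on a DNS server role.)
Get-DnsServerZone -Name 'contoso.com'
repadmin /showrepl
```

Do this on one DC only; the other DCs pick the zone up through replication. The restore has to happen before the deleted objects age past the forest's tombstone lifetime, and the restored zone only reflects the state at backup time, which is the churn problem Rob raises: records changed after the backup still have to be reconciled by hand. If the backup is older than the tombstone lifetime, the restored DC will be rejected by its replication partners and this procedure does not apply.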
Speaker:
Rob Ingenthron, Senior Solutions Architect at Semperis, has been involved in the IT industry for more than 35 years. He specializes in Active Directory (AD), Windows security, and management and PKI solutions. Previously, Rob was a Senior Infrastructure Architect at one of the world’s largest contract manufacturing companies, where he implemented operational and security solutions, managed AD and AD security, implemented CIS Benchmark models, and implemented PKI solutions and processes.
