Fortify your Active Directory and Entra ID security posture
Attackers don’t break in anymore; they simply log in. Microsoft Active Directory and Entra ID sit at the very heart of your enterprise. They control access, privilege, data and operational continuity. When compromised, they give cyber criminals near-total control of your environment, which results in business disruption, data exposure, reputational damage, and operational paralysis.
In today’s hybrid IT landscape, identity is the perimeter—and it is under relentless attack. In this exclusive webinar, Semperis Solutions Architect Matt Hawkins delivers practical, battle-tested guidance on defending and recovering your identity infrastructure.
Learn how to strengthen your AD and Entra ID security posture, improve resilience, and ensure that even if attackers strike, your business stays standing.
We are live. Thank you very much. Live indeed. Thank you very much for joining us today, guys. We are here with Semperis, Solid8 and ITweb to talk about strengthening your identity resilience: fortify your Active Directory and Entra ID security posture. My name is James Francis. I’ll be your host for today’s webinar. And if you guys have been frequent visitors, attendees or viewers of the webinar, thank you for your support. You will know one of my pet topics is cybersecurity. I think it is an incredibly important topic. I think it’s a topic that is not just about technology. It involves everybody, but it is also a very technical challenge in every company. And the larger the company, the more technical it becomes. And for most enterprises, a lot of that security surrounds Active Directory and Entra ID. In fact, something like ninety percent of enterprises run that infrastructure on their systems, especially if they are on premise. And it is also what criminals target for a variety of reasons that I will get to in a moment. We’re going to unpack that today. We’ve got a great expert here from Semperis. They specialize in security around Active Directory and Entra ID. So a lot of good information coming up for you guys today. First though, thank you very much for joining us. If you have joined us before, really great to have you guys back. Really glad that you are enjoying the content. If this is your first time joining us, I always say this, but thank you for joining us and giving an hour of your time so you can find out more about the topic today, being Active Directory and Entra ID security. A couple of things to know before we get started. This is a live event and you are able to interact with us in the chat section. If you see the chat box on the side, please jump in there, say hi, tell us where you’re from, even if it’s just your company. Give comments on those topics.
And of course, you can pop questions in there if you would like our expert to reply to your questions. We’ll have a Q and A near the end of the webinar. In addition to that, while this is a live event, we are making a recording of today’s event as well. So you will be able to access the recording afterwards if you’d like to revisit these points, or chat to or show other people and get the word out there. Lastly, if you need to know anything about today’s event, if you’d like to contact our presenters today or our sponsors Semperis or Solid8, or if you need any other information about these events, you can contact the ITweb events team. The email address is events@itweb.co.za. So just once more: events@itweb.co.za. Reaching the presenters, a copy of the presentation, information about the video, information about the webinars: those are the guys who will be able to help you out. So thank you very much for joining us. And let us jump into the topic today. And as I say, it’s around Active Directory and Entra ID security. Now, as I said at the beginning there, ninety percent of enterprises use AD and Entra ID, specifically AD, especially where they also have legacy, on-premise architecture. And because of this, it is a very, very big target for cybercriminals. In fact, there have been studies made last year. They’ve noted a forty two percent surge in attacks targeting Active Directory for a variety of reasons. One of them is complexity. When you’re running a large organization with many, many accounts for thousands of users, as well as machine users, it is very difficult to keep an eye on everything. It is very easy for complexity to start getting in the way and create those little holes that cyber criminals climb through. More specifically, actually, a lot of the attacks usually are not directed at Active Directory first. Sometimes the guys first try to get into the system via a phishing attack or something like that.
Then they go after the AD systems, and that allows them to really spread into the organization. If you can think about it, the phishing attack gets you into the foyer. Active Directory gets you into the rest of the building. And how do we fix this? How do we make this more secure? What should you know about these attacks? Because we cannot abandon AD. It is a great technology. We also have Entra ID, the newer development from Microsoft. It gives more of a zero trust perimeter effect as well to their security. Plus, we do know Microsoft invests a lot of money, billions, into creating a good solid cybersecurity posture, cybersecurity technologies, etcetera. But it’s always an issue of complexity. If you’ve watched that trailer beforehand, which we’re gonna chat about, Midnight in the War Room, there’s a line in there that I really liked where they said cybersecurity needs to be correct a hundred percent of the time. Cybercriminals only need to be correct once. How do you catch them? How do you stop that once from happening? Or if that once does happen, what can you do about it? We are going to be unpacking this today with my guest. He is dialing in from the UK, senior solutions architect at Semperis, Matt Hawkins. Matt, how are you today?

I’m very well. Thank you. Yeah. Good to meet you all. Just having a bit of trouble with my video.

No problem. I mean, we don’t need to see you. That’s alright. No problem at all.

No one wants to see my face anyway.

When we get to Q and A, we’ll refresh. We’ll get you on there. But I think what the guys want to get from you today is the topic at hand. So we’re going to jump into your presentation. Guys, pop your questions into the chat. Let’s chat in the Q and A later. With that, Matt, over to you.

Yeah. Thanks very much. Yeah, it’s good to meet you all. So just to introduce myself, my name is Matt Hawkins. I’m a senior solutions architect at Semperis.
I’ve been in the Active Directory space for almost twenty years. And then lately, it’s more into Entra ID. And just a bit more about Semperis and who we are. We protect over one hundred million identities today, and we’re trusted by leaders across health care, financial services, retail, public sector and critical infrastructure. We’re very fortunate in that we have over one hundred and fifty years of Directory Services MVP experience, a lot of people that have joined Semperis from Microsoft that really enjoy, you know, really integrating themselves into the project and what we’re trying to do. And, you know, we’re recognized by Gartner, Forrester and Frost & Sullivan as a leader in that AD security space, ITDR, and cyber resilience. So what I’m gonna do is I’m gonna jump straight in. So I think, you know, we all recognize this, right? We’re aware that the traditional perimeter is gone. Okay. Identity is really the only control plane that we have left. Right. And often when we’re speaking to security leaders, we hear those kind of universal challenges across every company, regardless of that kind of vertical market. On one hand, you’ve still got to protect that old perimeter, and that still remains important, and all those legacy environments. But also, we need to help the organizations embrace that digital transformation, support that adoption of cloud applications. You know, and all the time, we’ve got to do this with limited staff. Right? There’s not endless hands on keyboards that we can rely on. So we’ve got to help reduce that complexity and try and add that automation as much as possible into there. And then the kind of second challenge or, you know, the final challenge I wanna talk about there is really, you know, you’ve got users logging in from all over the world, personal devices, access to sensitive resources. You know, you can’t control that infrastructure, all the applications running in the cloud.
So what can you control? Right? And that’s really where identity is becoming that kind of really important factor in any of those organizations. So why is that kind of AD security becoming a must? Right? You know, and I think the headlines speak for themselves. Right? And, you know, we say everything’s on the line, right? Data exposure, mass identity exposures, that leads to downstream fraud and phishing. Identity provider weaknesses. Okay. We have systemic choke points, right? Cross tenant risks, cross Active Directory risks, they’re all there. You know, vulnerable populations face exclusion when identity fails. Right? If you think about it, every app, everything that you log on to, from your bank to your Ticketmaster, all of those things rely on identity somewhere down the line. Right. And then, you know, couple that into kind of corporate talk, you know, it’s where our IP lies, right, behind that identity. And just a quick summary of things that we found, right? Yeah, eighty three percent of ransomware attacks compromise the IAM infrastructure. Right? It’s where people aim for, okay? That IAM infrastructure. They know where those weaknesses are. They know where those easy access points are. Sixty nine percent of successful ransomware attacks result in ransom payment. Right? That’s a scary number to be thinking about. Like sixty nine percent of those attacks result in that payment. Okay? You know, fifty five percent pay multiple times, but there’s still no guarantee of getting those decryption keys, right? So think about that as kind of the financial burden on organizations and the impact to organizations that ransomware can have. You know, so that’s come from our kind of twenty twenty five ransomware risk report. We also did a Purple Knight report, and we’ll talk about Purple Knight in a little bit. But, you know, sixty one percent is the average initial AD security score that we find with organizations. Right?
So there’s a lot of work out there to be done across the industry, across the Active Directories and Entra ID environments that we have deployed across the world. There’s still a lot of work out there that we can do to help secure that. So really, what are we talking about, right? You know, yes, Entra ID, right? That’s a zero trust kind of model. It’s where we’re all kind of heading to. But we’re kind of in this middle ground, right, where we’ve still got Active Directories connected to those Entra IDs. Okay? So you’ve kind of got that XDR responsibility, which is kind of looking at that phishing, preventing that kind of initial access into the environments. Right? But what if those fail? What if those are exposed? Okay. You know, then what we’re finding is people will head for the Active Directory. They know where that area of weakness is, right? And you’re talking about a technology that’s twenty six years old, okay? It’s well known within there. You can easily go onto the internet and find out what those default groups are that are created within Active Directory. They’re the ones that you kind of want to aim for within your organizations. And the problem there is that if our Active Directory is then connected to our Entra ID, that path of escalation becomes quicker, right, for any attacker that gets into the environment. Right? So, you know, at the point they can compromise those AD joined systems and the database, then they can use that domain dominance to escalate into that cloud identity or into Entra ID and compromise those users. And then you kind of get into that area where actually threat actors start to exfiltrate organizational data. Right? Take the data, then run the encryption, run the ransomware, and really ruin your day. So really, the key is what we need to do is help solve that problem around the Active Directory.
And that’s not just around protection, right? It’s about resilience as well. Okay? And really, this is where we want to kind of get into what are the results of those attacks, right? So, you know, if the worst happens and an attacker does gain access, okay, you can no longer trust your Active Directory. Okay? Twenty to fifty two days of malware dwell time within there. They could be in there well before you even notice them. Okay? Useful backups is less than fourteen days. Okay? Think about that. Your Active Directory, your identity provider, is changing all the time. Okay? That means the ability to go back further is very, very difficult without some severe data loss. Okay? An AD can’t be trusted at that point, right? If something happens, you can’t trust that AD; you’ve got those backdoor accounts that may have been created in that environment, installed malware, you know, that’s all going to have a severe impact on the organizations. Right? Remember, admin rights to one domain controller in the environment essentially equals access to the entire forest, access to your applications in there. So it’s something that we absolutely need to take care of and minimise that risk as much as possible so that we can protect our environments. So hybrid identity risks, okay, what can we do? Right? And that’s key, okay? Implement good identity processes. Right? And this means, you know, taking care of identity lifecycle management, right? Making sure that all of the objects, all of the user accounts, whether they are human identities, whether they are nonhuman identities, are following those good identity processes. I.e., if that account is no longer needed, we’ve actually made sure that we’ve disabled that account. We’ve removed that account from being a problem in there. So removing inactive users and computers. Okay. Regularly review that sensitive access. Right.
We’ve seen this many times before where organisations implement good identity processes, but then they don’t review them on an ongoing basis. How can we constantly improve? The threat is always changing. Therefore, the processes that we have need to change as well. Service accounts, I mentioned non-human identities: make sure strong random passwords are set regularly. You know, beyond that, using managed service accounts, use the things that you have with the tools that you have within Active Directory to make sure that you’re using, you know, say group managed service accounts, right? They go a long way to help solve those issues. Implement good trust security, right? SID filtering, all those. If you’ve got trusts between your Active Directory forests, then really, you know, concentrate on making sure that you’re securing those in the best way. Right? Enabling things like selective authentication across those environments would be key. And Kerberos, right? Kerberos is a massive thing within Active Directory. You know, when we think about authentication, something that we see in organisations a lot is that there’s a special account within that directory called the KRBTGT account. Okay, it’s responsible for generating service tickets within Kerberos. Make sure that’s reset. Right? There’s great information, great scripts out there in the wild that can help you with that. And that goes a long way to making sure that you don’t suffer from a Kerberos attack. Okay? Plan for recent Kerberos security enhancements. And these are coming from Microsoft, right? So moving the encryption from RC4 and moving Active Directory beyond what it’s been there for the last twenty five years, that change is coming. Okay? And it’s worth reading up on it, making sure you understand what those changes are gonna mean to the organizations.
Microsoft have done a lot of work around adding things to the event log so that we can see where those technologies have been added. Right? Same for things like NTLM as well. Right? Microsoft is deprecating NTLM. You know, you’ve gotta harden your Active Directory through that patching. You know, minimize that privileged group membership, right? Think about this. Microsoft call it tiering. You know, minimize those privileged group memberships, making sure that, you know, one person’s standard user account doesn’t have tier zero access into domain controllers. That’s done via separate accounts. So separation of those accounts, remove those administrative privileges, you know, where you can, especially for things like non-human identities and service accounts. Right? And think about that kind of least privileged access that you need. And really, that starts to come in what we call that kind of pre-attack stage, right? And Semperis has another technology, you know, automated exercises, run continuously against your AD environment to spot those weaknesses before those attackers can exploit them. Right? Our security research team regularly publicizes new indicators of exposure and compromise to test your environment for those vulnerabilities, all of which align to the kind of MITRE ATT&CK and other popular frameworks. You’re going to get that severity score. It’s going to give you that information to give you that initial pass of where your security lies within the organisation. Right. And this is something that anybody can do today. Right. And even if you just run it once, it’s going to give you a lot of information around where I am, where my weaknesses are, where my exposures are within my environment. And to do that, we have a tool that we call Purple Knight. Okay? So this is a tool that you can download. It’s free of charge. You don’t need administrative access to run it.
Okay? But what it’s going to do is very simply going to run across your Active Directory or your Entra ID environment and give you that initial view of where you are. Right? Think about it in terms of: if you’ve got all of that information there within the Purple Knight report that will be an output from running this, it’s gonna give you where those weaknesses, where those misconfigurations lie within your Active Directory and Entra ID environment so that you can start to think about the remediation of those. Okay? Now, you know, that can lead up to a forty five percent attack surface reduction. Okay? So, you know, download it. It’s available from the Semperis website where you can then simply download it and run it. In combination with that, we have what we call Forest Druid. Okay. Now Forest Druid is a tool that allows you to start to look at those tier zero assets, things like your domain controllers, things like your domain admin groups, those privileged groups within your environment, and gives you a visualization around what is the path that an attacker can use to compromise that tier zero. Okay. Again, arming you with the information that you need. Right. And Forest Druid is going to give you that ability to identify and classify those attack paths within Active Directory. Okay. You know, it is a sort of process that leads you to essentially have two lists: objects that will continue to have access to tier zero within your environment. Okay. Then they are the objects that you need to protect, right? Because they themselves are those tier zero objects that you need to take care of. Right? And attack paths that can be remediated, right? That visualization is going to allow you to see where those risky attack paths are to your tier zero assets so they can be remediated, and then you can reduce that attack surface within there.
You know, with all of that going on, what’s key is also how to be resilient. Okay, that ability that if something happens, and it may, you know, with all those tools and assessments that we do, with all the processes, that may not be enough, right? So remember, and going back to James’s point, the attacker only has to be successful once, right? You as an admin, or whoever has responsibility for that identity provider, you have to be successful every single time. Right? So it’s important to make sure that when that incident does occur, you know how to survive that attack and get back to that trusted operational and functional state. Okay. And really, these are some of the rules that we kind of want to, you know, impress upon you. The key thing is develop a step by step recovery plan. Understand what you need to do and what you need to prepare and how you’re going to respond to that environment. Okay, when we think about pre-recovery, think about communication plans, right? Who do I need to notify? Who needs to be involved in that incident? Right? Think about out of band communications, right? If we’re thinking about my identity provider being down, I can’t get into my Teams, I can’t get into my email. Okay. What is that out of band communications? How will that work within your organization? How do I get the right people to where they need to be so that I can deal with that incident? You know, when we talk about pre-recovery, you know, shut down all the DCs. Right. The easiest way to stop that kind of movement, stop that attack, is to shut down those DCs. Okay. And then you need to kind of retrieve, identify and validate the appropriate backups. Okay. And we would always recommend kind of two for each domain within a few hours of each other. But make sure you understand when you’re preparing for an attack: how do I get to those backups?
Are my backups protected in such a way that they are going to be available in the event that I need them? You know, initial forest recovery. Okay. And it depends on the size of your Active Directory, but most organisations will have a number of domain controllers within the environment. Remember to be prepared and start that response. I may not need all of those domain controllers back first. Okay, I need to get back to the point where I’ve got enough domain controllers in my environment that I can start that post-breach forensic and security assessment and start to understand what happened within that event and how do I prevent that? How do I then prevent that from reoccurring within my environment? Right? So think about the plan of that recovery. And that may not be the entire set of domain controllers that you have within the environment. It may just be a selected number that you bring back first. So again, think about that plan of how I’m going to bring those back. You know, once we’ve kind of done that, we’ve got to clean up. We’ve got to verify that everything is back to where it was. And that could be helping with your kind of incident response teams. But it’s also about hardening that environment to make sure that that can’t happen again within your environment. Okay, once you’ve done that, and that’s probably going to be the most complex task that you’re going to undertake. And again, tools like Purple Knight and Forest Druid can help within those situations. Once you’ve done that, you can start to scale up, scale out, right? Then you can start to bring back the rest of the organization, to bring back reintegration of my applications back into Active Directory at that point. Okay. And then you’re going to kind of go through that kind of wrap up process, understand what happened, what are those lessons learned. Right. But I think the key message from here is practise, practise, practise.
Okay, go through those what we call tabletop exercises, where I’m going to run through that scenario of what we do from a kind of pre-recovery right through to that wrap up. Okay, and involve the members of the team that you need in there. That may not just be IT, that may be legal, that may be communications, it may be areas in your board that you then need to involve in those exercises so that everybody understands what their role is within that process. And really that kind of brings us on to what we call the kind of post-attack or after attack, what happens. Okay. And what we’ve done is, you know, we need to be prepared for that worst case scenario. Okay. You could be doing everything right. Okay. But, you know, something happens that causes your organisation to get encrypted, you know, it can happen in under ten minutes. So you must have that ability to recover quickly. And what we’ve done within Semperis is kind of looked at that from a cyber first approach to how do we get back our Active Directory. Okay, so automate. So the ability to automate that forest recovery process in just a few clicks, avoiding that human error, dramatically reducing that downtime, okay? And what we figured out is that actually, we can decouple Active Directory from the Windows operating system during that recovery, which means we can ensure that clean malware-free recovery and completely avoid any of those compromised executables from reinfecting that recovered system. Okay. And even when we’ve kind of, you know, got that recovery process, because we’ve decoupled AD from the OS, from the operating system, it means that, okay, if we need to recover, you know, maybe our production DCs are running on physical hardware and we want to restore them to AWS or Azure or Hyper-V, VMware, it doesn’t matter.
We’re going to give you that ability to make sure you’ve got real flexibility on where you recover that Active Directory to, right? And even when we finish that recovery, we’re not finished, right? As part of that cyber first approach, our post-breach forensic capabilities help you close those doors and eliminate that persistence that the attacker might have left behind within your environment. Okay. And all of that, we back up with a kind of elite staff of battle tested incident responders, many of whom are Microsoft MVPs. That’s going to give you that help; it’s going to be that hand that you can hold all the way through that process to make sure that you’re set up for success and get your organization back up and running. I think, you know, when we talk about this, you know, what do you need to do? Okay? I think backup Active Directory and prepare for that recovery. All right? Back up every domain. Okay? Many Active Directory environments are multi domain infrastructures. Okay? You know, and so you need to make sure that you’ve got every domain. Okay, the most important will be the root domain that you have. Okay, making sure you’ve got a backup and the ability to recover that root domain. Because without that root domain, you can’t get back any of those other domains within that. We’d always recommend you back up two domain controllers per domain. Okay. You know, yes, you can get away with one, but our recommendation is back up two, give yourself options, right? Don’t back yourself into that corner. Test those backups regularly. And I’m sure everybody has heard this time and time again. But you’re doing two things. One is you’re making sure you’ve got that ability and confidence in your backup system that you can recover that Active Directory, but also you’re creating muscle memory, right?
The ability to, if you’ve done it time and time again, and you’ve done practice, practice, practice, when it comes to a real incident, you know that you are ready to actually undertake that task. Okay. Use supported backup methods, right? And this is key: understanding what those supported backup methods are from Microsoft. Right? You know, I’ve seen ADs recovered from snapshots and they’ll work initially. And then in one, three, six months, they start to have issues because that forest is not being recovered in the correct fashion. Right? So understand that when you’re thinking about backing up the Active Directory, it’s backing up... Sorry, I’m on the wrong slide. You’re backing up in the right way and you’re using the processes that Microsoft outlined, the guidelines that Microsoft provide around that Active Directory forest. Ensuring backups are malware free, right? And, you know, when we talk about Active Directory, this is really about limiting what you’re backing up. Okay, just back up the components you need for that Active Directory recovery, which is the Active Directory database itself. It’s some registry keys. It’s SYSVOL, where all your group policies reside. It’s where maybe your login scripts reside. So make sure you keep what you need in there to a minimum, right? Backing up components of the operating system is going to be high risk, okay? Because that gives you the opportunity to introduce malware into those backups, which means essentially when you come to restore those backups, the malware is going to be in those backups. Keep offline copies of your backups. Again, I think this is an age old story that we keep telling. We still find organizations don’t do it, but make sure you have multiple copies of those backups, right? Or those backups are stored on immutable storage, right? So they can’t be tampered with, right?
So having access to those multiple copies, you know, air gapped, offline, whatever you want to call it, but make sure that they’re kind of ready for recovery. We’ve got lots of options today, you know, things like Azure Blob Storage, backup vendors providing us with immutable storage; they can all be used to help protect that Active Directory environment. I think the key thing as well is be ready for anything. Right? Recovery tasks can come in many forms. Right. You know, and that could be an operational disaster. Okay, accidental deletion of AD objects, right? Use the Active Directory Recycle Bin. Okay. Or you might have to go back to an authoritative restore from system state, which is going to be a real pain. But making sure you have that ability, that kind of object level recovery, within your capabilities. What do you do if a single domain controller is broken? Right? You’ve got domain controllers not processing logins. Maybe it’s got a corrupt database on there. Okay, how do you recover from that situation? Right? How do you get that domain controller back up and running? Right. Think about that type of scenario. Recovery of partitions, right? In many Active Directory environments, you’re utilizing AD integrated DNS. And, you know, that’s what we call an Active Directory application partition, right? What are you doing? If I need to recover that single partition, do I have that capability within my backup and recovery process? Okay. Can I do that? Can I do it easily within my environment? Okay, think about that. And the big one is forest recovery. If I’m coming from an incident where my Active Directory is brought down or, you know, I’m suffering a cyber event that leads to a total loss scenario. Okay, think about what those steps are. I need to recover my Active Directory forest from scratch. Okay, what do I need? How do I do that? What is the process that I need to go through on that? Okay.
And remember, different recovery scenarios will cover different tools, like I’ve mentioned Recycle Bin, okay? Or third party tools that are tracking those changes within Active Directory, that then give me the ability to restore those kind of object level or attribute level changes within my environment. Okay. Think about, you know, does it need to be an authoritative restore or does it need to be a rebuild? What do I need to do then? Think about those various scenarios that may play out within your organisation. Sit down and think about these and what are those scenarios that I need to cover within my environment and what type of recovery I will need to perform. Okay? Know attribute sources. Many Active Directory environments are populated via external systems. That may be HR systems, it may be part of your identity and access management system in there, but know how those attributes are getting populated. Right. You know, they could be the source of the problem. Right? So understanding and knowing the processes, what is writing to your Active Directory? Which applications have rights within your Active Directory? And knowing about those sources is going to be key within there. Okay. You know, and I’ve talked quite a lot around that prepare for AD recovery. Right. Think about what you need in that. Right. Topology, disaster topology, understanding your AD topology. Is it documented? Do I have it? Do I have it available to me in the event that something happens? Right. Any disaster recovery passwords. What do I need to perform that recovery? Make sure that that’s kind of available to you. Think about where you’re going to store those. Okay. In the event that, you know, think again from a total loss scenario, if I have nothing available, do I have access to all of that information? Know your DNS topology. Active Directory relies on that DNS topology. Okay.
You know, if DNS is integrated into AD, understand how that operates within your environment. You know, if you’re using external DNS, how does that affect my recovery process? Okay, because that’s going to add complications to it. So understanding what you need to do in that event is going to be critical. Reduce the number of OS versions of your DCs. I see a lot of environments, you know, they’ve got 2008, 2012, 2012 R2, 2019, 2022, 2025 servers within that AD, right? That’s going to increase the complexity around your recovery process. Okay? So by reducing the OS versions that you have on domain controllers, you’re automatically making life simpler for yourself, because I know what operating systems I need to prepare so that I can recover those domain controllers. Okay? You know, you can’t restore a 2025 Active Directory database onto a 2022 server, okay? So, you know, understand what the OS versions are, and where you can, reduce those OS versions on those domain controllers so that you are making life easier for yourself. And I’ve talked about the next one, backups of relevant AD data, you know, two domain controllers per domain in your forest, making sure you’ve got those backed up. Right? Make sure that you have access to the Microsoft AD recovery guide. Make sure that you understand that recovery guide. And this is really where practice is gonna come in. Okay? And if you need to run through that 100-page document, 28 high level steps, make sure that you understand it, you know what’s going to happen within your organisation when you actually need to use it. Make sure you have that maybe even printed off, right? So that you’ve got that available to you in the event that you can’t get to the online version. So what does an Active Directory Forest Recovery look like? Okay.
And these are the 29 high level steps that you will take to get back to your Active Directory. Okay. But there are a few issues that this process has. Right? And if you consider that, you know, these are from the Microsoft Forest Recovery Guide, okay? It’s Microsoft’s guidelines. It’s your best approach for getting back to a recovered Active Directory. And you can see the complex steps that you need to take within that Active Directory and the order you need to take them in, right? So, you know, even when you’ve done that, that forest may not be trustworthy. You’ve still got to do that post breach forensics. Think about how you’re going to do that: once I’ve gone through this lengthy process, how do I get to the next stage? I need to prepare. Okay. And remember, you know, the clock is ticking all the time. You have to wait for those processes to finish before proceeding. If you make a mistake along the way, it could be back to step one. Right? And think about where I’ve highlighted step three. Okay, that’s where your enterprise backup solutions are going to sit. That’s what they’re going to do for you automatically. Right? The rest of these steps essentially are manual within that process. Right? If you’re good, that’s going to take you days. Okay. We’ve seen organisations where that can take months, with an average of around two weeks to that recovery. Right. And remember, if this doesn’t work, you’re still without computers, servers, phones, access to the building, everything. Now, what we do at Semperis is we help that situation, right? Giving you the ability to, you know, shorten that recovery by up to 90 percent by adding parallelization and automation into that process, and giving you those tools so you can perform those post breach forensics. Okay. So basically, you know, you’re going to speed up that process.
We’re going to automate all of those steps that you saw on the previous slide. I’m going to help you get back to operational status faster. Okay. Okay, very quickly. What are those key takeaways? You know, really AD is the foundation of Zero Trust. Okay? Even though you’ve got Entra ID in most environments, if you’re running in a hybrid environment, it’s still AD. Okay? It’s still that foundation of Zero Trust. An attacked AD can lead to an attacked Entra ID, right, and vice versa. Okay, escalation paths exist between those two identity providers. So make sure that you take care of that entire attack path management within your hybrid environment. Attackers are well adapted to avoiding endpoint security, right, and security logs. We see this all the time. EDR is still relatively easy to evade. Okay? So make sure that, you know, you’re not relying on those EDR solutions. Attackers will clear security logs, right? Make sure that you’ve got that information and you’ve got the ability to store that information elsewhere. Continuously scan both Active Directory and Azure Active Directory for vulnerabilities and fix them where you can, right? The key is to reduce that attack surface. That’s where tools like Purple Knight and Forest Druid will come in, okay? Yes, they’re one time scans, but it doesn’t stop you running those on a regular basis so that you can actually do that assessment. We also have tools that can provide you with continuous assessment of that security posture, automatically reacting to changes that are happening within your AD and Entra ID environment so that you can get that information quickly. And the key one is be prepared for the worst, right? Ensure that you can recover your Active Directory safely and quickly. Right? The rest of your disaster recovery plan will depend on it. Okay. In terms of everything you need to do, it relies on identity.
So identity is going to be that first thing that you’re going to bring back. And I guess we’re open to any questions. James, just a note, you’re muted.

I forgot to unmute myself. Thank you very much. So firstly, thank you to Matt there for giving some great information. Lots of great insights there. If you guys have any questions, please pop them into the chat. We’ll jump onto them now. Before getting to that though, firstly, this event today is co-sponsored by Solid8. They represent Semperis in South Africa. I’ve popped their email address in the chat there. Also in the chat, you’ll be able to get the links for Purple Knight as well as Forest Druid. And if you go over to the Offers tab, you will also see we’ve activated a link there. It’s not really an offer. You just click on that link, it will take you to the Purple Knight page. And then one last thing for you guys, if you go and have a look under our Documents tab, that is where the little paper clip is, where the files are, you’ll see there’s a 2025 ransomware risk report you can download as well as the 2025 Purple Knight report. Please go grab those and be more informed on what is happening out there. And you’ll also see there are some links on the screen there as well. So while we wait for some of the questions to come in, Matt, I do have some questions for you. My first question is, why is Active Directory still so popular? It is a technology that’s over twenty years old. Why do we still use it? What are the benefits?

I think the key one is it’s good at what it does. Right? It makes that management of identities, whether they be human identities, nonhuman identities, computer objects, it makes that administration easier, right, for organizations. Right? I think coupled with that, you know, many organizations are still running legacy applications that are gonna rely on that Active Directory. Right?
And that’s something that we don’t see changing in the next five to ten years. You know, there are so many legacy operating systems still out there today that will rely on Active Directory, that won’t work well with Entra ID. So, yeah, I think it fundamentally comes down to Microsoft having done a great job of giving us an identity provider that works for organizations and, you know, is self resilient. Right? You know, it can still operate even if one part of it is down. So, yeah, kudos to Microsoft on that one.

So very good technology. And you know, once you get something that works very well, it’s very hard to replace it. Yeah. We have a few questions coming in from the audience. So, just first, Billman, you’re just asking if we can share the presentation. If you can reach out to the ITweb events team, eventsitweb dot co. Za, and request it from them, they should be able to help you with that. Then looking at the audience questions here, Theo Molanoka is asking, does privileged access management assist in the pre attack preparation?

Yeah, absolutely. Right. And this is critical in your kind of hardening process. Right? And, you know, I think PAM applications absolutely have their place in that kind of being prepared. Right? So, yeah. And they go a long way to help in that kind of hardening process behind Active Directory. Yep. Absolutely have an important place to play in there. You know? And, again, it helps in that kind of tiering process, right, in terms of making sure that people only have access to what they need within that Active Directory, and it’s controlled. It’s monitored. It’s logged within that environment, what they’re doing.

Thank you. Rulani asks, can Purple Knight be run on CRM or ERP systems? I suppose it gets run on the Microsoft platform.

Yeah. It does.
So Purple Knight really concentrates on the identity providers themselves, whether that be Active Directory, Entra ID, or Okta. So, really, it’s just designed around the identity providers themselves rather than ERP or CRM applications.

Thank you. Faisal asked, is it typical to use both AD on prem and Entra on Azure?

Yeah. I, you know, I would say the majority of customers that I talk to today are what we call hybrid. So they’re using both Active Directory and Entra ID. What we do find is that, you know, we talk about what we call source of authority, right, which is where you’ve got Active Directory, and that is essentially feeding all of the identities up to Entra ID. Okay? And the majority of customers will still be running that configuration today. So Active Directory is important in terms of, hey, it’s the source of everything I have within Entra ID. Okay? So it’s very common that we still see that. Microsoft are doing some great work around giving you the ability to change those sources of authority between Active Directory and Entra ID. So you can initially create an object on premise in Active Directory, sync that to Entra ID, and then at a later point, Microsoft is now starting to give you the ability to say, okay, that object is authoritative in Entra ID rather than Active Directory. And that gives you a great way of thinking, okay, how can I lessen my dependency on Active Directory?

It actually sounds like a good future topic perhaps, you know, transitioning from AD to Entra ID, because I imagine it’s something you can stagger over your stack and slowly but surely do it. There is a quick question here from Tabang. But, Tabang, before I get to your question, I’m just curious. Is Entra ID better than Active Directory, or is it more contextual than that?

Yeah.
I, you know, I think with Active Directory, you’ve got that all encompassing identity provider where it’s gonna help you manage your devices as well, with things like group policies. Is it better? Well, it depends what you’re using it for. Right? And that’s the key. I think where we are is that when we look at it probably from a pure security perspective, maybe Entra ID is the winner there. Okay? Don’t get me wrong. It has its flaws. Okay? Every solution does, but it’s going a long way to fixing the problems that maybe we have within that directory today.

To be fair, security and security threats have evolved so much over the years. Obviously, you can only modify something until you need to relook at it. I suppose that’s a...

Yeah. And going back to your point that you say 90 percent of organizations use Active Directory, and they do. Right? So that makes it a prime target. If you change that from Active Directory, say 90 percent now are using Entra ID, that makes Entra ID a prime target. Okay? So those threats will evolve for both identity providers.

Thank you. Asks, how much are subscriptions on Purple Knight? Now I understand Purple Knight, it’s a free tool. Correct?

Yeah. Absolutely. You can use the links, and then you can download the Purple Knight community edition and Forest Druid community edition. And you can use those as many times as you want. They’re gonna create those point in time reports for you, but there’s no problem with you using those tools time and time again, over and over.

Fantastic. Is there any catch? I have to ask. You guys are giving these tools away for free. What’s the catch?

No. There’s no catch. Right?
It’s us trying to help the industry, in actually making sure that organizations have the right information so that they can start down that process of hardening that Active Directory, helping them with those pointers of where to start in that process. Right? And certainly Purple Knight is a great start down that hardening and remediation process for Active Directory.

So it’s creating awareness, understanding. Yeah. Thank you. Asks, can we integrate the solution, I assume Semperis, into disaster recovery?

Yeah. You can. But remember, any disaster recovery isn’t just about technology. Right? It’s about people and process as well. Right? So, yes, you can certainly integrate these solutions into disaster recovery. You know, you just need to think about what that process is around that disaster recovery. And that will be different for a disaster recovery for an application than it is for an identity provider. But, yeah, absolutely, you can integrate those solutions into your disaster recovery plan, how you can use it, and going back to that practice, practice, practice. You know, it’s gonna help you, and, yeah, certainly. Get them in there.

Says nice. He’s obviously very happy with that answer. So I’m sure they’re gonna try that out. I think we’re now closing the next year. So, Matt, I wanna ask you about this documentary Semperis is making, Midnight in the War Room. If you guys have not seen the trailer, it was playing in the lobby. You may have arrived a bit late. I’ll paste the link into the chat as well. But Matt, what’s this documentary about?

Yeah. Do you know what? I think it’s a great view. We’re kinda looking at, if we look at what happens during a kind of cyber event, we see it from the outside.
And, really, this is to help you understand what happens on the other side, what happens in those war rooms, and the types of decisions that people have to make in those critical moments. Right? And so it gives you a bit of awareness around, you know, what is happening, what are the pressures, and just gives you that kind of thing. It’s about making you think around, okay, how do I take the experiences of others, and how do I incorporate that into my recovery plans?

And I understand you guys are debuting this at the next Black Hat conference, and I suppose I should just watch Semperis to see where it will become available.

Yep. Exactly.

Brilliant. Thank you. Daniel Molysani has snuck in one last question. Thank you, Daniel. Could poor Kerberos configuration on Unix or Linux lead to an AD security breach?

Yes. Yes. I mean, it depends on the circumstances, but certainly, any kind of Kerberos that is integrated with Active Directory will certainly happen there. So it’s about controlling, you know, things like service principal names within your environment, understanding where that Kerberos is being used within your environment, and making sure you’re taking those steps to harden. Okay? And especially when it comes to Unix and Linux, understand the changes that Microsoft are gonna be making in the next few months around RC4 encryption and those types of things, because they may come into play when you’re thinking about Unix and Linux.

Fantastic. Thank you guys. It brings us close to the end of time. So just a reminder, you can go to the Files tab, download those papers. You can also go to the Offers tab. That’s a link that will take you to Purple Knight, a free tool to help you assess vulnerabilities and issues in your Active Directory environment. And of course contact Solid8, infosolidate. Ca. Za.
If you have questions about recordings, about the presentation, anything else, you can also reach out to the ITweb events team, eventsitweb dot co. Za. But with that, it’s been a great conversation. So I’d like to thank my guest here, Matt Hawkins, Senior Solutions Architect at Semperis, for giving us a lot of great advice and insight on Active Directory and Entra ID security. So Matt, thank you very much for your time today.

My pleasure. Absolutely my pleasure.

Hopefully we will have you on again. It was a lot of great information. But for now, to my audience as well, thank you, you guys, for joining us today. The questions were great. The attendance was great. And this information is so important. In the pre lobby area before we went live, Matt and I were chatting about how we keep repeating the same messages in cybersecurity, and it’s a tough time getting those messages out, and obviously the attackers keep changing, technologies keep changing. But the more we educate ourselves and make ourselves aware about what’s happening out there and how we can tighten it, we can do something about cybersecurity. Remember, cybercriminals, unless they’re very, very motivated for a specific target, always go after the softest target. So the more we harden security and the more we dissuade them and make it harder for them, the more they will go look elsewhere and maybe, just maybe, one day even quit the game. I don’t know if that’s being too hopeful, but you never know. But thank you for joining us today. This has been a webinar brought to you by Semperis, Solid8 and ITweb: Strengthen your identity resilience, fortify your Active Directory and Entra ID security posture. Please have a great afternoon. Have a great weekend. My name is James Francis. I was your host for today and really appreciate having you here. Thank you. Goodbye.
