Engage the world’s leading Active Directory cybersecurity experts to develop and implement comprehensive AD cyberattack preparedness and response.
Active Directory is the #1 attack vector in the cybersecurity threat landscape because it’s a lucrative target for cyber criminals. As the primary identity service for 90% of organizations worldwide, AD provides user authentication and access to business-critical applications and services. An AD compromise can cause weeks of downtime. Organizations that don’t adequately protect AD are likely to end up paying ransom to restore data and resume business operations.
Semperis, the pioneer of identity-driven cyber resilience for enterprises, offers breach preparedness and response services, combining insights from battle-tested Active Directory (AD) security and incident response (IR) experts with industry-leading solutions for preventing, remediating, and recovering from AD attacks. These services allow you to tap into Semperis’ expertise before, during, and after an attack, so you can benefit from our team’s decades of combined experience responding to cyber incidents.
Preparedness Services
Stay ahead of attackers with expert breach preparedness services, including comprehensive programs to uncover security weaknesses in your AD infrastructure and improve overall security posture.
Response Services
With 100 years’ combined Microsoft MVP experience in directory services, our team has firsthand insight into where the problems are in the case of an AD attack, along with deep experience and expertise in AD clean-up, risk mitigation, and threat remediation. The team’s collective experience ranges from designing, configuring, and securing Active Directory to vulnerability research and red team penetration testing. Our team also helps organizations recover Active Directory from ransomware and insider threat attacks.
Active Directory is a complex system with numerous configurable settings and features, making it hard to secure. Design flaws, operational mistakes, and misconfigurations accumulate over the years to create a technical debt that is often difficult to address and exposes AD to a spectrum of attacks. These vulnerabilities make AD the path of least resistance for an attacker to reach critical systems and sensitive data. Our team helps with two important steps to reduce the likelihood of an attacker successfully destroying or encrypting your environment: First is finding misconfigurations and attack paths that an attacker would leverage to compromise your environment. Second is preparing for the worst-case scenario of an attacker destroying or locking your administrators and users out of AD. Semperis’ Breach Preparedness & Response Services team helps you identify and close attack paths in your AD and Azure AD environment with Active Directory security assessments, AD threat mitigation, and AD disaster recovery (DR) planning and exercises.
The Active Directory Security Assessment (ADSA) gives you a clear picture of your AD security posture and a roadmap to address exposures at the strategic, operational, and tactical levels. Our AD security experts use interviews, questionnaires, and various automated and manual scanning tools to conduct the assessment.
This service helps organizations prevent and prepare for an attack. Developed for Semperis Directory Services Protector (DSP) customers, this service includes an annual Standard Active Directory Security Assessment, periodic attack surface reduction sessions, and tailored optimization of DSP, Semperis’ Gartner-recognized AD threat detection and response solution.
This service helps organizations align recovery time objective (RTO) and recovery point objective (RPO) parameters and identifies implicit dependencies that might hinder the plan execution during an incident. This effort includes a recovery plan review, planning workshop, and a stress test of the recovery plan, including a simulated encryption of the organization.
The Security Architecture Review is a high-level review of the environment and the considerations that led to the current design. The Semperis team conducts interviews with your key team members and a walkthrough of relevant artifacts, such as architectural diagrams. Before each interview, your team completes an information-gathering questionnaire that helps the Semperis team direct the interview to areas of interest, elicit missing information, and ensure the right people are present at the interview. The primary aspects captured or produced in this stage are:
The Operational Procedures Review is an evaluation of your current operational procedures. The Semperis team conducts this review through interviews with your key team members and a walkthrough of relevant artifacts, such as flow diagrams, scripts, etc. As with the Security Architecture Review, before each interview your team will complete a questionnaire that helps the Semperis team direct the interview to areas of interest, gather missing information, and ensure the right people are present at the interview. The primary elements captured or produced in this stage are:
In the Security Configuration Review, the Semperis team uses automated tools (such as Purple Knight, an AD security assessment tool built by Semperis experts) and manual methods to identify indicators of exposure (IOE) and indicators of compromise (IOC) in your AD environment. The elements captured or produced in this stage are:
The Attack Path Analysis aims to identify dangerous or unintended attack paths to Tier 0 assets and other critical assets. Attackers could abuse these paths to elevate privileges and could introduce these paths to install domain persistence and regain privileged access. In this stage, the Semperis team collects and analyzes data using open-source and internal tools. The elements captured or produced in this stage are:
In the Analysis and Reporting phase, the Semperis team digests the data and findings captured in the assessment into an actionable report that describes the current state, provides an achievable recommended state for the environment, and offers a roadmap for achieving the recommended state. The roadmap comprises “lines of effort” and “lines of operation” for achieving the recommended state:
Semperis offers optional remediation planning workshops with our AD security experts. These workshops might take place after or during the assessment to promptly address “low-hanging fruit” and critical issues. In these interactive consulting sessions, Semperis experts work with your AD team to:
The Attack Surface Reduction service is a periodic effort that involves an annual Standard ADSA and quarterly sessions in which Semperis experts work with you to analyze IOCs, IOEs, and indicators of attack (IOAs) gathered by DSP, as well as data collected with other tools. The Semperis team will provide recommendations for reducing the attack surface and eliminating security exposures in the AD environment. In addition, the Semperis team might perform an attack path analysis to identify dangerous or unintended attack paths to Tier 0 assets and other critical assets, as well as abnormal delegated rights.
Designed for Semperis Directory Services Protector (DSP) customers, this service ensures the DSP deployment is optimized to meet your AD protection requirements. The goal is to maximize your security posture outcome, ensuring DSP provides protection tailored to your environment. This optimization review aligns with Semperis’ best practices, which include:
Semperis experts review your existing AD disaster recovery plan to understand the business goals, SLA, disaster scenarios, and methods currently in place to recover AD in the event of a disaster.
Semperis experts work with you to analyze your business goals in a disaster, such as recovery point/recovery time objectives, remote sites, number of users requiring initial access, and environment recovery priority in case of a multi-forest disaster. The workshop also maps the dependencies for the recovery process. The Semperis team will help you plan different cyber and operational disaster scenarios as part of the workshop, including reviewing offline storage/offsite backups, recovering backups online when required, and similar recovery activities. The workshop deliverable is a documented AD recovery plan that is ready to present to business owners and includes:
We recommend conducting a full test of your AD disaster recovery plan at least annually or when a major change occurs in your AD configuration. The Active Directory Disaster Recovery Exercise includes a simulated encryption of the entire organization and the process of recovering and regaining control over AD. During this exercise, Semperis experts recover your production backups into an isolated lab environment. At the end of the exercise, the Semperis team provides a report that describes the test results and documents issues, then revises the DR plan accordingly. You can use this report to help meet governance and compliance requirements.
If AD is breached, the clock is ticking. Organizations that are experiencing an in-progress cyberattack are under unprecedented pressure. When an attack targets the identity system, most critical operations can’t function until it’s rebuilt and made trustworthy again. And rebuilding identity can take weeks to accomplish—while everything else waits. Semperis offers world-class AD incident response services, including cyber-first disaster recovery, AD incident investigation and attack forensics.
If your AD environment is severely damaged, Semperis experts use Active Directory Forest Recovery (ADFR) to perform a partial or full forest recovery into a new, isolated infrastructure, without carrying over executable code from the DCs’ operating system. This approach eliminates the reintroduction of malware. The recovery process includes restoring AD functionality based on procedures developed in the Active Directory DR planning.
Following a security incident that adversely impacts AD, the first crucial recovery step is investigating whether malicious intent and intelligence were behind the incident, constituting an attack. Our experts use Semperis Directory Solutions Protector (DSP) and other tools to analyze the AD replication data and corresponding event logs and recommend the best course of action for fully eradicating the threat from the AD environment.
Following a forensic investigation of an AD attack, Semperis experts recommend steps to regain control of the AD environment and remove the threat, including eradicating threat actors and compromised/exposed objects to prevent the attacker from regaining control, performing a security assessment to identify vulnerabilities and exposures post-containment, and providing mitigation steps for AD attack surface reduction.
Most organizations have business continuity plans in place. But these plans rarely account for scenarios in which malware takes down the enterprise identity infrastructure—of which Active Directory (AD) is a core component in 90% of organizations worldwide. Cybercriminals deliberately target AD because that tactic works.
No vendor or services provider can outmatch Semperis’ collective Microsoft MVP experience in Directory Services and Group Policy. Semperis’ Breach Preparedness and Incident Response (BP&R) team is made up of Microsoft MVPs and former Microsoft Premier Field Engineers (PFEs) with unrivaled track records of protecting the most sensitive Active Directory environments in the world and deep expertise in on-prem AD, Azure AD, Okta, and other enterprise identity systems.
Active Directory compromised, not down, but fixable
Semperis incident response experts focus on assessing the current AD environment, closing existing security gaps, eradicating threat actor access, and creating a clean AD backup.
Active Directory compromised, not down, not fixable
The objective here is to quickly conduct an AD security assessment, recover AD to an isolated environment, conduct threat removal, and restore AD to a clean environment.
Active Directory down (most common scenario)
First step is to recover AD to an isolated environment and conduct breach forensics and remediation, followed by an AD assessment, threat removal, and recovery to production.
To help you respond to an attack in progress, Semperis combines insights from battle-tested identity security and incident response experts with industry-leading solutions for protecting organizations’ hybrid Active Directory before, during, and after a cyberattack. You’ll get immediate, expert response to the current incident and comprehensive assessment and remediation to guard against future threats.
Talk to our expert AD incident response team for fast action on an in-progress attack or to develop a plan to improve your overall security posture.
Contact our team
Learn more about how to accelerate AD incident response
Request a demo and one of our product experts will give you a spin of our solutions.
Semperis has unmatched expertise in AD breach response