Guided AD Disaster Prevention and Recovery

Expert Breach Preparedness & Response Services

Engage the world’s leading Active Directory cybersecurity experts to develop and implement comprehensive AD cyberattack preparedness and response.

Expert guidance to protect Active Directory before, during, and after an attack

Active Directory is the #1 attack vector in the cybersecurity threat landscape because it’s a lucrative target for cyber criminals. As the primary identity service for 90% of organizations worldwide, AD provides user authentication and access to business-critical applications and services. An AD compromise can cause weeks of downtime. Organizations that don’t adequately protect AD are likely to end up paying ransom to restore data and resume business operations.

  • Threatpost: $1.4 billion insurance payout awarded to Merck for losses incurred in the NotPetya attack
  • Microsoft Digital Defense Report: 1 hour, 42 minutes, the median time for an attacker to begin moving laterally after device compromise
  • Statista: 20 days average downtime after a ransomware attack
  • Microsoft Digital Defense Report: 34.7 billion identity threats blocked by Microsoft in 1 year



AD preparedness and response services from the industry’s leading identity security authorities

Semperis, the pioneer of identity-driven cyber resilience for enterprises, offers breach preparedness and response services, combining insights from battle-tested Active Directory (AD) security and incident response (IR) experts with industry-leading solutions for preventing, remediating, and recovering from AD attacks. These services allow you to tap into Semperis’ expertise before, during, and after an attack, so you can benefit from our team’s decades of combined experience responding to cyber incidents.

Preparedness Services

Stay ahead of attackers with expert breach preparedness services, including comprehensive programs to uncover security weaknesses in your AD infrastructure and improve overall security posture.

  • Active Directory Security Assessment (ADSA)
  • AD Threat Mitigation
  • AD Disaster Recovery Planning and Exercise

Response Services

With 100 years’ combined Microsoft MVP experience in directory services, our team has firsthand insight into where the problems are in the case of an AD attack, along with deep experience and expertise in AD clean-up, risk mitigation, and threat remediation. The team’s collective experience ranges from designing, configuring, and securing Active Directory to vulnerability research and red team penetration testing. Our team also helps organizations recover Active Directory from ransomware and insider threat attacks.

  • Cyber-first AD recovery
  • AD incident investigation and attack forensics
  • AD threat removal


Prevent an AD cyber disaster with expert breach preparedness

Active Directory is a complex system with numerous configurable settings and features, making it hard to secure. Design flaws, operational mistakes, and misconfigurations accumulate over the years to create a technical debt that is often difficult to address and exposes AD to a spectrum of attacks. These vulnerabilities make AD the path of least resistance for an attacker to reach critical systems and sensitive data. Our team helps with two important steps to reduce the likelihood of an attacker successfully destroying or encrypting your environment: First is finding misconfigurations and attack paths that an attacker would leverage to compromise your environment. Second is preparing for the worst-case scenario of an attacker destroying or locking your administrators and users out of AD. Semperis’ Breach Preparedness & Response Services team helps you identify and close attack paths in your AD and Azure AD environment with Active Directory security assessments, AD threat mitigation, and AD disaster recovery (DR) planning and exercises.

Active Directory Security Assessment

The Active Directory Security Assessment (ADSA) gives you a clear picture of your AD security posture and a roadmap to address exposures at the strategic, operational, and tactical levels. Our AD security experts use interviews, questionnaires, and various automated and manual scanning tools to conduct the assessment.

AD Threat Mitigation

This service helps organizations prevent and prepare for an attack. Developed for Semperis Directory Services Protector (DSP) customers, this service includes an annual Standard Active Directory Security Assessment, periodic attack surface reduction sessions, and tailored optimization of DSP, Semperis’ Gartner-recognized AD threat detection and response solution.

DR Planning & Exercise

This service helps organizations align recovery time objective (RTO) and recovery point objective (RPO) parameters and identifies implicit dependencies that might hinder the plan execution during an incident. This effort includes a recovery plan review, planning workshop, and a stress test of the recovery plan, including a simulated encryption of the organization.



Active Directory Security Assessment

Security Architecture Review

The Security Architecture Review is a high-level review of the environment and the considerations that led to the current design. The Semperis team conducts interviews with your key team members and a walkthrough of relevant artifacts, such as architectural diagrams. Before each interview, your team completes an information-gathering questionnaire that helps the Semperis team direct the interview to areas of interest, elicit missing information, and ensure the right people are present at the interview. The primary aspects captured or produced in this stage are:

  • AD forest structure
  • Trust relationships
  • Security boundaries
  • Tier 0 assets and security dependencies
  • Disaster recovery infrastructure

Operational procedures review

The Operational Procedures Review is an evaluation of your current operational procedures. The Semperis team conducts this review through interviews with your key team members and a walkthrough of relevant artifacts, such as flow diagrams, scripts, etc. As with the Security Architecture Review, before each interview your team will complete a questionnaire that helps the Semperis team direct the interview to areas of interest, gather missing information, and ensure the right people are present at the interview. The primary elements captured or produced in this stage are:

  • Provisioning and de-provisioning process for Tier 0 assets
  • Management and maintenance procedures for Tier 0 assets
  • Privileged access management procedures
  • Access procedures for Tier 0 security dependencies
  • Discovery of additional Tier 0 assets
  • Disaster recovery procedures and their dependencies

Security configuration review

In the Security Configuration Review, the Semperis team uses automated tools (such as Purple Knight, an AD security assessment tool built by Semperis experts) and manual methods to identify indicators of exposure (IOE) and indicators of compromise (IOC) in your AD environment. The elements captured or produced in this stage are:

  • Indicators identified by the Purple Knight scan
  • Manual review of indicators not currently implemented in Purple Knight
  • GPO review using open-source tools
  • Automated identification of hidden accounts

Attack path analysis

The Attack Path Analysis aims to identify dangerous or unintended attack paths to Tier 0 assets and other critical assets. Attackers could abuse these paths to elevate privileges and could introduce these paths to install domain persistence and regain privileged access. In this stage, the Semperis team collects and analyzes data using open-source and internal tools. The elements captured or produced in this stage are:

  • Attack paths from outside of Tier 0 into Tier 0
  • Abnormal delegated rights
  • Admin “hotbeds”
  • Hosts and objects with high reachability, i.e., exposure to many users
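The two outputs of the attack path analysis above, paths from outside Tier 0 into Tier 0 and objects with high reachability, as an added illustration that is not Semperis' tooling or Purple Knight: a breadth-first search over a constructed set of AD control relationships that reports each non-Tier-0 principal's shortest path into Tier 0 and how many principals can reach each object. The edge labels, principal names and the Tier 0 set are constructed sample data.

```python
from collections import defaultdict, deque
# Constructed sample data (not a real environment): edge = "source can control or act as target".
EDGES = [
    ("alice",      "MemberOf",   "Helpdesk"),
    ("bob",        "MemberOf",   "Helpdesk"),
    ("Helpdesk",   "GenericAll", "svc_backup"),     # Helpdesk can reset this service account
    ("svc_backup", "AdminTo",    "DC01"),           # service account is local admin on a DC
    ("DC01",       "MemberOf",   "Domain Controllers"),
    ("carol",      "MemberOf",   "Marketing"),
    ("Marketing",  "GenericAll", "FileShare01"),
    ("dave",       "WriteDacl",  "Domain Admins"),  # stray delegated right on a Tier 0 group
]
USERS = {"alice", "bob", "carol", "dave"}          # non-Tier-0 user principals
TIER0 = {"DC01", "Domain Controllers", "Domain Admins"}

def build_graph(edges):
    """Adjacency list: node -> [(relationship, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def shortest_path_to_tier0(graph, start, tier0):
    """BFS from start; return the node sequence of the first path into Tier 0, or None."""
    if start in tier0:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for _rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt in tier0:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None

def paths_into_tier0(graph, principals, tier0):
    """Map each principal that has a control path into Tier 0 to its shortest path."""
    found = {}
    for p in principals:
        path = shortest_path_to_tier0(graph, p, tier0)
        if path:
            found[p] = path
    return found

def reachability_counts(graph, principals, tier0):
    """Count how many distinct non-Tier-0 principals can reach each object."""
    counts = defaultdict(int)
    for p in principals - tier0:
        seen, stack = set(), [p]
        while stack:
            for _rel, nxt in graph.get(stack.pop(), []):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        for obj in seen:            # every object this principal can reach
            counts[obj] += 1
    return dict(counts)
```

Objects with the highest counts are the "high reachability" findings; the paths are the edges to remove or re-delegate first.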

Analysis and reporting

In the Analysis and Reporting phase, the Semperis team digests the data and findings captured in the assessment into an actionable report that describes the current state, provides an achievable recommended state for the environment, and offers a roadmap for achieving the recommended state. The roadmap comprises “lines of effort” and “lines of operation” for achieving the recommended state:

  • “Line of effort” represents an internal push to improve the security posture of the AD environment
  • “Line of operation” represents a push to contain and eradicate a threat actor from the environment, which might be applicable if a threat is identified during the assessment

Remediation Planning

Semperis offers optional remediation planning workshops with our AD security experts. These workshops might take place after or during the assessment to promptly address “low-hanging fruit” and critical issues. In these interactive consulting sessions, Semperis experts work with your AD team to:

  • Plan and implement remedial actions
  • Explore alternatives
  • Identify other remediation tactics

Active Directory threat mitigation

Attack surface reduction

The Attack Surface Reduction service is a periodic effort that involves an annual Standard ADSA and quarterly sessions in which Semperis experts work with you to analyze IOCs, IOEs, and indicators of attack (IOAs) gathered by DSP, as well as data collected with other tools. The Semperis team will provide recommendations for reducing the attack surface and eliminating security exposures in the AD environment. In addition, the Semperis team might perform an attack path analysis to identify dangerous or unintended attack paths to Tier 0 assets and other critical assets, as well as abnormal delegated rights.

Detection and protection optimization

Designed for Semperis Directory Services Protector (DSP) customers, this service ensures the DSP deployment is optimized to meet your AD protection requirements. The goal is to maximize your security posture outcome, ensuring DSP provides protection tailored to your environment. This optimization review aligns with Semperis’ best practices, which include:

  • Configuration review of your DSP deployment, notifications setup, database configuration, auto-response rules, integrations with third-party solutions (e.g., SIEMs), and environment-specific definitions (e.g., sensitive accounts, response policy)
  • Analysis of the data gathered by DSP to identify indicators of suspicious activity and potential compromise
  • Execution of a Directory Services Protector test plan to understand all the product’s capabilities

Active Directory Disaster Recovery Planning and Exercise

Recovery plan review

Semperis experts review your existing AD disaster recovery plan to understand the business goals, SLA, disaster scenarios, and methods currently in place to recover AD in the event of a disaster.

Planning workshop

Semperis experts work with you to analyze your business goals in a disaster, such as recovery point/recovery time objectives, remote sites, number of users requiring initial access, and environment recovery priority in case of a multi-forest disaster. The workshop also maps the dependencies for the recovery process. The Semperis team will help you plan different cyber and operational disaster scenarios as part of the workshop, including reviewing offline storage/offsite backups, recovering backups online when required, and similar recovery activities. The workshop deliverable is a documented AD recovery plan that is ready to present to business owners and includes:

  • Defining the recovery SLA
  • Identifying the mean time to recovery (MTTR)
  • Mapping business applications required to support the core business goals

AD disaster recovery exercise

We recommend conducting a full test of your AD disaster recovery plan at least annually or when a major change occurs in your AD configuration. The Active Directory Disaster Recovery Exercise includes a simulated encryption of the entire organization and the process of recovering and regaining control over AD. During this exercise, Semperis experts recover your production backups into an isolated lab environment. At the end of the exercise, the Semperis team provides a report that describes the test results and documents issues, then revises the DR plan accordingly. You can use this report to help meet governance and compliance requirements.



Accelerate AD disaster recovery

If AD is breached, the clock is ticking. Organizations that are experiencing an in-progress cyberattack are under unprecedented pressure. When an attack targets the identity system, most critical operations can’t function until it’s rebuilt and made trustworthy again. And rebuilding identity can take weeks to accomplish—while everything else waits. Semperis offers world-class AD incident response services, including cyber-first disaster recovery, AD incident investigation and attack forensics.

Cyber-First Active Directory Recovery

If your AD environment is severely damaged, Semperis experts use Active Directory Forest Recovery (ADFR) to perform a partial or full forest recovery into a new, isolated infrastructure, without carrying over executable code from the DCs’ operating system. This approach eliminates the reintroduction of malware. The recovery process includes restoring AD functionality based on procedures developed in the Active Directory DR planning.

AD Incident Investigation & Forensics

Following a security incident that adversely impacts AD, the first crucial recovery step is investigating whether malicious intent and intelligence were behind the incident, constituting an attack. Our experts use Semperis Directory Services Protector (DSP) and other tools to analyze the AD replication data and corresponding event logs and recommend the best course of action for fully eradicating the threat from the AD environment.

Active Directory Threat Removal

Following a forensic investigation of an AD attack, Semperis experts recommend steps to regain control of the AD environment and remove the threat, including eradicating threat actors and compromised/exposed objects to prevent the attacker from regaining control, performing a security assessment to identify vulnerabilities and exposures post-containment, and providing mitigation steps for AD attack surface reduction.

Does your disaster recovery plan include Active Directory?

AD is a common target for cyberattackers

Most organizations have business continuity plans in place. But these plans rarely account for scenarios in which malware takes down the enterprise identity infrastructure—of which Active Directory (AD) is a core component in 90% of organizations worldwide. Cybercriminals deliberately target AD because that tactic works.

  • According to Gartner, misused credentials are now the top technique used in breaches
  • Mandiant incident response researchers report that AD is involved in 9 out of 10 attacks they investigate
  • According to Enterprise Management Associates (EMA), 40% of attempted attacks are successful

Supported by the world’s foremost identity experts

No vendor or services provider can outmatch Semperis’ collective Microsoft MVP experience in Directory Services and Group Policy. Semperis’ Breach Preparedness and Incident Response (BP&R) team is made up of Microsoft MVPs and former Microsoft Premier Field Engineers (PFEs) with unrivaled track records of protecting the most sensitive Active Directory environments in the world and deep expertise in on-prem AD, Azure AD, Okta, and other enterprise identity systems.

SCENARIO 1

Active Directory compromised, not down, but fixable

Semperis incident response experts focus on assessing the current AD environment, closing existing security gaps, eradicating threat actor access, and creating a clean AD backup.

SCENARIO 2

Active Directory compromised, not down, not fixable

The objective here is to quickly conduct an AD security assessment, recover AD to an isolated environment, conduct threat removal, and restore AD to a clean environment.

SCENARIO 3

Active Directory down (most common scenario)

First step is to recover AD to an isolated environment and conduct breach forensics and remediation, followed by an AD assessment, threat removal, and recovery to production.

How Semperis helps address AD cyber disasters

To help you respond to an attack in progress, Semperis combines insights from battle-tested identity security and incident response experts with industry-leading solutions for protecting organizations’ hybrid Active Directory before, during, and after a cyberattack. You’ll get immediate, expert response to the current incident and comprehensive assessment and remediation to guard against future threats.

SCENARIO 1: AD compromised, not down but fixable

Phase 1: AD Assessment
  • Create backup of current AD environment
  • Monitor and detect all AD changes
  • Gather info about current AD configuration
  • Conduct qualitative data analysis
  • Identify vulnerabilities, misconfigurations, and IOEs/IOCs

Phase 2: Threat Removal
  • Eradicate threat actor access, IOEs, and IOCs
  • Reduce AD attack surface
  • Back up clean AD environment

SCENARIO 2: AD compromised, not down & not fixable

Phase 1: AD Assessment
  • Create backup of current AD environment
  • Monitor and detect all AD changes
  • Gather info about current AD configuration
  • Conduct qualitative data analysis
  • Identify vulnerabilities, misconfigurations, and IOEs/IOCs

Phase 2: AD Recovery
  • Recover AD to isolated environment
  • Create tamper-resistant AD replica
  • Investigate breach and research remediation
  • Develop roadmap to enhanced security posture

Phase 3: Threat Removal
  • Eradicate threat actor access, IOEs, and IOCs
  • Reduce AD attack surface
  • Back up clean AD environment

SCENARIO 3: Active Directory is down

Phase 1: AD Recovery
  • Recover AD to isolated environment
  • Create tamper-resistant AD replica
  • Investigate breach and research remediation

Phase 2: AD Assessment
  • Create backup of current AD environment
  • Monitor and detect all AD changes
  • Gather info about current AD configuration
  • Conduct qualitative data analysis
  • Identify vulnerabilities, misconfigurations, and IOEs/IOCs
  • Develop roadmap to enhanced security posture

Phase 3: Threat Removal
  • Eradicate threat actor access, IOEs, and IOCs
  • Reduce AD attack surface
  • Create backup of clean AD environment

Phase 4: Back to Production
  • Restore AD to clean production environment

Semperis has unmatched expertise in AD breach response

Healthcare

Directory Services Protector delivers as promised, but the real value of bringing in Semperis was their people and their deep understanding of and insight into AD and AD-based attacks.

Chief Technology Officer, Orthopedic Specialty Medical Practice

Frost & Sullivan

Semperis has unmatched experience in breach preparedness and incident response to Active Directory and other identity-based cyberattacks. Semperis’ solution-based approach focuses not only on their premier technology to meet customer challenges but also best practices and guidance for people and processes, setting them apart from their competitors.

Sarah Pavlak, Frost & Sullivan

Amoco Federal Credit Union

Semperis was able to back up and restore AD insanely quickly. During our testing, we were able to back up and restore our Active Directory within 20 minutes to a completely different datacenter with minimal downtime. During a normal backup scenario, that could take 24-36 hours.

Paul Ladd, VP of Information Systems & Technology, AMOCO Federal Credit Union

Gartner Peer Insights

We have lots of changes happening to our Active Directory environment, adding Linux servers, etc… [Directory Services Protector] helps us monitor and revert dangerous changes with one button click.

IT Team Member, Enterprise Organization

Gartner Peer Insights

The best AD recovery tool in the event of a ransomware attack!

Director of Directories & IAM Solutions, IT Security & Risk Management, Enterprise Banking Organization

Consulting

With ADFR, I knew I wouldn’t have to go through hours and hours of clicking through procedures and potentially reintroducing malware. Being able to leverage ADFR in the first three hours of the incident response saved me probably two to three weeks.

Senior Security Manager

Get help with an AD breach

Talk to our expert AD incident response team for fast action on an in-progress attack or to develop a plan to improve your overall security posture.
