Written by Bryan Patton, CISSP and Quest Strategic Systems Consultant
Over the past four years, ransomware became the number one security threat to business, and with 69% of companies suffering a cyber-attack in 2020, defence strategies must be put in place to protect critical information and ensure business continuity. And although cybersecurity experts sometimes manage to find flaws in ransomware encryption algorithms that allow companies to recover encrypted files without paying the ransom, infamous strains like BlackMatter continue to conduct disruptive attacks, and companies like Olympus suffer the consequences of inadequate cyber security.
With time, threat actors learnt that the way to a successful and profitable cyberattack lies with Active Directory (AD) compromise. By gaining access to AD, cybercriminals are free to move through the organisation’s entire environment and deploy the malware. This, in turn, leads to further system encryption and to credential and data theft as threat actors navigate from the endpoint to the intended target. In today’s hybrid infrastructures, where virtually all access to on-premises and cloud-based resources is tied to AD accounts, an AD recovery strategy must be a priority.
According to recent research, 66% of IT and security managers at midsized and large companies reported at least one cyberattack on their organization in the prior 12 months. Just as alarming is the increase in ransom amounts paid, amounting to $45 million USD in 2021 alone.
One must be prepared to act fast, as the key component of mitigating risk in the event of a cyberattack is the speed at which a company can recover. AD provides authentication and authorization services for users and critical applications, so the recovery process will be hindered significantly if these services are not brought online immediately.
Despite common misconceptions, AD recovery is not just a basic backup restoration. It requires a deeper understanding of the process, and one is unlikely to know every detail of that process until an emergency occurs.
According to Microsoft researchers, a phased approach to AD recovery leads to a full and speedy data restoration. At a basic level, identify at least one domain controller (DC) per domain to prioritise in a recovery scenario. Prioritise the main DCs and get them back online quickly, so the less critical DCs can be revived later.
In the phased approach, phase 1 involves performing an initial recovery. First, focus on restoring one or several DCs in each domain, depending on what tools are available. The preferred method for ransomware recovery is often a clean operating system (OS) recovery, but this option is only available if you have proactively invested in an enterprise AD disaster recovery solution.
Following this, the company can move to phase 2, concentrating on restoration and redeployment of the remaining DCs through promotion. Microsoft recommends an install from media (IFM) as it has proved to be an efficient way to reinstall AD on a DC. However, IFM can be a tedious manual process when native tools are employed. Having a third-party solution on the backend to speed up phase 2 lets your organization get back up and running sooner.
The only prerequisite for a successful recovery is to have your backups safeguarded, because once threat actors breach perimeter defences and infiltrate your networks, these backups are among the first targets to be encrypted. Use the tools available to gather and defend those backup assets before an attack inevitably occurs, so you are better prepared to withstand it and resume operations quickly afterwards.
In today’s world, ransomware presents a clear risk to every company big or small. Those that invest in bolstering their cyber resiliency proactively will be able to stand against the ongoing ransomware scourge, to survive or even thrive in case of a hit.
Otherwise, organisations will find themselves facing hefty costs, including millions paid to the ransomware attackers themselves and critical losses from downtime. According to recent findings, an organisation spends $1.85 million on average to recover from a cyberattack, with only 65% of data recovered in cases where the ransom is paid.
In short, prioritise your AD and have an AD incident recovery strategy in place. Safeguard your backups and invest in tools and solutions that will enable you to put your incident recovery plan into action at a moment’s notice.