Active Directory is the beating heart of most modern networks. It’s the core system for managing identities, authentication, and authorization, both on-premises and in the cloud. However, it’s also a system built more than 20 years ago. And although in its early days, there was little need to think about disaster recovery or business continuity, today, Active Directory is a perfect target for threat actors.
You’re likely already aware of this to some extent. The problem is that where Active Directory is concerned, disaster recovery is deceptively complex. Even though it might look simple on the surface, it verges on overwhelming in practice.
How can you ensure that you have the necessary systems and processes to recover from ransomware and any disruptive incident that takes Active Directory offline? Here are five key tips and some thoughts on what constitutes a good Active Directory backup plan.
Tip 1: Be proactive
When things go wrong, it’s always better to be prepared.
Preparation begins with proactively searching for and fixing issues within your Active Directory deployment. For that, you need full visibility. There are many moving parts within Active Directory and many things that can go wrong. But you can’t resolve a problem you can’t identify.
Start by looking for indicators of exposure: vulnerabilities a threat actor can exploit. Examples include poor account hygiene, misconfigured security settings, and invisible attack paths. Also, look for indicators of compromise, such as evidence of Kerberoasting, which might signify that you’ve already experienced an attack.
This advice doesn’t just apply to your Active Directory. To devise an effective disaster recovery plan, you need comprehensive technical knowledge about your business. You need to understand how each system operates and how each component is connected to other components.
My advice is to start with a comprehensive risk and security assessment, beginning with a focus on your most important forests and assets. This review enables you to map out your infrastructure at every level of your organization. More importantly, it helps you identify the disruptive events you’re likeliest to face and determine mitigating actions for each.
Tip 2: Make communication part of disaster recovery
Predefined mitigation and recovery actions are all well and good. But who decides when, where, and how to put such actions into practice?
This is the area where I consistently see disaster recovery guidance fall woefully short. You can find plenty of information about the technical side of Active Directory disaster recovery. Yet even official Microsoft guidance mentions nothing about communication or a chain of command.
During a disruptive event, every second counts. You simply can’t afford to waste valuable time trying to figure out who should be doing what. You need a simple, step-by-step plan that’s easy to understand and execute for every member of your team.
When devising this plan, be sure to account for these factors:
● Does your organization comprise a single, contiguous entity or multiple independent business units?
● Are you outsourcing the management of your Active Directory?
● How are you going to communicate during an incident?
● With whom are you going to communicate?
● Who is the final decision-maker where mitigation and recovery efforts are concerned? Note that this answer might vary depending on the scope of an event.
● At what point do you notify C-level executives? What about external stakeholders?
Tip 3: Planning costs less than facing an attack unprepared
A typical argument against maintaining a disaster recovery plan is that there’s no budget for it.
Stop and think about how much of your infrastructure relies on Active Directory. Think about the impact of one or all of your forests being locked down by ransomware. If your organization is like most, the cost of such an outage could be crippling: lost revenue and customers, regulatory penalties, and reputational damage.
The cost of creating and maintaining a business continuity plan is inevitably less than the cost of a ransomware attack—especially if you aren’t maintaining proper backups. Paying a ransom for your assets is no guarantee that you’ll get them back. Threat actors are under no obligation to decrypt your systems and data after you pay…and often don’t.
Tip 4: Don’t try to do everything yourself
Automation can’t do everything. But where disaster recovery is concerned, it’s an enormous help. Not only can it save your team considerable time on the many tasks involved in backup and restoration, but it also considerably reduces instances of human error.
More importantly, automation saves time without requiring your team to possess specific knowledge about the inner workings of Active Directory. In addition to tools that focus on backup and recovery, there are solutions designed to automate monitoring, detection, log correlation, and threat hunting. These, too, are invaluable as we reach the point at which the amount of threat data is simply too great for human actors to digest effectively.
Unless your business has incredibly specific needs that you’re positive no vendor can fulfill, it’s almost always preferable to use a third-party tool in lieu of developing one internally. Most of the time, those development resources are best spent elsewhere. What’s more, tools like Bloodhound and Purple Knight are free to use.
Tip 5: Avoid Putting all your eggs in the Active Directory basket
The technical components of your disaster recovery plan need to be completely divorced from your Active Directory. In an attack, you risk losing access to any system that’s domain joined to your Active Directory. There’s little point in backing up your domain controller if that backup goes down when the domain does.
You’ll want to make sure you have independent instances of the following:
● Server backups
● Data backups
● Password vaults
● Authentication mechanisms
Immutable, isolated, redundant: The characteristics of a good backup plan
Every disaster recovery plan must include a few crucial components.
First, you need the capacity to recover to an isolated environment. That way, you can ensure you’re spinning up a clean instance of Active Directory. This enables you to perform a service recovery while carrying out a health and security assessment — a partial restoration that enables at least some of your business to resume regular operations.
Design recovery is your ultimate goal, fully restoring all compromised and destroyed systems. To facilitate this, I recommend maintaining multiple backups, all secured offsite and offline, until needed. These backups should be created within the applicable region and should be completely immutable once created.
Where management of the backups themselves is concerned, you have two core metrics to consider. The recovery time objective determines how quickly you want to recover. The recovery point objective, meanwhile, specifies how far back in time you’re willing to go for recovery.
In some cases, you might want to maintain daily backups. In other scenarios, weekly or even monthly backups might be acceptable.
Finally, your job is not finished with the creation of a disaster recovery plan. Completely test all plans, tools, scripts, and processes at least once a year. Make sure everything works as intended.
During these evaluations, you should also take the time to consider things you might need in the future —investments that can save you time and money.
No such thing as “one size fits all”
Where Active Directory is concerned, nearly every organization’s deployment is unique. A disaster recovery plan that works for one business isn’t guaranteed to work for another. That’s one of the things that makes the process so challenging and complex. There really is no gold standard — only guidance and advice.
I explored these questions in greater detail during a recent Hybrid Identity Protection Conference presentation: Resurrecting After a Ransomware Attack—Be Secure, And Prepared!. The presentation includes a more comprehensive, step-by-step breakdown of the process and a demo to give you an idea of how to implement disaster recovery within your organization. Take a look when you’re ready to dive more deeply into the topic of ransomware recovery.