Active Directory (AD) is the heart of the digital infrastructure of small, medium and large enterprises that use Microsoft systems, worldwide. Whether it runs in the cloud or on an on-premises server, Active Directory is the beating heart of access to resources and represents the Microsoft authentication service. When it stops functioning properly within a network environment, users of that network may be unable to log on to their PCs or make VoIP calls, access to e-mail or even to major business applications may be blocked, and the company’s normal operations would therefore be impacted.

For this reason Active Directory is a favorite target of cyber criminals, especially considering the wide adoption of Microsoft operating systems and services in a large number of companies worldwide. In a widespread cyber incident that also involves the Active Directory service, having a specific recovery plan can prove to be the key to returning to normal business continuity.

To date, however, the role of AD is still considered secondary: it often has neither a dedicated backup nor a Disaster Recovery (DR) plan that provides for a prioritized and, above all, specific recovery of this “key application”, as Microsoft itself requires.

Active Directory is therefore one of the company’s “core” systems, whose “good health” should be continuously looked after in management processes and which should be prioritized in the Business Continuity (BC) and DR plans.

Cyber attacks and impacts on the Active Directory

Active Directory is the centralized Windows Server system that provides methods for storing directory data and defines how users and administrators are assigned network resources such as databases, files, applications and endpoints (source: Microsoft).

Among all the types of attack that aim to hit overall business continuity by blocking digital services, such as ransomware or targeted DDoS, attacks designed and targeted for direct impact on the corporate Active Directory have been observed in the last two years: AD privilege escalation, domain trust exploitation and ADRecon are just some examples (source: Securityboulevard).

Whereas “generalist” attacks delivered by malware would operate through “replication and distribution” by making lateral movements, recent attacks take advantage of the features and role of domain controllers. Alessio Lo Turco, Quest’s Strategic Systems Consultant, explains that “attackers use AD to deploy malware across the entire infrastructure, taking advantage of its privileges and its native role, making it a sort of ‘ADaware’. In this sense, malware is no longer that sophisticated code that exploits a bug, but code that aims to gain privileges in the Microsoft ecosystem; then it tries to create a group policy in AD (group policies are typically used in large companies, ed.) or uses an existing one, and then, through the group policy, installs a series of malware and/or ransomware to increase the internal attack surface. The criminals’ goal is therefore access to a powerful ‘software deployer’. It is also important to note that when the attack has been under way for some time, even the backup may already be infected and may not work at the time of recovery”.

The first infection is often caused by evolved phishing, or phishing targeted at a specific victim (spear phishing), with the aim of inducing the victim into error and starting an attack kill chain whose visible consequences may appear only after several months.

In cases of ransomware, as news reports have shown, the attack can be devastating, and the backup is useful only if it was not already corrupted. Good security practices such as network segmentation, with backup policies for each segment, can avoid total encryption by ransomware.

However, explains Alessio Lo Turco: “there are sophisticated ransomware-as-a-service operations that perform encryption but do not change the name, extension or date of the file, which therefore still appears to be a legitimate file even though its contents have been encrypted. This type of ransomware is insidious because it does not make clear what has been made inaccessible and forces the recovery of the entire infrastructure. In these cases the blackmail occurs without part of the attack being visible to the victim, and therefore without the possibility of a targeted and effective recovery. It is as if the attacker worked with infinite resources while the defense was forced to limit itself to the finite resources at its disposal”.

Active Directory management best practices

According to experts, there are three precautions to be taken, and they are all good practices that have been valid for over twenty years:

1. Consider the actual importance of each digital environment enabling the company information system; in particular, Active Directory is fundamental and should not be underestimated, so caution is required in managing this environment, with high-frequency backups (at least daily). Since it is a central system of the Microsoft services architecture, a Disaster Recovery plan with appropriate values of Recovery Time Objective (RTO) and Recovery Point Objective (RPO) should also be provided. Remember that RTO is the amount of real time a company has to restore its processes to an acceptable service level after a disaster, to avoid intolerable consequences associated with the outage, while RPO is the maximum amount of data, measured by time, that can be lost after recovery from a disaster, failure or similar event before the loss exceeds what is acceptable to the organization. Also keep Active Directory backups according to the 3-2-1 rule: keep 3 copies of the data, on 2 different backup storages, with 1 copy kept off-site. Each AD backup should be protected from corruption (which would make it unusable in a restore) and from exfiltration (which would let attackers study it). Finally, relocate AD backups to a digital location separate from the corporate ones, so that a ransomware attack cannot encrypt them.

2. Prevent an attack on Active Directory by implementing preventive practices: do not give any user free access permissions to resources, limit administrative access privileges to resources, limit the visibility of resources, and make the native AD groups that hold administrative privileges non-modifiable, to prevent their misuse for the benefit of an attacker; in addition, activate alarms and alerts on any attempted change to those groups, to highlight preparations for an attack.

3. Finally, group policies must likewise not be created or modified without control, and appropriate alarms must be set.
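The alarms on administrative groups and group policies recommended above can be checked with a script on a domain controller. The following PowerShell is an added example written for this article, not code from the article, from Quest or from Microsoft. It assumes the ActiveDirectory RSAT module, read access to the Security log, and that the “Audit Security Group Management” and “Audit Directory Service Changes” subcategories are enabled; the baseline file path and the list of groups are assumptions to adapt.

```powershell
# Added example, not code from the article or from Quest: a defender's check
# for the "alarms on administrative groups and group policies" practice.
# Assumes the ActiveDirectory RSAT module, permission to read the Security
# log on the domain controller it runs on, and that the "Audit Security Group
# Management" and "Audit Directory Service Changes" subcategories are enabled
# (without them the event IDs queried below are never written).
Import-Module ActiveDirectory

# Built-in groups whose membership should stay fixed and be alarmed.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Location of the approved-membership baseline (hypothetical path).
$BaselinePath = 'C:\ADRecovery\privileged-baseline.json'

function Get-PrivilegedMembership {
    # Returns a hashtable: group name -> sorted, de-duplicated member names
    # (recursive, so nesting a rogue group inside Domain Admins is caught too).
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
        $result[$g] = @($members)
    }
    return $result
}

function Compare-PrivilegedBaseline {
    param([hashtable]$Current, [string]$Path)
    if (-not (Test-Path $Path)) {
        # First run: record the approved state and report nothing.
        $Current | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
        Write-Host "Baseline written to $Path"
        return
    }
    $baseline = Get-Content -Raw -Path $Path | ConvertFrom-Json
    foreach ($g in $PrivilegedGroups) {
        $expected = @($baseline.$g)
        $added    = @($Current[$g] | Where-Object { $_ -notin $expected })
        $removed  = @($expected    | Where-Object { $_ -notin $Current[$g] })
        foreach ($m in $added)   { Write-Warning "ALERT: '$m' was ADDED to '$g'" }
        foreach ($m in $removed) { Write-Warning "ALERT: '$m' was REMOVED from '$g'" }
    }
}

function Get-RecentPrivilegeEvents {
    param([int]$Hours = 24)
    # 4728/4732/4756: member added to a security-enabled global/local/universal group
    # 4729/4733/4757: member removed from one of those groups
    # 5136/5137: directory object modified/created; kept only when the object
    #            is a groupPolicyContainer, i.e. a Group Policy object changed
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757, 5136, 5137
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -notin 5136, 5137 -or $_.Message -match 'groupPolicyContainer' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]
            }
        }
}

# Run the membership diff and list the last 24 hours of relevant events.
$current = Get-PrivilegedMembership
Compare-PrivilegedBaseline -Current $current -Path $BaselinePath
Get-RecentPrivilegeEvents -Hours 24 | Format-Table -AutoSize
```

The baseline diff catches changes that happened while auditing was off or on a DC whose log was not collected, while the event query gives the who and when for changes inside the audit window; in practice the output is forwarded to a SIEM rather than printed.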

What to expect for the Active Directory recovery plan

Security best practices teach that a recovery plan is needed for each potential threat. In the case of threats affecting AD, accidental errors may also occur, such as corruption of Active Directory during maintenance or routine operations (for example, updates not completed correctly), and this implies different or escalating remediation actions, up to the “last resort” of activating the Disaster Recovery plan.

Alessio Lo Turco clarifies: “the first thing to do is to have a Disaster Recovery plan dedicated to AD; second, it is important to clearly understand the roles of the various domain controllers and identify the critical domains, each with their respective capabilities, planning the restore one by one. I suggest consulting the Microsoft DR manual to find specific and appropriate indications to apply to your case. Another important issue in the DR plan is the sequence in which the systems are restored, because AD requires the operating systems to be up and running in order to be restored, but in general in an attack, ransomware for example, the operating systems are no longer available, and therefore the restore times start from when all the infrastructure levels come up in an orderly manner“.

Therefore, the restore must start from the lowest levels of the ISO/OSI stack and go up towards the application level. In particular, Active Directory is to be considered a real critical application, with its own logic, structure and integrity requirements, which require equally specific DR procedures, like those Microsoft sets out in its aforementioned manual.
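Knowing the role of every domain controller, as recommended in the quote above, and checking that the daily backups recommended in the best-practices section actually meet the RPO, are both things a DR plan can script. The PowerShell below is an added example written for this article, not code from the article, from Quest or from Microsoft’s recovery guide. It assumes the ActiveDirectory RSAT module, read access to every domain in the forest, and Windows Server Backup on the host for the RPO check; the restore-priority heuristic (forest root first, the PDC emulator first within each domain, read-only DCs last because they are rebuilt rather than restored) is a constructed ordering, not a Microsoft-prescribed one.

```powershell
# Added example, not code from the article or from Microsoft's forest recovery
# guide: an inventory that a DR plan for AD can be built on. It lists every
# domain controller with its FSMO roles and assigns a constructed restore
# priority, and checks the age of the last successful system state backup
# against the RPO. Assumes the ActiveDirectory RSAT module, read access to
# every domain in the forest, and Windows Server Backup for the RPO check.
Import-Module ActiveDirectory

function Get-ForestRestorePlan {
    $forest = Get-ADForest
    $plan = foreach ($domainName in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            $roles = @($dc.OperationMasterRoles | ForEach-Object { "$_" })
            # Constructed priority: lower restores earlier. Forest root domain
            # first, PDC emulator first within a domain, RODCs last.
            $priority = 100
            if ($domainName -eq $forest.RootDomain) { $priority -= 50 }
            if ($roles -contains 'PDCEmulator')     { $priority -= 20 }
            if ($dc.IsReadOnly)                      { $priority += 50 }
            [pscustomobject]@{
                Priority      = $priority
                Domain        = $domainName
                IsForestRoot  = ($domainName -eq $forest.RootDomain)
                DC            = $dc.HostName
                Site          = $dc.Site
                IPv4          = $dc.IPv4Address
                GlobalCatalog = $dc.IsGlobalCatalog
                ReadOnly      = $dc.IsReadOnly
                FsmoRoles     = ($roles -join ',')
            }
        }
    }
    # Within one priority tier the domains are independent of each other, so
    # their restores can run in parallel; the tiers themselves run in order.
    return $plan | Sort-Object Priority, Domain, DC
}

function Test-BackupWithinRpo {
    param([double]$RpoHours = 24)   # daily backups, as the article recommends
    Import-Module WindowsServerBackup -ErrorAction Stop
    $summary  = Get-WBSummary
    $last     = $summary.LastSuccessfulBackupTime
    $ageHours = ((Get-Date) - $last).TotalHours   # huge if there was never a backup
    [pscustomobject]@{
        LastSuccessfulBackup = $last
        AgeHours             = [math]::Round($ageHours, 1)
        WithinRPO            = ($ageHours -le $RpoHours)
    }
}

Get-ForestRestorePlan | Format-Table -AutoSize
Test-BackupWithinRpo -RpoHours 24
```

The inventory is the artifact to store with the DR plan, off-site, alongside the backups: during an incident the directory itself may be unavailable, so the plan must not depend on querying it. The priority tiers also give the parallelization discussed later a concrete shape, since every domain in the same tier can be restored at the same time.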

If you use dedicated backup methods such as “bare metal” (a bare metal recovery reinstalls an operating system, the relevant applications and components, and the data, ed.), you reconstitute an image of the operating system as configured for a particular computer or server. All this holds only if the backup is intact and not already infected by malware that can be reactivated, bringing the situation back to a state of crisis.

To avoid this, backups several weeks old are often considered for restoring, but there is a risk of ending up with a corporate data state that is irreconcilable between business data and directory data over the time elapsed (for example if you go back one month). For a company, one month’s data can be crucial. For this reason it would be necessary to save backups on segregated and separate machines and to make backups of Active Directory alone. In these cases Alessio Lo Turco suggests: “Microsoft technology in these cases can help by using the Azure cloud, which allows, for example, an automatic mechanism to request immediate deployment of machines on which to restore AD. The speed of availability and the lower cost compared to physical machines kept unused as a potential backup infrastructure, combined with the possibility of having new machines not already infected with malware, makes this solution one of those viable for a restore plan. These measures allow you to get back online in a shorter time with a greater amount of recent data recovered“.

A final suggestion concerns the parallelization of the restore: done in the standard way it would require the restore of each domain to be sequential, while setting it up in parallel allows a significant time saving, going from several days, even weeks for complex infrastructures, to a few hours. This is all the easier and less risky the more automation tools are adopted for these procedures; they also drastically reduce the risk of errors due to the complexity of the procedures and infrastructure and to the pressure that the business inevitably exerts on the infrastructure management team to restart as soon as possible.

Following Microsoft’s guidance, at the end of the restore of the domains and domain controllers it is advisable to change the administrative passwords and eliminate the so-called “golden tickets”, that is, credentials that never expire, to prevent any attacker from re-using them once the environment is back online to restart malicious activity.
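The credential reset described above can be scripted as the last step of the recovery plan. The PowerShell below is an added example written for this article, not code from the article, from Quest or from Microsoft’s guide. Golden tickets are Kerberos tickets signed with the krbtgt account’s key, and Active Directory keeps both the current and the previous krbtgt key, so the script resets that account twice with replication between the resets, then resets every privileged account’s password with a forced change at next logon. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the replication wait and the excluded break-glass account name are assumptions, and it must run only after every domain controller of the domain has been restored and is replicating.

```powershell
# Added example, not code from the article or from Microsoft's guide: the
# post-restore credential hygiene step. Resets the krbtgt account password
# twice, with replication between the resets, and resets every privileged
# account's password with a forced change at next logon. Assumes the
# ActiveDirectory RSAT module and Domain Admin rights, and must run only after
# every domain controller of the domain has been restored and is replicating.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, Base64-encoded: 44 characters, satisfies
    # any default AD complexity policy and is never meant to be typed.
    $buf = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force)
}

function Reset-KrbtgtTwice {
    param([string]$Domain = (Get-ADDomain).DNSRoot,
          [int]$ReplicationWaitSeconds = 600)   # assumption: covers the site link schedule
    $pdc    = (Get-ADDomain -Identity $Domain).PDCEmulator
    $others = Get-ADDomainController -Filter * -Server $Domain |
              Where-Object { $_.HostName -ne $pdc -and -not $_.IsReadOnly }
    for ($i = 1; $i -le 2; $i++) {
        # AD keeps the current and the previous krbtgt key, so one reset still
        # leaves a key an attacker may hold; the second reset retires it.
        Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword (New-RandomPassword)
        Write-Host "krbtgt reset $i of 2 done on $pdc"
        if ($i -eq 1) {
            # Push the new key to every writable DC before the second reset;
            # a DC still holding only the old key would otherwise reject tickets.
            $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc
            foreach ($dc in $others) {
                Sync-ADObject -Object $krbtgt -Source $pdc -Destination $dc.HostName
            }
            Start-Sleep -Seconds $ReplicationWaitSeconds
        }
    }
}

function Reset-PrivilegedPasswords {
    param([string[]]$Groups  = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
          [string[]]$Exclude = @('breakglass-admin'))   # hypothetical account kept for the operator
    $users = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    }
    foreach ($u in ($users | Sort-Object SamAccountName -Unique)) {
        if ($u.SamAccountName -in $Exclude) { continue }
        Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword)
        # Clear "password never expires" so the forced change actually applies.
        Set-ADUser -Identity $u -PasswordNeverExpires $false -ChangePasswordAtLogon $true
        Write-Host "Reset and change-at-next-logon set for $($u.SamAccountName)"
    }
}

Reset-KrbtgtTwice
Reset-PrivilegedPasswords
```

The second krbtgt reset invalidates every Kerberos ticket issued before it, including legitimate ones, so users and services re-authenticate afterwards; scheduling it inside the maintenance window of the restore, rather than later, keeps that disruption inside the outage that already exists.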

The entire backup and restore process can be automated using specific products that support the creation of different recovery plans and implement each of the aforementioned measures, to avoid human errors in the process and also to speed up recovery time.

