Protecting Active Directory With Viable Backups

The primary recovery concern after a ransomware attack is the health of the core infrastructure. Before recovering any environment, it is crucial to confirm the viability of backups and whether there is a working and operational domain controller (DC) with functioning Active Directory (AD) services. Simply put, AD holds the keys to the Windows “kingdom,” and is required for proper functionality of systems connected to the Windows domain.

In the event of a ransomware attack, it is imperative for organizations to have a disaster recovery plan that includes DCs in addition to critical data, to avoid bottlenecked recovery efforts due to a non-functional AD environment. While recovering this environment is not impossible, it can be tricky and organizations that find themselves in this situation should consider two potential scenarios: The AD is functioning but potentially unstable, or the AD is not functioning and there are no backups. The goal, of course, is to avoid scenario two, as it commonly results in significant recovery costs as organizations are forced to rebuild the domain from scratch.

Viable Backups

To determine the state of your organization’s backups, make sure you understand what types you have in place, the restore process and how long it takes to recover a system using them. Knowing this information ahead of time will enable you to get a better estimate of how long the recovery efforts might take and ensure you have viable backups ahead of an attack.

A well-implemented backup solution can prevent you from having to rebuild an entire domain. While there are many ways of backing up your servers, many organizations follow the 3-2-1 rule: Have at least three copies of your data (one primary, two backup copies), use two different types of storage media and ensure one backup is off-site.

While your local backups can be configured to be as secure as possible, you should still implement a backup solution that can store copies in the cloud as well. Ransomware threat actors often target local backup servers and delete backups to ensure that they have a higher chance of getting their ransom paid. Local backups allow for quick restores, but keeping a copy in the cloud as your contingency plan is recommended in case your local backups are not available.

A key part of architecting a strong backup solution is ensuring segmentation of backups. Segmentation and disparate storage locations also affect the recovery time objective (RTO) and recovery point objective (RPO), which are fundamentally a business decision. While both are measured in time, the RPO is the window of data loss between the most recent viable backup and the incident, whereas the RTO is the time taken to restore the environment to business functionality. Backups are critical elements of an organization’s business as well as its IT infrastructure and should be treated as such. In the age of ransomware, a solid backup and recovery strategy can prevent the loss of millions of dollars—and that’s just the easily measurable costs.
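To make the 3-2-1 rule and the RPO concrete, here is an added example (not from the original post) that checks a constructed backup inventory for 3-2-1 compliance and computes the actual RPO from the newest copy with a verified restore. The inventory, the `BackupCopy` fields and the 24-hour target are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    name: str
    media: str             # storage media type, e.g. "disk", "tape", "object-storage"
    offsite: bool          # True if the copy lives outside the primary site
    restore_verified: bool  # True only if a test restore from this copy succeeded
    taken_at: datetime


def check_3_2_1(copies):
    """Return the list of 3-2-1 violations; an empty list means the rule is met."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on one media type, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy")
    return problems


def actual_rpo(copies, now):
    """Data-loss window: time from the newest copy with a verified restore to 'now'.
    Unverified copies do not count as viable. Returns None if nothing is viable."""
    viable = [c for c in copies if c.restore_verified]
    if not viable:
        return None
    return now - max(c.taken_at for c in viable)


def assess(copies, now, rpo_target):
    """Combine the 3-2-1 check with the RPO check against a business target."""
    problems = check_3_2_1(copies)
    rpo = actual_rpo(copies, now)
    if rpo is None:
        problems.append("no copy with a verified restore")
    elif rpo > rpo_target:
        problems.append(f"RPO {rpo} exceeds target {rpo_target}")
    return problems


# Constructed sample inventory: local disk copy, tape copy, and an off-site cloud copy.
NOW = datetime(2024, 1, 10, 12, 0)
INVENTORY = [
    BackupCopy("local-disk", "disk", False, True, NOW - timedelta(hours=2)),
    BackupCopy("tape-vault", "tape", False, True, NOW - timedelta(hours=30)),
    BackupCopy("cloud-bucket", "object-storage", True, False, NOW - timedelta(hours=26)),
]
```

Running `assess(INVENTORY[1:], NOW, timedelta(hours=24))` models the common case where the local backup server has been wiped: the RPO jumps to 30 hours and the inventory drops below three copies.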

Organizations should always be focused on “protecting the kingdom.” If you are in a situation where your organization has been impacted by ransomware, AD often is the first step in restoring operations to the environment. The last thing you want during recovery operations is for the efforts to be bottlenecked by a non-functional AD environment or non-viable backups. Conducting a comprehensive cybersecurity assessment to ensure these are in place ahead of time is crucial for efficient and effective incident response.


Jeff Chan

Jeff Chan is a technical cyber security leader who has helped build incident response teams and has led a large number of digital forensics and incident response investigations. As a technical advisor at MOXFIVE, Jeff has assisted clients in managing incidents and recovering their networks from cyber security attacks.
