How to Recover the Active Directory after a Cyber Incident?
Date: 20 June 2023
Cyber Management Alliance recently hosted one of its most successful Wisdom of Crowds events to date in London. Held at the Sofitel St. James’s London, the event saw one of the largest in-person Cyber Crisis Tabletop Exercises ever. The room was packed with InfoSec leaders from across the UK and London brainstorming, challenging each other and discussing the biggest cybersecurity challenges that we face today.
Apart from the actual cyber tabletop exercise, the event was enriched with keynote addresses from some of the top cybersecurity leaders in the world. David Hitchins of Semperis spoke to the audience about one of the most critical steps in Cyber Incident Response and Recovery - How to recover the Active Directory (AD) after a Cyber Incident.
Based in the United States, Semperis are cybersecurity leaders and Active Directory (AD) experts. Their focus is on securing AD and Azure AD for leading businesses in the world from the ever-escalating cyber threats that plague the community. Identity-first security is their focus for achieving operational resilience.
Clearly, hearing from a global leader about how to recover the Active Directory was insightful and valuable for all attendees. David made sure that the audience remained engaged and took away important lessons all the same.
This wasn’t hard to achieve as he started his address by comparing the process of managing the Active Directory to what Pirates do.
Why do pirates wear an eye patch? For better visibility. When they go into the darker areas of the ship and flip the eye patch open, that eye can see better because it’s already accustomed to the dark. This means fewer surprises, which is pretty much what all CISOs want in terms of visibility.
The Active Directory, then, is like the gatekeeper of the ship. It holds all the keys and knows exactly who is getting into which door and when. Interestingly, in the modern threat context, that also makes AD the new attack point. This is why we put endpoint protection in place: to keep our AD secure. Unfortunately, it doesn’t stop attacks on the Active Directory. It certainly helps, but if it worked a hundred percent of the time, nobody would get hacked.
He then moved on to a very simple and pertinent question: can anyone easily restore the Active Directory? The audience’s answer was a unanimous no.
David then went into what a real recovery of the Active Directory would look like:
- It would have to be malware free. But how do you ensure that?
- You would have to choose whether you want to fix your AD or be operational as fast as you can.
- You would need to know the forensics of the environment really well.
He moved on to explain exactly how Semperis recovers the Active Directory and why it looks different from just backing everything up:
- Semperis strips the AD out from the operating system. This means there is no malware in the restored AD at all.
- This also removes the hardware dependencies.
- The best part is that Semperis does this in parallel, which reduces the recovery time from days and weeks to hours.
- They also have a technology that does forensics in the specific environment.
David concluded his keynote presentation by urging the participants to think about the recovery of their AD and to think hard about what solutions they currently have in place for AD recovery. The truth is that if you lose your AD after an incident, you lose your business. The AD is, after all, the keys to the kingdom.
David’s keynote address was as stimulating and educational as is the norm at our Wisdom of Crowds events. We invite cybersecurity vendors to present their technology solutions and services to a niche and engaged audience. The participants get a chance to ask questions and challenge the presenters and walk away feeling better informed about the evolving cybersecurity solutions in the market.
Our unique Wisdom of Crowds events allow unparalleled collaboration and knowledge sharing amongst the participants. The event held recently in London was all the more successful as attendees worked together in groups to create cyber attack scenarios and worked out how they would deal with them.
The largest in-person Cyber Attack Tabletop Exercise was made more fruitful and engaging for the participants by global leaders such as Semperis coming in and sharing their knowledge with those present. The event also featured keynote addresses delivered by Dope Security and Runecast.
Find out more about becoming a delegate and/or sponsor at the Wisdom of Crowds events.