Given the current threat landscape, organizations should have a cyber-resilient recovery plan ready to execute at any time, which requires preparation and a detailed plan. When a breach occurs, the recovery process will go more smoothly if the responders are familiar with the immediate post-attack tasks. Guido Grillenmeier, chief technologist at Semperis, talks about how incident response can be improved through an isolated recovery environment.
Imagine the unthinkable: An attacker compromised your Active Directory (AD) environment and hijacked all domain controllers (DCs). Within minutes, the attackers used their access to extend their foothold throughout the organization. Your incident response team jumped into action. They identified and disabled the accounts used by the attackers. They deactivated and replaced privileged accounts in each forest, but the attackers prevailed because malware running on your DCs was not removed. The malicious actors remain in your network.
Now it’s time to begin recovering the environment. Fortunately, you have offline backups of all domains and forests, so you can start rebuilding a safe AD forest that you can trust. But one question remains: Is the malware infection gone from the organization?
Why Is an Isolated Recovery Environment Essential?
An isolated recovery environment (IRE) is vital for recovering Active Directory from cyberattacks. An IRE does not replace a traditional backup solution. Rather, the IRE provides an environment that attackers cannot reach, so that your response team can conduct remediation efforts without being detected by the adversaries. If attackers have been moving stealthily through your environment for weeks or months and suddenly realize you’ve discovered them, they might immediately trigger malware to encrypt your entire environment. Using an IRE for remediation allows the incident response team to operate without the fear that an infected backup will undo the cleanup effort by reintroducing malware to the production environment.
You can create an IRE from scratch or use an existing disaster recovery environment already built for continuously testing and analyzing production system recovery in isolation. Some organizations also use IREs during annual assessments. These periodic tests keep organizations sharp and allow them to identify gaps in their incident response and recovery strategies. What applications still work if AD is down? Do we understand all the dependencies between AD and our applications? Mapping these security dependencies is critical to creating an accurate picture of the applications and systems that rely on AD and to prioritizing the recovery of specific assets.
Laying the Groundwork With Recovery Plan Testing
Given the current threat landscape, organizations should have a cyber-resilient recovery plan ready to execute at any time, which requires preparation and a detailed plan. When a breach occurs, the recovery process will go more smoothly if the responders are familiar with the immediate post-attack tasks. With tension running high as the organization works to put out a digital fire, familiarity will breed confidence. The knowledge gained from table-top exercises can ensure the recovery plan is effective.
Keep in mind that IREs are useful not only for testing. Some organizations maintain IREs on an ongoing basis to simulate attack scenarios and model different remediation tactics. If the day comes when attackers fully compromise AD, depending on the attack scenario – such as malware on the DC versus a corrupted schema, for example – you can recover to newly deployed server systems in an isolated environment and then perform necessary cleanup before hardening AD and then connecting it back to the production environment.
Suppose you do not know what the attacker might have changed in AD in the compromised environment. In that case, the IRE allows you to look deep into AD and change configurations without the attacker noticing those changes. With this approach, you avoid a situation in which the attacker triggers even worse actions, such as encrypting systems, once the IRE is connected to the production environment. For example, resetting the KRBTGT account in every domain prevents the threat actors from creating legitimate Kerberos Ticket Granting Tickets (TGTs) if the KRBTGT account has been compromised. But before resetting this account, remember that the KRBTGT account password has to be reset twice to have the desired effect. Another step would be to enable SID filtering across all trusts between AD forests.
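The two remediation steps above, as an added example that is not code from the article or from Semperis. It assumes an elevated session on a recovered DC inside the IRE with the ActiveDirectory RSAT module installed; the domain and trust names are placeholders. The reason for the double reset is spelled out in the comments: the KDC still accepts tickets encrypted with the previous KRBTGT key, so only the second reset evicts a key the attacker may have extracted.

```powershell
# Added example, not from the article or from Semperis. Run inside the IRE from an
# elevated session on a recovered DC, with the ActiveDirectory RSAT module present.
# Domain and trust names are placeholders; replace them with the recovered forest's own.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # The krbtgt password is never typed by a human, so any unpredictable value works.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    param([Parameter(Mandatory)][string]$Domain)
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    Set-ADAccountPassword -Identity 'krbtgt' -Server $pdc -Reset -NewPassword (New-RandomSecurePassword)
    # Force replication to every DC so none keeps issuing tickets under the old key.
    & repadmin /syncall $pdc /AdeP | Out-Null
    (Get-ADUser -Identity 'krbtgt' -Server $pdc -Properties PasswordLastSet).PasswordLastSet
}

function Invoke-KrbtgtDoubleReset {
    # The KDC still honours tickets encrypted with the previous krbtgt key, which is why
    # one reset is not enough: two resets push a stolen key out of both the current and
    # the previous slot. The pause between them lets legitimate tickets (default maximum
    # lifetime 10 hours) expire instead of failing mid-session; in a freshly restored IRE
    # with no users attached, a shorter pause is acceptable.
    param(
        [Parameter(Mandatory)][string[]]$Domains,
        [int]$PauseHours = 10
    )
    $first = @{}
    foreach ($d in $Domains) { $first[$d] = Reset-KrbtgtOnce -Domain $d }
    Start-Sleep -Seconds ($PauseHours * 3600)
    foreach ($d in $Domains) {
        $second = Reset-KrbtgtOnce -Domain $d
        if ($second -le $first[$d]) {
            throw "Second krbtgt reset in $d did not register a newer PasswordLastSet; check replication before trusting this domain."
        }
        Write-Host ("{0}: krbtgt reset twice ({1} -> {2})" -f $d, $first[$d], $second)
    }
}

function Get-TrustSidFilteringStatus {
    # SIDFilteringQuarantined = strict filtering (quarantine) on a trust;
    # SIDFilteringForestAware = SID history filtering on a forest trust.
    Get-ADTrust -Filter * -Properties SIDFilteringQuarantined, SIDFilteringForestAware |
        Select-Object Name, Direction, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware
}

function Enable-TrustSidFiltering {
    param([Parameter(Mandatory)][string]$TrustingDomain, [Parameter(Mandatory)][string]$TrustedDomain)
    $trust = Get-ADTrust -Filter "Name -eq '$TrustedDomain'" -Properties ForestTransitive
    if ($trust.ForestTransitive) {
        # Forest trust: disabling SID history is the documented SID-filtering switch.
        & netdom trust $TrustingDomain /domain:$TrustedDomain /enablesidhistory:No
    } else {
        # External trust: quarantine rejects every SID not owned by the trusted domain itself.
        & netdom trust $TrustingDomain /domain:$TrustedDomain /quarantine:Yes
    }
    Get-TrustSidFilteringStatus | Where-Object Name -eq $TrustedDomain
}

# Placeholder names, constructed for this example.
Invoke-KrbtgtDoubleReset -Domains 'corp.example.test', 'child.corp.example.test'
Enable-TrustSidFiltering -TrustingDomain 'corp.example.test' -TrustedDomain 'partner.example.test'
```

Re-read the trust status after the change and confirm `PasswordLastSet` advanced on every DC, not only the PDC emulator, before the rebuilt forest is hardened further and reconnected.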
Security assessment tools can aid this process by identifying indicators of exposure (IOEs) and indicators of compromise (IOCs). These IOEs fall into five categories: account security, AD infrastructure security, Group Policy, Kerberos security, and AD delegation. The most common vulnerabilities are issues like poor password policies, privileged accounts that have not been adequately reviewed, and weak Group Policy configurations that create security gaps attackers can exploit. By knowing the specific weak points in AD environments, your remediation efforts can target the issues attackers are most likely to exploit.
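A read-only sweep for some of the exposures named above (password policy, unreviewed privileged accounts, Kerberos and delegation settings), as an added example rather than the output of any Semperis or Microsoft assessment tool. It assumes the ActiveDirectory RSAT module and a session against the restored forest in the IRE; the numeric thresholds are assumed baselines, not values from the article.

```powershell
# Added example, not from the article or from Semperis. Read-only checks for a few
# indicators of exposure in the account, Kerberos and delegation categories, to run
# against the restored forest in the IRE before it is hardened and reconnected.
# Thresholds are assumptions, not Semperis' or Microsoft's values.
Import-Module ActiveDirectory

function Get-PasswordPolicyExposures {
    # Category: account security. Compares the default domain policy with an assumed baseline.
    $p = Get-ADDefaultDomainPasswordPolicy
    $out = @()
    if ($p.MinPasswordLength -lt 14)    { $out += "MinPasswordLength=$($p.MinPasswordLength) below assumed baseline of 14" }
    if (-not $p.ComplexityEnabled)      { $out += "Password complexity is disabled" }
    if ($p.LockoutThreshold -eq 0)      { $out += "No account lockout threshold (unlimited guessing)" }
    if ($p.PasswordHistoryCount -lt 24) { $out += "PasswordHistoryCount=$($p.PasswordHistoryCount) allows quick reuse" }
    $out
}

function Get-PrivilegedAccountExposures {
    # Category: account security and Kerberos security. Reviews every user that ends up,
    # directly or through nesting, in the built-in high-privilege groups.
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'))
    $stale = (Get-Date).AddDays(-365)
    $out = @()
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet, PasswordNeverExpires,
                     LastLogonDate, ServicePrincipalNames, DoesNotRequirePreAuth
            $tag = "$g/$($u.SamAccountName)"
            if ($u.PasswordNeverExpires) { $out += "${tag}: password never expires" }
            if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $stale) { $out += "${tag}: password older than a year" }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt $stale) { $out += "${tag}: no logon in a year (unreviewed account?)" }
            if ($u.ServicePrincipalNames.Count -gt 0) { $out += "${tag}: privileged account carries an SPN; its password protects service tickets" }
            if ($u.DoesNotRequirePreAuth) { $out += "${tag}: Kerberos pre-authentication disabled" }
        }
    }
    $out
}

function Get-DelegationExposures {
    # Category: AD delegation. Unconstrained delegation on anything but a DC lets that host
    # hold forwarded TGTs of everyone who authenticates to it.
    $dcs = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
        Where-Object { $dcs -notcontains $_.Name } |
        ForEach-Object { "Unconstrained delegation on non-DC host $($_.Name)" }
}

$report = @(Get-PasswordPolicyExposures) + @(Get-PrivilegedAccountExposures) + @(Get-DelegationExposures)
if ($report.Count -eq 0) { 'No exposures found by these checks' } else { $report }
```

Each finding names the category it belongs to, so the list can be prioritized against the AD dependency map from the recovery tests rather than worked top to bottom.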
Creating a Safe Space for Incident Response
An ounce of prevention is worth a pound of cure, so organizations should always make sure they practice good security hygiene and follow best practices like implementing the principle of least privilege. However, foolproof security is a fantasy, and effective incident response and recovery plans are essential to reducing downtime and potential damage when adversaries attack. An air-gapped IRE gives organizations a safe space to restore and reconfigure AD while reducing the risk of reinfection.
Does an isolated recovery environment seem sensible for your organization? Tell us what you think on LinkedIn, Twitter, or Facebook. We’d love to know!