Who could forget the infamous NotPetya attack of 2017? Within hours, malware crippled companies around the globe — most notably shipping giant Maersk. Because while Maersk had backups of many of its mission-critical servers, no one at the company could locate a single backup of a domain controller. In other words, a backup of their Active Directory (AD) was all but lost — leaving the company at a complete standstill. In total, the attack cost the shipping giant a whopping $300 million.

In today’s business world, as successful cyberattacks remain the norm, it’s imperative that organizations have backups in place for when a cyber incident inevitably occurs. And the best place to start mapping out your disaster recovery strategy is around your AD: the operations backbone of your organization.

Why shoring up your AD should be your #1 cyber priority

Ransomware is the number one security threat to business today, with 69 percent of businesses suffering an attack in 2020 alone. What’s more, the average cost of remediating a single ransomware attack is $1.85 million, and the average downtime for a successful cyberattack is 21 days. Why? Because following an attack, business operations cannot be restored until AD is fully functional again. Since AD provides authentication and authorization services for users and critical applications, a solid AD recovery plan must be at the core of every malware/ransomware defense strategy.

Gartner explains, “The restore process from many well-documented ransomware attacks has been hindered by not having an intact AD restore process.” This is because ransomware strains like SaveTheQueen and Doppler Paymer often compromise AD and leverage it to spread throughout the target organization’s systems. Particularly as the threat landscape evolves — and worsens — it’s imperative that organizations understand how to effectively prioritize and backup their AD when disasters occur.

Designing and implementing an AD backup plan for your enterprise

A phased approach to AD recovery is the Microsoft recommended best practice for a full and speedy recovery. At a high level, Microsoft’s recommended strategy is to identify at least one domain controller (DC) in each domain to prioritize in a recovery scenario. The main goal is to get those main DCs back online quickly, and then prioritize the less critical DCs.

Another way to think of it is this: Phase 1 should be centered around performing an initial recovery. Restore one or several DCs in each domain, depending on what tools you have available. The preferred method for ransomware recovery is often a clean operating system (OS) recovery — but this option is only available if you’ve invested in an enterprise AD disaster recovery solution proactively.

From there, Phase 2 is all about restoring and redeploying your remaining DCs through promotion. Microsoft recommends install from media (IFM) because it is an efficient way to reinstall AD on a DC. But with native tools, IFM can be a tedious manual process — it’s recommended to have a third-party solution on the backend to help your organization dramatically speed up Phase 2 of the recovery process, ultimately enabling your organization to get back up and running much sooner.

Hope is not a strategy — defending your backups is

All things considered, the only prerequisite for a successful recovery is having safeguarded your backups — because once bad actors breach perimeter defenses and infiltrate your networks, they’ll target your backups first to encrypt those to prevent you from using them to restore operational processes. But there are tools on the market that enterprises can use to gather and defend those backup assets when an attack does inevitably occur, so your organization is better prepared to withstand those attacks and resume operations quickly afterwards. But like anything else in cyberspace, preparedness is best — you can’t restore business operations (or your AD) if backups have been compromised. 

In today’s world, ransomware presents a clear and present risk to nearly every enterprise. Those that survive and thrive in the midst of the ongoing ransomware scourge will be those that invest in bolstering their cyber resiliency proactively.

Otherwise organizations will find themselves facing hefty fees — including millions to ransomware attackers themselves, critical losses in downtime, and perhaps most significantly, devastating losses in consumer trust. So remember, prioritize your AD, have an AD incident recovery strategy in place, safeguard your backups, and invest in tools and solutions that will enable you to put your incident recovery plan into action at a moment’s notice. After all, time wasted is money lost in cyberspace.

Photo Credit: Olivier Le Moal/Shutterstock

Bryan Patton is CISSP and consultant for Quest Software.