Cybercriminals are increasingly leveraging Active Directory to spread malware and even hold the organization for ransom. New data suggests you’re nowhere near ready for it.
I don’t need to say it, but your Active Directory (AD) is mission critical. Nearly every part of your on-premises environment, and some of your cloud environment, depends on this directory service being available and trustworthy.
And the bad guys know it.
I’ve brought up the abuse of AD a few times this year. We’ve seen AD used to spread Ryuk ransomware to remote endpoints by compromising domain controllers and pushing a logon script out via Group Policy. We’ve also seen ransomware specifically target domain controllers to hold AD itself for ransom. And any time you hear about an attack involving lateral movement, it means accounts have been compromised and passwords may have been reset, and, if the bad guys can make their way to a privileged account within AD, it means modifications to AD groups, users, and permissions to establish persistence, stealth, and control.
So organizations need to be ready to recover on two levels: rolling back the AD objects (groups, users, permissions, Group Policy) that were modified during an attack, and rebuilding the domain controllers themselves.
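Before you can roll anything back you have to know what the attacker touched. The PowerShell below is an added example (not code from the original post or from Semperis) that triages a domain for exactly the changes described above: objects modified inside a suspected compromise window, current membership of the privileged groups attackers add themselves to, non-default rights on the domain root (including the replication rights that enable DCSync), and any Group Policy Objects modified in the window together with the logon/startup scripts they carry, which is the Ryuk delivery pattern. It assumes RSAT (the ActiveDirectory and GroupPolicy modules) on a domain-joined host; the `$since` window, the `$privGroups` list and the `$allowed` principal allowlist are assumptions you should adjust to your own environment.

```powershell
# Added example (not from the original post): triage AD changes after a suspected
# compromise so you know which objects to roll back and which GPOs to pull.
# Requires RSAT (ActiveDirectory + GroupPolicy modules) on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$since  = (Get-Date).AddDays(-14)        # ASSUMPTION: earliest time the attacker had access
$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Every directory object modified inside the window. Compare against your
#    change-management record; anything unexplained is a rollback candidate.
Write-Host "== Objects changed since $since =="
Get-ADObject -Filter { whenChanged -ge $since } -SearchBase $dn `
    -Properties whenChanged, whenCreated, objectClass |
    Sort-Object whenChanged |
    Select-Object whenChanged, objectClass, DistinguishedName |
    Format-Table -AutoSize

# 2. Membership of the groups attackers most often add themselves to.
#    ASSUMPTION: extend this list with your own tier-0 groups.
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators',
              'DnsAdmins', 'Group Policy Creator Owners'
Write-Host "`n== Privileged group membership (flag anyone you cannot account for) =="
foreach ($g in $privGroups) {
    $grp = Get-ADGroup -Identity $g -Properties whenChanged -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    $flag = if ($grp.whenChanged -ge $since) { '  <-- group changed in window' } else { '' }
    Write-Host "$g (last changed $($grp.whenChanged))$flag"
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction Continue |
        ForEach-Object { "    $($_.objectClass) $($_.SamAccountName)" }
}

# 3. Non-default rights on the domain root. GenericAll / WriteDacl / WriteOwner for an
#    unexpected principal is a classic persistence foothold, and the two replication
#    extended rights below are what DCSync needs to pull password hashes.
#    ASSUMPTION: the allowlist is a starting point, not your real baseline.
$replRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
              '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'    # DS-Replication-Get-Changes-All
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             "$($domain.NetBIOSName)\Domain Admins",
             "$($domain.NetBIOSName)\Enterprise Admins",
             "$($domain.NetBIOSName)\Domain Controllers")
Write-Host "`n== Suspicious ACEs on $dn =="
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value -and
        ( $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -or
          ( $_.ActiveDirectoryRights -match 'ExtendedRight' -and
            $replRights -contains $_.ObjectType.ToString().ToLower() ) )
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# 4. GPOs touched in the window and any logon/startup scripts they carry.
#    A script dropped via Group Policy reaches every machine the GPO is linked to.
Write-Host "`n== GPOs modified since $since =="
Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
    Write-Host "$($_.DisplayName)  modified $($_.ModificationTime)  id $($_.Id)"
    [xml]$report = Get-GPOReport -Guid $_.Id -ReportType Xml
    # The report XML is namespaced; local-name() sidesteps the prefixes.
    foreach ($s in $report.SelectNodes("//*[local-name()='Script']")) {
        $type  = $s.SelectSingleNode("*[local-name()='Type']").InnerText
        $cmd   = $s.SelectSingleNode("*[local-name()='Command']").InnerText
        $parms = $s.SelectSingleNode("*[local-name()='Parameters']").InnerText
        Write-Host "    script [$type] $cmd $parms"
    }
}
```

Run it from a host you trust, not from a domain controller you suspect is compromised, and treat the output as a worklist rather than a verdict: the objects in section 1 are what your rollback has to cover, the members and ACEs in sections 2 and 3 are what you remove before restoring service, and the GPOs in section 4 tell you which endpoints may have run attacker code and need to be rebuilt rather than just cleaned.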
But according to AD-focused cybersecurity vendor Semperis, in its Recovering Active Directory from Cyber Disasters report, IT organizations simply aren’t prepared:
- 84 percent of organizations expect an AD outage to be “significant, severe, or catastrophic”
- Only 3 percent of organizations are “extremely confident” in their ability to recover AD to new servers should it be necessary
- Only 15 percent of organizations have actually tested their AD recovery plan in the last six months
With cyberattacks as prevalent as they are today, and increasing in frequency and sophistication, it’s time for organizations to ensure they can recover AD not just to a known-functioning state, but to a known-secure state from before the attackers had access.
The bad guys know AD is the keys to the kingdom. You need to work both to prevent its compromise and to be able to recover it should it be compromised.