Detect, Recover, and Restore From Active Directory Events

Since it was introduced 20 years ago, Active Directory has become arguably the most critical application for many enterprises. The problem is that in the two decades since it was released, the enterprise security threatscape has changed drastically and businesses have not adapted their Active Directory environment to meet these new security needs. Delegations have been handled haphazardly and default permissions on objects are optimized for discovery, not security. Additionally, in recent years, attackers have gotten more sophisticated—it’s not just about compromising single systems, it’s about finding quicker paths to compromising the entire enterprise.

As part of our RSA Conference coverage, Brilliance Security Magazine sat down with Mickey Bresman, CEO at Semperis, to get his views on the current state of AD protection. He gave us some exciting insights and outlined possible solutions for protecting AD from today’s threats. 

Semperis is an enterprise identity protection company whose mission is to enable organizations to recover from disasters that compromise Active Directory. Whether accidental or malicious, whether on-premises and on the cloud, the Semperis Directory Services Protection Platform™ provides the capability to automatically restore an entire Active Directory forest and quickly recover thousands of objects and instantly revert to a previous Active Directory state. 

To emphasis the critical nature of a well-protected domain controller, Mickey recited some of the details around the most devastating cyberattack in history – NotPetya and how it crippled Maersk. The key to Maersk’s recovery was trying to recover its domain controller. It took nine days to do so and then only extreme luck saved the day. 

In excellent coverage of this event, Wired said, “After a frantic search that entailed calling hundreds of IT admins in data centers around the world, Maersk’s desperate administrators finally found one lone surviving domain controller in a remote office—in Ghana. At some point before NotPetya struck, a blackout had knocked the Ghanaian machine offline, and the computer remained disconnected from the network. It thus contained the singular known copy of the company’s domain controller data left untouched by the malware—all thanks to a power outage.”

Mickey maintains that with the technology deployed by Semperis today, this recovery could have happened in a matter of hours, not days. 

Founded in 2014 and headquartered in New York City near the World Trade Center, about 50 people work for Semperis around the world. In addition to Mickey, Semperis has had the good fortune to assemble what many would consider an all-star team of technologists. Just a few of the industry notables that help steer Semperis include:

If you’re interested in working with Semperis and these industry leaders, Mickey indicated that they are actively looking for additional talent and urges interested parties to reach out to them.

Tools that attackers can use to penetrate and compromise Active Directory include:

  • Described by GitHub as “a little tool to play with Windows security,” Mimikatz is probably the most widely used AD exploitation tool and the most versatile. CSO describes it as “a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs, and Kerberos tickets. Other useful attacks it enables are pass-the-hash, pass-the-ticket, or building Golden Kerberos tickets. This tool makes post-exploitation lateral movement within a network easy for attackers.”
  • PowerSploit is a PowerShell-based toolkit for recon, exfiltration, and persistence.
  • BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks can use BloodHound to quickly identify highly complex attack paths that would otherwise be impossible to identify quickly.
  • Death Star shows how you can use information collected from Bloodhound and other tools to automate the elevation to Domain Admin (or similar).

Mickey and Semperis offer the following to make it harder for attackers to move around Active Directory.

  • Reduce information exposure through privileged AD users and groups and GPOs. Constrain where credentials are “lying around” and use built-in technologies such as Credential Guard and Remote Credential Guard in Win10 Pro & Enterprise/2016.
  • Monitor your IT environment using an Active Directory auditing tool. 
  • Harden privileged groups: member attributes should not be world-readable. Delegation of full-control or write of the group’s member attribute should be restricted to other privileged users at the same or higher privilege tier.
  • Harden privileged users: reset the password, take ownership, or full control permissions should be tightly controlled to other users at the same privilege tier.
  • Harden GPOs: GPOs that grant privileged access should not be world-readable, and GPOs that contain security settings should be restricted on Reads.
  • Consider restricting credentials using the Tiered Admin Model presented in Microsoft’s Pass-the-Hash white paper.

In a blog post by Darren Mar-Elia, he states, “While taking these preventative measures makes it harder for attackers to compromise AD, once an attacker is hiding in your environment, there’s no way of preventing them from attacking Active Directory and wiping out your environment. That’s why implementing a Disaster Recovery solution is the single most critical step you can take to protect Active Directory. Semperis’ Active Directory State Manager gives you visibility over changes happening to your AD so that you can more quickly spot suspicious activity within the Directory, and the fully-automated Active Directory Forest Recovery solution makes recovering from an AD attack as simple as three mouse clicks, reducing your time to restore from weeks to hours. With all the new techniques that exist for attacking AD, it’s time to stop thinking about what you’ll do if someone attacks your Active Directory environment and start preparing your AD Disaster Recovery plan.”

Steven Bowcut is an award-winning journalist covering cyber and physical security. He is an editor and writer for Brilliance Security Magazine as well as other security and non-security online publications. Follow and connect with Steve on Twitter, Instagram, and LinkedIn.