Several high-risk events have recently highlighted the importance of a fully functional and secure Active Directory environment to a company’s business operations. At the time of this writing, the 2020 SolarWinds compromise was the most recent high-profile event involving lateral movement through the directory.
Once a bad actor gains access to an environment, lateral movement tends to happen quickly and without attracting much attention. In these situations, bad actors can access an environment and establish a presence for an extended period before the organization discovers the intrusion.
When such an event occurs, the Active Directory backups taken during the time of the intrusion will likely be compromised. Given the constantly changing nature of an organization’s Active Directory environment, restoring from backup is not feasible if the backups are more than a few days old.
When a bad actor makes their presence known after some period of persistence, perhaps by cryptolocking the Active Directory environment to the point where authentication services become unavailable, the first question that needs to be answered is: How do we recover from this incident in a safe and efficient manner? This brings us to the importance of air-gapped Active Directory backups.
What is an air-gapped backup? An air-gapped device is one that is not connected to, and cannot be reached from, your online environment. Air-gapped backups are typically written to tape, disk, or another medium that is then disconnected from the online environment and stored either on site or remotely.
In the event of an intrusion, the bad actor has likely found a way into the Active Directory environment via online recovery methods, used credential theft and lateral movement techniques, and gained access to privileged accounts.
When this level of intrusion occurs, a full restore from backup might be necessary. This is particularly the case if an intruder compromises all of a company’s online domain controllers. Most businesses would be severely limited in their operations if their Active Directory environment needed to be rebuilt from scratch without a clean and reliable backup. This could prove to be a rather costly and time-consuming endeavor for the organization.
In this event, the best recovery method for directory services is to have an air-gapped backup solution in place to aid in the recovery of the Active Directory environment. A directory services recovery solution like this is not possible without a complete backup set. So, how do we ensure a full recovery?
Many organizations use the “3-2-1” backup strategy. “3-2-1” refers to three copies of your data: one online copy and two backups, with the backups kept on different media and in different locations. If you follow the “3-2-1” backup strategy, you will have an offline backup of the organization’s directory services. Will such a backup be viable in your directory services restoration efforts? To answer this question, you need to look at the complexity of your organization’s Active Directory environment and determine how far back in time a full restore of directory services could reasonably reach, taking into consideration that users and computers frequently change passwords, along with other relevant infrastructure changes. Determining an acceptable recovery period helps define how often your air-gapped Active Directory backup should occur.
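The paragraph above leaves "how far back in time" as a judgment call. The following PowerShell script, added here as an example and not part of the original post, gathers the inputs for that judgment from a live domain: the forest tombstone lifetime (a backup older than it cannot be restored at all), the age distribution of computer account passwords, and recent user password churn. It assumes the ActiveDirectory module in a domain-joined administrative session; the function name, the 30-day machine-password ceiling, and the divide-by-three scheduling rule are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): gather the inputs needed to
# decide how old an Active Directory backup can be and still support a full
# restore, then derive an air-gapped backup interval from that.
# Assumptions: the ActiveDirectory module is available in a domain-joined admin
# session; the 30-day machine-password ceiling and the divide-by-three
# scheduling rule are assumptions to adjust for your environment.
Import-Module ActiveDirectory

function Get-BackupAgeBudget {
    param(
        [int]$MachinePasswordMaxAgeDays = 30,   # Netlogon default for computer account password rotation
        [int]$CopiesWithinBudget       = 3     # how many offline copies should fit inside the budget
    )

    # Hard ceiling: a backup older than the forest tombstone lifetime cannot be
    # restored at all. The value lives on the Directory Service object in the
    # configuration naming context; an unset attribute means the legacy 60 days.
    $rootDse  = Get-ADRootDSE
    $dsObject = Get-ADObject -Identity ("CN=Directory Service,CN=Windows NT,CN=Services," + $rootDse.configurationNamingContext) -Properties tombstoneLifetime
    $tombstoneDays = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

    # Practical ceiling: computer accounts rotate their secure-channel password.
    # Restoring a copy older than that rotation means many machines fail to
    # authenticate and must be rejoined, so measure how old those passwords are.
    $now  = Get-Date
    $ages = @(Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
              Where-Object { $_.PasswordLastSet } |
              ForEach-Object { ($now - $_.PasswordLastSet).TotalDays } |
              Sort-Object)
    $medianComputerAge = if ($ages.Count) { $ages[[int][math]::Floor($ages.Count / 2)] } else { 0 }

    # User churn: how many enabled users changed their password in the last
    # week, i.e. how many would come back with a stale password from a
    # week-old backup.
    $weekAgo   = $now.AddDays(-7)
    $userChurn = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
                   Where-Object { $_.PasswordLastSet -gt $weekAgo }).Count

    # The smaller ceiling is the maximum acceptable age of the oldest usable
    # copy; schedule the air-gapped backup so several copies fit inside it.
    $maxAgeDays   = [math]::Min($tombstoneDays, $MachinePasswordMaxAgeDays)
    $intervalDays = [math]::Max(1, [math]::Floor($maxAgeDays / $CopiesWithinBudget))

    [pscustomobject]@{
        TombstoneLifetimeDays       = $tombstoneDays
        MedianComputerPwdAgeDays    = [math]::Round($medianComputerAge, 1)
        UsersChangedPwdLast7Days    = $userChurn
        MaxAcceptableBackupAgeDays  = $maxAgeDays
        SuggestedBackupIntervalDays = $intervalDays
    }
}

Get-BackupAgeBudget | Format-List
```

The tombstone lifetime is the one value here that is a hard limit rather than a preference: a system state backup older than it is rejected at restore time because the deletions it would resurrect have already been purged from the live directory. The other two figures only tell you how much rejoining and password resetting a restore of a given age would cost.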
How Do We Recover?
Recovering Active Directory via a manual rebuild is not desirable, and for most organizations it is not practical. Recovery time can be significantly reduced if an air-gapped backup solution is in place. Having an air-gapped solution available when recovering from an intrusion event can help make the elements of recovery—role seizure, ACL cleanup, tiered structuring, password rolling, and redeployment—more manageable. Having an air-gapped solution in place can also help avoid the tedious tasks of manually recreating the organization’s Active Directory structure, objects, and security.
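To make the backup and the recovery elements named above concrete, the following PowerShell is added here as an example and is not the author's or Ravenswood Technology's own tooling. The first function writes a domain controller system state backup to a removable disk and verifies the catalog before the disk is pulled; the second performs three of the five recovery elements listed (role seizure, password rolling, and a privileged-group check as the first step of ACL cleanup) once the air-gapped copy has been restored on an isolated network. It assumes Windows Server Backup and the ActiveDirectory module are installed, the script runs elevated on a domain controller, the removable disk is mounted as E:, and "DC01" and the function names are hypothetical.

```powershell
# Added example (not from the original post). Two pieces of the process the
# text describes: (1) a system state backup of a domain controller written to a
# removable disk that is then disconnected, and (2) the first recovery steps
# after that copy has been restored in an isolated network.
# Assumptions: Windows Server Backup and the ActiveDirectory module are
# installed, the script runs elevated on a DC, the removable disk is mounted as
# E:, and "DC01" is the hypothetical DC that is restored first.
Import-Module ActiveDirectory

function Invoke-AirGappedSystemStateBackup {
    param([string]$Target = 'E:')

    # Warn if the target is not on a USB bus; a disk that stays attached to
    # the DC is an online copy, not an air-gapped one.
    $disk = Get-Partition -DriveLetter $Target.TrimEnd(':') | Get-Disk
    if ($disk.BusType -ne 'USB') {
        Write-Warning "$Target is on bus '$($disk.BusType)'; confirm it will be physically disconnected after the backup."
    }

    # System state includes NTDS.dit, SYSVOL and the registry, which is what a
    # domain controller restore needs.
    wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

    # Confirm the catalog on the target lists the new version before the disk
    # is pulled; keep this output in the offline backup log.
    wbadmin get versions "-backupTarget:$Target"
}

function Invoke-PostRestoreChecks {
    param(
        [string]$RestoredDc = 'DC01',
        [string[]]$KnownGoodDomainAdmins   # taken from change-control records, not from the restored directory
    )

    # Role seizure: the compromised DCs are not coming back, so force all five
    # FSMO roles onto the restored DC (-Force seizes instead of transferring).
    Move-ADDirectoryServerOperationMasterRole -Identity $RestoredDc -Force `
        -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

    # Password rolling: reset krbtgt so Kerberos tickets issued under the old
    # key stop validating. Microsoft's guidance is to reset it twice with
    # replication completing in between; this performs the first reset only.
    $newPwd = ConvertTo-SecureString -String ([guid]::NewGuid().Guid) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPwd

    # ACL cleanup, first step: diff the restored Domain Admins membership
    # against the known-good list and surface anything the backup carried in.
    $current    = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
    $unexpected = @($current | Where-Object { $_ -notin $KnownGoodDomainAdmins })
    if ($unexpected.Count) { Write-Warning "Unexpected Domain Admins: $($unexpected -join ', ')" }
    return $unexpected
}

# Usage: run the backup on the schedule chosen for your recovery period; run
# the checks once the air-gapped copy has been restored on an isolated network.
# Invoke-AirGappedSystemStateBackup -Target 'E:'
# Invoke-PostRestoreChecks -RestoredDc 'DC01' -KnownGoodDomainAdmins @('Administrator', 'svc-ad-admin')
```

The known-good administrator list is deliberately a parameter rather than something read from the directory: the backup was taken while the intruder may already have had a presence, so the restored copy is the thing being checked, not the reference.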
Back Up All the Things!
The best preventative measure is to back up and test. This can be a time-consuming process, but having a known, working, and testable solution is critical. The question of intrusion is not “if” but “when.” Ravenswood Technology has the in-depth experience you need to ensure your environment is secure and properly backed up.
Need help with your Active Directory environment or backups? Contact the experts at Ravenswood Technology.