The Practical ROI of a quick Active Directory recovery

data protection day, ROI
While every IT manager or administrator knows that a solid Active Directory recovery plan is an essential component of any business continuity strategy, calculating an optimised AD recovery plan’s practical return on investment (ROI) is notoriously tricky. Too many variables are at play to generate a defensible, exact calculation. And to set expectations upfront: I won’t offer any interactive ROI calculator here in this article. 
Instead, Sean Deuby, Director of Services, Semperis, looks at a few practical ways to see a return on your investment in ensuring a proper AD recovery, allowing you to do your own calculations and come to your own conclusions. Of course, losing one domain controller is a problem in itself, but let’s look at another increasingly common scenario that has catastrophic consequences: a ransomware attack that takes out every domain controller across all company sites. In that situation, recovering AD can be a white-knuckle, under-the-gun challenge. 

In the last year, we’ve discussed scores of ransomware attacks where cybercriminals modified AD in one way or another — far beyond the basic changes to user accounts or passwords — to gain entry into information systems and move laterally to propagate malware. Ransomware architects now have engineers on staff dissecting AD and its security updates, looking for opportunities to elevate permissions and quickly distribute malware across the entire organisation. Post-attack forensics from previous ransomware attacks involving AD have revealed that threat actors primarily focus on changes to group accounts, user accounts, Group Policy objects, the SYSVOL, and domain controllers. With these cybercriminal tactics in mind, consider the following factors in calculating your own AD recovery ROI: Cost of operational losses. 

A material part of your operations likely relies on AD being up and running to authenticate users as the basis for providing access to applications, systems, and data. For every hour that AD cannot operate, how much revenue or productivity would your business lose? How many hours, days, or weeks would it take before the business passes a point of no return and cannot financially recover? Remember the ransomware attack on the City of Baltimore? Their recovery of operations took months and cost over US$18mn.

Lack of a business continuity plan that includes AD 

If your organisation is mature enough, you have a BC/ DR plan in place defining the work needed to restore business operations after an outage. Most plans account for loss of infrastructure or loss of a location after a natural disaster. But few companies have a plan specifically for restoring business after a cyberattack, especially one as unpredictable as a ransomware attack. The way you recover AD in a scenario like this depends on what changes cybercriminals made within AD. You might plan to recover AD back to a previous version, but how do you determine how far back you need to go to find a known secure version? What AD-dependent systems, services, and applications will be affected or won’t function at all because of a broad-stroke recovery to an earlier AD state? Are you confident that you can even locate a recent, malware-free backup from which to restore? Without a plan or an ability to understand what was changed in AD before recovering, your organisation will spend incalculable time fixing all the problems the recovery caused. 

Recovery might not be the answer 

If all the changes being made by the bad guys during an attack boil down to, let’s say, adding an account to the Domain Admins group, then recovering AD to a few days ago or last month might not be the right answer. Instead, perhaps the less costly method is to monitor changes in AD and have the ability to either disallow changes to “protected” accounts (like the Domain Admins group) or to revert a change to a sanctioned configuration automatically. 

The considerations above summarise to three risks: 

1.The risk of a slow recovery

2. The risk of a recovery that creates more remediation work

3. The risk of a recovery that might be considered overkill for the nature of the changes made to AD.

Instead of looking at the ROI of AD recovery using some calculator you found online, the better choice is to work through several real-world scenarios and evaluate how your current means of AD recovery would fare. This can be done by answering the following questions based on the factors outlined above: 

• What critical parts of the operation depend on AD to function? What is the estimated cost of their downtime? 

• How long will it take to recover AD based on the changes made during an attack

• Do you have visibility into what malicious changes were made in AD and, if not, how far back will you need to investigate and how long will that take you? 

• Will the recovery impact any other parts of operations that you will need to fix and, if so, how long will that take? (Remember that some number of both user and computer account passwords will not match, impeding the ability to log on to the domain. Plus, earlier versions might be missing accounts, group memberships, DNS records, etc.) 

• Are you confident that recovery will put you into a known-secure state? Beware of the difference between resuming business operations and recovering business operations: If you don’t have a clean, malware-free backup from which to recover, you run the risk of reintroducing the same vulnerabilities that left you open to attack in the first place. 

In short, the ROI of AD recovery has much more to do with your current ability to recover to a known-productive and known-secure state post-attack than it does with an online ROI calculator that doesn’t account for the myriad variables involved in a ransomware attack. By walking through some scenarios and thinking specifically about your current recovery abilities, you will expose costs that can be eliminated by having a proper AD recovery solution in place—one that is designed to protect against, prevent and recover from malicious changes AD.

READ MORE:

About Semperis

For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing Active Directory, Semperis’ patented technology protects over 40 million identities from cyberattacks, data breaches, and operational errors. As a result, the world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in New Jersey and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv. Semperis has released its Active Directory Security Halftime Report. The report will be updated on a periodic basis to serve as a timely, concise index of resources for organisations that have prioritised hardening their Active Directory and Azure Active Directory defences against escalating cyberattacks.

For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Choose an AI solution to transform beyond technology

Kit Cox • 09th December 2024

The first step is knowing exactly what your business wants to achieve with AI; think faster, smarter and more efficient. Once you know what you are working towards, you can start looking for a solution that can help you make it a reality. AI integration can feel like a daunting task at the beginning, so...

A Roadmap to Security and Privacy Compliance

John Lynch Director of Kiteworks • 04th December 2024

Only by understanding the current regulatory environment and implementing robust data protection measures, can organisations enhance their security posture, ensure compliance, and build resilience against the latest cyber threats. This article provides a comprehensive roadmap of how to do it.

Data-Sharing Done Right: Finding the Best Business Approach

Bart Koek • 20th November 2024

To ensure data is not only available, but also accessible to those that need it, businesses recognise that it is vital to focus on collecting, sorting and governing all the data in their organisation. But what happens when data also needs to be accessed and shared across the business? That is where organisations discover a...

Nova: The Ultimate AI-Powered Martech Solution for Boosting Sales, Marketing...

Erin Lanahan • 19th November 2024

Discover how Nova, the AI-powered engine behind Launched, revolutionises Martech by automating sales and marketing tasks, enhancing personalisation, and delivering unmatched ROI. With advanced intent data integration, revenue attribution, and real-time insights, Nova empowers businesses to scale, streamline operations, and outperform competitors like 6Sense and 11x.ai. Experience the future of Martech with Nova’s transformative AI...

How E-commerce Marketers Can Win Black Friday

Sue Azari • 11th November 2024

As new global eCommerce players expand their influence across both European and US markets, traditional brands are navigating a rapidly shifting landscape. These fast-growing Asian platforms have gained traction by offering ultra-low prices, rapid product turnarounds, heavy investment in paid user acquisition, and leveraging viral social media trends to create demand almost in real-time. This...

Why microgrids are big news

Craig Tropea • 31st October 2024

As the world continues its march towards a greener future, businesses, communities, and individuals alike are all increasingly turning towards renewable energy sources to power their operations. What is most interesting, though, is how many of them are taking the pro-active position of researching, selecting, and implementing their preferred solutions without the assistance of traditional...

Is automation the silver bullet for customer retention?

Carter Busse • 22nd October 2024

CX innovation has accelerated rapidly since 2020, as business and consumer expectations evolved dramatically during the Covid-19 pandemic. Now, finding the best way to engage and respond to customers has become a top business priority and a key business challenge. Not only do customers expect the highest standard, but companies are prioritising superb CX to...