Other manufacturers of specialized AD backup tools – including Quest – have followed Semperis’ lead in separating identity data from the operating system. The main difference: You don’t back up the entire server, but specifically the AD database – i.e. users, groups, permissions, group policies and trust relationships – and restore them to a clean, fresh operating system environment. This eliminates the risk of reinfection caused by malware that has already become established in the system files of an AD server and is backed up by classic backups.
Of course, restoring an AD forest across multiple servers is fully automated. It is therefore not only less error-prone than the many manual steps required with classic tools, but also significantly faster. Additionally, these tools are hardware independent: recovery can occur on any infrastructure, including in the cloud or in an isolated environment.
What other solutions from these manufacturers, such as the Semperis Directory Services Protector (DSP), also provide is continuous monitoring of the identity level – i.e. real-time monitoring of changes to privileged accounts, group policies and trust relationships.
In practice, this allows you to detect attack patterns such as DCSync, Kerberoasting or password spray attacks before the attacker has gained complete control. Changes that an attacker has made to the AD can be completely reset with this help. This is a crucial time advantage: Instead of only reacting after encryption, an attack on the identity level can be detected and contained in the escalation phase.
The critical first hours: An experience
From my consulting practice, I know a recurring pattern that concerns me: After a serious incident, in many organizations it takes two to five days before qualified incident response specialists are even integrated into operations. During this time, the attacker moves freely laterally through the infrastructure – escalating privileges, exfiltrating data and preparing encryption. With a specialized identity recovery approach, however, the core system – the directory services – can be restored in hours, not weeks. This means that all downstream systems become available more quickly because the authentication basis is in place.
The difference is not theoretical. I’ve seen a company with a prepared identity recovery strategy restore core authentication services within four hours following a ransomware attack. Without this preparation, the incident response team estimates it would have taken days to weeks – with simultaneous uncertainty as to whether the restored environment could even be trusted.
