September 10 2025

The brutal truth about recovering Active Directory

Understand the real challenges around securing and recovering AD that can put your business at risk.


As the identity backbone for over 90% of organizations, Active Directory (AD) is the gateway to your most critical systems and data. When cybercriminals attack, they can escalate privileges and gain unrestricted access to systems and data for ransomware or exfiltration. Even worse, if they take AD down, most organizations are left unable to function, making it one of the most disruptive attack vectors today. In fact, Cohesity’s Cyber Event Response Team (CERT) saw AD compromise in over 90% of incidents over the last 9 months, consistent with findings from Mandiant researchers.

AD under siege  

Among the most devastating (and popular) targets for ransomware campaigns is AD. Why? Because a successful breach enables long-term, stealthy access to your organization. From there, the attackers can lie in wait, and strike on their timeline. 

Identity system compromises often go undetected for weeks, or even months. When AD is breached, adversaries often avoid immediate detection, choosing instead to maintain stealthy access and exfiltrate sensitive data. By the time they're discovered, attackers may have made sweeping unauthorized and malicious changes, making it difficult to know what “clean” even looks like. These attacks may ultimately lead to a ransomware incident, crippling business operations and leaving backdoors for future attacks.

AD underpins access and authentication for virtually every service and application across the enterprise. If AD becomes unavailable, business operations can come to a standstill. AD’s interconnected nature makes it a prime, and uniquely dangerous, target: 

  • As a directory service, it gives attackers the map to move laterally and escalate privileges. 
  • As the core authentication and authorization service, it represents a single point of failure. If attackers take down AD, they can take down an entire enterprise. 
  • As a Group Policy controller, it allows threat actors to push malware and maintain persistence at scale.
  • Once inside, attackers can access mission-critical systems, exposing sensitive data like customer records. 

It gets worse. When a compromise occurs, the recovery process for AD is complex and challenging. Here’s why: AD recovery is not like restoring a file or even a database. It’s complicated, with many manual steps. One wrong move during restoration can destabilize your entire environment, or leave an attacker with a way back in. 

Why secure AD recovery is so difficult

It’s not enough to just restore your systems after a cyberattack—you must perform forensics and remediate the root cause of the attack. You need secure recovery. Here’s why most organizations struggle with AD recovery: 

  • Manual recovery is error-prone and often requires additional time to correct missteps, extending the timeline even further. In fact, Microsoft details 29 steps to bringing AD back online after a compromise. 
  • Many organizations have not conducted AD recovery drills, nor do they perform cyber response drills. (It’s easy to understand why drills don’t get done—it’s a complex, lengthy process.) As a result, the organization is at risk of unanticipated delays including: provisioning hardware (virtual or physical), conducting metadata cleanup, ensuring the recovered forest is malware-free, and resolving any breakdowns in the decision-making process during recovery.
  • AD backups have a short shelf life. An enterprise-scale AD forest generates thousands, or tens of thousands, of changes daily across many Domain Controllers, so a backup that is even a few days old no longer reflects the state the business depends on.
  • Conventional backups of AD will likely contain malware in the event of an attack, prolonging recovery.
  • Determining the cause of a breach often requires an extensive review of Active Directory and security policies to identify accounts or configurations that may have been modified or added.

It’s easy to see why many organizations fail to meet the recovery time objective (RTO) for AD, and why attackers continue to concentrate on exploiting this workload.


Figure 1: Restoring AD manually is complex, time-consuming, and error-prone.

Secure AD recovery is central to identity resilience

When AD is down, much of your business is likely to be impacted. Without a validated identity resilience strategy, organizations lose precious days (or weeks) in the aftermath of an attack, with every minute of downtime leading to lost revenue, lost customer trust, and mounting risk. According to a recent study of 1,500 global organizations, despite 90% of respondents having implemented an Identity Threat Detection and Response (ITDR) strategy, a much smaller percentage include AD recovery procedures in their disaster recovery plan or maintain dedicated, AD-specific backup systems—both key parts of effective ITDR. That’s a gap that attackers will be more than happy to exploit. Your strategy needs to ensure AD backups are always recoverable, and you need a thoughtful response and recovery plan that accounts for the unique properties of AD.

Are you ready to secure and recover AD?

Understanding the difficulties around securing AD is one thing; being ready to recover it is another. The complexity and high stakes involved in AD recovery often discourage organizations from conducting regular cyber response and recovery tests. As a result, recovery plans go unvalidated, leaving businesses vulnerable when they need resilience the most.

How do you know if you’re ready? Here are a few critical questions to ask yourself:

  • What business-critical systems depend on AD? What’s the cost of their downtime? 
  • How long would AD recovery take, considering unknown changes made during a breach? 
  • How quickly can you identify what the attackers changed in AD? How far back will you need to investigate and how long will that take?
  • Will recovery break other systems? Think about misaligned user and computer passwords, missing accounts, DNS records, or group memberships. 
  • Can you guarantee recovery into a clean, secure state? Restoring from an infected or altered backup can reintroduce the same vulnerabilities. 
  • Could you recover AD without internet access?
  • What sensitive assets are accessible through AD? If your identity system is compromised, so is everything it connects to. 

If you’re unsure about any of the above, it may be time to update your strategy.
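As an added example that is not part of the original post, the following PowerShell (RSAT ActiveDirectory module, read access to the domain) is a first pass at the review described in the previous section and at the question of how quickly you can identify what changed: objects modified or created inside a suspected compromise window, and membership changes to privileged groups taken from replication metadata rather than from whenChanged alone. The window ($Since), the group list and the domain controller selection are assumptions to adjust to your incident.

```powershell
# Added example (not from the original post): first-pass triage of what changed in
# AD during a suspected compromise window. Assumptions: RSAT ActiveDirectory module
# is installed, $Since marks the start of the window, $PrivilegedGroups lists the
# groups you treat as Tier 0.
Import-Module ActiveDirectory

$Since = (Get-Date).AddDays(-30)          # assumed start of the compromise window
$Dc    = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 1. Every object whose whenChanged falls inside the window, grouped by class.
#    This is the scope of the review; its size also shows how quickly a backup
#    taken before $Since goes stale.
$changed = Get-ADObject -Server $Dc -Filter 'whenChanged -ge $Since' `
            -Properties whenChanged, whenCreated, objectClass
$changed | Group-Object objectClass | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 2. Objects created in the window: accounts, groups or GPOs that were added
#    rather than modified.
$changed | Where-Object { $_.whenCreated -ge $Since } |
    Select-Object Name, ObjectClass, whenCreated | Format-Table -AutoSize

# 3. Membership changes to privileged groups from per-value replication metadata.
#    Unlike whenChanged, this records when each member was added or removed, so a
#    member that was added and later removed inside the window still appears.
foreach ($g in $PrivilegedGroups) {
    $grp = Get-ADGroup -Server $Dc -Identity $g
    Get-ADReplicationAttributeMetadata -Server $Dc -Object $grp.DistinguishedName `
        -Attribute member -ShowAllLinkedValues |
        Where-Object { $_.LastOriginatingChangeTime -ge $Since } |
        Select-Object @{ n = 'Group'; e = { $g } }, AttributeValue,
                      LastOriginatingChangeTime, LastOriginatingDeleteTime,
                      LastOriginatingChangeDirectoryServerIdentity |
        Format-Table -AutoSize
}

# 4. Objects with adminCount=1 are, or once were, members of protected groups.
#    Any of them modified inside the window deserves a manual look.
Get-ADObject -Server $Dc -LDAPFilter '(adminCount=1)' -Properties whenChanged |
    Where-Object { $_.whenChanged -ge $Since } |
    Select-Object Name, ObjectClass, whenChanged | Format-Table -AutoSize
```

Run it against the recovered forest as well as the compromised one: differences between the two outputs are the changes your restore either carried forward or rolled back.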

The bottom line: It’s time to refresh your identity resilience

AD is a high-value, high-risk target. When it’s compromised, recovery is painful and complex. Most organizations aren’t ready. 

What’s needed is a combination of prevention and proven, automated, and secure recovery capabilities. Without them, the best defenses are inadequate, and the cost of unplanned downtime will climb. 

Cohesity and Semperis have invested in integrations to quickly and securely recover your Active Directory infrastructure. Together, we enable organizations to proactively detect threats to AD, discover and close attack paths, and rapidly restore AD to a clean state. Explore the integration between Cohesity and Semperis or get a free security assessment of your AD vulnerabilities so your team can start to plan for a cyber resilience strategy that recovers AD faster, safer, and with confidence.
