IT Security: Quickly Investigate, Remediate and Recover (Part 5 #NCSAM)

Even with the best defenses, an attack or egregious accident can happen to your Active Directory; therefore you need to be prepared to quickly investigate, remediate and recover. Sadly, attacks today have taken a decidedly ugly turn, seeking the total annihilation of your infrastructure often in an attempt to hide the real breach that already occurred.

Today, in the final part of my National Cyber Security Awareness Month series focusing on Active Directory security guiding principles, we’ll explore the best ways to be prepared for when the worst happens.

To start at the beginning of this series, see the list below:

Whether you’ve lost a domain controller, a user or group policy, an entire group of users or your entire forest, you need to be prepared to investigate how it happened and have a plan to remediate and recover. Remember, AD disaster recovery is business disaster recovery.

Setting the stage: Destructive doozies

Destructive attacks are on the rise and their effects can be devastating. Every organization is vulnerable, whether as a direct target or simply collateral damage. Just think about NotPetya, an attack aimed at Ukraine from a hostile nation, and yet it took down the shipping giant Maersk and companies in Germany, the United States, Tasmania and so on – completely unconnected to Ukraine. There are more examples like NotPetya spreading destruction beyond their intended targets: Stuxnet, Shamoon, WannaCry and more.

After the devastating attack on email provider VFEmail in 2019, its CEO and founder Rick Romero tweeted, “I never thought anyone would care about my labor of love so much that they’d want to completely and thoroughly destroy it.” Don’t make the same mistake.

If you want a more thorough history, reach and methodology behind some of those attacks I mentioned above, check out the whitepaper Preparing for Attacks that Seek Total Annihilation.

Investigate, remediate and recover

Once an attack is known, whether because your entire AD is down, a user is disrupted or your UEBA solution has notified you of suspicious activity, it’s time to roll up your sleeves, investigate what happened and how it happened, and start the remediation and recovery process. Here are some best practices to keep in mind as you build out a response plan:

– Audit changes in your environment and use tools that enable you to prevent changes to your most critical objects, such as highly privileged groups.

– Closely monitor configuration and other system changes and watch for unusual operations, such as commands that could alter boot partitions or brick a system.

– Monitor user activity, especially the activity of privileged accounts. Ideally, use a tool that creates a baseline of normal activity, looks for aberrations and analyzes them in context to minimize alert fatigue while quickly spotting true threats.


– Automate response. Modern attacks unfold in seconds, so you can’t afford to be content with a dashboard in your security operations center — by the time a human being spots an issue, investigates it and does something about it, the damage is done. Therefore, security automation and orchestration are essential. More specifically, you’ll want to build out a tested and proven disaster recovery strategy that enables:

  • Operating system recovery
  • Hybrid AD and Azure AD recovery
  • Comparison reporting of changes since last backup to pinpoint deleted or changed objects or attributes
  • Restore of individual attributes, such as account settings, group memberships and binary attributes, even when the object itself has not been deleted. This enables you to restore only the required attributes without restarting domain controllers.
  • Virtual test lab to demonstrate your DR plan. Tabletop exercises aren’t enough. You must test the actual disaster scenarios in a separate virtual forest test lab with production data.
  • Generation of a detailed recovery process report that captures every stage of the recovery and the order in which tasks need to be completed.
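As an added illustration of the first two best practices above (auditing changes to highly privileged groups) and of the comparison-reporting item in the DR list, the following PowerShell script is not from the original post or from Quest's products: it snapshots the membership of critical AD groups to a baseline file and later diffs live membership against that baseline. It assumes the RSAT ActiveDirectory module, a domain-joined account that can read group membership, and a baseline path of my own choosing.

```powershell
# Added example (not from the original post or from Quest's tooling):
# snapshot privileged-group membership to a baseline, then report members
# that were added or removed since that baseline was taken.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Groups the post calls "most critical objects"; extend the list as needed.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$BaselinePath = 'C:\ADBaseline\privileged-groups.json'   # assumed location

function Get-PrivilegedMembership {
    # -Recursive so members of nested groups are captured as well.
    $result = @{}
    foreach ($g in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                   Select-Object -ExpandProperty DistinguishedName | Sort-Object
        $result[$g] = @($members)
    }
    return $result
}

function Save-Baseline {
    # Take the baseline at the same time as your AD backup so the two agree.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-PrivilegedMembership | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}

function Compare-ToBaseline {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $current  = Get-PrivilegedMembership
    foreach ($g in $PrivilegedGroups) {
        # A group absent from the baseline is treated as previously empty.
        $before = if ($null -ne $baseline.$g) { @($baseline.$g) } else { @() }
        $after  = $current[$g]
        $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after
        foreach ($d in $diff) {
            $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            [PSCustomObject]@{ Group = $g; Change = $change; Member = $d.InputObject }
        }
    }
}

# First run records the baseline; later runs emit one row per change to review.
if (-not (Test-Path $BaselinePath)) { Save-Baseline }
else { Compare-ToBaseline | Format-Table -AutoSize }
```

Every row the comparison emits is a membership change that should map to an approved change ticket; anything unexplained is a lead for the investigation step.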

To mitigate your risk, implement security best practices to block attacks, limit their reach and help ensure prompt detection and response. But security experts and real-world attacks make it clear that you also need a comprehensive disaster recovery strategy like the ones Quest provides with Recovery Manager for Active Directory – Disaster Recovery Edition and On Demand Recovery.

Remember the CEO from VFEmail I quoted earlier in this post? He never thought anyone would care about his company’s work, its intellectual property. And yet he suffered a full-scale takedown. If you think no one is really trying to hack into and destroy your AD, or you know they are and you’re trying to understand why, then watch the on-demand webcast that explores WHY your role in securing your organization is indeed a matter of national security.


About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the c-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.