Businesses have not adapted their Active Directory environment to meet new security needs

Mickey Bresman is the CEO of Semperis, an enterprise identity protection company that enables organizations to quickly recover from changes and disasters that compromise Active Directory (AD). A long-time enterprise software expert, Bresman began his technical career in the Navy computing technical unit over a decade ago. Prior to co-founding Semperis, Bresman was the CTO of a Microsoft gold partner integration company, YouCC Technologies, successfully growing the company’s overall performance year over year.

Active Directory (AD) is a Windows OS directory service that facilitates working with interconnected, complex and different network resources in a unified manner. Initially released with Windows 2000 Server and revised with additional features in Windows Server 2008.


Christopher P. Skroupa: Why is there an increase of attacks on Active Directory?

Mickey Bresman: First things first, it’s important to note that Active Directory was launched almost twenty years ago and the security landscape has changed dramatically since then. Unfortunately, businesses have not adapted their AD environment to meet these new security needs and, as a result, we are seeing attackers exploit this weakness more and more frequently.

There are a few other reasons why there has been an increase in attacks on Active Directory. The main reason is that, for most enterprises AD is the most critical application, which makes it an attractive target for anyone looking to compromise or wipe out an organization. As more systems become dependent on AD for authentication, businesses have become increasingly reliant on Active Directory – you’ll even see instances where organizations rely on AD to authorize badge access for employees entering the building. In addition, the rise of the mobile workforce and cloud adoption has exposed AD to more external threats.

Active Directory holds the proverbial “keys to the kingdom”, so now attackers are leveraging AD to gather information and gain privileged access to sensitive company resources.

Skroupa: What kinds of systems are attackers looking for?

Bresman: Attackers are looking for “target-rich” systems – meaning systems where privileged credentials can be mined, identity systems that contain usernames and passwords (like Active Directory), and servers that contain privileged or sensitive information, such as PII or other business-sensitive information. Active Directory itself is also an interesting attack infrastructure since it can take down the entire organization.

Skroupa: What can proactively be done to prevent the attacks?

Bresman: The first step in preventing an attack on Active Directory is to make sure that you gain visibility into all of the activities happening in AD. In most large enterprises, there are multiple admins making changes in AD at any given moment, which makes it easier for malicious actors to gain access without being noticed. If you put into place an Active Directory auditing solution, you’ll not only see who is doing what in your AD, you will also be proactively alerted to suspicious activity prior to a full-blown attack.

It’s also critical that enterprise IT teams work to lock down their AD environments to prevent unauthorized users from getting information about privileged users and security configuration.

Skroupa: If an attack through AD happens, what’s the best course of action to reverse the damage?

Bresman: The best plan of action is to have a bulletproof Active Directory Disaster Recovery plan in place. If an attacker encrypts your Active Directory, which we saw happen a lot during the NotPetya attacks last year, you can minimize the impact with a solid backup and recovery solution. We offer the only fully-automated AD DR solution in the market today – it continuously backs up your environment and allows you to restore your Active Directory in three simple clicks. Instead of spending days getting your AD backup and running, which is most often the case, you’ll be able to reverse the damage in hours.

Skroupa: Do you have any final thoughts?

Bresman: The IT landscape is changing with cloud adoption and mobile workforce requirements, making the identity platform the new security perimeter. The recent wave of cyberattacks has demonstrated the need to rethink the protection and recovery plans for the enterprise identity.

Mickey Bresman recently spoke on a panel entitled Integrating Cyber Security into Business Operations: Innovations in Mitigating the Potential of a Breach at our annual Cyber Risk Governance program this past March in New York, NY.

Originally published on More articles by Christopher Skroupa on his Forbes column.

Follow us on twitter @SkytopStrat, and on Facebook @SkytopStrategies. Find us on YouTube, too, for exclusive interviews, panel discussions and debates that are prime examples of the market moving dialogue held at our various conferences and summits around the world.