What is Active Directory? A repository for all of your credentials and policies. What else? How about a single system that can impact everything from your EHR to your badge and physical security access. That seems like a good target for a ransomware attack. Today I give you a few excerpts from a webinar I conducted yesterday. I hope you enjoy.
Today in Health IT, a little snapshot into our webinar that we did yesterday on securing Active Directory. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week in Health IT, a set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Gordian Dynamics, Quil Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today.
All right. I'm going to share a couple of clips from the webinar that we did yesterday. We had Matt Sickles, cybersecurity first responder, and Sean Deuby with Semperis on the call. And, to be honest with you, I spent about two and a half, three hours with these two gentlemen this week, and their experience of being on the front lines after these ransomware attacks, rebuilding Active Directory, fixing Active Directory, and just the things that they have seen and been a part of over the last two years is really incredible. And I was really excited to get the opportunity to record that webinar and to share it with the community.
In the first clip here, one of the things that Matt Sickles said to me was something about Active Directory that I hadn't really thought about. And so I came back to him with it, which is essentially: we installed Active Directory back in the year 2000. We've upgraded it a lot since then, but we've never really rebuilt it. We've never redone anything to it. Active Directory has been around, and in a lot of cases that main installation was done in the year 2000. So I posed this to Matt and Sean, and here are their comments.
Matt, you said something in our pre-call that I've been thinking about ever since you said it, which was we haven't rebuilt Active Directory since the year 2000.
We've upgraded. We've done all sorts of things over it, but we installed Windows 2000, and we built out that forest and that AD, and essentially we've been working around it for 22 years.
Yeah. It's even worse than that, though. Think about it. You know, we have no other system in any organization that hasn't been, you know, redesigned, re-
It has just been, you know, a stalwart. The Active Directory works, so why do a redesign? Merger, acquisition, divestiture, that sometimes will spot it, but think about the chaos that ensues. Also, you're bringing in other organizations with their bad habits of their Active Directory and then just trusting them.
So, you know, we've shown and said this is an insecure system overall, and we trust it to do all of our authentication and authorization to compute and applications on the.
Sean, go ahead. I was just going to say one other factor in why now is that, in addition to the natural state of it, and the fact that over time Active Directory has been a collection of actions taken in haste because they had to get things done.
At the same time, from the threat actor's side, the tools have gotten exponentially easier to use to attack Active Directory. So the barriers to entry have gotten very low. It used to be that it was usually sophisticated nation states that were doing attacks like this. There's a well-known security person, his name's Kevin Beaumont.
And he said it used to be sophisticated nation states. Now it's teenagers with flame.
That's right. Yeah. You have BloodHound. You have other tools that are available freely. You can use those to your advantage, and they become script kiddies, right? Those are nothing more than something you download and run against it.
We've all made that terrible mistake of opening up a port on the firewall and allowing LDAP connectivity into the Active Directory for quick authentication from a third party. We have all seen that. You know, 2003 to 2010, I can't think of one organization who didn't make that bad choice. Now we are paying for a lot of those bad choices and those band-aids.
Interesting, isn't it? One of the things that happened during the webinar as well is I got a chance to field a lot of questions from you, from the listeners. And a lot of them had to do with backing up and restoring, because we broke it down into: what can you do before to protect Active Directory?
What happens once you are mid-breach? And we talked a little bit about that, and people wanted to know: what does it take to come back up after a breach? How long should a backup take? Are there precautions that you can take ahead of time? Maybe dual-factor authentication and those kinds of things. And so I asked Matt Sickles some questions in rapid fire, and here's just a couple of excerpts from that.
Matt, I'm going to ask you to answer these questions. What are the best practices for backing up Active Directory?
So make sure that you don't forget about the system state restore that is built in to every domain controller. Put a manual process in place: grab an encrypted USB drive, rotate that out, put it in a vault to save on top of your normal backup procedures. This is going to be your safety net in case something goes horribly wrong.
All right. Number two, quick answer. Why are traditional monitoring and recovery tools within AD not sufficient?
So one of the biggest things that Sean was just hitting on there was that when a password is gained for, like, a service account with an elevated permission, it looks like normal activity.
If you're sharing the service account across the domain, reusing it for elevated permissions, running system services, that doesn't look like malicious activity. Once you have the password, it's very difficult to find malicious activity until something is planted, some type of payload, a dropper, or some type of lateral movement begins.
Last one, before we get back to Sean. I've seen some papers on restoring Active Directory, DCs and forest. However, I do not understand why it takes so long to restore. Why?
Well, in a perfect state, you would be able to go into the room. You would be able to put in the USB drive, recover it, depending on the size of your NTDS, your directory service data. It's large.
Your SYSVOL, all of your file replication has to be put back together. If you have, you know, a solid backup method, you can recover, but once you get the primary domain controllers back online, holding the main roles, it then has to propagate and it has to replicate out everywhere. So if you have 50 domain controllers, you may get a complete wipeout of those 50. You have to restart the primary locations and then bring all of the others back online as well. It's not just a single server, right?
So that's just a taste of some of the things we talked about in the webinar.
So what's my "so what" on this? I knew Active Directory was a target for cybercriminals. It's a repository of your entire network, right? It's your policies. It's a roadmap to your entire network. It was designed to be that. It is a directory of your network, of your credentials, and between service accounts and escalated privileges that are available to people through Active Directory, it becomes a significant target. There are things you can do ahead of time, and we talked about those. In fact, we closed out the webinar and I gave them three different timeframes. I gave them: what can I do in the next 24 hours? What can I do in the next three months? And what can I do over the next year to prepare for an attack on my Active Directory? And it was very pragmatic.
You can run some tools on your Active Directory to see where the vulnerabilities lie. You can start to include it in your tabletop exercises and your disaster recovery plans. You can utilize some of the tools that are available today with the Microsoft stack to build out an Active Directory replica in a secure environment so that you have something to come back on. One of the things Matt Sickles said, which stuck in my mind, we talked about, you know, how old of a backup is a good Active Directory backup. And he said, when you've lost your Active Directory, it doesn't matter how old they are. Any information is valuable information. And that is spoken like someone who has been on the front lines and had to try to rebuild something from nothing.
Again, great webinar. You can still sign up today if you want. There's going to be a replay that we put out there sometime later today. It will be at thisweekhealth.com/trenches, I believe, is where it's at, and you'll be able to register and watch the replay today if you'd like. That's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher.
You get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Gordian Dynamics, Quil Health, Tausight, Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. Thanks for listening.
That's all for now
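Editor's added example (not from the episode or its guests): the manual domain controller system state backup Matt describes, scripted in PowerShell so it can be repeated as a rotation task. It refuses to write to a drive that is not BitLocker-protected, records the FSMO role holders and DC list that a rebuild needs (the "primary domain controllers holding the main roles" that must come back first), then takes the system state backup with the built-in wbadmin and verifies a version landed on the target. The drive letter E:, the report folder, and the presence of the Windows Server Backup feature and the ActiveDirectory and BitLocker modules are assumptions; adjust them for your environment. Run it elevated on a domain controller.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original episode. Assumes a BitLocker-encrypted
# USB hard drive mounted as E: (hypothetical) and the Windows Server Backup feature.
param(
    [string]$BackupDrive = "E:",
    [string]$ReportDir   = "E:\ad-recovery"
)

Import-Module ActiveDirectory
Import-Module BitLocker

# 1. wbadmin ships with the Windows Server Backup feature; install it if missing.
if ((Get-WindowsFeature -Name Windows-Server-Backup).InstallState -ne 'Installed') {
    Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
}

# 2. Never write NTDS.dit (every password hash in the domain) to an unencrypted drive.
$vol = Get-BitLockerVolume -MountPoint $BackupDrive
if ($vol.ProtectionStatus -ne 'On') {
    throw "$BackupDrive is not BitLocker-protected; run Enable-BitLocker on it first."
}

# 3. Record FSMO role holders and the DC list alongside the backup. After a wipe
#    this tells you which DC to restore first and which roles to seize if it is gone.
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    Timestamp            = (Get-Date).ToString('o')
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    DomainControllers    = ($domain.ReplicaDirectoryServers -join ';')
} | Export-Csv -Path (Join-Path $ReportDir 'fsmo-roles.csv') -NoTypeInformation

# 4. System state = NTDS.dit, SYSVOL, registry, boot files: everything a DC needs.
wbadmin start systemstatebackup -backupTarget:$BackupDrive -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# 5. Confirm a backup version exists on the target before the drive goes in the vault.
wbadmin get versions -backupTarget:$BackupDrive
```

The point of steps 2 and 3 is the failure mode the guests describe: a system state image is only useful if the drive in the vault is still readable and you know which DC it came from and which roles it held, so the script fails closed on an unencrypted target and leaves a role map next to the image rather than relying on memory after 50 DCs are gone.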