SHARED INTEL: What it takes to preserve business continuity, recover quickly from a cyber disaster

By Byron V. Acohido

To pay or not to pay? That’s the dilemma hundreds of organizations caught in the continuing surge of crippling ransomware attacks have faced.

Related: How ransomware became such a scourge

The FBI discourages it, as you might have guessed. What’s more, the U.S. Conference of Mayors this summer even passed a resolution declaring paying hackers for a decryption key anathema.

Yet there are valid arguments for what scores of municipalities and businesses caught with their networks frozen by extortionist hackers have been compelled to do: pay the ransom demand. Tech industry consultancy Forrester has even seen fit to issue guidance to help companies figure out whether paying the ransom demand might actually be their best option.

That pay or not to pay debate aside, there’s a more central question raised by the ransomware plague. Company decision makers need to be asking themselves this: just how good is their organization’s business continuity and disaster recovery preparedness?

This issue is in Mickey Bresman’s wheelhouse. Bresman is co-founder and CEO of Semperis, an identity-driven cyber resilience company based in the new World Trade Center in Lower Manhattan. Semperis helps companies running Microsoft Windows-based networks preserve and protect Active Directory, or AD.

AD is the administrative software that directs access to servers and applications across the breadth of Windows in tens of thousands of companies and agencies. As such it invariably gets caught in the crossfire of ransomware strikes. It’s here that Semperis is helping companies build resiliency. I had the chance to visit with Bresman at Black Hat 2019. For a full drill down, please give a listen to the accompanying podcast. Here are key takeaways:

An attack scenario

Due to the ubiquitous use of Windows networks, Active Directory functions as the keys to the kingdom all across enterprise networks — in 90 percent of organizations. Hackers recognize this and so AD has become a favorite target. Here’s a scenario for how AD is factoring into ransomware attacks:

The attacker gets a toehold inside the network by phishing an employee login, or via a targeted credential stuffing exercise, or through cross-site scripting. Once inside he uses living off the land techniques, stealthily manipulating Windows admin tools, such as PowerShell scripts and the Windows registry, to move laterally and gain access to the Domain Admin group — a key part of the security framework of AD.

While that is terrible, it’s not actually the end goal, Bresman told me. As the next step, the attacker logs in to a domain controller (DC) and thereby puts himself in a position to effectively switch off the security camera. By turning off the auditing agent and disabling security logging, the attacker is free to modify accounts, alter policies and create back-doors that can be used at a later stage.

It’s an all-powerful position from which to quickly find — and deeply encrypt — personally identifiable information and, worse, ERP databases crucial to the day-to-day running of mission-critical systems. “The organization might discover something 10 to 15 minutes after a DC gets hacked, and terminate the attacker’s session, but the question becomes, what did they do during those 10 to 15 minutes?” Bresman observes.
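The sequence Bresman describes (an account joining Domain Admins, then auditing being switched off on a DC) is the kind of thing a detection rule over the Windows Security log can catch. The following Python example is added here and is not code from the article or from Semperis; the event IDs are real Windows Security IDs, while the hostnames, accounts and event records are constructed.

```python
"""Flag the 'switch off the security camera' pattern on a domain controller:
a Domain Admins membership change followed, within minutes, by audit-policy
tampering or clearing of the Security log by the same account on the same host."""
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4728/4732/4756 = member added to a security-
# enabled global/local/universal group; 4719 = system audit policy changed;
# 1102 = the audit log was cleared.
GROUP_ADD_IDS = {4728, 4732, 4756}
TAMPER_IDS = {4719, 1102}
WINDOW = timedelta(minutes=15)  # matches the 10-15 minute window in the article

# Constructed sample events (not taken from any real log). "user" is the subject
# account that performed the action; "group" is the target group for 47xx events.
SAMPLE_EVENTS = [
    {"time": "2019-08-07T10:00:05", "host": "DC01", "id": 4624, "user": "j.doe", "group": None},
    {"time": "2019-08-07T10:03:12", "host": "DC01", "id": 4728, "user": "j.doe", "group": "Domain Admins"},
    {"time": "2019-08-07T10:04:40", "host": "DC01", "id": 4719, "user": "j.doe", "group": None},
    {"time": "2019-08-07T10:05:01", "host": "DC01", "id": 1102, "user": "j.doe", "group": None},
    {"time": "2019-08-07T11:30:00", "host": "FS02", "id": 4732, "user": "svc-backup", "group": "Backup Operators"},
]

def find_dc_takeover(events, window=WINDOW):
    """Return (host, user, [tamper event ids]) for every Domain Admins addition
    that the same subject followed with audit tampering on the same host inside `window`."""
    parsed = sorted(({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
                    key=lambda e: e["ts"])
    alerts = []
    for i, add in enumerate(parsed):
        if add["id"] not in GROUP_ADD_IDS or add["group"] != "Domain Admins":
            continue
        tamper = [e for e in parsed[i + 1:]
                  if e["host"] == add["host"] and e["user"] == add["user"]
                  and e["id"] in TAMPER_IDS and e["ts"] - add["ts"] <= window]
        if tamper:
            alerts.append((add["host"], add["user"], [e["id"] for e in tamper]))
    return alerts

if __name__ == "__main__":
    for host, user, ids in find_dc_takeover(SAMPLE_EVENTS):
        print(f"ALERT {host}: {user} joined Domain Admins, then tampered with auditing (events {ids})")
```

Because event 1102 is the last thing a cleared log records, the rule only works if events are forwarded off the DC to a collector before they can be wiped.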

Cyber-first recovery

Quite clearly, we’re in dire need of a new paradigm for business continuity and disaster recovery. Prior to the current wave of deep-dive ransomware attacks, disaster recovery planning anticipated a fire, an earthquake, or even the odd terrorist bombing partially knocking out part of a business unit.


“What’s changed is that people are now starting to discuss a ‘cyber recovery-first’ approach, meaning you should be prepared for a ransomware type of situation where it’s not one data center going down, but the entire organization that’s been wiped out,” Bresman told me. “You now need to basically recover from scratch — that’s the situation companies are facing today.”

In today’s environment of wickedly advanced cyber extortion, an effective disaster recovery posture begins with something we’ve all been told since buying our first clunky desktop PC: back it up.

“Make sure that you have a disaster recovery plan that has been tested, verified, and that you can trust,” Bresman says. “And make sure that you have automated many of the back-up and recovery processes, because if it takes you a week to recover, that’s not good enough. You should be able to recover in less than 24 hours.”

Cyber resiliency

Even the FBI acknowledges that restarting systems from backup is not easy — under the best of circumstances. While the agency discourages ransom payments, it also advises CISOs to evaluate all options to protect shareholders, employees and customers. Technical feasibility, or lack thereof, and/or the steep cost of restarting systems may make paying for a decryption key the least onerous option.

The downsides of paying the ransom, according to the FBI, are manifold. Emboldened, the attackers sometimes ask for more Bitcoin before handing over a decryption key; there’s no guarantee the key will restore some or all frozen systems; and paying tends to encourage more ransomware attacks.

For its part, Semperis has quickly gained clientele among large enterprises and government institutions around the globe by focusing on securing Active Directory and innovating around AD-centric cyber resiliency, threat mitigation and rapid recovery services.

“The reason AD is so critical is because everything relies on it,” Bresman says. “AD should be up and running as quickly as possible because you cannot start the recovery of most of your other infrastructure and applications without it.”

It’s encouraging to see innovators like Bresman and Semperis gaining traction. Even so, it will take a long while more before ransomware runs its full course. I’ll keep watching.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
