Your Active Directory was compromised, now what?

Contents 2

About the Authors 3

Overview 3

Reducing the immediate threat 4

More on Advanced Persistent Threats 4

Begin at the beginning 5

Before this paper gets into the steps of re-establishing Active Directory, it’s important to review the most common way in which a breach can occur. Gone are the days of “script kiddies” guessing at passwords, and blindly finding access left by a careless administrator. Administrators are now more security conscious, and savvy. But so are the attackers, who are often organized and well-funded groups, using a mature, and developed methodology. 5

The following is a short review of the techniques used by these organizations. The techniques outlined can be used independent of one another, but the key to a threat being considered advanced is that it often uses a combination of these techniques to penetrate and maintain access. Because of this, the review below is written sequentially (serially???) but are often performed in differing order or in combination with other methods as well: 5

Why re-establishing AD after a critical compromise goes beyond normal recovery 6

Updating Resource Ownership 7

How to: Migrating to a sanitized directory 7

Phase 1: Preparing a mirrored directory 8

Phase 2: The cut over 8

Phase 3: Group and Access Re-Certification 8

Phase 4: Post migration cleanup 9