The Practical ROI of a quick Active Directory recovery

In the last year, we’ve discussed scores of ransomware attacks where cybercriminals modified AD in one way or another— far beyond the basic changes to user accounts or passwords—to gain entry into information systems and move laterally to propagate malware

Ransomware architects now have engineers on staff who are dissecting AD and its security updates looking for opportunities to elevate permissions and quickly distribute malware across the entire organisation. Post-attack forensics from previous ransomware attacks involving AD have revealed that threat actors primarily focus on changes to group accounts, user accounts, Group Policy objects, the SYSVOL, and domain controllers. With these cybercriminal tactics in mind, consider the following factors in calculating your own AD recovery ROI: Cost of operational losses.

It’s likely that a material part of your operations relies on AD being up and running to authenticate users as the basis for providing access to applications, systems, and data. For every hour that AD cannot operate, how much revenue or productivity would your business lose? How many hours, days, or weeks would it take before the business passes a point of no return and cannot financially recover? Remember the ransomware attack on the City of Baltimore? Their recovery of operations took months and cost over $18 million.

Lack of a business continuity plan that includes AD  

If your organisation is mature enough, you have a BC/ DR plan in place defining the work needed to restore business operations after an outage. Most plans account for loss of infrastructure or loss of a location after a natural disaster. But few companies have a plan specifically for restoring business after a cyberattack—and especially one as unpredictable as a ransomware attack. The way you recover AD in a scenario like this depends on what changes cybercriminals made within AD. You might plan to recover AD back to a previous version, but how do you determine how far back you need to go to find a known secure version? What AD-dependent systems, services, and applications will be affected or won’t function at all because of a broad-stroke recovery to an earlier AD state? Are you confident that you can even locate a recent, malware-free backup from which to restore? Without a plan or an ability to understand what was changed in AD before recovering, your organisation will spend incalculable time fixing all the problems the recovery caused.

Recovery might not be the answer  

If all the changes being made by the bad guys during an attack boil down to, let’s say, adding an account to the Domain Admins group, then recovering AD to a few days ago or last month might not be the right answer. Instead, perhaps the less costly method is to monitor changes in AD and have an ability to either disallow changes to “protected” accounts (like the Domain Admins group) or to automatically revert a change to a sanctioned configuration.

The considerations above summarise to three risks: the risk of a slow recovery, the risk of a recovery that creates more remediation work, and the risk of a recovery that might be considered overkill for the nature of the changes made to AD.

Instead of looking at the ROI of AD recovery using some calculator you found online, the better choice is to work through several real-world scenarios and evaluate how your current means of AD recovery would fare by answering the following questions based on the factors outlined above:

– What critical parts of the operation depend on AD to function? What is the estimated cost of their downtime?

– How long will it take to recover AD based on the changes made during an attack

– Do you have visibility into what malicious changes were made in AD and, if not, how far back will you need to investigate and how long will that take you?

– Will the recovery impact any other parts of operations that you will need to fix and, if so, how long will that take? (Remember that some number of both user and computer account passwords will not match, impeding the ability to log on to the domain. Plus, earlier versions might be missing accounts, group memberships, DNS records, etc.)

– Are you confident that recovery will put you into a known-secure state? Beware of the difference between resuming business operations and recovering business operations: If you don’t have a clean, malware-free backup from which to recover, you run the risk of reintroducing the same vulnerabilities that left you open to attack in the first place.


In short, the ROI of AD recovery has much more to do with your current ability to recover to a known-productive and known-secure state post-attack than it does with an online ROI calculator that doesn’t account for the myriad variables involved in a ransomware attack. By walking through some scenarios and thinking specifically about what your current recovery abilities are, you will expose costs that can be eliminated by having a proper AD recovery solution in place—one that is designed to protect against, prevent, and recover from malicious changes to AD.

About the Author

Sean Deuby brings 30 years’ experience in Enterprise IT and Hybrid Identity to his role as Director of Services at Semperis. An original architect and technical leader of Intel’s Active Directory, Texas Instrument’s Windows NT network, and 15-time MVP alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the challenges of today’s identity-centered security. Sean is also an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory and related security, and Windows Server. He has presented sessions at multiple CIS / Identiverse conferences.

Featured image: ©Peshkova