Daniel Lattimer | Area Vice President - EMEA West

This week, the European Union’s Digital Operational Resilience Act (DORA) goes into effect in an effort to provide a clear roadmap for enhancing cybersecurity across the financial services industry. All financial entities operating in or with the EU—as well as information and communication technology (ICT) providers that support such entities—are now required to achieve DORA compliance.

If DORA requirements apply to your organisation and you have yet to evaluate their effect on your identity threat detection and response (ITDR) strategy and procedures, there’s no time to waste.

Why is DORA necessary?

Rapid digitisation has dramatically accelerated innovation in the financial services sector. Customer expectations have risen as technology has developed, with sector players now seeking to capture market share by delivering instant, personalised services.

For enterprises and their businesses alike, there are opportunities aplenty. However, from a security standpoint, these technological strides present challenges, making the financial sector more vulnerable to a growing array of sophisticated cyber threats.

3 steps to include in your DORA compliance checklist

Previously, we provided an overview of the five pillars of resilience outlined by DORA and their application in the context of Active Directory (AD). To embrace these pillars effectively, it is vital to include the following three steps in your DORA compliance checklist:

  1. Identify who is responsible for ensuring that your Active Directory security meets DORA resilience requirements.
  2. Accurately identify risks to your hybrid Active Directory environment.
  3. Manage risks effectively by ensuring that you can automatically remediate suspicious changes to Active Directory and Entra ID, and quickly and securely recover both should attackers break through your defences.

Step 1: Who is responsible for ITDR and DORA compliance?

The growing prevalence of cyber threats is pushing Active Directory out of IT infrastructure teams’ remit and towards dedicated security or identity access management (IAM) professionals.

Active Directory integrates easily with applications and provides single sign-on capabilities across the entire business environment. In the quarter century since its rollout, AD has remained ubiquitous as a critical directory service that connects users with the network resources they need to accomplish their tasks. Indeed, today it continues to simplify the life of administrators by providing a centralised platform for computer and user configuration and rights management.

Given this role, AD has traditionally fallen within the remit of those IT infrastructure teams responsible for developing, managing, and maintaining the digital processes and services that keep a business running smoothly. But in recent times, the dial has shifted.

The modern world has brought about much greater complexity, with many businesses now reliant on a wide range of critical applications, data and other assets residing in increasingly complex digital landscapes. At the same time, cyber threats and attacks have increased exponentially, with enterprises of all shapes and sizes now facing threats spanning everything from intellectual property leaks to denial-of-service (DDoS) and ransomware attacks.

As a result, AD is no longer simply a networking tool. Today, it has become a critical security and identity management concern.

Serving as a centralised platform that allows administrators to manage permissions and control access to network resources, AD effectively holds the “keys to the kingdom” for companies. Consequently, it has become a prime target for cyber attackers. Compromising AD can grant access to nearly all the systems, applications, and resources within an organisation.

“Because Active Directory provides rich identity and access management capabilities for users, servers, workstations, and applications, it’s invariably targeted by attackers. If an attacker gains highly privileged access to an Active Directory domain or domain controller, that access can be leveraged to access, control, or even destroy the entire Active Directory Forest.”1

Planning for Compromise (Microsoft)

This transition has raised an important question: where should AD management now sit, and who should oversee it?

Increasingly, particularly in the context of DORA, we’re seeing more and more businesses transferring the ownership of AD to identity access management (IAM) and security teams—a shift driven by the potential far-reaching impacts of attacks, errors, or downtime on AD and, in turn, on business operations.

Step 2: Identify risks to the identity infrastructure

Consider business-critical, customer-facing applications. These rely on various components, including service accounts and DNS, which are managed within Active Directory. If AD is not functioning properly or is not managed and secured effectively, the application may be exposed, leading to reputational damage, lost revenue and DORA compliance breaches.

Businesses are increasingly recognising these risks and understand the need to prioritise the effective management and security of AD. However, grasping the actual risks associated with AD can be complex.

It’s not always cyber issues we’re talking about; vulnerabilities and problems can also arise from human error. AD is managed by people, and people make mistakes.

A common scenario involves individuals accidentally deleting critical components. For example, an administrator might inadvertently remove hundreds of users while attempting to modify a user group. Another frequent issue is the removal of service accounts perceived as security threats. Without fully understanding their functions or relevance, removing these accounts can derail operations in other parts of the business.

To mitigate these threats—both internal and external; malicious and accidental—organisations need to have a full understanding of their AD environment, its relevant associations and dependencies, and the vulnerabilities associated with it.

“To gain a better understanding of an organisation’s environment, malicious actors commonly enumerate Active Directory for information after gaining initial access to an environment … By doing this, malicious actors sometimes gain a better understanding of the organisation’s Active Directory environment than the organisation itself. This enables them to target Active Directory with increased likelihood of success. Malicious actors use their knowledge of the environment to exploit weaknesses and misconfigurations to escalate their privileges, move laterally, and gain full control of the Active Directory domain… To improve Active Directory, organisations must comprehensively understand their own unique configuration of Active Directory.”2

Detecting and Mitigating Active Directory Compromise (Five Eyes Alliance report)

Fortunately, several free tools are available to provide immediate visibility into AD configurations, helping organisations to mitigate their most critical risks.

  • Purple Knight: Specifically named as an AD auditing tool by the National Cyber Security Centre and other cybersecurity agencies of the Five Eyes alliance, this tool offers security assessments for AD, Entra ID, and Okta. It helps organisations identify indicators of exposure (IOEs) and indicators of compromise (IOCs) within their hybrid AD environments, enhancing overall security and resilience.
  • Forest Druid: Designed to address the challenge of excessive permissions in Active Directory and Entra ID, Forest Druid takes a unique approach to attack path management. Instead of manually sifting through every group and user relationship, it prioritises attack paths leading into the Tier 0 perimeter in hybrid identity environments. This focus on critical assets saves time and enhances security by addressing the most significant vulnerabilities first.

Gaining visibility into your current environment in this manner is crucial. These tools provide a strong foundation for identifying key vulnerabilities and potential attack paths to business-critical assets, offering a snapshot overview of your potential risks at a specific point in time.

Step 3: Embrace automation for continuous risk management

Although Purple Knight and Forest Druid can provide a strong head start, it is important to treat these tools as the beginning of continual analysis and remediation efforts. A one-off assessment is typically inadequate to mitigate the risks associated with AD on an ongoing basis.

Consider the dynamic nature of most businesses: acquisitions bring in new Active Directory structures, users are added or removed daily, job roles change, and applications and network settings are continually updated. In other words, AD is a living, breathing environment where policies are always changing.

Drawing a baseline today does not guarantee that the same security posture will hold tomorrow. To manage this evolving risk over time and remain compliant with DORA, enterprises need a means of capturing their risk profile either regularly or in real time.

Here, automated tools stand as the most powerful and logical solution. Attempting to monitor AD and remediate suspicious changes manually is both time-consuming and subject to human error. Automated solutions can deliver continuous monitoring and assessment, ensuring that you stay ahead of emerging threats.
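One minimal way to turn a point-in-time snapshot into regular capture, as an added example that is not Semperis code and not part of any of its products: the script baselines Tier 0 group membership, and on later runs (for instance from a scheduled task) reports additions and removals, flagging the bulk-removal scenario described in Step 2. The group list, baseline path and threshold are assumptions to adjust for your forest.

```powershell
# Added example (not Semperis code): baseline Tier 0 group membership and report drift.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Groups treated as Tier 0 here (assumption, not a complete list for every forest).
$Tier0Groups          = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$BaselinePath         = 'C:\ADBaseline\tier0-members.xml'   # constructed path
$MassRemovalThreshold = 5                                   # bulk removals get a separate warning

function Get-Tier0Membership {
    # Returns @{ 'Group name' = @('DN1', 'DN2', ...) } with nested group membership expanded.
    $snapshot = @{}
    foreach ($group in $Tier0Groups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                   Select-Object -ExpandProperty DistinguishedName
        $snapshot[$group] = @($members | Sort-Object)
    }
    return $snapshot
}

function Compare-Tier0Membership {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($group in $Baseline.Keys) {
        $before  = @($Baseline[$group] | Where-Object { $_ })
        $after   = @($Current[$group]  | Where-Object { $_ })
        $removed = @($before | Where-Object { $after  -notcontains $_ })
        $added   = @($after  | Where-Object { $before -notcontains $_ })
        foreach ($m in $added)   { [pscustomobject]@{ Group = $group; Change = 'ADDED';   Member = $m } }
        foreach ($m in $removed) { [pscustomobject]@{ Group = $group; Change = 'REMOVED'; Member = $m } }
        if ($removed.Count -ge $MassRemovalThreshold) {
            # Many members gone at once: the accidental bulk-deletion case, or worse.
            Write-Warning "$($removed.Count) members removed from '$group' since baseline"
        }
    }
}

# First run writes the baseline; every later run diffs the live directory against it.
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-Tier0Membership | Export-Clixml -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} else {
    $changes = @(Compare-Tier0Membership -Baseline (Import-Clixml -Path $BaselinePath) -Current (Get-Tier0Membership))
    if ($changes.Count -eq 0) { Write-Output 'No Tier 0 membership drift since baseline' }
    else { $changes | Format-Table -AutoSize }
}
```

Refresh the baseline file only after a reported change has been reviewed and accepted, otherwise the diff silently absorbs it.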

And should the worst happen—as is often the case due to the frequency, persistence, and sophistication of modern cyber threats—the ability to quickly and securely recover Active Directory and Entra ID is paramount. Until AD is up and running, normal business operations simply cannot be recovered.

Semperis has several tools available to support these processes, including:

  • Directory Services Protector (DSP): Recognised by Gartner, this identity threat detection and response (ITDR) solution puts hybrid Active Directory security on autopilot. It offers continuous monitoring and unparalleled visibility across on-premises AD and Entra ID environments. Features include tamperproof tracking and automatic rollback of malicious changes, ensuring robust protection and quick recovery.
  • Lightning IRP: This ML-powered tool detects sophisticated identity attacks that traditional solutions miss, including brute force attacks, password spray attacks, and anomalous activities.
  • Active Directory Forest Recovery (ADFR): This tool helps organisations prepare for worst-case scenarios by ensuring a fast, malware-free AD forest recovery in the event of a cyber disaster. It allows for easy setup of a replica of the production AD environment for disaster recovery drills and automates the entire AD forest recovery process to minimise downtime. Further, ADFR enables recovery of AD to a known-secure state, preventing follow-on attacks and ensuring business continuity.

Complete your DORA compliance checklist today

With AD being a critical system used to store user information, manage user access and authentication, and allocate resources to services, assets and data, it is critical that financial services companies work to ensure that it is protected.

Not only does DORA compliance require it, but the safety and integrity of your business and customers depend on it. Therefore, it’s critical to take the necessary steps to mitigate potential vulnerabilities and risks on an ongoing basis.

  1. Ensure that your organisation understands the significant impact a single identity can have on various aspects of the business, including critical applications, processes, and supply chains. Given this interdependency, there may be a need to reassess the ownership and management of AD to ensure it aligns with business priorities and security needs.
  2. Leverage free tools such as Purple Knight and Forest Druid to gain valuable visibility into the current state of your AD environment and identify vulnerabilities and potential attack paths to business-critical assets. This initial assessment is foundational for devising strategies to effectively manage and mitigate key risks.
  3. Establish mechanisms that will ensure that you are actively mitigating AD risks on an ongoing basis. For enterprises with dynamic IT environments, it is worth investing in automated tools that can help to streamline this process while also helping to demonstrate DORA compliance and readiness to auditors.

By following these steps, organisations can enhance the security posture of their AD environments, reduce cyber threat risks, and achieve and maintain DORA compliance in an ever-evolving IT landscape.


Endnotes

  1. Planning for compromise | Microsoft Learn
  2. Detecting and Mitigating Active Directory Compromises