Sean Deuby | Principal Technologist

Successfully recovering from an attack on Active Directory is a race against the clock. Organizations that have been through this worst-case scenario know that being able to recover your AD is just the start: The time to recover AD is a significant factor in the extent of the damage, a risk that’s often not well understood in a cyber disaster scenario.

The Forrester Total Economic Impact of Semperis validated the importance of a fast AD recovery, which was called out as one of the top quantifiable benefits of using Semperis Active Directory Forest Recovery (ADFR). Forrester’s TEI team interviewed five Semperis customers with annual revenue ranging from $5B to $60B to uncover the business outcomes they observed from using Semperis’ identity resilience platform. The companies reported a 90% reduction in AD recovery time from using ADFR.

Why is reducing time to recover AD important? It’s because AD is the backbone of most organizations: For 90% of companies in the world, AD is the primary identity store. If AD is down, business operations come to a halt because no one can access software or services. In the case of an attack that completely wipes out AD, the IT ops and security teams can’t even mount the backups they might have assumed would save them.

As the SVP of a financial services company said, “Active Directory supports authentication and authorization, so an AD-related attack not only breaks down the internal workforce production but also impacts our customers’ ability to interact with the bank because they rely on AD for authorization.”

Before using Semperis ADFR, the study participants encountered numerous problems with their AD backup and recovery strategy:

  • AD recovery to a malware-free environment incurred significant downtime—up to two weeks, according to the manager of identity management and engineering at a healthcare company.
  • Some organizations had to engage third-party service providers to restore their data.
  • Recovering AD involved time-consuming administrative clean-up tasks such as rebuilding the Global Catalog and restoring metadata.
  • Ensuring that the AD backup was malware-free was a concern.

As one study participant said, “It was ADFR that prompted our investment in Semperis because of the risk to the organization around restoring our forests after an AD-related ransomware attack. Being able to manage the AD recovery process more effectively and efficiently is what got us to move away from a bare metal image backup to get back up and running with a fully functioning Active Directory more quickly.”

Here’s an illustration from the report that lays out the “before” and “after” states organizations reported from their experience using ADFR.

Figure: “Before” and “after” states of AD forest recovery reported by organizations participating in the Forrester Total Economic Impact of Semperis study

Quantifying the benefit of a fast AD recovery following a cyberattack

So what’s the upside to a fast AD recovery? That’s been a notoriously difficult question to answer, as I wrote about in The Practical ROI of a Quick Active Directory Recovery. The Forrester study helps organizations better understand the ROI of a fast AD recovery.

We often ask our customers, “What would happen to your business if AD were down for a day, or a week, or a month?” That question gets the wheels turning in their heads as they start to realize the enormous impact an AD-related cyberattack could have on business operations—and their customers.

One participant in the study, the SVP in a financial services company, said that an AD attack without ADFR would render their entire bank inoperable for weeks and would impact at least 25,000 people until full recovery was achieved. This SVP added that just one hour of downtime costs the business several million dollars because every segment of the business relies on AD to function.

The Forrester study aggregated the information collected from participants to come up with a composite organization that represents the participants’ environments—all of which were quite large, with billions of dollars in revenue. Forrester quantified the cost of 1 hour of downtime based on the lost labor from end-user downtime and lost revenue from stalled operations. By their estimation, one hour of downtime costs the composite organization $2.7 million. That’s a big hit.

Given that the participating organizations reported a 90% reduction in AD recovery time with ADFR, the projected quantifiable benefit of a fast AD recovery with ADFR is $3.9 million for an organization with a similar profile. If you want to know what the benefit would be for your organization, Forrester will soon release an ROI calculator that will help you estimate your own projected savings from a fast AD recovery.

In the meantime, download the report to read firsthand what these study participants had to say about how implementing a tested, malware-free AD forest recovery process improved their overall security strategy.

“Being able to do a few clicks and restore from a backup is huge. It’s like night and day. [Before Semperis], recovery was a nightmare because it was so complex and required a lot of resources. Having the ability to restore from a backup of AD at your fingertips is huge. It’s mind-boggling how simple it is.”

CISO, healthcare company

Time is the critical factor in recovering from an AD-related attack

Because Semperis is involved in helping organizations recover from AD attacks through our Breach Preparedness & Response Services offering, we’ve seen firsthand how devastating AD downtime can be. After witnessing a few worst-case scenarios, Semperis CEO Mickey Bresman warned that extensive time to recover AD can cause irreparable harm to the organization. As he pointed out, almost any environment can be recovered given enough time and access to valid backups: “While it’s not common for recovery efforts to fail completely, the costs associated with excessive downtime can be devastating.”

If you’re curious about how you can cut time in AD forest recovery, check out the Forrester report for some real-life examples from some billion-dollar organizations who have a lot at stake if their AD goes down.
