The 5 Pillars for DORA Compliance in Active Directory

The Digital Operational Resilience Act (DORA) is an incoming European Union (EU) legislative framework aimed at fortifying the operational resilience of digital systems within the financial sector. All finance entities that operate in or with the EU need to achieve DORA compliance by early 2025, as do information and communication technology (ICT) providers that support those entities. This article breaks down the 5 pillars of DORA compliance from an Active Directory security perspective so that your organisation will be well prepared to meet the demands of this regulation.

Read “DORA Compliance and ITDR”

The 5 pillars of DORA compliance

DORA contains five pillars of resilience:

• ICT risk management
• ICT-related incident management, classification, and reporting
• Digital operational resilience testing
• Managing of ICT third-party risk
• Information sharing

To reach overall DORA compliance, each pillar needs to be considered and addressed. As I explained in “DORA Compliance and ITDR”, an essential part of DORA compliance is understanding and mapping essential services, systems, and their dependencies to ensure that they are well protected from digital threats and that each service has a comprehensive, testable incident response plan in place.

Active Directory management and monitoring is the cornerstone of effective security for your environment through user identity and access management (IAM). This puts Active Directory security firmly under DORA’s remit.

A clear and accurate picture of your AD configuration is crucial for maintaining the security posture of your environment and demonstrating DORA compliance. Here’s how you can meet the requirements of DORA’s five critical pillars of resilience within the context of Active Directory and its specific challenges.

DORA Compliance Pillar 1: ICT risk management and governance

Risk management requires firms to have well-documented ICT risk management frameworks for all their key business assets. This framework should include the appropriate tooling, documentation, and processes for cyber defence, operational disturbances, and any scenario that could halt or disrupt business continuity for critical systems.

Active Directory is a foundational service, providing authentication and access for most business-critical services, including email, document, data, and application access. If Active Directory goes down, everything else goes down, too.

To meet the demands of DORA’s risk management pillar where Active Directory is concerned, your organisation needs to prove that:

• You have full visibility of your Active Directory configuration and its dependent systems and services
• You can control what happens in Active Directory
• You can recover Active Directory if anything goes wrong

Where should you start with risk management?

Firms needn’t start from scratch with DORA and risk management. You can use existing frameworks, compliances, and industry guidance, such as MITRE ATT&CK® (a global knowledgebase of cyberattack tactics and techniques), as a starting point.

Historical compliances such as SANS Top 20 or CIS Controls are also comprehensive resources on which to build a risk management framework. These compliances look at both your hardware and software assets and their configuration state.

These frameworks and compliances form the bedrock from which you can make risk-based decisions for your environment.

Technology and tooling should do the heavy lifting

DORA requires you to take a proactive yet continuous approach to risk assessment and mitigation strategies. The legislation requires that risk management frameworks “shall be documented and reviewed at least once a year … as well as upon the occurrence of major ICT-related incidents, and following … conclusions derived from relevant digital operational resilience testing or audit processes. It shall be continuously improved on the basis of lessons derived from implementation and monitoring.”¹

Regular reviews and continuous improvement are best practices for effective risk management. However, these practices also place a significant amount of pressure and work on the teams required to maintain and review these frameworks.

Technology and tooling are invaluable for taking on the heavy lifting through automation and proactive monitoring, ensuring that ongoing compliance requires minimal time and effort. For example, Semperis Directory Services Protector (DSP) provides a comprehensive view of your Active Directory software assets and their configuration state, making risk assessment and environment mapping seamless—even for complex organisations.

Beyond providing this insight, DSP also gives context to any changes that are made, even in environments where thousands of Active Directory changes are occurring. DSP can automatically detect, alert, and revert changes based on customer-configurable alert and response rules. The solution also continuously monitors for indicators of exposure and attack, so that you can identify vulnerabilities before they can be exploited; should traces of an exploit be detected, DSP surfaces these as indicators of compromise.

“DSP…helps us protect Active Directory. We were able to harden our Active Directory infrastructure like it’s never been before. We’re able to hit all those little checkboxes and make sure that it’s absolutely secure.”

Paul Ladd, VP of Information Systems & Technology, AMOCO Federal Credit Union

For those who need additional assistance, our Breach Preparedness services can provide a complete AD Security Assessment.

Knowledge is power when it comes to compliance. Taking the time to fully understand what you have before you move into the planning and testing stages is vital.

Pillar 2: Incident reporting

DORA requires standardisation of how ICT-related incidents are classified. Organisations must use defined processes and templates for incident reporting, and regulators will require reports at three stages:²

• Initial
• Intermediate
• Final stage of an incident

As with DORA’s risk management pillar, existing reporting guidance and frameworks can be helpful in developing your reporting process.

DORA’s approach to resilience is not necessarily to look at each component individually, but to review the overall attack chain or defensive chain that you have in place, as well as component interdependencies. This is where the MITRE ATT&CK framework can be useful. Map out theoretical scenarios, then report on those scenarios. The MITRE knowledge base and templates are industry standard, free, and open source. It’s a great way of understanding how attackers generally try to go after you and how you should generally defend against such threats.

The regulation describes the essential components of a holistic and effective incident reporting process. Let’s dissect these requirements and their implications for Active Directory incident reporting.

Identifying and categorising incidents

First, DORA requires that financial entities “establish procedures to identify, track, log, categorise and classify ICT-related incidents according to their priority and to the severity and criticality of the services impacted”.³ In other words, now that you have identified and assessed your risks, the next step is to agree and standardise how different incidents are categorised within the business.

Classification is a critical step. By grouping incident types and their corresponding response plans, you enable timely and accurate incident resolution.

As part of DORA’s risk management pillar, you should have mapped all likely Active Directory incident scenarios and considered the impacts, readying such incidents for classification. As I explained earlier, Active Directory is foundational to business continuity, so your classification should reflect this criticality.

In the Microsoft 2023 Digital Defense Report, Microsoft highlighted that during incident engagements, 43% of their customers who experienced incidents had insecure Active Directory configurations:

The most prevalent gaps we found during reactive incident response engagements were:

• Lack of adequate protection for local administrative accounts.
• A broken security barrier between on-premises and cloud administration.
• Lack of adherence to the least privilege model.
• Legacy authentication protocols.
• Insecure Active Directory configurations.

For almost all finance entities, Active Directory should be classed as high priority and severity due to the potential impact of compromise, infiltration, or outage.

Semperis’ free Purple Knight and Forest Druid community tools enable organisations to get a picture of their AD configuration state. Purple Knight detects indicators of exposure and compromise, and give you a clear, actionable plan to address these areas and fix any problems. Forest Druid maps attack paths to Active Directory and Entra ID. By running Purple Knight and Forest Druid as part of your regular review cycle, you take another step towards achieving compliance.

Download Purple Knight and Forest Druid now

Assigning incident response roles

Next, DORA dictates that organisations “assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios”.⁴

Detection and response time are two of the most important factors in successful incident resolution and minimizing impact. This window of opportunity closes quickly. Microsoft and other sources have noted that less than 2 hours typically passes between the time an attacker compromises a device and the attacker’s lateral movement through the network, giving teams only a short time to contain an attack. Therefore, ensuring that every person and team knows their role in incident response and has a well-rehearsed playbook and toolkit for carrying out those roles puts your organisation in the best possible position to quickly tackle any incident scenario.

Communication and notification

DORA also requires that organisations “set out plans for communication to staff, external stakeholders and media […] and for notification to clients, for internal escalation procedures” and “ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response and additional controls to be established as a result”.⁵

Effective communication and incident notification require visibility into attackers’ actions. Not only does such insight support fast resolution, but it can also help you build a defined, simple notification process so that you can quickly communicate incidents, their impacts, and your response.

Responding to Active Directory attacks

Finally, DORA instructs organisations to “establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner”.⁶

Automation can accelerate incident response. For example, Semperis DSP can automate the remediation process and take action against malicious actions by automatically rolling back unwanted changes in Active Directory and Entra ID until your IT or security teams can review and approve them. You can also create custom alerts to automatically notify personnel about suspicious or dangerous activity in AD and Entra ID.

Of course, simply documenting your reporting plan is not enough to satisfy DORA requirements. You must also review, test, and train staff on your reporting and communication procedures and tools. Doing so helps to ensure plan compliance.

Pillar 3: Digital operational resilience testing

So far, we’ve covered the planning, mapping, and reporting components of the DORA pillars. Now it’s time for resilience testing. DORA states that organisations must “maintain and review a sound and comprehensive digital operational resilience testing programme” that includes “a range of assessments, tests, methodologies, practices and tools” and establish “procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests”.⁷

Resilience testing is a crucial component of the regulation, as DORA compliance requires evidence that successful testing has taken place.

The problem with testing Active Directory scenarios

Resilience testing under DORA must encompass a variety of possible disturbances, from sophisticated cyberattacks that aim to breach or disrupt systems to operational blunders such as accidental data deletions. The problem is that Active Directory testing is not straightforward. Furthermore, the directory store’s criticality can make teams wary of running live tests:

• If you turn off Active Directory, nothing else works.
• Active Directory testing is time-consuming and labour intensive.
• Any mistakes carry a high risk of data loss and business disruption.

For these reasons, many organisations prefer to run paper-based testing exercises where AD is concerned. However, that approach won’t cut it when achieving DORA compliance.

Which key scenarios do you need to test?

Each potential Active Directory attack scenario requires a different testing playbook, due to varied levels of platform access across response teams. Consider the following possibilities:

• Active Directory is gone. The platform is compromised and cannot be trusted.
• AD is operable and but under active attack. Active Directory has not been encrypted, but some form of cyber threat or malware has breached the system.
• There has been a catastrophic mistake. For example, a database is corrupted, a critical user group has been deleted, or some users no longer have access.

For each of these scenarios, real-time drills and the implementation of manual processes play a pivotal role in resilience testing.

For example, we recently conducted a live drill with a client. During the exercise, we found that the organisation would need 48 hours to return Active Directory to normal operations, using manual processes and historical backups. This time frame is well beyond the risk tolerance for most enterprises.

Simulation and response strategies

A good option for reducing the risk and anxiety of testing AD recovery is creating an alternate testing environment where potential scenarios can be safely simulated without risking the main operational infrastructure. This approach enables a realistic assessment of the entity’s preparedness and response strategies without exposing the primary systems to risk.

Pillar 4: ICT third-party risk management

The penultimate pillar shines a light on third-party risk from ICT providers. DORA stipulates that this risk should be managed by the financial services organization, but that third-party providers are contractually obligated to support the firm in the event of a cybersecurity incident. In such cases, ICT providers need to contribute the appropriate information and highest possible standards of security for the services they provide.⁸

How does ICT risk management affect Active Directory?

Many third-party users, whether outsourced partners or suppliers, are granted access to an organisation’s systems via Active Directory. Though external, these users appear and function within the system as legitimate internal users, using accounts provided by the organisation.

This practice, while essential, introduces complexities in managing and securing access. It increases the potential risk exposure, as third-party accounts can be vulnerable to misuse or cyberattacks.

Organisations should be prepared to combat such risk. For example, through continuous monitoring of environment changes and ML-based attack detection, Semperis can identify and mitigate identity-based attacks, thus minimizing third-party risks in Active Directory.

Pillar 5: Information sharing

The final resilience pillar relates to information sharing, requesting that finance entities outline strategies for sharing threat intelligence and exchanging information securely within trusted communities.⁹

This practice is already underway in many cases. For example, the National Cyber Security Centre (NCSC) and Bank of England facilitate these discussions within the financial services community. But under DORA, finance entities are compelled to contribute with the view of improving the overall security posture of the industry.

Sharing information on AD incidents and threats

Semperis is part of these discussions, sharing insights and research to educate the industry on better protecting themselves from evolving and emerging threats. Our designated research team regularly exposes new and interesting ways attackers abuse Active Directory and Entra ID. All this research is pulled into our free community tools like Purple Knight and Forest Druid, meaning that any organisation can benefit from the power of these insights.

Get a comprehensive picture of your hybrid AD configuration now

One of the key challenges of DORA compliance is that the regulation outlines expectations for compliance but provides no specific frameworks on how firms can put these measures in place, and ultimately, where they should start.

Working through these five pillars and their requirements within Active Directory is a great first step—if you have good visibility into your configuration. But as we’ve seen, it’s impossible to protect something without sufficient insights.

So where to start? Download Purple Knight and Forest Druid to get a picture of your Active Directory configuration state and potential exposures. You will get a clear, actionable, and free plan to address these areas and fix any problems, putting you in the best position to start your DORA compliance journey for Active Directory.

Download the free tools now

Other articles in our DORA Compliance series

• DORA Compliance and ITDR

Resources

¹ https://www.digital-operational-resilience-act.com/Article_6.html

² https://www.digital-operational-resilience-act.com/Article_19.html

^3,4,5,6 https://www.digital-operational-resilience-act.com/Article_17.html

⁷ https://www.digital-operational-resilience-act.com/Article_24.html

⁸ https://www.digital-operational-resilience-act.com/Article_28.html

⁹ https://www.digital-operational-resilience-act.com/Article_45.html