James Doggett | Semperis CISO

CISOs in the financial sector have another new regulatory challenge to contend with. Earlier this year, the U.S. Securities and Exchange Commission (SEC) adopted new cybersecurity incident response and disclosure rules that call for new approaches to disaster recovery planning. For affected organizations, the SEC Regulation S-P requirements demand a fresh look at the security of your identity infrastructure.

Active Directory (AD), as the critical system controlling network access, requires particular attention under these rules. An AD compromise could easily constitute a reportable incident, making robust AD recovery capabilities essential for meeting the SEC’s tight disclosure timelines. To prepare, CISOs should start by assessing (and actually testing) their current AD disaster recovery plans, identifying gaps in meeting the new requirements, and implementing automated recovery solutions to improve responsiveness.

What the new SEC Regulation S-P requirements mean for CISOs

The SEC requires companies to notify affected customers within 30 days of a cyber breach. The company must conduct a forensic analysis of the breach that establishes:

  • What happened
  • How it happened
  • What was breached

In 90% of attacks, companies must first recover Active Directory before they can meet even those basic reporting requirements. Without a functioning AD, the wider network and operational systems might be unavailable.

To further illustrate the consequences of inadequate AD protection, consider the following:

  • 74% of data breaches start with privileged credential abuse
  • The average time for a bad actor to gain access to AD is 16 hours
  • Median time for an attacker to move laterally after device compromise is 1 hour, 42 minutes
  • Average time to recover Active Directory after an attack is 21 days

Now, according to SEC Regulation S-P requirements, companies must also be able to “recover from both unauthorized access to and unauthorized use of customer information.” The SEC recognizes that companies “need to anticipate and prepare for the possibility that they may be denied access to a particular system and have procedures in place for complying with the notice requirements.”

A detailed, documented plan for AD recovery is key to meeting these requirements.

Active Directory: the prime target

Over the past three years, many large-scale attacks have targeted Active Directory, the backbone of most enterprise networks. If AD is down, generally all systems are down.

This is a stark departure from predictable attack targets such as patient data and your organization’s accounting files. To protect these critical assets from attack, you first need to identify which systems control access to them.

Active Directory, which manages user authentication and access rights across the network, has become a lucrative attack vector. Malicious actors seek access to Active Directory because it provides the easiest path to your entire network, providing user- and even administrator-level access to anything within its boundaries. And it’s an easy target: Many legacy AD environments have security vulnerabilities that have accumulated over time, creating countless entryways for attackers.

Unfortunately, recovering from an Active Directory attack is often more challenging than recovering from an attack on other critical applications or even your servers. While the process is the same—stop the bleeding, start recovery, and communicate with stakeholders according to SEC guidelines—it can be difficult to determine the scope of the attack, how long the system has been compromised, and even how it was compromised. Individual servers can be restored from a backup, but AD often needs to be triaged, recovered, and reinstalled across the entire forest, prolonging recovery times from a few days to weeks. Only after recovery can you begin a forensic analysis to determine the attack’s extent and scope.

Protecting and planning for recovery

Given the seriousness of an Active Directory attack, how can you protect yourself and plan for a swift recovery? Your disaster recovery plan needs to account for the true nature of an AD compromise.

  1. Recognize the potential scope. You must begin by recognizing an attack’s potential scope. Not only are you dealing with a system attack, but your employees’ usernames and passwords are likely exposed. Typically, if an attacker reaches Active Directory, they have the credentials necessary to access other systems. All critical assets, including your client, customer, and patient records, are compromised. Once an attacker owns AD, they have significant power, with implications across your entire organization’s network and network-connected assets.
  2. Assess your organization’s capacity. You must also assess your organization’s capacity to triage and recover from an attack. Many times, AD’s attack vectors are obfuscated. The entry point can be a single set of credentials, such as an employee’s username and password. Other times, attackers could have created back doors that give them persistent access that survives ordinary remediation. Forensic analysis can help reveal how and where the compromise happened, so it’s important to ensure your organization has the resources and expertise to conduct that analysis. This is where a partnership with a third-party company is useful. If your organization is short on skilled forensic analysts, organizations that specialize in AD recovery—including post-breach analysis—can give you the tools and on-demand support you need to expedite a full recovery.
  3. Account for extended recovery time. Your disaster recovery plan must also account for the true amount of time it takes to recover from an AD attack. This often involves:
    • Isolating the compromised environment
    • Rebuilding the Active Directory infrastructure
    • Verifying and cleaning all connected systems
    • Implementing new security measures
    • Training employees on new security protocols

These steps can take weeks to months, which can impact your organization’s ability to operate uninterrupted.

The stakes—and the solution

With cyber threats growing more sophisticated, finance and banking businesses face a challenging security environment: protecting Active Directory must be a top priority. AD is a prime target for cybercriminals because it is the backbone of most enterprise networks. The potential damage from an AD compromise is extensive, and recovery can be complex and time-consuming.

Protecting your AD is intrinsically linked to the security of your entire digital ecosystem. By understanding the risks, implementing robust preventive measures, and developing a comprehensive recovery plan, organizations can better navigate the new SEC Regulation S-P requirements—and better protect themselves against evolving threats.
