In 2026, Active Directory remains at the heart of the now hybrid identity infrastructure of most large companies and is still widely used as an on-premises identity provider, even when organisations migrate to the cloud. 

Wavestone incident response teams note that 38% of attacks begin with identity compromise (vs. 20% in 2024). More broadly, attackers frequently exploit on-premises identities to move laterally into cloud environments (Microsoft Digital Defence Report 2025 [1]). 

In a context where the hybridisation of identities increases an already vast attack surface, companies must be able to understand the challenges and equip themselves effectively. 

Through this new 2026 overview of Active Directory security tools, we offer you: 

1. An updated map of Active Directory security tools 
2. An overview of major market trends (consolidation, transition to platforms, cloud hybridisation) 
3. Feedback on operational implementation challenges and key success factors 

An overview of AD 2026 security tools, which has been further enhanced  

By analysing the market, we have identified four main use cases for these tools: 

1. Analysis and audit 
2. Hardening and maintaining security  
3. Detection 
4. Response and reconstruction 

A listing of publishers and tools offering features that meet one or more of these four use cases was conducted. It was designed to be as comprehensive as possible, including tools from the best-known and most widely used players on the market as well as those from lesser-known players, proprietary tools and open-source tools, tools with a wide range of features and tools offering a more limited set of features. All relevant tools were thus included in a list, with various information for each one (reputation, description of the tool and use cases covered, hosting, etc.). 

The following overview selected a number of publishers from this list, for the functional coverage they offer and their large use within organisations. 

The Microsoft Entra ID logo is added to tools that offer the possibility of integrating it into their operations in addition to on-premises AD coverage. This is a strong trend in the market. 

1. A dynamic market undergoing consolidation 

The Active Directory market has undergone several changes since 2022, with different major transactions. The aim is most often for publishers to complement their offering or to cover a new need for Active Directory security. 

Among other things, we can note : 

Acquisition of PingCastle by Netwrix [2] : PingCastle, renowned for its expertise in AD security auditing, strengthens Netwrix’s offering. This acquisition enables Netwrix to expand its portfolio with a lightweight, quick-to-deploy tool that is popular with technical teams, while reaffirming its commitment to providing a unified platform covering the entire AD security lifecycle. 

Acquisition of Attivo by SentinelOne [3] : Attivo, a specialist in identity security and lateral movement detection, strengthens SentinelOne’s offering by integrating advanced AD protection capabilities into a unified platform combining EDR, XDR and identity security. 

Acquisition of BrainWave by Radiant Logic [4] : Radiant Logic strengthens identity and governance analysis capabilities. By combining BrainWave’s detailed rights mapping with Radiant Logic’s identity federation, the offering becomes more comprehensive in addressing AD challenges. 

Integration of Stealthbits by Netwrix [5] : By merging with Stealthbits, Netwrix has integrated historical Active Directory auditing and detection components (StealthAUDIT, StealthDEFEND, etc.), strengthening its offering in the protection of identities and sensitive data and moving towards a unified platform focused on AD security. 

2. From specific tools to centralised platforms 

In 2022, our overview of Active Directory security tools mentioned “specialised tools, each addressing part of the equation.” [6]. In 2026, we are seeing the emergence of centralised platforms capable of covering several needs around Active Directory and, often, Entra ID. This dynamic is primarily driven by publishers seeking to broaden their value proposition and differentiate themselves with comprehensive platforms rather than specialised tools offering specific features. 

Some publishers build their platforms through successive acquisitions, such as Netwrix (AD auditing, data protection, vulnerability discovery, PingCastle, etc.) or SentinelOne (EDR/XDR enhanced by Attivo on identity), while others are gradually enhancing their existing offerings to provide modular suites, whether they are administration/monitoring tools such as ManageEngine ADAudit Plus or Quest Change Auditor, which add AD auditing, hardening and detection components across the entire Active Directory ecosystem. 

The promises made by publishers are clear: 

• Centralisation of data (accounts, groups, rights, security events) 
• Unified view of attack paths between AD and Entra ID 
• Simplified management for security, infrastructure and IAM teams via consolidated consoles and dashboards 

From the customer’s point of view, the benefits are obvious, but the reality may be more nuanced: 

• Consolidation can reduce the number of tools and simplify integrations, but it does not eliminate the need for AD expertise or specialised tools (e.g. for post-incident reconstruction). 
• Environments often remain multi-vendor, with a mix of global platforms (XDR, CNAPP, Identity Security) and targeted AD tools, particularly in large groups or organisations that are already heavily equipped. 

In this context, the challenge is not simply to “choose a platform”, but rather to put together a coherent whole, ensuring that: 

• The AD/Entra ID scope is well covered throughout the entire lifecycle (prevention, detection, response, reconstruction). 
• The tools can feed existing processes (SOC, crisis management, PRA, IAM). 
• Dependence on a single publisher is assessed and controlled. 

3. Cloud hybridisation 

With the rise of Entra ID and SaaS applications, identity hybridisation has become the norm: AD accounts and groups are synchronised to the cloud, and the same credentials are used to access on-premises and cloud resources. Numerous recent incidents show that attackers are exploiting these hybrid architectures to pivot between AD and Entra ID, taking advantage of poor configurations or weak alignment between the two worlds. [7] 

This translates into several concrete needs: 

• Joint supervision of AD and Entra ID: ability to correlate signals from the on-premises directory (changes, anomalies, lateral movement attempts) and the cloud (Entra ID Protection signals, connection anomalies, conditional access, etc.).  
• Security policy alignment: hardening of AD (configuration, delegation, privileged accounts) in line with conditional access policies, MFA and Zero Trust requirements.  
• Hybrid reconstruction capabilities: in the event of AD compromise, reconstruction and restoration must integrate Entra ID dependencies (synchronisation, service accounts, applications) to avoid side effects on the cloud, and vice versa. 

Publisher are gradually positioning themselves on this hybridisation. Some are expanding their AD audit engines to include Entra ID (on-premises to cloud) and offer a unified view of identity vulnerabilities: Netwrix Auditor now allows Entra ID to be monitored in parallel with Active Directory with a single view of hybrid threats. Tenable Identity Exposure extends its exposure indicators to specific Entra ID risks, and Semperis Directory Services Protector correlates AD and Entra ID changes in a single console to reduce the hybrid attack surface. 

Other tools start in the cloud (Entra ID, SaaS) and move down to on-premises AD (cloud to on-premises), using a hybrid identity threat detection and response approach: Microsoft Defender for Identity provides a consolidated inventory of AD and Entra ID identities and new detection capabilities on hybrid components (Entra Connect, AD FS, etc.), while CrowdStrike Falcon Identity Threat Protection analyses hybrid accounts present in both AD and Entra ID/Azure AD. 

Operational implementation still has room for improvement 

The Active Directory security market is seeing growing and structured adoption of sophisticated tools. In many organisations, functional coverage is now adequate, or even advanced, across the various aspects of AD security (auditing, hardening, detection, backup). 

However, technological maturity contrasts with operational implementation that is still incomplete. AD disaster recovery plans (DRPs) often remain theoretical, untested, or disconnected from the backup and reconstruction tools deployed. Regular reviews (of privileges, delegations, approval relationships) are still rarely industrialised: they often depend on a few experts, with a limited level of automation. 

The effectiveness of implementation is also impacted by the constant evolution of the ecosystem, between the platformisation of tools and the hybridisation of identities. The challenge for the coming years will therefore be to align tools (both existing and future) with robust, documented and tested processes: 

1. Clarify responsibilities between infrastructure, IAM, security and SOC teams, 
2. Formalise and automate recurring controls (rights reviews, configuration validation, restoration tests). 

Only then will investments in Active Directory security tools, both on-premises and in the cloud, enable true resilience to be achieved. 

Methodology overview 

We have identified four main categories for grouping tools: 

Analysis and audit: 

• Account and Privilege: Inventory of accounts, groups and associated rights to detect excessive or non-compliant privileges. 
• AD Discovery: Exploration of the AD structure (OUs, GPOs, objects) to deduce the architecture, relationships and dependencies. 
• Vulnerability Discovery: Identification of security vulnerabilities (configuration, obsolete accounts, weak passwords, etc.). 
• Attack Path Discovery: Modelling potential attack paths to privileged accounts. 

Hardening and management: 

• Password Management: Management of password policies, synchronisation, password auditing (strength, reuse, compromise, etc.). 
• Rights & Privilege Management: Delegation, access control, role and permission management. 
• GPOs Management: Creation, analysis, modification of group policy objects. 
• Change Management: Change tracking, traceability, change management and migration tools. 

Monitoring: 

• Threat Detection: Proactive detection of suspicious behaviour, privilege escalation, lateral movement. 
• Security Incident Detection: Identification of security incidents, real-time alerts, event correlation. 
• Backup and Recovery: 
• AD Backup & Recovery: Partial or complete backup of AD objects, rapid disaster recovery. 
• Investigation & Forensics: Post-incident analysis, traceability of malicious actions, evidence collection. 

For each of the tools classified, a badge (Microsoft Entra ID logo) is added when the tool offers the possibility of integrating Microsoft Entra ID into its operation. 

Conclusion

The 2026 overview is based on an analysis of 180 tools, compared to 150 in 2022. It was constructed using a similar approach to that of 2002. It is based on a listing of tools on the market. On this basis, and in line with recurring themes in Active Directory security, a categorisation has been established to facilitate reading. 

The list of tools mentioned is not intended to be exhaustive, as the list of tools that can contribute directly or indirectly to Active Directory security is vast. This overview is therefore a summary of the main existing tools, particularly those that Wavestone consultants encounter most often in large organisations (considered, studied, tested or deployed). 

References

[1] Microsoft Digital Defense Report 2025 | Microsoft 

[2] Netwrix Acquires PingCastle | Netwrix 

[3] SentinelOne, Inc. – SentinelOne Completes Acquisition of Attivo Networks 

[4] Radiant Logic Signs Definitive Agreement to Acquire Brainwave GRC – Radiant Logic | Unify, Observe, and Act on ALL Identity Data 

[5] Netwrix annonce sa fusion avec Stealthbits | Netwrix 

[6] Radar des outils pour renforcer la sécurité d’Active Directory – RiskInsight 

[7] Microsoft Incident Response lessons on preventing cloud identity compromise | Microsoft Security Blog 

Cet article Overview of Active Directory security tools – version 2026  est apparu en premier sur RiskInsight.

This type of platform can be used to create applications based on generative AI models such as LLMs (GTP-3.5, Mistral, etc.). 

Nevertheless, the adoption of this technology is not without risk: from virtual assistants criticizing their companies [3] to data leaks [4]; there is no shortage of examples. 

To support the many deployments currently underway, you need to think quickly about your security, particularly when sensitive data is being used. In this article, we take a look at the risks and mitigations associated with using these platforms. 

Which model is right for you? 

Three types of generative AI can be used to create an application. The difference lies in the precision of the answers provided:  

1. Simple: generic AI model (GPT-4, Mistral, etc.) plugged in as such, with a user interface. It is an internal GPT. 
2. Boosted: generic AI model that leverages the company’s data, for example via RAG (Retrieval Augmented Generation). These are specialized companions for a particular use, HR GPT, Operations GPT, CISO GPT…). 
3. Specialized: the AI model retrained for a particular use. For example, India has retrained Llama 3 for its 22 official languages to make it a specialized translator. 

All three deployment methods entail risks. We will begin by describing the different modes. We will then look at the risks, and the associated mitigations. 

Risks and models 

Simple model 

This model is the simplest to deploy. It allows users to interact with the AI models proposed by the platforms. It simplifies the integration of sending prompts and receiving responses in an application. It is an internal ChatGPT, with the advantage of limiting the leakage of sensitive data inserted into a prompt, unlike the web version. Also, in this case, exchanges with users are not used to re-train and improve the model. Your data is protected. The Cloud platforms offered by Azure, AWS or GCP enable these solutions to be deployed rapidly. 

Examples of use: text summary, development assistant. 

How the simple model works

Boosted model 

This model remains generic, but will have access to selected company data. The AI could, for example, consult the group’s PSSI to provide the password policy. 

Examples of use: enterprise chatbot, data analysis. 

How the boosted model works

Specialized model 

The application is no longer based on a generic model (GPT-4, Mistral, etc.). Before using it, you will need to train your own model on your company’s data. It will always be able to consult the company’s data and will have a better understanding of it to generate its response. 

Examples of applications: fault detection on a production line, medical diagnostics. 

How the specialized model works

What risks are you exposed to? 

Regardless of the model selected, there are a number of transversal or specific risks. It is important to take these into account to ensure that the solution is securely integrated. 

Hijacking the model 

AI models are exposed to the risk of misuse. Imagine a scenario where someone uses this technology to generate harmful content. This could lead to real consequences such as the propagation of toxic content. One known attack for this purpose is Prompt Injection [5]. 

Example – Model hijacking (Prompt Injection)

Hallucination 

When AI asserts information that is false, it hallucinates. Think of it as “daydreaming”: if it doesn’t have the answer, it will “invent” things to fill the void. This can be particularly problematic in situations where accuracy is crucial: generating reports, making decisions, etc. Users could unknowingly spread this false information, or make bad decisions.  

Example – Model hallucination

Data leakage 

There are several ways in which data can be leaked. An attacker can inject a malicious prompt to retrieve it, or an employee can be given more rights than necessary and access sensitive information (e.g. strategic minutes of an executive committee meeting). The security of the underlying database must therefore be proportional to the amount of data stored. 

The model has access to certain company data. If, for example, its rights are too extensive, it will be able to consult confidential data. These responses will therefore include sensitive information that should not be disclosed. 

Example – Data leak

Model theft 

If the model is specialized, it is now your company’s intellectual property. As such, it could be a target for attackers. Confidential training data, for example, could be targeted. The question of trust in the Cloud host may also arise: wouldn’t it be better to host it locally? 

 Example – Model theft

Poisoning the model 

Without claiming to steal the model, the attacker’s aim could be to make it unreliable. The responses generated could then no longer be used by the teams. 

Poisoning can occur in two ways:  

• Boosted model: the attacker accesses the RAG and modifies the information. The model then relies on poisoned data to provide its answers.  

• Specialized model: the attacker poisons the model’s training data. Either directly on the database that he makes available on a public platform (Hugging face type), or by accessing the training database hosted in your information system. 

 Example – Poisoning the model

Main risks: what mitigations? 

Of the 5 risks presented, 3 dominate in the risk analyses carried out by our teams. We suggest you study the associated mitigations. 

The novelty of the technology provides an opportunity to build a solid security foundation. Several iterations will be necessary to achieve an effective and secure solution. 

Risk #1: Hijacking the model 

Hijacking the model and the key to remediation

We recommend the following measures to prevent the model from being hijacked: 

#1 – Toughen the configuration in two ways. Firstly, management of the master prompt (discussion window with the model). Certain keywords, for example, can be banned to prevent abuse. Secondly, the number of tokens and therefore the size of responses. A less verbose model will have less chance of being hijacked. Other parameters can be taken into account: temperature, language used, etc. 

#2 – Filter responses by applying, for example, a simple response filtering algorithm. To go further, it is possible to deploy specialised LLM firewalls. This would make it possible, for example, to prevent potential abuse (this is known as abuse monitoring). 

#3 – Limit the sources to which the model has access to generate its responses. If the model is given access to company data, it can be limited to this data only. In this way, it will not be able to search for other information on the Internet, for example.  

Risk #2: Hallucination 

 Hallucination and the key to remediation

To deal with hallucinations, we recommend the following measures: 

#1 – Train and educate users on how models work, their limitations and best practices. This enables users to use Large Language Models responsibly and to recognise misuse or potential security threats. 

#2 – Toughen the configuration in two ways. Firstly, adjusting the parameters, including setting the model temperature (how creative the model is) and limiting the number of tokens (number of words per question/answer). Secondly, the use of a more recent model (GPT-4 rather than GPT 3.5 for example). 

#3 – Optional – Re-training the model gives it a context. This will have a positive impact on the reliability of responses. Using a wide range of training data can help to cover more scenarios and reduce bias, which helps AI to better understand and generate appropriate responses. Similarly, eliminating errors and inconsistencies in training data can reduce the likelihood of the AI learning and repeating these same errors. 

Risk #3: Data leakage 

 Data leakage and the key to remediation

To deal with leaks of sensitive data, we recommend the following measures: 

#1 – Ensuring compliance with data protection laws and protocols by involving the Data Protection Officer (DPO) in projects accessing Large Language Model platforms is important to protect personal and sensitive data. By adhering to these standards, organizations not only protect individual privacy but also strengthen their defense against data breaches and misuse. 

#2 – Manage rights and access to all components interacting with the model. Understanding which data can be accessed by the model is not trivial. Auditing and recertifying this data over time helps to limit potential discrepancies. 

#3 – Reduce the verbosity of the model by limiting the number of output tokens. The less verbose a model is, the lower the probability that it will inadvertently share confidential data. 

#4 – Anonymize the data, or make it generic, if the use case allows. For example, AI will be able to work on population trends without an explicit name being cited. As well as greatly reducing the risk of data leakage, this will reduce the standards to be complied with (e.g. RGPD). 

#5 – Limit the amount of sensitive data used. Here we need to think about what data is necessary and sufficient for the model to work. The data can be processed beforehand to remove or modify sensitive data and thus reduce exposure (e.g. data anonymization). 

Cross-disciplinary mitigations 

Certain measures apply to all the risks listed above. Two of them are fundamental.  

#1 – Integrate security into projects via, for example, contextualized security analysis. This enables organizations to preventively identify and mitigate potential vulnerabilities, ensuring that only secure and verified projects access generative AI applications.  

#2 – Document each application to establish an operational framework that not only facilitates easier supervision and management, but also reduces the risk of unauthorized or malicious use.  

The development of AI applications is accelerated by the platforms available. However, the sophistication it brings is not without risk.  

Recognizing these challenges, the priority is to establish robust governance for the platform. This involves delineating roles and responsibilities, ensuring a structured approach to managing and mitigating risks. 

Governance extends beyond the platform itself. Securing the myriads of AI application use cases is just as important. It’s about ensuring that the application of this AI technology is both responsible and aligned with ethical standards, guarding against misuse and unintended consequences. 

This calls for a model of shared responsibility, where all stakeholders – developers, users and governance bodies – work together to maintain the integrity and security of AI applications. 

References 

1. https://synthedia.substack.com/p/microsoft-azure-ai-users-base-rose 
2. https://www.usine-digitale.fr/article/amazon-fait-son-entree-sur-le-marche-de-l-ia-generative-avec-bedrock.N2121081  
3. https://www.theguardian.com/technology/2024/jan/20/dpd-ai-chatbot-swears-calls-itself-useless-and-criticises-firm 
4. https://openai.com/blog/march-20-chatgpt-outage 
5. https://www.riskinsight-wavestone.com/2023/10/quand-les-mots-deviennent-des-armes-prompt-injection-et-intelligence-artificielle/ 

Cet article Generative AI applications: risks and mitigations  est apparu en premier sur RiskInsight.

Your company is currently dealing with a major ransomware crisis. Given its central role in managing access, authentication, and network resources within any organisation, cybercriminals have compromised the Active Directory in 100% of these crises.  

Your systems are now encrypted if the attackers have activated the malicious payload. They might otherwise be isolated and unavailable. In either case, your company no longer has the necessary resources to function properly, and your activity has either ceased or has been significantly slowed! 

In this case, trust in your information system has been broken. Your teams begin to feel business pressure, and one question persists: when will we be able to reopen our services? Your goal then becomes clear: you must restore Active Directory with a high enough level of trust to reopen services as soon as possible. 

Rebuilding an Active Directory is a difficult step in crisis management. If poorly executed, your organisation exposes itself to two major risks: exacerbating the operational impacts for the business or introducing a new threat to your environment.

The ANSSI has recently published three very comprehensive guides on this subject [1], which we recommend you read. 

In this article, we will go over some of the items that stood out to us during crisis management. Our teams were able to overcome numerous obstacles during their interventions. What are the main issues that have arisen? How can they be fixed?

From compromise to reopening: advice to overcome obstacles

Start remediation efficiently with a proven organization

Time lost due to poor crisis organisation can exacerbate the consequences of an Active Directory compromise. Teams are frequently unsure of what to do, who to involve, and what goals to pursue. A delayed response will increase remediation costs, revenue losses, and have an impact on the company’s reputation.

Before the crisis…
It is necessary to identify all the key players to involve in the reconstruction of the Active Directory:

The executive committee will resolve fundamental issues. For example, do we prioritise reopening critical services quickly for business reasons or slowly and securely? There are several possible postures, each with advantages and disadvantages [1 – Strategic Dimension]. The entire remediation plan is based on this decision, so the executive committee must make a decision to begin work immediately.  

Business teams will identify and prioritise the most critical services for restoration. The Active Directory compromise affects the majority of the company’s services, and your teams will be unable to handle all requests at once. 

Intervention teams (technical and security) will be formed to define and implement the remediation strategy. Because of the expertise and human efforts required to rebuild an Active Directory, temporary reinforcement of your teams is required to handle the remediation: mastering configuration review tools (PingCastle, Purple Knight, etc.), prioritising detected vulnerabilities, deployment and control of measures, and so on. 

It is critical to define processes and reflex cards in order to optimise each actor’s reaction time. Simulations and regular exercises should be organised in addition to their writing to train your teams to react effectively. 

During the crisis… 

Rapidly implement a project monitoring system that includes regular reports, action tracking, and coordination among the various teams involved. Too often, a lack of communication and information leads to a slowdown in remediation. It is not uncommon for administrators to take initiatives without taking the time to communicate them, such as opening more network ports than necessary, parallelizing two tasks from the remediation plan, and so on. These well-intended initiatives can have a significant impact on remediation, ranging from complicating the work to a distorted view of the true security level following the security work, and thus an increased risk of new lightning compromise. 

Ensure the resilience of backups by defining a robust strategy   

When dealing with an Active Directory compromise, the unavailability of backups (corrupted or compromised) is a major challenge. Attackers frequently target and disable backups or disrupt backup servers. This complicates and lengthens Active Directory restoration and recovery. 

Before the crisis…

Create a resilient backup strategy that takes best practices and recommendations into account (backup on disconnected media, immutable or in the cloud) [2]. There is currently a significant gap between state-of-the-art and implemented backup strategies (for example, Active Directory authentication of backup infrastructures, unsecured domain controller backups, and so on). 

During the crisis… 

Consider performing Active Directory remediation from a compromised domain controller. This “double bascule” method can assist in recovering and securing critical data in order to restore the Active Directory service without the use of a backup. When backups are unavailable and the strategy does not include rebuilding Active Directory from scratch, this scenario is selected. 

Anticipate technical problems such as DNS Active Directory configuration by maintaining your environment 

The vast majority of Active Directory environments have accumulated technical debt over time (complex network architecture, roles such as DHCP carried out by domain controllers rather than dedicated servers, and so on). Furthermore, Active Directory environments are now synchronised with Azure Active Directory, establishing new technological dependencies that may complicate remediation in the event of an Active Directory compromise (Active Directory/Azure Active Directory synchronisation). These two elements can cause an array of technical issues on the day of the crisis (loss of synchronisation with Azure Active Directory, unavailability of the DHCP service carried by a domain controller that must be turned off, and so on).

Before the crisis… 

Maintain Active Directory technical documentation and inventories (infrastructure, Azure Active Directory synchronisation, etc.). It often proves too difficult to obtain a clear view of the environment and the perimeter to be remediated. Up-to-date inventories will significantly improve remediation work and ensure the establishment of a consistent remediation plan. Additionally, this will allow you to identify and correct bad practises that could cause major issues on the day of the crisis (DNS service configuration, DHCP, and so on). 

During the crisis… 

After 30 days of desynchronization with the Active Directory, Azure Active Directory services may become unavailable, resulting in a ticking time bomb. Make sure to assess the consequences of losing Azure Active Directory services and avoid relying on them to handle critical tasks (email communication, for example).  

The crisis will highlight numerous technical flaws (Active Directory configuration report via audit tools, network issues, and so on). Make sure to only deal with problems that are related to the remediation plan’s objectives (see Advice No. 5 – Set a course and stick to it during remediation!). 

Optimize the reinitialization of secrets through processes adapted to your context 

Active Directory compromise results in a loss of trust in all of its secrets. As such, a reset of these is required to achieve the level of security required to reopen services while avoiding another quick compromise. Resetting a large number of user passwords and service accounts can have significant operational consequences in large environments with several thousand users and more than a hundred applications. To provide the new password for service accounts, you must first understand how the application uses the account. For users, you must devise a secure method of distributing new passwords on a large scale. 

Before the crisis… 

It is critical to have a clear understanding of the process of assigning new passwords to users. Several methods are available, depending on the environment studied, such as summoning users with the presentation of an identity card, transmitting the new username/password via physical mail, email, SMS, and so on. Regardless of the method chosen, the user must be required to reset his password on the next connection. Users may also be able to reset their own passwords using solutions that rely on two-factor authentication, for example. 

To carry out service account work, it is essential to create an inventory by identifying the associated applications and password reset methods for each of them. Obtaining this inventory by remediation teams is frequently complicated (unavailable, not maintained, etc.) and thus necessitates devoting significant time to tasks that can be completed outside of the crisis. Aside from remediation work, this exercise will help you manage your service accounts on a daily basis. One of the best practices is to change the passwords on these accounts on a regular basis. 

During the crisis… 

Once the passwords have been reset, it is necessary to ensure that the security measure has been implemented throughout the environment. This is easily accomplished with a PowerShell script, and it ensures that the attacker no longer has a valid account to exploit. 

Set a course and stick to it during the remediation! 

During an Active Directory reconstruction, it is frequently difficult to strike the right balance between exposing oneself to risks by reopening too quickly and incurring significant financial losses by reopening too slowly. Take care not to fall into the common pitfalls of managing a ransomware crisis.[3] 

Before the crisis… 

It is necessary to consider the various remediation postures: quickly restoring vital services, regaining control of the information system, or seizing the opportunity to prepare for long-term control of the information system. [1] 

Beyond defining the posture, ensure that you understand your Active Directory trust core, which is made up of the most critical assets (Tier 0). The remediation actions begin with these components (domain controllers, for example) in order to restore Active Directory’s vital services and to ensure a level of security that does not allow the attacker to compromise the entire environment again. 

During the crisis… 
Make sure that your teams stay on track. As the remediation plan is carried out, new issues will emerge (unavailability of the domain controller carrying one of the required FSMO roles for remediation, network problems, and so on). It will be necessary to question the short-term relevance of its remediation in relation to the set objectives (the answer being dependent on the executive committee’s posture: quick reopening or slower and more secure).  

Consider the opportunities presented by the crisis. For example, if the DHCP service was managed by a domain controller, take advantage of the opportunity to set up a dedicated DHCP server, thereby decoupling the service from the domain controller. 

Our lessons  

The improvement of the reconstruction process before the compromise of Active Directory ultimately rests on three main axes: 

1. The drafting of functional processes and reflex cards to be able to: 
   1. Mobilize the right people in a timely manner. 
   2. Focus on the main objectives. 
   3. The maintenance of the Active Directory environment, which requires: 
2. Defining and maintaining an architecture in accordance with best practices. 
   1. Having up-to-date inventories. 
   2. Ensuring the resilience of backups. 
3. The performance of tests to: 
   1. Validate the applicability of theoretical processes in real conditions. 
   2. Improve the reactivity and efficiency of your teams in a crisis situation.

[1] https://www.ssi.gouv.fr/actualite/lanssi-publie-pour-appel-a-commentaires-un-corpus-documentaire-sur-la-remediation/

[2] https://www.riskinsight-wavestone.com/en/2023/02/approaches-to-quick-active-directory-recovery/

[3] https://www.riskinsight-wavestone.com/en/2023/01/successful-ransomware-crisis-management-top-10-pitfalls-to-avoid/

Cet article Surviving an Active Directory compromise: Key lessons to improve the reconstruction Process  est apparu en premier sur RiskInsight.