A private orthopedic specialty medical practice with 30 locations and over 2,000 employees in the state it serves.
When a large orthopedic, physical therapy and sports medicine practice sustained a ransomware attack in February 2021, the healthcare organization took swift action to minimize the impact.
The client didn’t realize that it was their complex and distributed AD that had made them vulnerable. “We thought we had a thoughtful network implementation,” said the client’s chief technology officer (CTO). “We applied a reasonable effort to bolster security, but there are always things you could do better—and that came back to bite us. We fell victim to a ransomware attack. It was pretty brutal, impacting most of our systems.”
The attack began with a phishing email that gave the attackers initial access. From there they moved laterally, compromised privileged accounts, and established persistent administrative access to many of the client’s critical systems, exploiting weaknesses, misconfigurations and blind spots in the company’s AD environment along the way. Fortunately, the client did not suffer any data exfiltration, and the impact on business operations was minimal.
The client tapped Sirius Healthcare for help with incident response, remediation, and strengthening its defenses. Sirius brought in Semperis, a security company with expertise in defending hybrid and multicloud environments and purpose-built tools for AD. A key part of the recovery effort was immediately shutting down risky access while a thorough analysis and cleansing of the client’s AD took place; the team also located a domain controller (DC) that had not been touched by the attack to use in the recovery. As part of the cleansing, Semperis directed the client to reset the password of the KRBTGT account (the Kerberos Ticket Granting Ticket account, which guards the gates to the network) twice, and to disable the print spooler service on all domain controllers. “We took a lot of immediate measures to fight the attack, including quarantining affected DCs, shutting down risky access, and finding clean DCs to aid our recovery,” the CTO said.
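As an added example (not code from the case study, Sirius or Semperis), the following read-only check verifies the two remediation steps just described on every domain controller. It assumes a domain-joined admin workstation with the ActiveDirectory RSAT module and rights to query services on the DCs; the 30-day threshold is an assumption.

```powershell
# Added example: verify the KRBTGT reset and print spooler state on all DCs.
# Assumes the ActiveDirectory RSAT module and CIM/WMI rights on each DC.
Import-Module ActiveDirectory

$maxAgeDays = 30   # assumption: how recent the KRBTGT reset is expected to be
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {

    # 1. KRBTGT: query each DC directly so a lagging replica shows up as a
    #    mismatch. The two resets must be separated by a full replication
    #    cycle: the KDC honors only the current and previous key, so two
    #    rapid resets invalidate every outstanding ticket in the domain.
    $krbtgt  = Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet
    $ageDays = (New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).Days
    [PSCustomObject]@{
        DC    = $dc
        Check = 'KRBTGT password age (days)'
        Value = $ageDays
        Ok    = ($ageDays -le $maxAgeDays)
    }

    # 2. Print Spooler: a DC has no business printing, and the service is a
    #    well-known attack surface, so it should be Stopped AND Disabled.
    $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $dc `
                           -Filter "Name='Spooler'"
    [PSCustomObject]@{
        DC    = $dc
        Check = 'Print Spooler'
        Value = "$($svc.State) / $($svc.StartMode)"
        Ok    = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

$results | Format-Table -AutoSize
```

Any row with `Ok = False` is a DC where the remediation has not landed or has not replicated yet.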
“Once we were back on our feet, we needed to know that the bad guys were out of our environment,” the CTO explained. “At this point, we did not know if we were still compromised. We had to operate under the assumption that they were everywhere, and we had to find them and root them out.”
Sirius and Semperis helped the client monitor the environment to determine whether any lingering attacker reconnaissance was still taking place. Semperis’ AD-focused security tools were used to give the client an accurate and complete picture of the incident and of its AD security posture. Among those tools was Semperis’ threat detection and response platform, Directory Services Protector (DSP). “The DSP tool delivered as promised, but I think the real value of bringing in Semperis was their people and their deep understanding of and insight into AD and AD-based attacks,” the CTO said.
Now DSP continuously scans and monitors the orthopedic practice’s IT environment for the AD misconfigurations that attackers exploit to gain access. DSP also tracks changes made to AD and can automatically roll back malicious changes made by attackers, or innocent mistakes made by internal IT team members. Perhaps the greatest value of DSP is its ability to look at AD more deeply than traditional security tools: by monitoring the AD replication stream, it can detect sophisticated and previously invisible attacks such as DCShadow, a late-stage kill-chain technique in which an attacker who already holds privileged credentials registers a rogue domain controller.
In addition, controls have been put in place so that the orthopedic practice’s hybrid AD environment is continuously monitored. Indicators of exposure and suspicious changes are flagged so they can be dealt with immediately, before they have a devastating impact. “We’ve really started to take things to the next level,” said the CTO. “Now we use DSP to alert us on group policy changes. [Group policies, in part, control what users can and cannot do on a computer system.] It has allowed us to implement stronger [internal] change control and improvement processes to prevent rogue IT activities that might be convenient to us but are not secure.”