Cyber Resilience Over False Confidence: A Necessary Shift in Security Strategy

Guido Grillenmeier, Principal Technologist at Semperis

For years, organisations invested primarily in perimeter security, yet the reality is that bad actors often don’t ‘break in’; they log in. Stolen credentials, tokens or cookies are used to gain access to critical systems.

Active Directory, introduced in 2000, still forms the backbone of identity management in many organisations. It is powerful yet complex, and therefore difficult to secure completely. Many attackers still target this foundation. With freely available tools, even a non‑expert can escalate privileges and take over an entire domain.

The challenge is amplified by hybrid environments. Virtually all organisations synchronise their on‑premises Active Directory with cloud environments such as Microsoft Entra ID. This means an attack that starts with phishing or malware on an endpoint can move rapidly into the cloud. Groups such as Storm‑0501 now use this route systematically: first, infiltrate the legacy environment, then obtain privileges in the cloud and establish persistence there.

Ransomware-as-a-Service

The criminal ecosystem is professionalising at high speed. Where previously, technical expertise was required, Ransomware‑as‑a‑Service (RaaS) groups now offer turnkey attack packages. Initial access brokers sell entry to vulnerable systems on the underground market, often for a fraction of the potential damage inflicted.


A notorious example remains the attack on Colonial Pipeline, where stolen credentials from an external contractor were enough to shut down operations. This demonstrates that identity security is not just an IT issue but a strategic challenge that affects the entire organisation.

Shifting paradigms

At the heart of the shift is the move from prevention to resilience. It’s no longer only about keeping attackers out, but above all about being prepared for when they do get in. An important concept here is the Minimum Viable Company (MVC). This means an organisation defines in advance which processes, applications, and infrastructure are necessary to keep running in a crisis. That can range from order and shipping systems in manufacturing to patient records in healthcare.

In a crisis, you don’t fall back on improvisation, but on the degree to which you are prepared. Who has which role, which applications must come back online first, and how is communication organised: that must be determined and rehearsed in advance.

A recovery plan on paper won’t save you

Many organisations do have a recovery plan, but it often stays on paper. Without regular exercises, such a plan loses its value. Tabletop exercises – simulations of a crisis scenario without shutting down production – are essential. Perhaps it turns out that a critical application depends on another system, or that contact details aren’t up to date. By practising periodically, the organisation’s resilience grows.

AI as weapon and shield

A second major trend is AI. Since the introduction of ChatGPT at the end of 2022, AI has accelerated dramatically. For security teams, AI offers opportunities to recognise patterns in vast volumes of log data and flag anomalies faster.

At the same time, cybercriminals are using AI just as readily. Phishing emails are flawlessly translated and convincingly drafted. Deepfakes and real‑time voice imitation make social engineering more dangerous than ever. And while mainstream AI models refuse to generate malware, customised variants on the dark web now do so without restrictions.

Attackers don’t abide by compliance or ethics. That makes AI a powerful tool for them. For defenders, it means we must use AI to analyse the deluge of signals, while also considering the increase in false positives that puts SOC teams under pressure.

Cyber resilience as an executive KPI

Cyber resilience is not merely a technical matter. It touches the core of business strategy and must therefore be discussed at the executive level. Top‑down initiatives are essential. An effective crisis management plan requires sponsorship from the boardroom. It’s not only about technology, but also about processes, communication and governance.

Implementing resilience measures requires clear agreements on where critical information is stored, how keys and backups are secured, and which alternative communication channels are available if regular systems are compromised. Incidents in the field show that even Teams or Zoom conference calls can be eavesdropped on by attackers. Out‑of‑band communication channels are therefore crucial.

Security professionals are increasingly becoming change agents within their organisations. They must not only implement technology but also change culture and mindset: from the illusion of total prevention to a realistic focus on robustness. Cyber resilience should become a KPI by which organisations are held accountable. Not whether you are hit, but how well you respond ultimately determines whether your organisation survives. Prevention remains necessary, but without resilience, you remain vulnerable.

About Guido Grillenmeier

Guido Grillenmeier is the Principal Technologist of Semperis in EMEA. Based in Germany, Guido has been a Microsoft MVP for Directory Services for 12 years. He spent 20+ years at HP/HPE as Chief Engineer. A frequent presenter at technology conferences and contributor to technical journals, Guido is the co-author of Microsoft Windows Security Fundamentals.

Today he is concentrating on cyber-resilience, with a focus on Directory Services – both on-prem and in the cloud – securing companies around the globe. He assists customers in better understanding the security aspects of these essential services, which generally underpin a company’s overall security.
