The Cybersecurity Code of Practice for Critical Information Infrastructure 2.0 (CCOP 2.0) is an enhancement of the first version, released in 2018. The Code specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) must implement. It applies to all components of the IT or OT systems and network infrastructure of a CII, including physical devices and systems as well as the software platforms and applications of the CII. All organizations subject to CCOP must implement, or show significant adoption of, the guidelines and practices it outlines by 4 July 2023. Silverfort enables CII operators to take a substantial step towards this goal by addressing the identity protection aspects of CCOP: least-privilege access policies, protection of privileged accounts, comprehensive MFA coverage, and Domain Controller protection.
Planning your CCOP Implementation Journey
Full implementation of CCOP requirements can materially reduce an organization's attack surface, as well as equip it with effective tools to detect, respond to, and remediate both commodity and advanced cyberattacks. However, such implementation is not achieved in a fortnight. The pressing question for CII security stakeholders is what the best path is to close the various gaps between the current security posture of their environments and the one CCOP demands. In simple terms it boils down to: 'Both product X and product Y check important CCOP boxes; which should come first?' In an ideal world with endless budgets and security personnel the answer would be 'Both. Now.' In the real world, however, prioritization is inevitable.
The Prioritization Rule: Most Value in Shortest Time
As most security practitioners know, two factors outrank all others. The first is security value: the delta that a product's prevention, detection, or response capability adds over what you have now. No less important is time to value, i.e. how long it takes to get the product up and running so that it delivers the security delta you chose it for. Too often these pull in opposite directions: security products that carry a great protection promise but take significant time and resources to deploy, or the other way around, instant deployment that yields low security returns. Neither group qualifies as the starting point of a CCOP compliance journey. Rather, security stakeholders should look for the products and categories that strike a fair balance between security value and time to value.
Starting with Identity Protection Yields the Highest Security Return
Identity threats is the term for all attacks that use compromised credentials to gain malicious access to targeted resources. The most prominent examples are account takeover, malicious remote connection to the internal environment, and lateral movement. Over 70% of ransomware attacks, for example, use compromised credentials to spread the ransomware payload across the network, materially increasing the attack's impact. Over 20 billion compromised credentials are circulating on the dark web and are used routinely in adversaries' operations. The identity attack surface is the least protected part of the IT environment today because, unlike malware, exploits, or phishing, a malicious access using compromised credentials looks identical to a legitimate one, which makes it extremely hard to identify and block.
CCOP Identity Protection Requirements: Least Privilege Access, MFA, Privileged Access Protection and Domain Controllers Monitoring
Acknowledging this, CCOP dedicates significant attention to the protection, detection, and response capabilities that increase an organization's resilience to identity threats, with special focus on the following four aspects:
Attack Surface Reduction: Least privileged access
The principle of least-privilege access dictates that every user account should be able to access only the resources it needs to perform its duties, with no excessive access rights beyond that. Even if such an account is compromised, the adversary can reach only a limited number of resources.
Attack Prevention (i): Privileged access protection
Privileged accounts are among the most targeted entities, because their access rights often span every machine and application in the environment. It is therefore imperative for security teams to enforce proactive measures that prevent adversaries from using them for malicious access.
Attack Prevention (ii): Multi-Factor Authentication (MFA)
The tested and proven control against the use of compromised credentials is MFA, which can block the large majority of account-takeover attempts (commonly cited figures exceed 99%). When implemented comprehensively, MFA largely neutralizes the risk of compromised credentials, since a username and password alone no longer suffice to reach a resource; gaps in coverage (resources or protocols that MFA is not applied to) are where the residual risk lives.
Attack Detection: Domain Controller (DC) monitoring
The DC is the nerve center of the on-prem environment and of the hybrid cloud workloads that depend on it, and in practice it is a target in almost every intrusion, because dominating it gives adversaries unrestricted access to any resource they desire. Circling back to the ransomware example, it is the DC compromise that enables ransomware actors to distribute the encryption payload across the entire environment. Hence, the ability to monitor DC authentication activity and spot anomalies that indicate malicious activity, such as one account suddenly reaching many hosts, or a service account being used from a machine it never came from before, is of utmost importance.
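The following is an added illustration of what "spotting anomalies in DC activity" can mean in practice; it is example code written for this page, not Silverfort's product logic. It runs two simple rules over a constructed set of simplified DC authentication events (fields modelled loosely on Windows Security events 4768/4769/4624: timestamp, account, source host, target host; all account and host names are hypothetical): a fan-out rule that flags one account authenticating to an unusual number of distinct targets inside a short window (the pattern of lateral movement and ransomware spread via compromised credentials), and a baseline-drift rule that flags a service account authenticating from a source host outside its learned baseline.

```python
"""Added example, not Silverfort code: two anomaly rules over constructed
Domain Controller authentication events.

Event tuple: (iso_timestamp, account, source_host, target_host).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 5           # distinct targets reached inside one window
WINDOW = timedelta(minutes=10)  # sliding window for the fan-out rule

# Constructed "known good" events used to learn service-account baselines.
BASELINE_EVENTS = [
    ("2023-06-01T02:00:00", "svc-backup", "BKP01", "FS01"),
    ("2023-06-01T02:05:00", "svc-backup", "BKP01", "FS02"),
    ("2023-06-01T02:10:00", "svc-sql",    "SQL01", "FS01"),
]

# Constructed live events containing two anomalies (marked in comments).
LIVE_EVENTS = [
    ("2023-06-05T09:00:00", "jdoe",       "WS-ALICE", "FS01"),
    ("2023-06-05T09:01:00", "jdoe",       "WS-ALICE", "FS02"),
    ("2023-06-05T09:01:30", "jdoe",       "WS-ALICE", "SRV01"),
    ("2023-06-05T09:02:00", "jdoe",       "WS-ALICE", "SRV02"),
    ("2023-06-05T09:02:20", "jdoe",       "WS-ALICE", "SRV03"),  # 5th target -> fan-out
    ("2023-06-05T09:03:00", "jdoe",       "WS-ALICE", "SRV04"),
    ("2023-06-05T09:10:00", "svc-backup", "WS-ALICE", "FS01"),   # service account from a workstation -> drift
    ("2023-06-05T09:30:00", "svc-sql",    "SQL01",    "FS01"),   # normal
    ("2023-06-05T10:00:00", "bob",        "WS-BOB",   "FS01"),   # normal
]


def build_baseline(events):
    """Map each account seen in the baseline period to its set of source hosts.
    Only accounts present here (the service accounts) are checked for drift."""
    baseline = defaultdict(set)
    for _, account, src, _ in events:
        baseline[account].add(src)
    return dict(baseline)


def detect_baseline_drift(baseline, events):
    """Flag a baselined account authenticating from a source host it never used."""
    alerts = []
    for ts, account, src, dst in events:
        known = baseline.get(account)
        if known is not None and src not in known:
            alerts.append({"rule": "service-account-source-drift",
                           "account": account, "src": src, "dst": dst, "ts": ts})
    return alerts


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Flag an account that reaches >= threshold distinct targets within `window`."""
    per_account = defaultdict(list)
    for ts, account, _, dst in sorted(events, key=lambda e: e[0]):
        per_account[account].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for account, seq in per_account.items():
        recent = deque()  # events of this account inside the current window
        for ts, dst in seq:
            recent.append((ts, dst))
            while ts - recent[0][0] > window:
                recent.popleft()
            targets = {d for _, d in recent}
            if len(targets) >= threshold:
                alerts.append({"rule": "auth-fan-out", "account": account,
                               "targets": sorted(targets),
                               "first": recent[0][0].isoformat(),
                               "last": ts.isoformat()})
                break  # one alert per account is enough for triage
    return alerts


def run(baseline_events=BASELINE_EVENTS, live_events=LIVE_EVENTS):
    """Learn baselines, then apply both rules to the live events."""
    baseline = build_baseline(baseline_events)
    return detect_fanout(live_events) + detect_baseline_drift(baseline, live_events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Both rules are deliberately simple so that the logic is visible: in production the thresholds would be tuned per account type (a backup or scanning account legitimately fans out), the baseline would be learned over a longer period and refreshed, and the source of events would be the DC's security log or Kerberos/NTLM telemetry rather than an inline list.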
Silverfort: Address all CCOP Identity Protection Challenges with Speed and Ease
Silverfort pioneered the first purpose-built Unified Identity Protection platform, which can extend MFA to any user and resource, automate the discovery, monitoring, and protection of service accounts, and proactively prevent lateral movement and ransomware spread. Silverfort connects to all the Domain Controllers and other on-prem Identity Providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts to any resource, system, or environment.
With Silverfort, organizations can fully address all the CCOP identity requirements described above, making it an ideal first step in the CCOP compliance journey. Consolidating least-privilege access, privileged account protection, MFA, and DC monitoring in a single platform makes it possible to show distinct progress towards the CCOP resilience goals while securing the identity attack surface, which today sits at the very core of adversaries' operations.
For the full details of Silverfort's CCOP alignment, including a table listing the explicit CCOP sections to which Silverfort's protection applies, download the solution brief.