Resolving the Identity Protection Gaps in APRA’s Resilience Assessment’s Findings 


The Australian Prudential Regulation Authority (APRA) recently published findings from a study examining the level of cybersecurity resilience of its regulated entities, which revealed an alarming number of security gaps. In this blog we take a look at the identity protection aspects of these gaps, and discuss how identity and security teams can assess their identity security posture within the context of APRA’s findings and then take action to address their own resilience to identity threats. Every APRA-detected gap is complemented with its identity protection implication and followed by an internal assessment question. 

Additionally, we introduce Silverfort’s Unified Identity Protection platform, showing how it can enable APRA-regulated entities to resolve the identity protection element of these gaps to ensure they maintain the highest level of resilience to identity threats. 

Gap No. 1: Identification and Classification of Information Assets – Identification of All User Accounts 

Identity protection assessment question: Have I identified all internal and external user accounts that have access to critical information resources? 

Why does it matter? 

In the context of identity protection, user accounts are the attack surface that must be guarded: if adversaries manage to compromise their credentials, they can easily access resources and cause heavy damage. Thus the most fundamental task is to ensure that each user account is known and monitored. This includes standard and administrative users, but also machine-to-machine service accounts and any third-party contractors that have access to the entity’s environment. 

Gap No. 2: Information Security Controls of Third Parties - Enforcement of Secure Authentication 

Identity protection assessment question: Do I have strong secure authentication in place for third-party contractors that have access to my internal resources? 

Why does it matter? 

Adversaries target third-party supply chains because they (rightfully) assume this to be the weakest link in an organization’s protection stack. The identity protection aspect here relates to the organization’s ability to enforce secure authentication on its supply chain ecosystem and ensure it can validate that the user requesting access is indeed the contractor itself and not an adversary who has managed to compromise the contractor’s credentials. 

Gap No. 3: Control Testing Programs Including Lateral Movement in Red Team Assessments 

Identity protection assessment question: Do I have resilience-testing programs in my environment (i.e., Red Team) that include using compromised credentials to access resources? 

Why does it matter? 

During a cyberattack, the phase where an adversary begins to move laterally in the environment is the X factor that transforms a local event into an organization-level incident. If the purpose of the attack is ransomware, then the difference is being able to encrypt multiple machines rather than just a single one. If it’s data theft, lateral movement is where the attacker manages to make their way from the “patient zero” machine to a targeted resource where sensitive data resides. This makes incorporating lateral movement into resilience testing critically important. 

Gap No. 4: Incident Response Plans – Comprehensive Insight into User Authentication Trails 

Identity protection assessment question: Does my forensic visibility stack include the ability to easily view and analyze all users’ authentications and access attempts to be able to track an adversary’s path across my environment? 

Why does it matter? 

The core part of a response process is being able to trace the full path of attacks, from initial access to target actions, so that every instance of malicious activity and presence can be identified and removed. On the identity side of this investigation, it’s the ability to see the movement of user accounts across machines, identify the exact point where they were compromised, and spot the malicious techniques involved in the attack. This cannot be achieved unless there’s a central hub where all authentications and access attempts are aggregated. 

Gap No. 5: Internal Audit Reviews of Information Security Controls – Actual Coverage Provided by MFA and PAM 

Identity protection assessment question: Do my internal security audits involve checking the scope of identity protection measures (e.g. MFA, PAM, risk-based authentication, etc.) including coverage and actual use? 

Why does it matter? 

At the end of the day, the security controls in place make the difference between a failed attack attempt and a successful breach. Moreover, it’s not enough to just have security solutions in place; their level of coverage and correct use must also be ensured. For example, MFA that is enforced on admins only leaves regular domain users exposed. Likewise, MFA that in theory applies to all users but is not fully in use because of workforce objections reveals a similar gap. Furthermore, MFA protection on RDP access without similar coverage for command-line access is also not enough. Identity protection controls can only achieve real-time protection if they are deployed in a comprehensive manner and cover the entire workforce and all resources. 
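To make the coverage question concrete, here is an added example, written for this post and not Silverfort’s code or anything taken from APRA’s report, of the kind of audit script an internal review could run. A constructed account inventory covering standard, admin, service and contractor accounts (the population Gap 1 asks you to enumerate) is checked against a constructed MFA policy per access method, and each account/method pair is classified as protected, not enforced by policy, enrolled-but-unused, or not applicable (service accounts, which cannot complete an interactive MFA prompt and need a separate control). The account names, access-method labels and both policy tables are assumptions for illustration only.

```python
"""Audit MFA coverage per account and access method.
Added example, not Silverfort's code; all inventory and policy data is constructed."""
from collections import defaultdict

# Constructed inventory: every account that can reach internal resources,
# including the service accounts and third-party contractors Gap 1 calls out.
ACCOUNTS = [
    {"name": "alice",        "type": "admin",      "enrolled_mfa": True},
    {"name": "bob",          "type": "standard",   "enrolled_mfa": False},
    {"name": "carol",        "type": "standard",   "enrolled_mfa": True},
    {"name": "svc-backup",   "type": "service",    "enrolled_mfa": False},
    {"name": "ext-vendor01", "type": "contractor", "enrolled_mfa": True},
]

ACCESS_METHODS = ["rdp", "cli", "vpn"]   # assumed labels; "cli" = PsExec/WinRM/SSH-style access

# Constructed policies: the set of account types MFA is enforced for, per access method.
# WEAK_POLICY is the "admins only" and "RDP but not command line" pattern the post describes.
WEAK_POLICY = {
    "rdp": {"admin"},
    "cli": set(),
    "vpn": {"admin"},
}
STRONG_POLICY = {
    "rdp": {"admin", "standard", "contractor"},
    "cli": {"admin", "standard", "contractor"},
    "vpn": {"admin", "standard", "contractor"},
}


def audit_mfa_coverage(accounts, policy, methods=ACCESS_METHODS):
    """Return {(account_name, method): status} with status one of
    'protected', 'not_enforced' (policy gap), 'not_enrolled' (configured but not in use)
    or 'mfa_not_applicable' (service account; needs monitoring/access restriction instead)."""
    result = {}
    for acct in accounts:
        for method in methods:
            key = (acct["name"], method)
            if acct["type"] == "service":
                result[key] = "mfa_not_applicable"
            elif acct["type"] not in policy.get(method, set()):
                result[key] = "not_enforced"
            elif not acct["enrolled_mfa"]:
                result[key] = "not_enrolled"
            else:
                result[key] = "protected"
    return result


def coverage_summary(audit):
    """Coverage percentage over pairs where MFA applies, plus the gap lists an auditor needs."""
    applicable = {k: s for k, s in audit.items() if s != "mfa_not_applicable"}
    protected = sum(1 for s in applicable.values() if s == "protected")
    gaps = defaultdict(list)
    for key, status in applicable.items():
        if status != "protected":
            gaps[status].append(key)
    return {
        "coverage_pct": round(100 * protected / len(applicable), 1) if applicable else 0.0,
        "not_enforced": sorted(gaps["not_enforced"]),
        "not_enrolled": sorted(gaps["not_enrolled"]),
        "service_accounts": sorted({k[0] for k, s in audit.items() if s == "mfa_not_applicable"}),
    }


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(label, coverage_summary(audit_mfa_coverage(ACCOUNTS, policy)))
```

Running the script with the weak policy reports only alice’s RDP and VPN access as protected and every other account/method pair as a policy gap; with the strong policy the remaining gaps are bob’s unenrolled MFA on all three methods and the service account that needs a control of its own. That split (policy gap versus enrolment gap versus not applicable) is what an audit needs to record, because each is fixed by a different team.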

Gap No. 6: Notification of Material Incidents and Control Weaknesses – Identity Threat Detection  

Identity protection assessment question: Can I easily identify and scope identity protection weaknesses and incidents in my environments? 

Why does it matter? 

Detection of an active identity-based attack can be a complicated challenge. Unlike malware, which leaves distinct forensic artifacts on compromised endpoints, identity threats are just a sequence of authentications. Moreover, determining that an account was compromised means an immediate reset or even the disabling of that account, making false positives a high concern. 
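Both the forensic trail Gap 4 asks for and the detection problem in Gap 6 start from the same thing: all authentications aggregated in one place. The following added example, written for this post and not Silverfort’s code, shows over a constructed set of normalized authentication records from several sources how to reconstruct an account’s hop-by-hop path between hosts for an investigation, and how a per-account baseline plus a threshold on newly reached hosts keeps a lateral-movement detector from firing on every one-off unusual access. The hostnames, account names, record format, baseline and thresholds are all assumptions for illustration.

```python
"""Aggregate authentication records, trace an account's path, and flag fan-out.
Added example, not Silverfort's code; every record and host below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized records collected from a domain controller,
# a file server and a jump host into one central list.
# Format: timestamp|account|source_host|destination_host|protocol|result
RAW_EVENTS = """\
2024-03-01T09:00:00|alice|WS-ALICE|FS01|kerberos|success
2024-03-01T09:05:00|alice|WS-ALICE|FS01|kerberos|success
2024-03-01T10:00:00|bob|WS-BOB|FS01|kerberos|success
2024-03-01T10:30:00|bob|WS-BOB|PRINT01|kerberos|success
2024-03-01T22:10:00|alice|WS-ALICE|SRV-HR01|ntlm|success
2024-03-01T22:11:00|alice|SRV-HR01|SRV-FIN01|ntlm|success
2024-03-01T22:12:00|alice|SRV-FIN01|DC01|ntlm|failure
2024-03-01T22:12:30|alice|SRV-FIN01|DC01|ntlm|success
2024-03-01T22:13:00|alice|SRV-FIN01|SRV-BACKUP|ntlm|success
"""

# Constructed baseline: hosts each account normally reaches. In practice this is
# learned from weeks of history; here it is hard-coded for the example.
BASELINE = {"alice": {"FS01"}, "bob": {"FS01", "PRINT01"}}


def parse_events(text):
    """Turn the pipe-delimited records into dicts, sorted by time regardless of source."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, proto, result = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "proto": proto, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def account_path(events, account):
    """Ordered hops (time, src, dst, protocol, result) for one account:
    the trail an investigator follows from patient zero to the target."""
    return [(e["ts"].isoformat(), e["src"], e["dst"], e["proto"], e["result"])
            for e in events if e["account"] == account]


def detect_fan_out(events, baseline, window=timedelta(minutes=10), min_new_hosts=3):
    """Flag an account that successfully reaches at least min_new_hosts destinations
    outside its baseline within `window`. The baseline and the threshold are the
    false-positive controls: an admin touching one unusual server does not fire."""
    by_account = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["dst"] not in baseline.get(e["account"], set()):
            by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():          # evs is already time-ordered
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= min_new_hosts:
                alerts.append({"account": account,
                               "first_seen": start["ts"].isoformat(),
                               "patient_zero": start["src"],
                               "hosts": sorted(hosts)})
                break                                 # one alert per account is enough
    return alerts


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    for alert in detect_fan_out(evs, BASELINE):
        print("ALERT", alert)
        for hop in account_path(evs, alert["account"]):
            print("  ", hop)
```

On the constructed data the detector fires once, for alice: four hosts outside her baseline reached from WS-ALICE within three minutes, late at night, over NTLM, with one failed attempt against DC01 before the successful one. bob’s two logons stay inside his baseline and produce nothing. The path listing then gives the responder the hop order (WS-ALICE to SRV-HR01 to SRV-FIN01 to DC01 and SRV-BACKUP), which is the information needed to decide where the credential was taken and which hosts to contain.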

The Silverfort Platform: Real-time Protection Against Identity Threats 

Silverfort has pioneered the first purpose-built Unified Identity Protection platform that can extend MFA to any user and resource, automate the discovery, monitoring, and protection of service accounts, and proactively prevent lateral movement and ransomware spread attacks.  

Silverfort connects to all domain controllers and other on-prem identity providers (IdPs) in the environment for continuous monitoring, risk analysis, and access policy enforcement on every authentication and access attempt made by users, admins, or service accounts to any user, system, and environment. 

Resolve Every APRA-Detected Gap with Silverfort 

In the context of APRA’s detected gaps, Silverfort enables identity and security teams to address all of them. Silverfort’s integration with all IdPs in the environment provides 100% visibility into every user authentication and access attempt. Its agentless architecture makes it easy to enforce MFA on third-party access, and its MFA can cover all resources and access methods (including legacy apps and command-line access) as well as privileged account protection, providing the highest resilience against malicious use of compromised credentials. Silverfort’s risk engine is purpose-built to detect identity threats, from Brute Force to Pass-the-Hash and other techniques, and its detailed authentication logs provide clear insight into all users’ authentication and access attempts. 

Want to increase your resilience to identity threats and align with APRA’s best practices? Schedule a call with one of our experts. 
