In an age when cyber threats are ever-present and evolving, organisations need robust cybersecurity strategies to safeguard their data and operations. The Australian government has recognised this and published a prioritised set of mitigation strategies to help organisations protect themselves against a range of cyber threats. Among these, the "Essential Eight" are recognised as the most effective in strengthening cybersecurity defences.
In this blog post, we’ll cover:
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), maintains a list of strategies for mitigating cybersecurity incidents, published as "Strategies to Mitigate Cyber Security Incidents". The advice draws on ASD's experience responding to cybersecurity incidents and on its vulnerability assessment and penetration testing work.
The list is divided into five categories, each with its own recommended strategies. Every strategy carries an effectiveness rating of "Essential", "Excellent", "Very Good", "Good" or "Limited", indicating its relative importance in cybersecurity defences.
The "Essential Eight" are the eight strategies rated "Essential". They focus on proactive measures that reduce vulnerabilities and limit the attack surface, and are considered the foundation of a baseline cyber defence.
There are 37 strategies in total across the five categories, each category addressing one aspect of cybersecurity. The tables below list every category and its strategies together with the ASD effectiveness rating for each.
Mitigation Strategies to Prevent Malware Delivery and Execution

| Effectiveness | Mitigation strategy |
|---|---|
| Essential | Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers. |
| Essential | Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications. |
| Essential | Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate. |
| Essential | User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers. |
| Excellent | Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified (e.g. network traffic, new or modified files, or other system configuration changes). |
| Excellent | Email content filtering. Allow only approved attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros. |
| Excellent | Web content filtering. Allow only approved types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains. |
| Excellent | Deny corporate computers direct internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server and an authenticated web proxy server for outbound web connections. |
| Excellent | Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET). |
| Very Good | Server application hardening especially internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive/high-availability) data. |
| Very Good | Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality (e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD). |
| Very Good | Antivirus software using heuristics and reputation ratings to check a file's prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers. |
| Very Good | Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G/5G devices. |
| Very Good | Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use 'hard fail' SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation's domain. |
| Good | User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services. |
| Limited | Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers. |
| Limited | TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted. |
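The "Block spoofed emails" row asks for two concrete DNS artefacts: an SPF record that ends in a hard-fail `-all`, and a DMARC record whose policy actually enforces (p=reject). As an added example, not part of the ASD advisory or of this post's original content, the PowerShell below grades records against those requirements. The record strings in `$samples` are constructed for illustration and belong to no real domain; `Test-SpoofingControls` is the live variant and assumes the host can resolve DNS with the Windows `Resolve-DnsName` cmdlet.

```powershell
# Added example: grade SPF and DMARC records for the 'block spoofed emails' mitigation.
# Test-SpfRecord / Test-DmarcRecord work on plain record strings (offline);
# Test-SpoofingControls looks the records up live with Resolve-DnsName.

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $terms = $Record.Trim() -split '\s+'
    if ($terms[0] -ne 'v=spf1') {
        return [pscustomobject]@{ Record = $Record; Verdict = 'FAIL'; Reason = 'not an SPF record' }
    }
    # The last 'all' term decides what happens to senders no earlier mechanism matched.
    $all = @($terms | Where-Object { $_ -match '^[-~?+]?all$' }) | Select-Object -Last 1
    if (-not $all) { $all = '' }
    # RFC 7208 allows at most 10 DNS-querying mechanisms/modifiers per evaluation.
    $lookups = @($terms | Where-Object {
        $_ -match '^[-~?+]?(include:|a(/|:|$)|mx(/|:|$)|ptr|exists:)|^redirect=' }).Count
    $verdict, $reason = switch -Regex ($all) {
        '^-all$'   { 'PASS', 'hard fail (-all): unlisted senders are rejected' }
        '^~all$'   { 'WARN', 'soft fail (~all): unlisted senders are only marked' }
        '^\?all$'  { 'FAIL', 'neutral (?all): no protection' }
        '^\+?all$' { 'FAIL', '+all: every sender passes' }
        default    { 'FAIL', 'no all mechanism: unlisted senders are treated as neutral' }
    }
    if ($lookups -gt 10) { $verdict = 'FAIL'; $reason += "; $lookups DNS lookups exceeds the limit of 10 (permerror)" }
    [pscustomobject]@{ Record = $Record; Verdict = $verdict; Reason = $reason }
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') {
        return [pscustomobject]@{ Record = $Record; Verdict = 'FAIL'; Reason = 'not a DMARC record' }
    }
    $policy    = [string]$tags['p']
    $subPolicy = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $policy }   # sp defaults to p
    $pct       = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 } # pct defaults to 100
    $verdict = switch ($policy) { 'reject' { 'PASS' } 'quarantine' { 'WARN' } default { 'FAIL' } }
    $reason  = "p=$policy, sp=$subPolicy, pct=$pct"
    if ($subPolicy -eq 'none' -and $verdict -ne 'FAIL') { $verdict = 'WARN'; $reason += '; subdomains unprotected' }
    if ($pct -lt 100 -and $verdict -eq 'PASS') { $verdict = 'WARN'; $reason += '; policy applied to only part of the mail' }
    if (-not $tags.ContainsKey('rua')) { $reason += '; no rua= aggregate reporting address' }
    [pscustomobject]@{ Record = $Record; Verdict = $verdict; Reason = $reason }
}

function Get-TxtRecord {
    param([Parameter(Mandatory)][string]$Name, [string]$Prefix)
    # Long TXT records arrive split into 255-byte chunks that must be re-joined.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like "$Prefix*" }
}

function Test-SpoofingControls {
    param([Parameter(Mandatory)][string]$Domain)
    $spf   = @(Get-TxtRecord -Name $Domain -Prefix 'v=spf1')
    $dmarc = @(Get-TxtRecord -Name "_dmarc.$Domain" -Prefix 'v=DMARC1')
    $spfResult = switch ($spf.Count) {
        0       { [pscustomobject]@{ Record = ''; Verdict = 'FAIL'; Reason = 'no SPF record published' } }
        1       { Test-SpfRecord $spf[0] }
        default { [pscustomobject]@{ Record = ($spf -join ' | '); Verdict = 'FAIL'; Reason = 'multiple SPF records (permerror)' } }
    }
    $dmarcResult = if ($dmarc.Count -eq 1) { Test-DmarcRecord $dmarc[0] }
                   else { [pscustomobject]@{ Record = ''; Verdict = 'FAIL'; Reason = "$($dmarc.Count) DMARC records found (need exactly 1)" } }
    foreach ($r in @(@{ Check = 'SPF'; R = $spfResult }, @{ Check = 'DMARC'; R = $dmarcResult })) {
        [pscustomobject]@{ Domain = $Domain; Check = $r.Check; Verdict = $r.R.Verdict; Reason = $r.R.Reason; Record = $r.R.Record }
    }
}

# Constructed sample records (no real domain's data) exercising the grading logic.
$samples = @(
    'v=spf1 mx include:_spf.mail.example -all'
    'v=spf1 a mx include:spf.protection.example ~all'
    'v=spf1 +all'
    'v=DMARC1; p=reject; rua=mailto:dmarc@example.test'
    'v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.test'
    'v=DMARC1; p=none'
)
$samples | ForEach-Object {
    if ($_ -like 'v=spf1*') { Test-SpfRecord $_ } else { Test-DmarcRecord $_ }
} | Format-Table Verdict, Reason, Record -AutoSize -Wrap

# Live check of your own domain (needs DNS access):
# Test-SpoofingControls -Domain 'example.com' | Format-Table -AutoSize -Wrap
```

Of the samples, only the first SPF record and the first DMARC record earn a PASS; `~all`, `p=quarantine` and `pct=50` each downgrade to WARN because they leave spoofed mail deliverable, and `+all` or `p=none` offer no protection at all.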
Mitigation Strategies to Limit the Extent of Cyber Security Incidents

| Effectiveness | Mitigation strategy |
|---|---|
| Essential | Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing. |
| Essential | Patch operating systems. Patch/mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions. |
| Essential | Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. |
| Excellent | Disable local administrator accounts or assign passphrases that are random and unique for each computer's local administrator account to prevent propagation using shared local administrator credentials. |
| Excellent | Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance (e.g. BYOD and IoT). Restrict access to network drives and data repositories based on user duties. |
| Excellent | Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Windows Defender Credential Guard. Change default passphrases. Require long complex passphrases. |
| Very Good | Non-persistent virtualised sandboxed environment, denying access to important (sensitive/high-availability) data, for risky activities (e.g. web browsing, and viewing untrusted Microsoft Office and PDF files). |
| Very Good | Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default (e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic). |
| Very Good | Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default. |
| Very Good | Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns. |
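Several rows in this table name specific Windows settings: WDigest (KB2871997), CPassword values in Group Policy Preferences (MS14-025), Credential Guard, and unique per-computer local administrator passphrases. The PowerShell below is an added, read-only audit of those settings; it is not from the ASD advisory or this post. It assumes a Windows 10/11 or Server 2016+ host, an elevated session, and (for the SYSVOL search) a domain-joined machine with the default `\\<domain>\SYSVOL\<domain>\Policies` layout; the LAPS registry locations are the Windows LAPS and legacy LAPS policy paths.

```powershell
# Added example: audit the credential-protection and privilege settings the table calls for.
# Read-only; run elevated on a Windows 10/11 or Server 2016+ host.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

function Test-CredentialProtection {
    # WDigest (KB2871997): UseLogonCredential=0 stops LSASS caching plaintext passwords.
    $wdigest = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    if ($wdigest -eq 0)     { New-Finding 'WDigest' 'PASS' 'UseLogonCredential=0 (plaintext caching disabled)' }
    elseif ($wdigest -eq 1) { New-Finding 'WDigest' 'FAIL' 'UseLogonCredential=1 keeps plaintext credentials in LSASS' }
    else                    { New-Finding 'WDigest' 'WARN' 'UseLogonCredential not set; set it to 0 explicitly' }

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg -and ($dg.SecurityServicesRunning -contains 1)) { New-Finding 'Credential Guard' 'PASS' 'running' }
    else { New-Finding 'Credential Guard' 'FAIL' 'not running; enable it on supported hardware via Group Policy or Intune' }
}

function Test-GroupPolicyPreferencePasswords {
    # Assumption: default SYSVOL layout of a domain-joined host.
    param([string]$SysvolPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    if (-not $env:USERDNSDOMAIN -or -not (Test-Path $SysvolPath)) {
        return New-Finding 'GPP cpassword (MS14-025)' 'SKIP' "SYSVOL not reachable at $SysvolPath"
    }
    # Non-empty cpassword attributes are decryptable with Microsoft's published AES key.
    $hits = Get-ChildItem -Path $SysvolPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Select-String -Pattern 'cpassword="[^"]+"' -List
    if ($hits) { New-Finding 'GPP cpassword (MS14-025)' 'FAIL' ('found in: ' + (($hits.Path | Select-Object -Unique) -join ', ')) }
    else       { New-Finding 'GPP cpassword (MS14-025)' 'PASS' 'no cpassword values in Group Policy Preference XML' }
}

function Test-LocalAdministrators {
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    $names   = @($members | ForEach-Object { $_.Name })
    # Broad groups in Administrators defeat 'restrict administrative privileges based on user duties'.
    $broad   = @($names | Where-Object { $_ -match '\\(Domain Users|Everyone|Authenticated Users|Users)$' })
    $status  = if ($broad.Count -gt 0) { 'FAIL' } else { 'PASS' }
    New-Finding 'Local Administrators' $status "$($names.Count) member(s): $($names -join ', ')"

    # The built-in Administrator account always has RID 500, whatever it has been renamed to.
    $builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtin.Enabled) { New-Finding 'Built-in Administrator' 'WARN' "'$($builtin.Name)' is enabled; disable it or manage its passphrase with LAPS" }
    else                  { New-Finding 'Built-in Administrator' 'PASS' "'$($builtin.Name)' is disabled" }
}

function Test-LocalAdminPasswordSolution {
    # Windows LAPS (BackupDirectory 1 = Entra ID, 2 = Active Directory) or legacy LAPS (AdmPwdEnabled=1).
    $winLaps = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' 'BackupDirectory'
    $legacy  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' 'AdmPwdEnabled'
    if (($winLaps -in @(1, 2)) -or ($legacy -eq 1)) { New-Finding 'Unique local admin passphrase' 'PASS' 'LAPS policy present' }
    else { New-Finding 'Unique local admin passphrase' 'WARN' 'no LAPS policy found; shared local admin passphrases enable lateral movement' }
}

$report = @(
    Test-CredentialProtection
    Test-GroupPolicyPreferencePasswords
    Test-LocalAdministrators
    Test-LocalAdminPasswordSolution
)
$report | Format-Table Control, Status, Detail -AutoSize -Wrap
```

The script reports rather than remediates, so it can be run against a fleet through your management tooling and the results diffed over time; anything marked FAIL corresponds directly to a sentence in the "Protect authentication credentials", "Disable local administrator accounts" or "Restrict administrative privileges" rows above.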
Mitigation Strategies to Detect Cyber Security Incidents and Respond

| Effectiveness | Mitigation strategy |
|---|---|
| Excellent | Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of allowed and denied computer events, authentication, file access and network activity. |
| Very Good | Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution (e.g. process injection, keystroke logging, driver loading and persistence). |
| Very Good | Endpoint detection and response software on all computers to centrally log system behaviour and facilitate cyber security incident response activities. Microsoft's free Sysmon tool is an entry level option. |
| Very Good | Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise. |
| Limited | Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. |
| Limited | Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis. |
Mitigation Strategies to Recover Data and System Availability

| Effectiveness | Mitigation strategy |
|---|---|
| Essential | Regular backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. |
| Very Good | Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover. |
| Very Good | System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts. |
Mitigation Strategy Specific to Preventing Malicious Insiders

| Effectiveness | Mitigation strategy |
|---|---|
| Very Good | Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties. |
The "Essential Eight" are the strategies rated "Essential" in ASD's list of mitigation strategies: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication and regular backups. ASD considers these eight the most important strategies for organisations to implement; they are practical and proven to be effective in mitigating cybersecurity risks. The rest of this post looks at how to plan and verify their implementation in your organisation.
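Four of the Essential Eight (application control, patching applications, Office macro settings and user application hardening) have a directly observable state on every Windows endpoint. The PowerShell below is an added example, not from the ASD advisory or this post, that reads that state without changing anything. It assumes Office 2016 or later (the `16.0` policy hive), that macro and OLE settings are delivered as Group Policy under `HKCU:\Software\Policies`, and that AppLocker or WDAC is the application control mechanism; the 30-day patch-age threshold is this example's own heuristic, not an ASD figure.

```powershell
# Added example: read-only check of the four Essential Eight controls aimed at malware
# delivery and execution, on a Windows 10/11 host. Run as the user whose Office policy
# you want to inspect (HKCU) in an elevated session (AppLocker/WDAC/hotfix queries).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding {
    param([string]$Control, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Control = $Control; Status = $Status; Detail = $Detail }
}

function Test-OfficeMacroSettings {
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $policy = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $block  = Get-RegValue $policy 'blockcontentexecutionfrominternet'  # 1 = block macros in files from the internet
        $vba    = Get-RegValue $policy 'VBAWarnings'                         # 3 = only signed macros run, 4 = all macros disabled
        $ole    = Get-RegValue $policy 'PackagerPrompt'                      # 2 = OLE packages do not execute (user application hardening)
        $status = if ($block -eq 1 -and $vba -in @(3, 4)) { 'PASS' } else { 'FAIL' }
        New-Finding "$app macros" $status "blockcontentexecutionfrominternet=$block VBAWarnings=$vba (policy values; blank = not enforced)"
        $status = if ($ole -eq 2) { 'PASS' } else { 'WARN' }
        New-Finding "$app OLE packages" $status "PackagerPrompt=$ole (2 = no prompt, object will not execute)"
    }
}

function Test-ApplicationControl {
    # AppLocker: one effective rule collection per type (Exe, Dll, Script, Msi, Appx) with its enforcement mode.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $enforced = 0
    foreach ($c in @($policy.RuleCollections)) {
        $mode = [string]$c.EnforcementMode   # Enabled, AuditOnly or NotConfigured
        $status = switch ($mode) { 'Enabled' { 'PASS' } 'AuditOnly' { 'WARN' } default { 'FAIL' } }
        if ($mode -eq 'Enabled') { $enforced++ }
        New-Finding "AppLocker $($c.RuleCollectionType)" $status "enforcement mode: $mode"
    }
    # WDAC: user-mode code integrity status from Win32_DeviceGuard (0 = off, 1 = audit, 2 = enforced).
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $umci = if ($dg) { $dg.UsermodeCodeIntegrityPolicyEnforcementStatus } else { $null }
    if ($umci -eq 2)     { New-Finding 'WDAC' 'PASS' 'user-mode code integrity policy enforced' }
    elseif ($umci -eq 1) { New-Finding 'WDAC' 'WARN' 'user-mode code integrity policy in audit mode only' }
    if ($enforced -eq 0 -and $umci -ne 2) {
        New-Finding 'Application control' 'FAIL' 'neither an enforced AppLocker collection nor WDAC enforcement is active'
    }
}

function Test-PatchFreshness {
    # Assumption: a host with no update in 30 days has likely missed a monthly cumulative update.
    # Get-HotFix sees only Windows updates, so browsers, Java, PDF viewers etc. need their own inventory.
    param([int]$MaxDays = 30)
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $latest) { return New-Finding 'Patching' 'FAIL' 'Get-HotFix returned no dated updates' }
    $age    = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $status = if ($age -le $MaxDays) { 'PASS' } else { 'WARN' }
    New-Finding 'Patching' $status "latest Windows update $($latest.HotFixID) installed $age day(s) ago; 'extreme risk' vulnerabilities must be patched within 48 hours"
}

$report = @(
    Test-ApplicationControl
    Test-PatchFreshness
    Test-OfficeMacroSettings
)
$report | Format-Table Control, Status, Detail -AutoSize -Wrap
```

Because the macro and OLE checks read the `Policies` hive, a blank value means the setting is simply not enforced centrally, even if a user has chosen a safe option in the Trust Center; for the Essential Eight that distinction matters, since user-changeable settings do not count as a control.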
The Essential Eight Maturity Model (E8MM) defines four maturity levels, Maturity Level Zero through Maturity Level Three, designed to assess and guide the implementation of the Essential Eight.
When implementing the Essential Eight, organisations should identify and plan for a target maturity level suitable for their environment. Organisations should then progressively implement each maturity level until that target is achieved.
The E8MM is regularly updated based on the latest findings from the ASD’s cyber threat intelligence and incident response activities, ensuring it stays relevant to the evolving tactics of cyber attackers.
Organisations are advised to work from the most recent version of the E8MM, since older versions were written against earlier attacker techniques and may no longer provide effective protection.
To decide which maturity level to target, an organisation should evaluate how attractive it is to cyber attackers and the potential impact a cyber security breach would have on it.
Generally speaking, ASD suggests that small businesses with low-risk profiles aim for Maturity Level One, medium-sized businesses with moderate risk profiles target Maturity Level Two, and larger organisations or those with high-risk profiles should strive for Maturity Level Three.
ASD encourages organisations to aim for the highest level of maturity they can achieve. In addition, regular assessments and updates are recommended to maintain or improve their maturity level, especially in response to the evolving cyber threat landscape.
When implementing the mitigation strategies, ASD suggests that organisations apply them first to high-risk users and computers, such as those with access to important (sensitive or high-availability) data and those exposed to untrusted internet content, and then roll them out to all remaining users and computers.
Organisations should also perform hands-on testing to verify the effectiveness of their implementation of mitigation strategies.
Did you know that security awareness training and a policy management tool can make implementing these mitigation strategies considerably easier? Security awareness training equips employees with the knowledge and skills to act as a first line of defence against cyber threats, while a policy management tool ensures that cybersecurity policies are effectively developed, managed and adhered to across the organisation. Here are the main benefits you could get from employing these tools.
The above are just a few of the many benefits that security awareness training and a policy management tool can bring you. Take a look at our blog to learn how usecure could help you navigate regulations and standards around the world. Watch a demo to learn more about how our products can help you implement the strategies suggested by the ASD. Get in touch with us now and kick-start your 14-day free trial today!