Over the last couple of years, working with Australian customers and partners has given me the chance to evaluate and understand the ASD Essential 8 controls in Australia.
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations protect themselves against various cyber threats. The most effective of these mitigation strategies are the Essential Eight.
The Essential Eight has been designed to protect organisations’ internet-connected information technology networks. While the principles behind the Essential Eight may be applied to enterprise mobility and operational technology networks, it was not designed for such purposes and alternative mitigation strategies may be more appropriate to defend against unique cyber threats to these environments.
Below is a gist of the controls or mitigation strategies. The Essential 8 controls cover 8 areas, with increasing levels of maturity, to harden operating systems and software and so improve the cyber defense of the organization.
- patch applications
- patch operating systems
- multi-factor authentication
- restrict administrative privileges
- application control
- restrict Microsoft Office macros
- user application hardening
- regular backups.
Implementation
To begin, I must admit that most implementation strategies are very Microsoft-centric. To aid organizations in implementing the Essential Eight, a framework has been devised that delineates four maturity levels, denoted as Maturity Level Zero through Maturity Level Three. These maturity levels, excluding Level Zero, are structured around the mitigation of escalating degrees of tradecraft, encompassing tools, tactics, techniques, and procedures. The nuanced discussion of these tradecraft levels follows below. The maturity levels account for varying levels of sophistication in malicious actors’ strategies, adapting to the dynamic nature of cyber threats.
Maturity Level Zero
This level signifies that there are no Essential 8 mitigation strategies in place and that the organization is easily exploitable.
Maturity Level One
The focus of this maturity level is malicious actors who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, a system.
Maturity Level Two
The focus of this maturity level is malicious actors operating with a modest step-up in capability from the previous maturity level. These malicious actors are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools.
Maturity Level Three
The focus of this maturity level is malicious actors who are more adaptive and much less reliant on public tools and techniques. These malicious actors are able to exploit the opportunities provided by weaknesses in their target’s cyber security posture, such as the existence of older software or inadequate logging and monitoring.

