The Essential 8 (E8) is a prioritised subset of 'Strategies to Mitigate Cyber Security Incidents', outlining the eight most essential mitigation strategies. Exercise due diligence before purchasing EDR software, especially due to the rapid innovation being performed by startup companies, and assess: Some vendor EDR software products have additional functionality to assist with preventing cyber security incidents, covering other mitigation strategies such as application control, host-based intrusion detection/prevention systems and application sandboxing/containerisation [43]. When a targeted cyber intrusion is identified, it needs to be understood to a reasonable extent prior to remediation. Use the latest version of operating systems since they typically incorporate additional security technologies such as anti-exploitation capabilities. Deploying application control is easier if the organisation has detailed visibility of what software is installed on computers. Microsoft’s free Sysmon tool is an entry-level option [42]. How do I measure my business’s implementation? This baseline has been created to allow organisations… This is an efficient and effective way for companies to access a CISO-like capability without having an in-house CISO. Security Control: 1542; Revision: 0; Updated: Jan-19; Applicability: O, P, S, TS. customer, finance, human resources and other data storage systems). A common method of executing malicious code on a victim machine is to attach a Word document with malicious code that executes through macros, often with filenames such as ‘invoice’ and, recently, ‘COVID-19’. Web browsers are configured to block Java from the internet. Further guidance is available at
A NIDS/NIPS correctly configured with up-to-date signatures and supported by appropriate processes can provide some assistance with identifying cyber security incidents.
Developing and implementing an incident response capability requires support from technical staff and business representatives, including data owners, corporate communications, public relations and legal staff. Host-based intrusion detection/prevention system (HIDS/HIPS) to identify anomalous behaviour during program execution (e.g. process injection, keystroke logging, driver loading and persistence). This is becoming a mandatory accreditation for companies to be part of a supply chain. Every day new vulnerabilities and exploits are uncovered and software vendors are continuously issuing patches to … Metadata relating to network connections, including network packet headers, can complement logging and consumes less storage space than network packets. Use a 64-bit version of Microsoft Windows instead of a 32-bit version, since the 64-bit version contains additional security technologies. Australian Government policy on personnel security is available at:
The cost to implement such controls is significantly lower on average than the cost to recover from a cyber security incident. Of the more than 2 million businesses in Australia, fewer than 100 have appointed a CISO. Ensure that Microsoft patch MS14-025 (CVE-2014-1812) has been applied. A limited number of ransomware variants have cryptographic weaknesses or their master decryption key has been disclosed, enabling files to be decrypted in limited cases using free tools [9]. The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations’ systems. Mitigations for this include using multi-factor authentication for all user logins including corporate computers in the office, or ensuring that user passphrases for remote access are different to passphrases used for corporate computers in the office.
However, to prevent and automatically detect an attempted compromise, implementing a technical mitigation strategy (such as application control configured to log and report violations) is preferable to relying on user education. Quarantine Microsoft Office macros. Implementing application control on important servers such as Active Directory, email servers, and other servers handling user authentication can help prevent adversaries from running malware that obtains passphrase hashes or otherwise provides adversaries with additional privileges. enables the sandbox to be customised to match the operating systems, applications and configuration settings of computers used throughout the organisation. performing malicious actions only if specific conditions are met, for example after a period of time or specified date has elapsed, after the user has interacted with the computer such as clicked a mouse button, or if the malware considers the computer to be a real user’s computer and not a virtual machine or honeypot. Jump servers should be closely monitored, be well secured, limit which users and network devices are able to connect to them, and typically have no internet access.
the organisation has already implemented mitigation strategies that have higher security effectiveness including ‘Continuous incident detection and response’, and leverages logs and threat intelligence already available to the organisation,
the organisation has the staff resources and the IT infrastructure capability to consume and action the threat intelligence,
the threat intelligence consists of more than simply domains, IP addresses, file hashes and other indicators of compromise which are similar to reactive signatures and have little relevance if changed regularly or per victim,
the threat intelligence has context and ideally is tailored to the organisation (or at least to their business sector/industry) to provide a high signal-to-noise ratio with negligible false positives.
Adversaries typically access details such as the organisation hierarchy, usernames and passphrases including remote access credentials, as well as system data including configuration details of computers and the network. Also focus on abnormal external network traffic crossing perimeter boundaries such as:
Analyse and action real-time log alerts generated by file activity monitoring tools to identify suspicious rapid and numerous file changes reflecting unapproved data deletion or modification such as encryption. This enabled the organisation to take action by identifying which employees had access to such data, double-checking that their user computers had already implemented key mitigation strategies, verifying that email content filtering would block such emails, and increasing logging and focusing on analysing logs associated with these employees. Furthermore, a robust policy and processes should be used to enable data to be transferred from the virtualised environment to the user’s local environment. Organisations need to verify the effectiveness of application control periodically and especially after installing new software. Adversaries might not be honest and trustworthy [10], the ransomware might not have the technical capability to decrypt data [11], or the data might be encrypted/deleted by multiple adversaries [12]. Analysis could be performed in an instrumented sandbox located either in the organisation’s gateway, on a user’s computer, or in an external cloud computing environment subject to concerns about data sensitivity, privacy, and security of the communications channel. Enforcing proper management of privileged accounts mitigates several common adversary techniques such as account manipulation, credential dumping, exploitation of remote services, pass the hash, process injection and service execution. Security Control: 1486; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS.
Relevant ISM Controls: Security Control: 1484; Revision: 1; Updated: Jan-19; Applicability: O, P, S, TS. There is a security risk of inadvertently allowing applications that are digitally signed by the same publisher which can be used for legitimate purposes or malicious purposes such as network propagation and running malicious programs. Focus on hardening the configuration of applications used to interact with content from the internet. Security Control: 1175; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS. System recovery capabilities e.g. The requirement for adversaries to exploit an additional security vulnerability to escape from the virtualised environment can increase the security effectiveness of this alternative approach, although hypervisor security vulnerabilities are occasionally publicly disclosed. Alternatively, adversaries could turn the organisation’s intranet website into a watering hole to compromise users when they visit. Malware of lower sophistication might fail to exfiltrate data and operate correctly if it expects direct internet connectivity and is unable to traverse the organisation’s internet gateway, resulting in the internet gateway detecting and blocking such unauthorised network communication. Microsoft note that their Microsoft Windows 10 operating system and Edge web browser natively implement many of EMET’s features and mitigations, making EMET less relevant for Microsoft Windows 10. For the purpose of this document, sensitive data refers to either unclassified or classified information identified as requiring protection. This includes developing a strategic plan to contain and eradicate the intrusion, and providing guidance to improve the organisation’s cyber security posture in preparation for adversaries attempting to regain access to the organisation’s computers. For targeted cyber intrusions of higher sophistication, the ACSC can assist Australian government organisations with responding. 
user authentication and use of account credentials. Configure the HIDS/HIPS capability to achieve a balance between identifying malware, while avoiding negatively impacting users and the organisation’s incident response team due to false positives. Disable Link-Local Multicast Name Resolution (LLMNR) and associated name resolution services such as NetBIOS Name Service where possible as part of mitigation strategy ‘Operating system hardening’. Immediately disable all accounts and require sanitisation or return of mobile computing devices for departing employees and remind them of their security obligations and penalties for violations. Use Credential Guard. For example, in 2016 an Australian government organisation identified ransomware on a user computer and responded by simply reimaging the computer’s hard drive. Restricting the use of administrative privileges is one of the eight essential mitigation strategies from the Strategies to Mitigate Cyber Security Incidents. Threat mitigation in cyber security can be broken down into three components, or layers of mitigation:
Use an automated mechanism to confirm and record that deployed patches have been installed, applied successfully and remain in place. Choosing where to focus efforts on risk reduction and mitigation strategies is a difficult task. Blocking outgoing network traffic that is not generated by approved/trusted programs helps to prevent adversaries from propagating throughout the organisation’s network, and from exfiltrating the organisation’s data. Also, malicious insiders have the option of using removable storage media such as USB drives to exfiltrate data. Privileged access to systems, applications and data repositories is limited to that required for personnel to undertake their duties. Control removable storage media and connected devices. Security Control: 1487; Revision: 0; Updated: Sep-18; Applicability: O, P, S, TS.
modifications to user account properties, such as ‘Store password using reversible encryption’ or ‘Password never expires’ configuration options being activated. Further information about Microsoft patch MS14-025 is available at
users who have domain or local system administrative privileges, and equivalent administrative privileges in operating systems other than Microsoft Windows,
users who have elevated operating system privileges,
users who have privileged access to applications such as a database.
The following examples are not application control:
The ability of application control to provide a reasonable barrier for low to moderately sophisticated cyber security incidents depends on the solution chosen to implement application control, combined with its configuration settings, as well as the file permissions controlling which directories a user (and therefore malware) can write to and execute from. The pervasiveness of encrypted network traffic can limit the effectiveness of this mitigation strategy, requiring potentially complicated approaches to decrypt and inspect network traffic. Validate the requirement for users to be granted administrative privileges, and revalidate this requirement at least annually and preferably monthly. Organisations need to regularly test and update their incident response plan, processes and technical capabilities, focusing on decreasing the duration of time taken to detect cyber security incidents and respond to them. Develop and enforce a ruleset controlling which computers are allowed to communicate with other computers. This article will outline each of the Essential 8 strategies, why they exist and how they relate to cyber security incidents as well as mitigation strategies. Cyber security incidents often involve the use of ‘dynamic’ domains and other domains provided free to anonymous internet users, due to the lack of attribution. Configure WDigest (KB2871997).
Store backups offline or otherwise disconnected from computers and the network since ransomware, destructive malware and malicious insiders can encrypt, corrupt or delete backups that are easily accessible. An additional benefit is that, when these users are made aware that they clicked on a malicious email attachment or visited a malicious website and application control mitigated the compromise, they might provide additional support for the deployment of application control to more computers in the organisation. Perform timely log analysis focusing on connections and the amount of data transferred by Most Likely Targets to highlight abnormal internal network traffic such as suspicious reconnaissance enumeration of both network drives (file shares) and user data including honeytoken accounts. Some organisations might choose to support selected websites that rely on advertising for revenue by enabling just their ads and potentially risking compromise. Don’t use operating system versions that are no longer vendor-supported with patches for security vulnerabilities. Configure ‘hard fail’ SPF TXT DNS records for the organisation’s domains and subdomains, and configure a wildcard SPF TXT DNS record to match non-existent subdomains. The level of security risk might also be affected by whether exploit code for a security vulnerability is available commercially or publicly, for example in an open source tool like the Metasploit Framework or in a cybercrime exploit kit. In the absence of a DMARC DNS record, the ACSC responded to a cyber security incident involving a major free webmail provider that delivered a spoofed email to the recipient’s inbox even though the email failed SPF checks. Block internet advertisements using web content filtering in the gateway (and web browser software), due to the prevalent threat of adversaries using malicious advertising (malvertising) to compromise the integrity of legitimate websites to compromise visitors to such websites. 
Ensure that administrative service accounts, and other accounts that are unable to use multi-factor authentication, use a strong passphrase. with links to log in to fake websites), weak passphrases, passphrase reuse, as well as corporately unapproved removable storage media, connected devices and external IT services such as cloud computing including webmail. Disable Office add-ins. Additionally, adversaries use legitimate websites, which are required for business purposes, for malware delivery, command and control, and data exfiltration. Putting users in the position of making a security-related decision and hoping that they are all educated to always choose correctly is likely to result in some users choosing incorrectly, resulting in a compromise. Enforce a strong passphrase policy covering complexity, length and expiry. For Microsoft Windows operating systems prior to Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2, ensure that Microsoft patch KB2871997 has been applied and configure the ‘UseLogonCredential’ Windows Registry value to 0 to help mitigate adversaries obtaining clear-text credentials stored in memory. It is more challenging for adversaries to obtain and crack passphrase hashes to propagate throughout the organisation’s network if passphrases are unique, complex, long, hashed with a cryptographically strong algorithm and securely stored. Microsoft Office macros are only allowed to execute in documents from Trusted Locations where write access is limited to personnel whose role is to vet and approve macros. manipulating network traffic using approaches historically used to evade network-based intrusion detection/prevention systems. Allow only approved attachment types (including in archives and nested archives [27]). Microsoft Office macro security settings cannot be changed by users. Targeting might occur just prior to a significant upcoming meeting or other business event of relevance to adversaries.
Such persistence involves malware attempting to persist after the computer is rebooted, for example by modifying or adding Windows Registry settings and files such as computer services. For example, after fully testing and understanding application control to avoid false positives, one approach is to deploy application control to the computers used by senior executives and their executive assistants. Hunting is a very proactive and deliberate activity to discover cyber security incidents, leveraging threat intelligence that provides an understanding of the adversary’s goals, strategy, tactics, techniques, procedures and, to a lesser extent, tools. This reconnaissance is made easier for adversaries if the user’s name and/or email address are readily available via their employer’s website or social networking websites, or if the user uses their work email address for purposes unrelated to work. Applications such as web browsers [36] [37] and PDF viewers [38] from some vendors include such an inbuilt sandbox. The ACSC is aware of some spear phishing emails that use clever tradecraft and are believable such that no amount of user education would have helped to prevent or detect a compromise. Adversaries whose compromise is contained within a non-persistent virtualised sandboxed environment will have a reduced ability to persist and to propagate throughout the organisation’s network. Security Control: 1544; Revision: 1; Updated: Apr-20; Applicability: O, P, S, TS. Block outbound network connections to anonymity networks such as Tor, Tor2web and I2P, to help mitigate malware that uses such networks for command and control as well as for data exfiltration. Configure Windows endpoint systems through Group Policy to disable Adobe Flash and Java, and to harden Microsoft Office, web browsers and PDF viewers.
… Such controls include ‘micro-segmentation’ firewalling implemented by the virtualisation platform layer, software-based firewalling implemented in individual computers and virtual machines, and ‘IPsec Server and Domain Isolation’. Relevant ISM controls: Security Control: 0843; Revision: 8; Updated: Apr-20; Applicability: O, P, S, TS. Use ‘hard fail’ SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain. Deny corporate computers direct internet connectivity. Adversaries could propagate throughout the network by leveraging the organisation’s existing systems used to distribute software such as patches for security vulnerabilities, login programs or scheduled tasks configured via Group Policy Objects, updated anti-malware detection engine software, or the computer Standard Operating Environment master image. Ensure password hashes and secrets are not stored in locations accessible by lower privileged accounts. Operating system generic exploit mitigation e.g. Focus on users who are underperforming, about to be terminated or who intend to resign.
Logs should be analysed by staff who have no other privileges or job roles in order to help mitigate a malicious insider with administrative privileges ignoring or deleting logs of their own malicious actions. Ideally, an alternative corporately approved method of data transfer should be established which avoids the need to use removable storage media. Nevertheless, non-exhaustive guidance is provided for these threats on the following pages to highlight how the existing mitigation strategies are relevant and can be leveraged as a baseline for mitigating these threats. Endpoint protection or anti-malware software from some vendors includes heuristics and reputation rating functionality. logging into fake websites by visiting hyperlinks in emails that arrived from the internet, using the same passphrase in several different places, storing their passphrases unencrypted in files, using removable storage media and other IT equipment not corporately provided, performing work using corporately unapproved external IT services such as cloud computing including webmail, unnecessarily exposing their email address and personal details (e.g. cscript.exe, wscript.exe, cmd.exe, mshta.exe, ipconfig.exe, net.exe, net1.exe, netstat.exe, reg.exe, wmic.exe, powershell.exe, powershell_ise.exe, at.exe, schtasks.exe, tasklist.exe, regsvr32.exe, rundll32.exe, gpresult.exe and systeminfo.exe). Malware is then executed on the user’s computer and is often configured to persist by automatically executing every time the user restarts their computer and/or logs on. educate help desk staff to have a healthy level of suspicion, for example when handling a passphrase reset request from a user who can’t adequately verify their identity – the psychological desire to be helpful should not override documented business policies, processes or common sense.