By: Chris Bolan and Tony Campbell
The Australian Cyber Security Centre’s (ACSC) threat report, released late last year, highlighted the evolution of cyber threats across Australia, from the relatively inept ransomware attacks in 2015/2016 to the more evasive and insidious attacks in 2016/2017.
This includes the meteoric rise of targeted attacks that leverage the context gained from their target’s openly available social media profile. This new wave of targeted, bespoke attacks has led to a surge in the number of security incidents across every industry sector and government department.
Will the new ‘Essential Eight’ set of security controls, published by the Australian Signals Directorate (ASD), help organisations stay out of the headlines? Let’s take a look.
For several years, the ASD has been promoting four main mitigation strategies to combat targeted cyber intrusions. They assert that, by implementing all of the Top 4 controls, organisations will block as much as 85% of targeted cyber-attacks.
Yet the ACSC’s report shows that the threat landscape has changed dramatically since ASD first published this guidance in 2010, as has the speed with which cyber threats are monetised and deployed.
The original Top 4 mitigation strategies
- Application Whitelisting
Application whitelisting has occupied the number one spot for a while now, due to its effectiveness in preventing a range of exploits. The software prevents non-authorised applications from running on a system by actively blocking any application not explicitly allowed.
- Patch Applications
Most software companies now release a constant stream of patches for identified vulnerabilities. While there is always a gap between when a vulnerability is identified and when a patch is available, in almost all cases significant breaches still occur long after a patch was released, because organisations fail to maintain and support a regular patching cycle.
- Patch Operating Systems
As with applications, there is a constant stream of operating system patches in response to identified vulnerabilities. Such patches often have greater urgency, as the wide applicability of the vulnerabilities makes them highly desirable for untargeted attacks.
- Restrict Administrative Privileges
All too often users and systems administrators request and retain unnecessary privileged access to applications and operating systems. By restricting the privilege level of most accounts, we lessen the risk that compromised user credentials will have a significant impact.
New additions to form the ‘Essential Eight’
While there is no doubt that the ‘Top 4’ strategies provide a solid foundation to mitigate cyber-attacks, the emergence of the ‘Essential Eight’ illustrates how our understanding of the risks and of modern attack methods is evolving. The Essential Eight controls therefore build on the original Top 4, but also seek to address the threats ACSC has seen in recent years.
- Disable untrusted Microsoft Office macros
While they dropped off the radar for a while due to decreased prevalence, macros are once again in vogue as an infection vector for ransomware. Disabling Office macros significantly lowers the risk of items such as Word documents leading to a security incident.
- User application hardening
One of the largest challenges facing system administrators is the use of legacy internet technologies such as Flash and Java. These are known to have significant vulnerabilities but are difficult to remove, because legacy applications and websites still rely on such technology to operate. Removing or blocking the use of these legacy items significantly reduces or eliminates the exposure to a range of web-based attacks.
- Multifactor authentication
News of leaked user credentials (usernames & passwords) is now almost a weekly occurrence with a range of high profile examples in the last year.
A long overdue entrant to the essential list, multi-factor authentication significantly reduces the impact of leaked credentials, as the addition of a physical token or biometric control renders stolen credentials unusable on their own.
- Daily backup of important data
When a ransomware infection or other breach does occur, the fastest way to recover is often to restore the system from a recent backup. By ensuring offline daily backups of important data, organisations can minimise the impact of any data loss resulting from such attacks.
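To make the ‘disable untrusted Microsoft Office macros’ control above concrete, here is an added read-only audit script (not from the article, ASD or ACSC) that reports whether the Office macro policy on a Windows endpoint matches the control. It assumes the Office 2016/2019/365 policy path (version key "16.0") and the per-user policy hive; the VBAWarnings values it interprets are the standard Office policy values.

```powershell
# Added example: audit Office macro policy against the 'disable untrusted macros' control.
# Assumption: Office policy keys live under version "16.0" (Office 2016/2019/365).
$officeVersion = "16.0"
$apps = @("Word", "Excel", "PowerPoint")

# VBAWarnings policy values: 1 = enable all macros, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
# Only 3 and 4 stop a user from simply clicking "Enable Content" on an untrusted file.
$acceptableVbaWarnings = @(3, 4)

function Get-MacroStatus([object]$vbaValue) {
    if ($null -eq $vbaValue) { return "NOT SET (user may enable macros)" }
    if ($acceptableVbaWarnings -contains $vbaValue) { return "OK (VBAWarnings=$vbaValue)" }
    return "WEAK (VBAWarnings=$vbaValue)"
}

foreach ($app in $apps) {
    # Policy keys override the user's own Trust Center preferences, so audit the policy hive.
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"

    # Get-ItemProperty returns $null when the key or value does not exist.
    $vba = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $blockInternet = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet `
        -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    # blockcontentexecutionfrominternet = 1 blocks macros in files downloaded from the internet
    # (Mark-of-the-Web), the typical route for a macro-laden phishing attachment.
    $internetStatus = if ($blockInternet -eq 1) { "OK" } else { "NOT SET" }

    [PSCustomObject]@{
        Application             = $app
        UntrustedMacros         = Get-MacroStatus $vba
        BlockMacrosFromInternet = $internetStatus
    }
}
```

Run it in the context of an ordinary user account, since the policy hive is per-user; any row reporting NOT SET or WEAK indicates a machine where the control is not yet enforced.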
Practical steps for a changing world
The release of the ‘Essential Eight’ is a clear acknowledgement of the realities of the current threat landscape. In particular, the recommendation for daily backups as an essential control illustrates that even with the tightest active cyber security countermeasures, preventing every breach is unrealistic.
When viewing these changes it’s important to remember:
- Your security controls need to focus on both prevention and recovery, so that you can reduce the impact of a successful attack before it causes lasting harm.
- It is essential that common sense and a risk-first approach are adopted. Too often organisations react to risk by jumping into complex technical transformation programmes or buying more security gadgetry.
- Every new technology or change to your enterprise may also have a negative impact on your organisation, so it’s important to analyse each for cost (operational and financial) vs benefit before proceeding.