ASD Essential Eight Mitigation Strategies to Detect Cyber Security Incidents and Respond
The Australian Cyber Security Centre (ACSC) has developed the Essential Eight, a set of mitigation strategies that organisations can use to produce a modern risk profile and response plan for today's cyber threats.
My post will help you align these best practices to your solution as a baseline, making it much harder for adversaries to compromise your systems.
Preparation
Before implementing any of the mitigation strategies, you should consider the following:
Identify which systems require protection
These are the systems that store, process, or communicate sensitive information, or other information with a high availability requirement.
These systems are usually in scope for compliance with a standard such as ISO or PCI, or with regulatory obligations such as those in health care or insurance.
Identify which adversaries are most likely to target your systems
This is the typical threat matrix used in any risk assessment. For an Australian agency, or an organisation that interacts with agencies, it's likely you're already conducting these assessments for compliance with the Privacy Act, APRA, or IRAP. If you've yet to complete a threat matrix or risk assessment, I highly encourage you to do so now, as it will get you thinking about threats unique to your organisation.
Identify what level of protection is required
Select mitigation strategies to implement based on the risks to business activities from specific cyber threats. This is done at a high level rather than at the level of the actual controls that need to be implemented.
The Essential Eight will provide you with the controls necessary; however, the strategy to implement them will differ for each organisation, and may even change over time as your risk appetite changes and your security posture matures.
Essential Eight Explained
The Essential Eight are application whitelisting, patching applications, configuring macro settings, application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and daily backups.
Mitigation strategies to prevent malware delivery and execution
Malware is computer programs designed to infiltrate and damage computers without the user's consent. It is the general term covering all the different types of threats to your computer's safety, such as viruses, spyware, worms, trojans, and rootkits, to name a few.
The following controls from the Essential Eight are designed to protect your organisation from malware.
Application Whitelisting
With this control, all non-approved applications (including malicious code) are prevented from executing.
Whitelist approved, trusted programs to prevent execution of unapproved or malicious programs, including executables (.exe), DLLs, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Patching Applications
Use the latest version of applications.
Security vulnerabilities in applications can be used to execute malicious code on systems.
Patch applications, e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch or mitigate computers with extreme risk vulnerabilities within 48 hours.
Configuring macro settings
Microsoft Office macros can be used to deliver and execute malicious code on systems.
Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in trusted locations with limited write access or digitally signed with a trusted certificate.
Application Hardening
Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Mitigation strategies to limit the extent of cyber security incidents
Constantly evolving cyber attacks challenge your organisation to keep up with quickly emerging security gaps that leave you exposed to bad actors, despite the safeguards and mitigation measures you may have in place.
The following controls are designed to minimise the impact of an incident once it has occurred, and to reduce the likelihood of further compromise.
Restricting Administrative Privileges
Admin accounts are the keys to the kingdom. Adversaries use these accounts to gain full access to information and systems.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
Patching Operating Systems
Security vulnerabilities in operating systems can be used to further the compromise of systems.
Patch operating systems to mitigate extreme risk vulnerabilities in computers, including network devices.
Use the latest operating system version. Don't use unsupported versions.
Multi-factor Authentication
Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Use multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important, sensitive or high-availability data repository.
Mitigation strategies to recover data and system availability
While you may have a mature Business Continuity Plan (BCP), when your systems are compromised this may work against you. When compromised systems are identified you'll want to have a well-practised Disaster Recovery (DR) strategy and follow an incident response plan.
If you are not yet familiar with incident response and you have an immediate need to implement one, here are the basics:
1. Do not power down compromised systems; you will lose forensic evidence.
2. Immediately segregate the affected system.
3. Start taking impromptu backups of any data, files and disks that were accessible to the affected system, and follow steps 1 and 2 for each system as it is identified.
4. Take a memory dump of each system.
After you've completed these steps, affected systems may be powered off. However, if you've segregated them successfully they pose no further risk, and you may later be glad they are still running.
In AWS EC2 it's a good idea to tag these instances to let others know they are compromised; use the Name tag for best effect, and notify all AWS users of the incident. Remove any associated IAM role and security group, and assign a new subnet created specifically to isolate the instance (one with no routes in or out).
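The EC2 quarantine steps above, as an added example that is not part of the original post, driven through the AWS CLI. It assumes the CLI is installed and credentialed, that a quarantine security group already exists (created with no inbound rules and its default allow-all egress rule revoked), and it uses that group swap in place of the subnet move, since a running instance cannot simply be moved to another subnet; EBS snapshots serve as the backup step, and all instance, group and ticket ids are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the EC2 quarantine steps from the
# text as AWS CLI calls (ids are placeholders). AWS_CMD=echo dry-runs the calls.
set -eu
AWS_CMD="${AWS_CMD:-aws}"

# 1. Use the Name tag so every console/CLI user sees the instance is compromised.
tag_compromised() {
  local instance_id="$1" ticket="$2"
  "$AWS_CMD" ec2 create-tags --resources "$instance_id" \
    --tags "Key=Name,Value=COMPROMISED-${instance_id}-${ticket}" \
           "Key=IncidentTicket,Value=${ticket}"
}

# 2. Remove the IAM role so credentials vended to the instance stop working.
detach_instance_profile() {
  local instance_id="$1" assoc
  assoc=$("$AWS_CMD" ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=${instance_id}" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' --output text)
  if [ -n "$assoc" ] && [ "$assoc" != "None" ]; then
    "$AWS_CMD" ec2 disassociate-iam-instance-profile --association-id "$assoc"
  fi
}

# 3. Swap every security group for the quarantine group (no inbound rules,
#    default egress revoked) so the instance has no network path in or out.
isolate_network() {
  local instance_id="$1" quarantine_sg="$2"
  "$AWS_CMD" ec2 modify-instance-attribute --instance-id "$instance_id" \
    --groups "$quarantine_sg"
}

# 4. Snapshot every attached EBS volume as the forensic copy before power-off.
snapshot_volumes() {
  local instance_id="$1" ticket="$2" vol
  for vol in $("$AWS_CMD" ec2 describe-instances --instance-ids "$instance_id" \
      --query 'Reservations[].Instances[].BlockDeviceMappings[].Ebs.VolumeId' \
      --output text); do
    "$AWS_CMD" ec2 create-snapshot --volume-id "$vol" \
      --description "Forensic copy ${ticket} ${instance_id}"
  done
}

# Usage: ./quarantine.sh <instance-id> <quarantine-sg-id> <ticket-id>
if [ "$#" -eq 3 ]; then
  tag_compromised "$1" "$3"; detach_instance_profile "$1"
  isolate_network "$1" "$2"; snapshot_volumes "$1" "$3"
fi
```

The memory dump from step 4 of the list is not scriptable through the EC2 API and still has to be taken on the instance itself.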
Daily Backups
Daily backups ensure information can be accessed again following a cyber security incident (e.g. after a successful ransomware attack).
Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
This is a baseline; your own DR strategy may require a more granular approach.
Can your organisation answer these questions?
Event Logging
Have we configured workstations to log events to a central server? Could we provide, at a minimum, the last three months’ worth of these logs to incident response analysts?
Providing logging data will assist incident response analysts in establishing the cause, extent and duration of the compromise.
Workstation logs
- Application whitelisting logs
- Event logs
- Anti-virus logs
- Firewall logs
- Authentication logs
Network logs
- Proxy logs
- DHCP logs
- DNS logs
- VPN logs
- Firewall logs
- Network device logs
Server logs
- Mail server logs
- Authentication server logs
- Web server access logs
- Remote access server logs
Roles and responsibilities
Have we documented incident response policies and procedures for cyber security incident response?
Defining your policies and procedures, and making staff aware of them, will give you the best chance of a rapid and coordinated response.
Do our staff understand their incident response roles and responsibilities?
What good is having an incident response plan if it is not practised and staff are not aware of their responsibilities in the event of a breach?
Does our service provider understand its roles and responsibilities in the event of an incident?
This is usually identified during due diligence or a vendor risk assessment. When an incident occurs within the service provider, outside of your own visibility, you still have a mandatory obligation to complete a data breach notification under the Privacy Act, and the service provider must adhere to this and assist you. If you do not already have this agreement in place, and you are concerned that you'll be unable to meet your obligations because a non-Australian service provider is unprepared to support your organisation in the event of a data breach, now is the time to address your contract and urge them to agree to appropriate notification and forensic investigation support.
Contact details for your organisation
Does our organisation have a current OnSecure account with correct contact details for our Information Technology Security Adviser?
Providing up-to-date details will allow ASD to quickly contact the right person in your organisation. Furthermore, OnSecure is where ASD posts and publishes Alerts on significant threats as well as Protect publications and advice that your organisation will need to keep up to date with in order to respond to some cyber security incidents.
Initial incident treatment
How quickly can we identify, physically locate and isolate an infected machine on our network? Do we know what our baseline network traffic looks like? Do we have the ability to recognise and assess anomalies in network traffic? Would we pull all plugs on the identified machine, or ensure capture of volatile information for investigation?
A good understanding and sound documentation of your network and all workstations will assist when particular workstations need to be identified quickly. Understanding your network traffic, and being able to describe any anomalies when asked, will assist ASD in tailoring incident response to your needs. Your organisation may choose to contain the identified machine. In this case, it is important to configure the machine for hibernation and then hibernate it rather than fully shutting it down. This will preserve valuable volatile artefacts that will be used in the investigation of the incident.
Assisting with investigations
Once identified, can our organisation effectively and safely isolate malware and provide it to the Cyber Security Operations Centre (CSOC)?
Malware provided to the CSOC is used to prevent the reoccurrence of similar cyber security incidents across government. If you have not set up a CSOC you might need to augment your current capability with outside support, which is an opportunity to develop some repeatable processes you can implement yourself.
Conclusion
Once you have implemented the desired mitigation strategies in your organisation at an initial level, the next step is to focus on increasing the maturity of the implementation, aiming to eventually reach full alignment with the intent of each mitigation strategy.
If you're an Amazon Web Services customer there is a great post here to help you take this one step further and implement sane controls in your AWS accounts.