What is the Essential Eight?
The Essential Eight is a set of mitigation strategies for improving an organization's cyber security. The Australian Signals Directorate (ASD) published this expanded baseline in 2017, building on its earlier "Top 4" mitigation strategies. To construct the eight controls intended to defend Australian organizations against today's malware and intrusion techniques, the ASD added four further strategies to the original four.
The Essential Eight strategies fall into three broad categories: preventing attacks, limiting the extent of attacks, and recovering data and system availability.
To aid implementation, the Essential Eight is divided into four maturity levels (Maturity Level Zero through Maturity Level Three). With the exception of Maturity Level Zero, each level is defined by the ability to counter progressively more sophisticated adversary tradecraft (that is, tools, tactics, techniques and procedures) and targeting. An adversary's tradecraft can vary widely across operations and targets, depending on its overall capability. An adversary capable of both basic and advanced tradecraft might, for instance, use the former against one target and the latter against another. Organizations should therefore consider the sophistication of the tradecraft and targeting they need to defend against, rather than which specific adversaries they are trying to counter.
Organizations should consider how attractive they are to adversaries, which affects the likelihood of being targeted, and how strongly they depend on the confidentiality, integrity and availability of their data, which affects the consequences of a cyber security incident. Together with the descriptions of the maturity levels, this helps an organization choose a target maturity level to pursue.
Finally, Maturity Level Three will not stop adversaries who are willing and able to invest the time, money and effort needed to compromise a target. Organizations should therefore also consider the remaining mitigation strategies in the Information Security Manual (ISM) and the ASD's Strategies to Mitigate Cyber Security Incidents.
Maturity Level Zero
At this level, an organization's overall cyber security posture has weaknesses. If exploited, these weaknesses could compromise the confidentiality, integrity or availability of its systems and data through the tradecraft and targeting described for Maturity Level One.
Maturity Level One
The focus of this maturity level is adversaries who are content to use widely available "commodity" tradecraft to gain access to, and likely control of, systems. For instance, an adversary might opportunistically use a publicly available exploit for a vulnerability in an unpatched internet-facing service, or log in to an internet-facing service with stolen, reused, brute-forced or guessed credentials.
Such adversaries are typically not targeting specific victims but hunting for easy prey: they look for common weaknesses across many targets rather than investing significant effort in breaching one in particular. They use common social engineering techniques to trick users into weakening a system's security and launching malicious applications, for example through Microsoft Office macros. If a compromised account has special privileges, the adversary will try to use them. An adversary may also destroy data (including backups) that the compromised account can reach.
Maturity Level Two
The focus of this maturity level is adversaries operating with a modest step up in capability from the previous level. They are willing to invest more time in a target and, more importantly, in the effectiveness of their tools. For instance, they will likely use well-known tradecraft to attempt to bypass the security controls protecting a target and to evade detection, such as actively phishing for credentials, or using technical and social engineering techniques to circumvent weak multi-factor authentication.
These adversaries are likely more selective in their targeting, but still spend only a modest amount of effort on a single target. They invest more effort in making their phishing effective and in using common social engineering techniques to persuade users to weaken a system's security and launch malicious applications (for example, through Microsoft Office macros). If a compromised account has special privileges, the adversary will try to use them; where data destruction is the goal, they may also destroy all data (including backups) accessible to that account.
Maturity Level Three
The focus of this maturity level is adversaries who are more adaptive and far less reliant on publicly available tools and techniques. They are able to exploit openings created by weaknesses in their target's cyber security posture, such as older software or inadequate logging and monitoring. Once they gain access to a target, they use it not only to evade detection but to further entrench themselves. When a public exploit is released, adversaries quickly take advantage of it, just as they do with any other tradecraft that improves their chances of success.
In general, these adversaries are more focused on particular targets and are willing and able to invest extra effort to find and exploit weaknesses in the specific policy and technical controls protecting them. This includes, for example, tricking a user into opening a malicious document and so helping the adversary circumvent security controls, or stealing authentication token values to impersonate a user and bypass stronger multi-factor authentication. Having obtained a foothold, an adversary will seek privileged credentials or password hashes, pivot to other parts of the network, and cover their tracks. They may also destroy all data (including backups) if that suits their goals.
Application Control
Application control is a security technique that prevents unapproved programs, including malware, from executing on a system. Implemented properly, it restricts execution to approved files only.
Beyond blocking unapproved applications, it also helps detect attempts by an adversary to run malicious code. To do so, application control must be configured to log both successful and blocked execution attempts. Ideally, each log entry records the file name, the date and time of the attempt, and the username of the user who attempted it.
Its primary goal is to stop malicious or otherwise unwanted code from running, but it can also stop users from installing unapproved applications.
- Application Whitelist and Its Implementation
Application whitelisting (now usually called allowlisting) is a control that prevents a program from running on a device unless it is explicitly authorized. Because only listed programs may start and everything else is denied, the approach is effective at stopping malicious programs from being launched or installed on the network.
The implementation procedure, in outline:
- First, identify the software required for the device or network to operate normally.
- Next, select and deploy the allowlisting solution, which may be hardware- or software-based.
- Keep the list of approved applications up to date: remove outdated entries that are no longer used and add new software as it becomes necessary.
- Finally, configure the solution to permit only the listed programs and block the execution of any other software. It does this by intercepting each execution attempt and comparing the file against the list of authorized applications.
- File Name
The file name attribute, as its name suggests, permits only files with particular names to execute. Using it on its own is not recommended, because a malicious file given an approved name will still be allowed to run, and an approved file that has been tampered with keeps its name.
If it must be used, the file name attribute should be combined with another attribute, such as the file's cryptographic hash.
- File Path
This attribute restricts execution to files in approved locations. There are two variants:
- Directory-based allowlisting permits every file within the listed directories and their subdirectories. If C:\Program Files\ is allowlisted, for instance, every file and program within it can run.
- Full file path allowlisting permits only the individually listed files. If C:\Program Files\example.exe is allowlisted, only that file can run, and only as long as its name and location are unchanged.
Full file path allowlisting is the more secure of the two. Use directory-based allowlisting only when full file path allowlisting is not available, and keep in mind that a path rule is only as strong as the permissions on that path: a directory that ordinary users can write to gives an attacker a place to drop an executable that the rule will allow.
- File Size
The idea behind allowlisting files by their size is that malicious software will have a different footprint from its legitimate counterpart. This is mistaken, since malicious actors can easily produce a fake that matches the legitimate file in every observable respect, including its size.
Because of this inherent weakness, file size should never be used on its own. It should be combined with other allowlisting attributes.
- Cryptographic Hash
With this attribute, only files whose cryptographic hash is on the list may run, regardless of file name or location. It is very secure, but it can be hard to maintain, because every change to an application produces a new hash.
The allowlist must therefore be updated each time a patch is applied or an application is upgraded.
Allowlisted applications should also be audited regularly to confirm that the hashes on the list still correspond to current, trusted versions of the applications and that stale entries have been removed.
- Digital Signature
A digital signature is a unique attribute embedded in the application itself and verified against the signer's certificate. It ensures that a tampered or malicious copy of an application will not load.
Signing can also identify the publisher. Software vendors commonly sign the programs they distribute to show that they produced them.
This allowlisting method has two drawbacks.
First, a trusted publisher and a verified identity do not necessarily mean an application is safe to use. The SolarWinds supply chain compromise showed that trusted, correctly signed software can itself be compromised by a third party.
Second, relying on this attribute alone will permit potentially insecure legacy software from an approved publisher to keep running.
- Process
This attribute ensures that an approved application can be launched only by designated parent processes; launches from any other process are denied. It regulates which programs are allowed to start which other programs.
Even an approved parent process can be abused to launch software it should not, so while this restriction is helpful, it should not be relied on in isolation.
It should be combined with strong, context-based allow decisions drawn from the other attributes; on its own it is not a reliable application control mechanism.
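The trade-offs between these attributes are easiest to see by running the same execution attempts through one rule per attribute. The following is an added example written for this page, not code from the original article or from any application control product. The file paths, file contents, signer names and user name are all constructed; a real product would take the publisher from the binary's signature rather than from a field. It also includes the combined publisher-and-path rule the text recommends, and emits the allowed/blocked log events described earlier in this section.

```python
"""Application control attributes evaluated against constructed sample files.

Added example: not code from the original page or from any application
control product. All file paths, contents, signers and the user name are
constructed for the demonstration; a real product would read the signer from
the binary's Authenticode certificate rather than from a field.
"""
import hashlib
from datetime import datetime, timezone
from pathlib import PureWindowsPath

APPROVED_PUBLISHER = "CN=Example Corp"                    # assumed publisher name
APPROVED_BUILD = b"MZ...legitimate build of example.exe"  # constructed file content

# (path, content, signer) for each execution attempt; all constructed
SAMPLE_FILES = [
    # the approved binary in its approved location
    (r"C:\Program Files\Example\example.exe", APPROVED_BUILD, APPROVED_PUBLISHER),
    # malware renamed to look like the approved binary, dropped in a user-writable folder
    (r"C:\Users\alice\Downloads\example.exe", b"MZ...malicious payload", None),
    # unsigned dropper written into Program Files by an attacker who already has write access
    (r"C:\Program Files\Example\updater.exe", b"MZ...dropper", None),
    # a genuinely signed but unapproved tool from the same publisher
    (r"C:\Users\alice\Downloads\tool.exe", b"MZ...signed admin tool", APPROVED_PUBLISHER),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


APPROVED_HASHES = {sha256(APPROVED_BUILD)}


# One allow decision per attribute discussed above. Each returns True if the file may run.
def by_file_name(path, content, signer):
    return PureWindowsPath(path).name.lower() == "example.exe"


def by_file_path(path, content, signer):
    # directory-based rule: anything under Program Files
    return str(PureWindowsPath(path)).lower().startswith("c:\\program files\\")


def by_hash(path, content, signer):
    return sha256(content) in APPROVED_HASHES


def by_publisher(path, content, signer):
    return signer == APPROVED_PUBLISHER


def by_publisher_and_path(path, content, signer):
    # combining attributes: signed by the approved publisher AND in a protected location
    return by_publisher(path, content, signer) and by_file_path(path, content, signer)


RULES = {
    "file_name": by_file_name,
    "file_path": by_file_path,
    "hash": by_hash,
    "publisher": by_publisher,
    "publisher_and_path": by_publisher_and_path,
}


def evaluate(rule_name: str, user: str = "alice") -> list:
    """Apply one rule to every sample execution attempt and return the log events
    the text says application control should record: file, user, time and result."""
    rule = RULES[rule_name]
    events = []
    for path, content, signer in SAMPLE_FILES:
        allowed = rule(path, content, signer)
        events.append({
            "rule": rule_name,
            "file": path,
            "user": user,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "result": "allowed" if allowed else "blocked",
        })
    return events


def allowed_files(rule_name: str) -> list:
    """Paths that a given rule would let run."""
    return [e["file"] for e in evaluate(rule_name) if e["result"] == "allowed"]


if __name__ == "__main__":
    for name in RULES:
        for event in evaluate(name):
            print(f"{event['time']} {event['rule']:<20} {event['result']:<7} "
                  f"{event['user']} {event['file']}")
```

Running it shows that the file name rule admits the renamed malware in Downloads, the directory rule admits the unsigned dropper planted in Program Files, and the publisher rule admits the signed but unapproved tool, while the hash rule and the combined publisher-and-path rule admit only the approved binary.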
Ensuring compliance with the requirements of the Essential Eight Application Control
You must regularly assess your Essential Eight maturity to remain compliant. Remember that the Essential Eight is only a baseline for cyber security; additional security controls should be deployed to reach and maintain Maturity Level Three.
The Australian Signals Directorate (ASD) recommends these controls for application control:
- Application allowlisting on all workstations and endpoints, including remote ones.
- Deployment of an application control solution on all servers.
- Implementation of Microsoft's recommended block rules.
Patch Applications
Patching is the process of updating software with security fixes, bug fixes and new features. Its goal is to improve the stability, security and performance of the software and to close known vulnerabilities that attackers could exploit. Patching is an essential part of software maintenance and should be done promptly to keep applications secure and up to date. Patches can be deployed automatically or manually, but either way they should be tested before being applied in production.
ASD guidance classifies application vulnerabilities into four risk levels and recommends patching timeframes accordingly:
- Extreme Risk
  - Unauthorized remote access vulnerabilities
  - Vulnerabilities affecting critical business systems
  - Vulnerabilities in the public domain
  - No mitigating controls and internet-connected
- High Risk
  - Unauthorized remote access vulnerabilities
  - Vulnerabilities affecting critical business systems
  - Vulnerabilities in the public domain
  - Protected by mitigating controls within a secure environment
- Moderate Risk
  - Remote access vulnerabilities that allow user impersonation
  - Vulnerabilities exposing remote access controls to untrusted users
  - Remote access gateway protected by two-factor authentication
  - Remote access gateway that does not allow elevated privileges
- Low Risk
  - Vulnerabilities exploitable via SQL injection only by authenticated users
  - No sensitive data in public-facing resources
  - Mitigating controls make exploitation unlikely or difficult
Ensuring compliance with the requirements of the Essential Eight Patching Applications Control
ASD recommends the following to ensure that software updates are applied as intended:
- Deploy security patches for extreme-risk vulnerabilities within 48 hours of their discovery.
- Verify that updates have actually been applied, rather than assuming a deployment succeeded.
- Verify that all in-house applications work with the most recent vendor software before rolling it out.
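As an added example, not ASD's own tooling, the following triages constructed vulnerability records into the four ratings using the attributes listed above and flags any that missed their patch deadline. The 48-hour deadline for extreme-risk vulnerabilities is the one stated on this page; the deadlines for the other ratings, the tie-break rules in rate(), and all of the sample records are assumptions made for the demonstration.

```python
"""Triage of application vulnerabilities into the four risk ratings above, with a
patch-deadline check.

Added example, not ASD's own tooling. The 48-hour deadline for extreme-risk
vulnerabilities comes from the page; the deadlines for the other ratings, the
tie-break rules in rate(), and every vulnerability record are assumptions
constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Vuln:
    vid: str
    remote: bool               # exploitable by an unauthenticated remote party
    critical_system: bool      # affects a critical business system
    public_exploit: bool       # vulnerability or exploit is in the public domain
    internet_facing: bool      # the affected system is reachable from the internet
    mitigated: bool            # compensating controls are in place
    mfa_gateway: bool          # reachable only via an MFA-protected gateway without privilege elevation
    authenticated_only: bool   # e.g. SQL injection reachable only by authenticated users
    discovered: datetime
    patched: Optional[datetime] = None


# Maximum time from discovery to patch for each rating. Only the extreme value is
# from the page; the others are assumed policy values.
DEADLINES = {
    "extreme": timedelta(hours=48),
    "high": timedelta(days=14),
    "moderate": timedelta(days=30),
    "low": timedelta(days=90),
}


def rate(v: Vuln) -> str:
    """Map the attributes listed under each rating to one of the four ratings."""
    if v.remote and v.critical_system and v.public_exploit:
        if v.internet_facing and not v.mitigated:
            return "extreme"
        return "high"
    if v.remote and v.mfa_gateway:
        return "moderate"
    if v.authenticated_only or v.mitigated:
        return "low"
    # Anything else that is remotely reachable is rated high as a conservative
    # default (assumption, not from the page).
    return "high" if v.remote else "moderate"


def overdue(vulns: List[Vuln], now: datetime) -> List[Tuple[str, str]]:
    """Return (id, rating) for vulnerabilities patched late, or still unpatched
    past their deadline, measured from discovery."""
    late = []
    for v in vulns:
        rating = rate(v)
        end = v.patched or now
        if end - v.discovered > DEADLINES[rating]:
            late.append((v.vid, rating))
    return late


# Constructed records for the demonstration
NOW = datetime(2024, 3, 4, 9, 0)
EARLY_CHECK = datetime(2024, 3, 1, 10, 0)   # a review run one hour after V1 was found
SAMPLE = [
    Vuln("V1", True, True, True, True, False, False, False, datetime(2024, 3, 1, 9, 0)),
    Vuln("V2", True, True, True, True, True, False, False, datetime(2024, 2, 20), datetime(2024, 2, 28)),
    Vuln("V3", True, False, False, False, False, True, False, datetime(2024, 2, 1)),
    Vuln("V4", False, False, False, False, True, False, True, datetime(2024, 1, 1)),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.vid, rate(v), "patched" if v.patched else "open")
    print("overdue:", overdue(SAMPLE, NOW))
```

Run on the sample, V1 is rated extreme and is three days old without a patch, so it is overdue; V3 is a moderate-risk issue behind an MFA gateway that has sat open past the assumed 30-day limit; V2 was patched within its window and V4 is still inside the assumed low-risk window.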
User Application Hardening
Application hardening is the practice of strengthening applications, especially internet-facing and web-based ones, against attack. Methods range from keeping software patched to disabling risky features and adding new security controls.
The goal is to prevent malicious code from entering internal networks through externally facing applications. Legacy applications are common targets of these attacks because they cannot detect or stop intrusion attempts.
Establishing application hardening rules is an important part of the attack-prevention phase of any cyber security framework. They help ensure that unauthorized parties cannot reach private networks through the applications they target.
Application Hardening Methods
The following are seven common methods of application hardening:
- Checking and validating all inputs, whether provided by users or obtained from other sources, to verify that they are well formed and do not contain dangerous content.
- Putting access controls in place so that only authorized users can reach sensitive data or functionality.
- Protecting against data theft by encrypting sensitive information both in transit and at rest.
- Using secure coding practices, such as careful error handling, to make it harder for attackers to exploit weaknesses in the program.
- Keeping the application on its most recent version with the latest security patches and updates, closing vulnerabilities that are already known.
- Monitoring the application for potentially malicious behavior and logging events for later investigation and troubleshooting.
- Analyzing the application for threats and risks and putting preventive measures in place to reduce its attack surface.
Ensuring compliance with the requirements of the Essential Eight Application Hardening Control
For complying with the application hardening control, ASD suggests the following methods:
- Block or completely uninstall Flash in all browsers. Adobe ended support for Flash at the end of 2020, so it should no longer be present at all.
- Turn off support for Flash in Microsoft Office.
- Disable Object Linking and Embedding (OLE) packages in Microsoft Office through its security settings.
- Configure all browsers to block online advertisements.
- Configure all browsers to block Java from the internet.
Restrict Administrative Privileges
In an organization, the most powerful administrative accounts have unrestricted access to the company's most sensitive data. As a result, once attackers get into a system, their first priority is to locate these accounts and take them over.
Four main tenets underpin privileged access management (PAM):
- Discover and track all accounts with elevated privileges
- Secure all privileged accounts
- Monitor all privileged access activity
- Adjust access privileges through an automated process
As part of PAM, the number of privileged accounts should be minimized. The first step is a rigorous audit of all existing privileged accounts, with the aim of removing as many of them as possible.
Ensuring compliance with the requirements of the Essential Eight Restrict Administrative Privileges Control
For complying with the restrict administrative privileges control, ASD suggests the following methods:
- Validate that privileged access to applications and servers is required when it is first granted and at regular intervals thereafter (annually, or ideally more often).
- Keep the number of people with privileged rights to a minimum.
- Prevent privileged accounts from reading email, browsing the web or accessing cloud storage, so that a privileged user cannot fetch or open arbitrary external content.
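The revalidation and minimization recommendations above translate directly into a periodic review of the privileged account inventory. The following added example, not ASD's tooling, runs such a review over a constructed inventory (in practice it would come from a directory export). The 365-day revalidation interval follows the annual wording above; the 90-day dormancy threshold used to propose accounts for removal is an assumption.

```python
"""Review of a privileged account inventory against the restrict administrative
privileges recommendations: periodic revalidation, minimal numbers, and no email,
web or cloud storage access for privileged accounts.

Added example, not ASD's tooling. The inventory is constructed, and the 90-day
dormancy threshold used to propose accounts for removal is an assumption.
"""
from datetime import date

# Constructed inventory: one record per account
INVENTORY = [
    {"name": "alice_adm", "privileged": True, "last_validated": date(2024, 3, 1),
     "last_used": date(2024, 6, 28), "web_or_email": True},
    {"name": "bob_adm", "privileged": True, "last_validated": date(2024, 2, 1),
     "last_used": date(2023, 11, 1), "web_or_email": False},
    {"name": "svc_backup", "privileged": True, "last_validated": date(2023, 1, 10),
     "last_used": date(2024, 6, 29), "web_or_email": False},
    {"name": "carol", "privileged": False, "last_validated": date(2022, 5, 5),
     "last_used": date(2024, 6, 29), "web_or_email": True},
]
TODAY = date(2024, 6, 30)


def review(inventory, today, revalidate_days=365, dormant_days=90):
    """Return one finding per policy breach for privileged accounts only;
    unprivileged accounts are out of scope for this control."""
    findings = []
    for acct in inventory:
        if not acct["privileged"]:
            continue
        name = acct["name"]
        if (today - acct["last_validated"]).days > revalidate_days:
            findings.append(f"{name}: privileged access not revalidated since {acct['last_validated']}")
        if acct["web_or_email"]:
            findings.append(f"{name}: privileged account can browse the web or read email")
        if (today - acct["last_used"]).days > dormant_days:
            findings.append(f"{name}: unused since {acct['last_used']}, candidate for removal")
    return findings


def privileged_count(inventory) -> int:
    """The number the control wants kept to a minimum."""
    return sum(1 for a in inventory if a["privileged"])


if __name__ == "__main__":
    print(f"{privileged_count(INVENTORY)} privileged accounts")
    for finding in review(INVENTORY, TODAY):
        print(finding)
```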
Configure Microsoft Office Macros
Microsoft Office macros are scripts written in Office to automate repetitive tasks, reducing wasted effort and improving productivity. Because a macro can run arbitrary code, a malicious macro can give attackers unauthorized access to private data.
Disabling all macros in Microsoft Office is the safest option, but it is not always possible, especially where certain macros are essential to business goals.
A balance must therefore be found: allow the macros that are genuinely necessary, and only those, so that the impact on security is kept to a minimum.
The following questions can help narrow down the options:
- How important is this macro to achieving business goals?
- Is there any other way to achieve these goals?
- Was this macro created by a trusted source?
- Is there evidence that this macro has been reviewed and approved as secure by an authorized party?
Ensuring compliance with the requirements of the Essential Eight Configure Microsoft Office Macros Control
For the highest level of security, and to prevent users from changing macro settings, the Australian Signals Directorate recommends disabling all macros in Microsoft Office.
Where macros are required, the following controls should be applied:
- Macros should only be allowed to run in files stored in trusted locations.
- Only users responsible for vetting and approving macros should be able to write to those trusted locations.
- Macros in Microsoft Office files downloaded from the internet must be blocked.
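Both the macro controls above and the OLE package setting listed under application hardening end up as registry values on the endpoint, so compliance can be checked from a registry export instead of by clicking through each application's Trust Center. The following added example (not ASD's or Microsoft's code) parses a constructed `reg export` and compares it against the expected values. The key paths, value names (VBAWarnings, blockcontentexecutionfrominternet, PackagerPrompt) and expected values are the ones this example assumes for Office 16.0; confirm them against current vendor and ASD guidance before relying on the check.

```python
"""Checking exported Microsoft Office registry settings against the macro and OLE
hardening settings described on this page.

Added example, not ASD's or Microsoft's tooling. The registry export below is
constructed; the key paths, value names and expected values are the ones this
example assumes for Office 16.0 and should be confirmed against current guidance.
"""
import re

# Constructed output in the format of `reg export` for two Office applications
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"PackagerPrompt"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"PackagerPrompt"=dword:00000002
"""

POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\{app}\Security"
USER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\{app}\Security"

# (key template, value name, expected value, meaning); values assumed for Office 16.0
REQUIRED = [
    (POLICY_KEY, "VBAWarnings", 4, "disable all macros without notification"),
    (POLICY_KEY, "blockcontentexecutionfrominternet", 1, "block macros in files from the internet"),
    (USER_KEY, "PackagerPrompt", 2, "block OLE package activation"),
]

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}; dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group("raw")
            if raw.startswith("dword:"):
                keys[current][m.group("name")] = int(raw[len("dword:"):], 16)
            else:
                keys[current][m.group("name")] = raw.strip('"')
    return keys


def check_office(reg: dict, apps) -> list:
    """Return one finding per missing or non-compliant setting, per application."""
    findings = []
    for app in apps:
        for key_t, name, expected, meaning in REQUIRED:
            actual = reg.get(key_t.format(app=app), {}).get(name)
            if actual is None:
                findings.append(f"{app}: {name} not set (expected {expected}: {meaning})")
            elif actual != expected:
                findings.append(f"{app}: {name}={actual} (expected {expected}: {meaning})")
    return findings


if __name__ == "__main__":
    for finding in check_office(parse_reg(REG_EXPORT), ("Word", "Excel")):
        print(finding)
```

On the constructed export the check reports that Word still prompts for OLE packages instead of blocking them, and that Excel has no policy blocking macros in files from the internet; the remaining settings match.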
Multi-Factor Authentication
After entering their credentials, users protected by MFA are presented with an additional authentication prompt. The aim is to verify the identity of every user who logs in, making it far harder for an attacker who has obtained a password to reach protected systems.
MFA is one of the easiest security controls to deploy, yet it greatly reduces the risk of data breaches: each additional authentication factor makes compromising an account substantially harder.
It is an effective safeguard against phishing and other forms of account takeover, as well as a solid way to prevent unauthorized access.
However, not all MFA methods are equal; some are considerably more secure than others. The most secure methods involve a factor that is separate from the device being used to log in, such as a hardware security key.
Ensuring compliance with the requirements of the Essential Eight Multi-Factor Authentication control
MFA should protect all remote access. Given that today's workforce routinely works remotely, this is more important than ever.
For the strongest protection, at least two of the following authentication methods should be required:
- A password or passphrase of at least 6 characters
- A U2F (Universal 2nd Factor) security key
- A token that generates one-time passwords on demand
ASD also recommends the following multi-factor authentication controls:
- Apply multi-factor authentication to all privileged accounts
- Require multi-factor authentication for all access to critical assets
Daily Backups
This is the eighth and last control in the Essential Eight, and the last line of defense in the lifecycle of a cyber attack. Even if an attacker gets past the other seven controls, the damage can still be contained provided a clean backup of every affected file can be restored in a timely manner.
Australian organizations should put in place a data backup policy that includes daily backups, together with controls that prevent backups from being modified or deleted without authorization.
Ensuring compliance with the requirements of the Essential Eight Daily Backups Control
In case a threat gets past the other seven controls, the Australian Signals Directorate advises the following controls so that Australian organizations keep a persistent and uncorrupted backup of all valuable data:
- Data backup policies must be created and implemented.
- Two separate data backup processes should be established.
- A primary and a secondary data restoration process need to be put in place.
- At a minimum, full restoration should be tested when the backup system is first implemented and again whenever there are significant changes to the IT infrastructure.
- A partial restoration test should be performed at least once every three months.
- Backups must be taken daily, especially of data and configuration that cannot be lost.
- Several copies of backups should be kept in different locations to avoid a single point of failure.
- All backups should be retained for at least three months.
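The requirements above can be checked mechanically against a backup catalog. The following added example, not ASD's tooling, does so for a constructed catalog, restoration-test history and infrastructure-change list. The 30-day window used for the daily-backup check is an assumption; the 90-day limits for the partial restoration test and for retention follow the quarterly and three-month wording above.

```python
"""Checking a backup catalog against the daily backup, multi-location, retention and
restoration-testing requirements listed above.

Added example, not ASD's tooling. The catalog, restoration-test history and
infrastructure-change dates are constructed; the 30-day window used for the
daily-backup check is an assumption.
"""
from datetime import date, timedelta


def check_backups(backups, restore_tests, infra_changes, today,
                  window_days=30, retention_days=90, partial_test_days=90):
    """backups: (date, location) pairs; restore_tests: (date, 'partial'|'full') pairs;
    infra_changes: dates of significant IT infrastructure changes.
    Returns a list of findings; an empty list means every requirement is met."""
    findings = []
    days_with_backup = {d for d, _ in backups}

    # daily backups over the recent window
    for n in range(window_days):
        day = today - timedelta(days=n)
        if day not in days_with_backup:
            findings.append(f"no backup on {day}")

    # several copies in different locations
    if len({loc for _, loc in backups}) < 2:
        findings.append("backups held in a single location")

    # retention of at least three months
    oldest = min(days_with_backup)
    if (today - oldest).days < retention_days:
        findings.append(f"oldest backup {oldest} is younger than the {retention_days}-day retention period")

    # partial restoration tested quarterly
    partial = [d for d, kind in restore_tests if kind == "partial"]
    last_partial = max(partial, default=None)
    if last_partial is None or (today - last_partial).days > partial_test_days:
        findings.append(f"partial restoration last tested {last_partial} (quarterly test overdue)")

    # full restoration tested at implementation and after every significant change
    full = [d for d, kind in restore_tests if kind == "full"]
    last_change = max(infra_changes, default=None)
    if not full:
        findings.append("full restoration never tested")
    elif last_change is not None and max(full) < last_change:
        findings.append(f"no full restoration test since infrastructure change on {last_change}")
    return findings


# Constructed catalog: daily on-site backups for 122 days except one missed day,
# weekly off-site copies, an old restoration-test history and a recent infrastructure change.
TODAY = date(2024, 6, 30)
MISSED = date(2024, 6, 15)
BACKUPS = [(TODAY - timedelta(days=n), "onsite") for n in range(122)
           if TODAY - timedelta(days=n) != MISSED]
BACKUPS += [(TODAY - timedelta(weeks=n), "offsite") for n in range(18)]
RESTORE_TESTS = [(date(2024, 1, 15), "full"), (date(2024, 2, 10), "partial")]
INFRA_CHANGES = [date(2024, 5, 1)]


def compliant_variant():
    """The same catalog with the missed day backed up and recent restoration tests."""
    tests = [(date(2024, 5, 2), "full"), (date(2024, 6, 1), "partial")]
    return check_backups(BACKUPS + [(MISSED, "onsite")], tests, INFRA_CHANGES, TODAY)


if __name__ == "__main__":
    for finding in check_backups(BACKUPS, RESTORE_TESTS, INFRA_CHANGES, TODAY):
        print(finding)
    print("compliant variant findings:", compliant_variant())
```

On the constructed catalog the check reports the missed day, the stale partial restoration test, and the absence of a full restoration test since the infrastructure change; the retention and multi-location requirements are met.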
How Wallarm Can Help With These Strategies
Wallarm is a top choice for protecting APIs and applications. As an attack surface monitoring tool, it gives Australian organizations a fighting chance against data breaches and leaks while they work toward Essential Eight compliance. Wallarm provides ongoing security and technical support to all subscription customers, ensuring that your API security program runs efficiently and keeps pace with the constantly expanding threat landscape. A highly specialized SOC staffed by experienced API security experts provides around-the-clock support for its products and services, and all clients have access to its threat hunting, security monitoring, and incident analysis and response teams.
When it comes to protecting APIs and apps, Wallarm is a top choice. Wallarm is an attack surface monitoring tool that gives Australian organizations a fighting chance against data breaches and leaks on this essential eight compliance. Wallarm provides ongoing security and technical support to all subscription customers, ensuring that your API security program performs efficiently and keeps pace with the constantly expanding threat landscape. A highly specialized SOC staffed by knowledgeable API security experts provides around-the-clock support for their products and services. All of the clients have access to their threat hunting, security monitoring, and incident analysis and response teams.