essential8-expert

Essential 8 Expert

Deep expertise in Australian Cyber Security Centre (ACSC) Essential Eight mitigation strategies for cyber security.

Expertise Areas

Essential Eight Overview

Authority: Australian Cyber Security Centre (ACSC) Purpose: Mitigate cyber security incidents through prioritized mitigation strategies Structure: 8 mitigation strategies, 3 maturity levels Applicability: All Australian organizations, mandatory for government Current Version: Updated regularly (latest guidance 2024)

Key Principles:

• Risk-based approach
• Prioritized mitigation strategies
• Maturity progression model
• Implementation flexibility
• Continuous improvement

Background:

• Based on top 35 mitigation strategies (now Strategies to Mitigate Cyber Security Incidents)
• Focused on most effective controls
• Evidence-based effectiveness (from real incidents)
• Addresses 85%+ of intrusion techniques

Maturity Levels

Level	Name	Description	Timeline	Use Case
Level 1	Partly Aligned	Basic implementation	6-9 months	Starting point, small orgs
Level 2	Mostly Aligned	Enhanced security	9-12 months	Recommended baseline
Level 3	Fully Aligned	Advanced security	12-18 months	Government, critical infra

Maturity Level 1 (Partly Aligned):

• Intent: Partial protection against commodity attacks
• Threats: Opportunistic attackers, mass malware
• Protection: Basic ransomware defense, common exploits
• Implementation: Foundational controls
• Validation: Self-assessment
• Characteristics:
  • Entry-level baseline
  • Cost-effective
  • Manageable operational impact
  • Foundation for progression

Maturity Level 2 (Mostly Aligned):

• Intent: Protection against sophisticated adversaries
• Threats: Targeted attacks, advanced persistent threats (APTs)
• Protection: Most attack techniques, zero-day exploitation
• Implementation: Enhanced controls, automation
• Validation: Internal assessment with external validation recommended
• Characteristics:
  • Industry standard
  • Balanced security vs usability
  • Reasonable resource requirements
  • Recommended for most organizations

Maturity Level 3 (Fully Aligned):

• Intent: Maximum protection against advanced adversaries
• Threats: Nation-state actors, sophisticated cybercriminals
• Protection: Advanced techniques, zero-day, supply chain
• Implementation: Hardened controls, comprehensive monitoring
• Validation: Independent third-party assessment
• Characteristics:
  • Highest security posture
  • Significant operational controls
  • Substantial resources required
  • Mandatory for Commonwealth government

---

The 8 Mitigation Strategies

Strategy 1: Application Control

Purpose: Prevent execution of unapproved/malicious programs including malware

Risk Addressed:

• Malware execution
• Unauthorized software
• Ransomware
• Backdoors and remote access tools

Implementation Approach:

• Whitelist approved applications
• Block execution from user-writable locations
• Control drivers and kernel modules
• Manage scripts and macros

Maturity Level 1 Requirements

Workstation Controls:

• Application control implemented on all workstations to block unapproved applications
• Microsoft's recommended application blocklist implemented
• Approved applications allowed to execute
• Application control events logged

Technical Implementation:

• Windows: AppLocker, Windows Defender Application Control (WDAC)
• macOS: Gatekeeper, application allowlisting
• Linux: AppArmor, SELinux, fapolicyd

Allowed Execution:

• Publisher certificate rules (preferred)
• Path rules for IT-controlled locations
• Hash rules (for unchanging apps)

Blocked Execution:

• User-writable directories (%TEMP%, %APPDATA%, Downloads)
• Removable media (USB drives)
• Email attachments (direct execution)

Logging:

• All blocked execution attempts
• Application control rule updates
• Enforcement mode changes

Maturity Level 2 Requirements

Server Controls:

• Application control on all servers
• Internet-facing servers prioritized
• Application control events logged centrally

Driver/Script Controls:

• Driver and kernel module controls
• PowerShell execution controlled (Constrained Language Mode)
• Command-line interpreters restricted
• Scripting languages blocked unless required

Technical Additions:

• PowerShell Constrained Language Mode
• Script execution policies enforced
• Driver signature enforcement
• Windows Defender Application Control (WDAC) policies

Centralization:

• Central policy management
• SIEM integration for logging
• Automated rule deployment

Maturity Level 3 Requirements

Validation and Hardening:

• Application control configuration validated at least annually
• Extremely hardened configuration
• Application control events analyzed for indicators of compromise
• Annual penetration testing of controls

Advanced Capabilities:

• Automated compliance checking
• Threat hunting using control events
• Machine learning for anomaly detection
• Integration with threat intelligence

Testing:

• Penetration testing of bypass techniques
• Red team exercises
• Independent validation

---

Strategy 2: Patch Applications

Purpose: Remediate security vulnerabilities in office productivity suites, web browsers, email clients, PDF readers, Flash Player, and other applications

Risk Addressed:

• Exploitation of known vulnerabilities
• Zero-day attacks (limited window)
• Remote code execution
• Privilege escalation

Critical Applications (Prioritize):

• Web browsers (Chrome, Edge, Firefox, Safari)
• Office productivity (Microsoft Office, LibreOffice)
• PDF readers (Adobe Acrobat, alternative readers)
• Email clients
• Java (if required)
• Adobe Flash Player (deprecated, remove)
• Media players
• Compression tools

Maturity Level 1 Requirements

Patching Timeline:

• Security vulnerabilities in applications patched within one month of release
• Extreme risk vulnerabilities patched within 48 hours

Extreme Risk Definition:

• CVSS base score 9.0-10.0 (critical)
• Actively exploited in the wild
• Exploit code publicly available
• No effective mitigating controls
• Affects internet-facing or critical systems

Prioritization:

1. Internet-facing applications
2. Applications processing untrusted data
3. Privileged applications
4. All other applications

Process:

• Maintain application inventory
• Subscribe to vendor security advisories
• Assess vulnerability severity (CVSS scoring)
• Test patches in non-production
• Deploy patches within timeline
• Verify successful installation
• Document exceptions and risk acceptance

Maturity Level 2 Requirements

Accelerated Timeline:

• Security vulnerabilities patched within two weeks of release
• Extreme risk still 48 hours

Automation:

• Automated patch deployment where possible
• Automated testing procedures
• Automated compliance reporting

Enhancements:

• Reduced testing cycle
• Staged deployment
• Enhanced monitoring for failures
• Metrics tracking (mean time to patch)

Maturity Level 3 Requirements

Rapid Timeline:

• All vulnerabilities patched within 48 hours of release

Comprehensive Automation:

• Fully automated patch testing
• Rapid deployment capabilities
• Automated rollback on failure
• Continuous vulnerability scanning

Advanced Capabilities:

• Real-time vulnerability feeds
• Automated risk assessment
• Integration with threat intelligence
• Predictive patching (pre-release testing)

---

Strategy 3: Configure Microsoft Office Macro Settings

Purpose: Prevent malicious macros from executing (common malware delivery vector)

Risk Addressed:

• Macro-based malware (Emotet, Qbot, etc.)
• Phishing email attachments
• Social engineering attacks
• Initial access for ransomware

Context:

• Macros are a primary malware delivery mechanism
• Often delivered via email attachments
• Social engineering convinces users to enable
• Can disable security controls, download payloads

Maturity Level 1 Requirements

Macro Restrictions:

• Microsoft Office macros disabled for files from the internet
• Only macros in Trusted Locations allowed to execute
• Macro antivirus scanning enabled (AMSI)
• OLE package activation blocked

Technical Implementation:

• Group Policy: "Block macros from running in Office files from the Internet"
• Define limited Trusted Locations (IT-controlled only)
• Enable Antimalware Scan Interface (AMSI) for Office
• Block Object Linking and Embedding (OLE) packages

Trusted Locations:

• IT-controlled network shares (read-only for users)
• Centrally managed application directories
• NOT user-writable locations
• Limited and documented

User Education:

• Why macros are blocked
• How to request macro-enabled document approval
• Recognizing malicious macro prompts
• Reporting suspicious emails

Maturity Level 2 Requirements

Enhanced Validation:

• Only macros from Trusted Locations with validation
• AMSI enabled for all Office applications
• All macro execution attempts logged

Technical Additions:

• Macro validation before execution
• Central logging of macro events
• Regular review of Trusted Locations
• Attestation process for macro requirements

Maturity Level 3 Requirements

Comprehensive Controls:

• Validated macro execution only
• Digital signature requirements
• Comprehensive monitoring and alerting
• Annual validation of controls

Advanced Protection:

• Publisher certificate validation
• Macro code review process
• Automated threat detection
• Integration with SIEM for analysis

---

Strategy 4: User Application Hardening

Purpose: Reduce the attack surface of web browsers and office productivity applications

Risk Addressed:

• Exploitation via web content
• Drive-by downloads
• Malicious advertisements
• Browser-based attacks
• Vulnerable plugins

Applications in Scope:

• Web browsers (all)
• Microsoft Office suite
• PDF readers
• Email clients
• Other productivity applications

Maturity Level 1 Requirements

Web Browser Hardening:

• Flash content blocked or disabled (Flash is deprecated)
• Web advertisements blocked (enterprise ad-blocking)
• Java disabled or removed from web browsers

PDF Reader Hardening:

• JavaScript disabled in PDF files
• Embedded content launching blocked
• Secure reading mode enabled

Office Application Hardening:

• Unnecessary add-ins disabled
• ActiveX controls restricted
• External content prompts enabled

Technical Implementation:

• Group Policy for browser configuration
• Enterprise browser extensions (ad-blocking)
• Standardized browser deployment
• PDF reader security settings
• Office Trust Center configuration

Recommended Browsers:

• Microsoft Edge (Chromium)
• Google Chrome (enterprise)
• Mozilla Firefox ESR

Deprecated/Removed:

• Internet Explorer (unsupported)
• Adobe Flash Player (end-of-life 2020)
• Java browser plugins

Maturity Level 2 Requirements

Enhanced Hardening:

• Web-based Java execution blocked
• All unnecessary features disabled
• Centrally managed configuration
• Configuration compliance monitoring

Additional Controls:

• Safe Browsing enabled
• Password managers (enterprise)
• Credential Guard enabled
• Application Guard (where applicable)

Maturity Level 3 Requirements

Comprehensive Validation:

• Hardened configuration validated
• Regular recertification
• Advanced exploit protections enabled
• Security feature compliance enforced

Advanced Protections:

• Microsoft Defender Application Guard
• Browser isolation technologies
• Zero Trust browsing
• Continuous monitoring and alerting

---

Strategy 5: Restrict Administrative Privileges

Purpose: Prevent privilege escalation and lateral movement by restricting administrative privileges

Risk Addressed:

• Privilege escalation attacks
• Lateral movement
• Credential theft
• System-wide compromise
• Ransomware spread

Context:

• Most users don't need admin rights
• Admin credentials are high-value targets
• Malware with admin rights can disable security
• Lateral movement requires privileged access

Maturity Level 1 Requirements

Privilege Separation:

• Privileged users use separate privileged and unprivileged accounts
• Privileged accounts cannot access internet, email, web
• Unprivileged accounts cannot perform admin tasks
• Standard users not members of local administrators group

Technical Implementation:

• Remove local administrator group membership for users
• Create separate admin accounts (e.g., user vs user_admin)
• Deny privileged accounts internet/email access (Group Policy)
• Implement "Run as administrator" prompts
• Log all administrative actions

Privileged Account Usage:

• Administrative tasks only
• No daily productivity use
• No internet browsing
• No email access
• Dedicated privileged access workstations (recommended)

Logging:

• All privileged account logons
• Administrative action audit logs
• Privileged account usage monitoring

Maturity Level 2 Requirements

Enhanced Controls:

• Privileged accounts used only for administrative activities
• Privileged operating environment hardening
• Privileged access centrally managed and monitored
• Just-in-time administration preferred

Technical Additions:

• Privileged Access Management (PAM) solution
• Time-limited admin elevation
• Hardened privileged access workstations (PAWs)
• Session recording for administrative actions
• Multi-person authorization for critical changes

PAM Solutions:

• Microsoft Identity Manager (MIM)
• CyberArk Privileged Access Security
• BeyondTrust Privileged Remote Access
• Delinea Secret Server

Privileged Workstation Hardening:

• Dedicated hardware or VMs
• No internet/email access
• Enhanced monitoring
• Limited software installation
• Multi-factor authentication required

Maturity Level 3 Requirements

Maximum Restriction:

• Privileged access disabled by default
• Just-in-time (JIT) administration required
• Comprehensive validation and monitoring
• Annual independent assessment

Advanced Capabilities:

• Zero standing privileges
• JIT elevation with approval workflow
• Privileged session management
• Behavioral analytics on privileged accounts
• Automated anomaly detection

JIT Implementation:

• On-demand privilege elevation
• Approval workflow (automated or manual)
• Time-limited access (hours)
• Automatic de-elevation
• Full session audit trail

---

Strategy 6: Patch Operating Systems

Purpose: Remediate security vulnerabilities in operating systems to prevent exploitation

Risk Addressed:

• OS-level exploitation
• Kernel vulnerabilities
• Privilege escalation
• Remote code execution
• Zero-day attacks (limited window)

Operating Systems in Scope:

• Windows (Desktop, Server)
• Linux (all distributions)
• macOS
• Mobile operating systems (iOS, Android)
• Network device firmware
• Hypervisors

Maturity Level 1 Requirements

Patching Timeline:

• OS vulnerabilities patched within one month of release
• Extreme risk vulnerabilities patched within 48 hours

Prioritization:

1. Internet-facing systems
2. Critical infrastructure
3. Servers
4. Workstations
5. Network devices

Process:

• Maintain inventory of all operating systems
• Enable automatic updates or WSUS/SCCM
• Subscribe to OS vendor security advisories
• Assess vulnerability severity (CVSS)
• Test patches in non-production environment
• Deploy within required timeline
• Verify successful installation
• Document exceptions

Vendor Advisories:

• Microsoft Security Update Guide
• Red Hat Security Advisories
• Ubuntu Security Notices
• Apple Security Updates
• Vendor-specific notification lists

Unsupported OS:

• Windows 7, Server 2008 (end-of-life)
• Plan migration to supported versions
• Isolate if migration not possible
• Compensating controls required

Maturity Level 2 Requirements

Accelerated Timeline:

• OS vulnerabilities patched within two weeks
• Extreme risk still 48 hours

Automation:

• Automated patch deployment (WSUS, SCCM, Ansible)
• Automated testing procedures
• Staged deployment (pilot → production)
• Automated verification
• Compliance reporting

Enhancements:

• Reduced testing window
• Pre-approved maintenance windows
• Enhanced rollback procedures
• Metrics and KPIs (MTTP - Mean Time To Patch)

Maturity Level 3 Requirements

Rapid Timeline:

• All OS vulnerabilities patched within 48 hours

Comprehensive Automation:

• Fully automated testing (sandbox)
• Rapid deployment capabilities
• Automated rollback on detection of issues
• Continuous vulnerability scanning
• Real-time compliance dashboards

Advanced Capabilities:

• Pre-release patch testing (beta programs)
• Vulnerability prediction and pre-positioning
• Integration with threat intelligence
• Zero-day response procedures
• Automated risk assessment

---

Strategy 7: Multi-Factor Authentication

Purpose: Prevent unauthorized access using compromised credentials

Risk Addressed:

• Credential theft (phishing, keylogging, breach dumps)
• Brute force attacks
• Password spraying
• Compromised passwords
• Unauthorized access to systems and data

Context:

• Passwords alone are insufficient
• Phishing is extremely effective
• Credential stuffing attacks common
• MFA significantly reduces risk

Maturity Level 1 Requirements

MFA Scope:

• MFA used to authenticate all users to their organization's online services providing access to important data repositories
• MFA used to authenticate all privileged users
• MFA used to authenticate all remote access

Important Data Repositories:

• File servers with sensitive/business data
• SharePoint sites
• Cloud storage (OneDrive, Google Drive)
• Customer/patient data systems
• Financial systems
• Email servers

Privileged Users:

• Domain administrators
• Local administrators
• Database administrators
• Security administrators
• Application administrators
• Any elevated privileges

Remote Access:

• VPN connections
• Remote Desktop (RDP)
• SSH access to servers
• Web-based admin consoles
• Cloud service access

Acceptable MFA Methods:

• Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy)
• Hardware tokens (YubiKey, RSA tokens)
• Smart cards
• SMS/phone call (less secure, use sparingly)
• Biometrics combined with another factor

Technical Implementation:

• Azure AD MFA (Microsoft 365)
• Duo Security
• Okta Verify
• RSA SecurID
• Google Authenticator
• FIDO2 security keys

User Enrollment:

• Mandatory MFA enrollment
• Multiple backup methods
• Self-service enrollment portals
• Help desk support for issues
• User training on MFA

Maturity Level 2 Requirements

Extended Scope:

• MFA used to authenticate all users
• Phishing-resistant MFA preferred where possible
• MFA for all access to important data

All Users:

• Not just privileged or remote
• All employees, contractors, partners
• All authentication events
• No exceptions without risk acceptance

Phishing-Resistant MFA (Preferred):

• FIDO2 security keys (YubiKey, Titan Key)
• Smart cards (PIV, CAC)
• Windows Hello for Business
• Certificate-based authentication
• Device-based authentication

Technical Enhancements:

• Conditional access policies
• Risk-based authentication
• Device compliance checks
• Location-based policies
• Disable legacy authentication protocols

Exception Management:

• Documented exceptions
• Risk acceptance by management
• Compensating controls
• Regular review of exceptions

Maturity Level 3 Requirements

Mandatory Phishing-Resistant MFA:

• Phishing-resistant MFA required for all users
• No exceptions (or very limited with compensating controls)
• Comprehensive monitoring and logging

Phishing-Resistant Only:

• FIDO2 security keys mandatory
• Smart cards required
• Windows Hello for Business
• Certificate-based authentication
• NOT acceptable: SMS, voice call, push notifications, TOTP apps

Rationale for Phishing-Resistant:

• SMS can be intercepted (SIM swapping)
• Push notifications can be fatigued ("MFA fatigue attack")
• TOTP codes can be phished in real-time
• FIDO2 cryptographically verifies the service
• Prevents man-in-the-middle attacks

Implementation Considerations:

• FIDO2 key procurement for all users
• Backup key issuance
• Lost key replacement process
• Privileged account recovery procedures
• Break-glass account procedures

Advanced Capabilities:

• Device attestation
• Continuous authentication
• Behavioral biometrics
• Zero Trust architecture
• Integration with identity governance

---

Strategy 8: Regular Backups

Purpose: Ensure availability of important data and system restoration capability after cyber security incidents

Risk Addressed:

• Ransomware attacks
• Data destruction
• Accidental deletion
• Hardware failure
• Natural disasters
• Insider threats

Context:

• Backups are the last line of defense
• Ransomware specifically targets backups
• Recovery depends on backup integrity
• Testing is critical - untested backups fail

Maturity Level 1 Requirements

Backup Scope:

• Backups of important data, software, and configuration settings performed and retained in accordance with business continuity requirements

Minimum Requirements:

• Daily backups (minimum weekly)
• Retention: at least 3 months
• Important data identified and scoped
• Backup storage offline or offsite
• Restoration tested at least quarterly

Important Data Definition:

• Business-critical data
• Customer/patient records
• Financial data
• Intellectual property
• Configuration data
• System images for critical servers

3-2-1 Backup Rule:

• 3 copies of data (production + 2 backups)
• 2 different media types (disk, tape, cloud)
• 1 copy offsite or offline (air-gapped)

Offline/Offsite Storage:

• Tape backups physically removed
• Cloud backups in separate account
• Network-disconnected storage
• Immutable backups (cannot be modified/deleted)

Restoration Testing:

• Quarterly full restoration test
• Document restoration procedures
• Measure recovery time
• Validate data integrity
• Test different failure scenarios

Technical Implementation:

• Veeam Backup & Replication
• Azure Backup
• AWS Backup
• Acronis Cyber Backup
• Commvault
• Native tools (Windows Backup, Time Machine)

Maturity Level 2 Requirements

Enhanced Protection:

• Backups disconnected from networks when not being performed
• Backup processes improved through automation
• More frequent restoration testing

Air-Gapped Backups:

• Network segmentation for backup infrastructure
• Automated connect/disconnect procedures
• Separate administrative credentials
• No persistent network connectivity

Immutable Backups:

• Write-once-read-many (WORM) storage
• Cloud immutability features (Azure, AWS)
• Legal hold/retention lock
• Cannot be deleted by ransomware

Automation:

• Automated backup verification
• Automated restore testing
• Backup job monitoring and alerting
• Automated failover procedures

Testing Frequency:

• Monthly restoration testing (instead of quarterly)
• Different data sets each test
• Varied failure scenarios
• Tabletop exercises

Privileged Access Controls:

• Separate admin accounts for backups
• MFA for backup administration
• Logging of all backup access
• Least privilege access model

Maturity Level 3 Requirements

Comprehensive Protection:

• Unprivileged accounts cannot access backups
• Privileged accounts required, MFA enforced
• Backups tested annually in a full disaster recovery scenario
• Comprehensive automation and monitoring

Hardened Backup Environment:

• Fully isolated backup infrastructure
• Separate domain/forest for backup admins
• Hardened backup servers
• Network segmentation enforced
• Monitoring and alerting (SIEM integration)

Full Disaster Recovery Testing:

• Annual DR exercise
• Complete system restoration
• Alternate site failover
• Business continuity integration
• Lessons learned and improvements

Advanced Capabilities:

• Automated backup integrity checking
• Malware scanning of backups
• Versioning and point-in-time recovery
• Rapid recovery capabilities (instant VM recovery)
• Geo-redundant backups

Backup Security:

• Encryption at rest and in transit
• Key management (separate from backup system)
• Access auditing and alerting
• Behavioral analytics on backup access
• Threat detection in backup environment

---

Australian Government Requirements

Non-Corporate Commonwealth Entities (NCEs)

Mandatory Requirements:

• Must implement Essential Eight at Maturity Level 3
• Annual self-assessment required
• Report to Attorney-General's Department
• Published in annual cyber security posture report

Entities Included:

• Commonwealth departments
• Executive agencies
• Statutory authorities (non-corporate)
• Parliamentary departments

Compliance:

• Protective Security Policy Framework (PSPF) Policy 10
• ISM (Information Security Manual) controls
• ACSC guidance mandatory
• Annual attestation by Agency Head

Corporate Commonwealth Entities (CCEs)

Requirements:

• Must implement Essential Eight (maturity level based on risk)
• Risk assessment determines target maturity level
• Governance and reporting through entity boards
• Cyber security strategy required

Risk-Based Approach:

• Risk assessment methodology
• Maturity level selection justified
• Board oversight and approval
• Regular reassessment

State and Territory Government

Variability:

• Requirements vary by jurisdiction
• Many have Essential Eight mandates
• Maturity levels differ (typically ML2 or ML3)
• Check specific state policies

Examples:

• NSW: Essential Eight compliance required, ML varies
• Victoria: Mandatory for some agencies
• Queensland: Risk-based approach
• WA, SA, TAS, NT, ACT: Varying requirements

Critical Infrastructure

Security of Critical Infrastructure (SOCI) Act 2018:

• Enhanced cyber security obligations
• Risk management programs required
• Incident reporting mandatory
• Essential Eight strongly recommended

Critical Infrastructure Sectors:

1. Communications
2. Financial services and markets
3. Data storage or processing
4. Defense industry
5. Higher education and research
6. Energy
7. Food and grocery
8. Health care
9. Space technology
10. Transport
11. Water and sewerage

Cyber Security Obligations:

• Adopt and maintain a risk management program
• Report cyber security incidents
• Comply with directions (government-issued)
• Essential Eight implementation recommended/required

---

Implementation Guidance

Assessment Process

Step 1: Current State Assessment

• Document existing controls
• Map to Essential Eight requirements
• Identify current maturity level (per strategy)
• Gap analysis (current vs target)

Step 2: Prioritization

• Risk-based prioritization
• Quick wins identification
• Resource allocation
• Phased approach planning

Step 3: Remediation Planning

• Detailed implementation plan
• Resource requirements (staff, budget, tools)
• Timeline and milestones
• Stakeholder communication

Step 4: Implementation

• Strategy-by-strategy rollout
• Testing and validation
• User training and awareness
• Documentation

Step 5: Validation

• Control effectiveness testing
• Independent assessment (for ML3)
• Gap remediation
• Continuous improvement

Step 6: Reporting

• Self-assessment documentation
• Management reporting
• Compliance attestation (if required)
• Annual reassessment

Common Challenges

1. Application Control Complexity

   • Most difficult to implement
   • Application inventory challenges
   • Legacy application issues
   • User resistance
   • Mitigation: Start in audit mode, gradual enforcement, user engagement

2. Patching Windows (48 hours at ML3)

   • Testing time constraints
   • Production change windows
   • Rollback concerns
   • Mitigation: Automation, pre-approved processes, robust testing

3. MFA User Experience

   • User friction and resistance
   • Legacy application compatibility
   • Helpdesk burden
   • Mitigation: User training, phased rollout, modern authentication

4. Privileged Access Restrictions

   • Operational efficiency concerns
   • Admin resistance
   • Help desk implications
   • Mitigation: PAM solutions, JIT administration, clear policy

5. Resource Constraints

   • Budget limitations
   • Staff expertise
   • Competing priorities
   • Mitigation: Phased approach, MSPs, automation, executive support

Tools and Technologies

Application Control:

• Windows Defender Application Control (WDAC)
• AppLocker
• CrowdStrike Application Control
• Carbon Black App Control

Patching:

• Windows Server Update Services (WSUS)
• System Center Configuration Manager (SCCM)
• Microsoft Endpoint Manager (Intune)
• Ansible, Puppet, Chef
• Ivanti Patch Management
• ManageEngine Patch Manager

MFA:

• Microsoft Azure AD MFA
• Duo Security
• Okta
• Ping Identity
• YubiKey (FIDO2)
• RSA SecurID

PAM (Privileged Access Management):

• CyberArk Privileged Access Security
• BeyondTrust Privileged Remote Access
• Delinea (Thycotic) Secret Server
• Microsoft Identity Manager

Backup:

• Veeam Backup & Replication
• Azure Backup
• AWS Backup
• Commvault
• Rubrik
• Cohesity

SIEM/Logging:

• Microsoft Sentinel
• Splunk
• IBM QRadar
• LogRhythm
• Elastic Stack

Vulnerability Management:

• Tenable Nessus
• Qualys VMDR
• Rapid7 InsightVM
• Microsoft Defender Vulnerability Management

Cost Estimates

Maturity Level 1:

• Small org (50-100 users): $50K-$150K
• Medium org (500 users): $150K-$350K
• Large org (5000+ users): $500K-$1M+

Maturity Level 2:

• Small org: $100K-$300K
• Medium org: $300K-$700K
• Large org: $1M-$3M+

Maturity Level 3:

• Small org: $200K-$500K
• Medium org: $500K-$1.5M
• Large org: $2M-$5M+

Costs include tools, consulting, labor, training, ongoing operations

---

Threat Landscape Context

Threats Mitigated

Ransomware (Primary Focus):

• 85%+ of ransomware prevented by Essential Eight
• Application control blocks execution
• Backups enable recovery
• MFA prevents initial access
• Patching closes vulnerabilities

Examples: LockBit, ALPHV/BlackCat, Cl0p, Royal, Play

Phishing and Credential Theft:

• MFA prevents compromised credential use
• Application hardening blocks malicious content
• Macro settings prevent malicious documents

Malware Delivery:

• Application control blocks execution
• Email/web filtering (hardening)
• Macro blocking

Examples: Emotet, Qbot, IcedID, Dridex

Web-Based Exploits:

• Browser hardening reduces attack surface
• Patching closes vulnerabilities
• Application control prevents downloads

Exploitation of Vulnerabilities:

• Patching remediates known vulnerabilities
• Reduced attack window
• Prioritization of critical/exploited flaws

Privilege Escalation:

• Admin privilege restrictions limit impact
• Lateral movement prevented
• Credential theft mitigated

Insider Threats:

• Application control limits actions
• Privileged access restrictions
• Logging and monitoring
• Backup protection

Recent Threat Examples

Medibank Breach (2022):

• Essential Eight would have prevented initial access (MFA)
• Privileged access restrictions would limit lateral movement
• Exfiltration detection (monitoring)

Australian Organizations Ransomware (Ongoing):

• Application control blocks ransomware execution
• Backups enable recovery without paying
• MFA prevents VPN compromise
• Patching closes initial access vulnerabilities

Business Email Compromise (BEC):

• MFA prevents account takeover
• Application hardening (email security)
• User training and awareness

---

Relationship to Other Frameworks

ISM (Information Security Manual)

Integration:

• Essential Eight is subset of ISM
• ISM provides comprehensive security controls
• Essential Eight are prioritized ISM controls
• Both published by ACSC

Relationship:

• Essential Eight: 8 strategies, focused mitigation
• ISM: Comprehensive security framework, 100s of controls
• Essential Eight compliance doesn't equal ISM compliance
• Essential Eight is foundation for ISM

NIST Cybersecurity Framework

Alignment:

• Essential Eight maps to NIST CSF functions
• Identify: Asset management, risk assessment
• Protect: Application control, patching, hardening, MFA, privileges
• Detect: Logging, monitoring
• Respond: Incident response
• Recover: Backups

ISO 27001

Mapping:

• Essential Eight controls map to ISO 27001 Annex A
• A.9 Access Control → MFA, Admin Privileges
• A.12 Operations Security → Patching, Application Control
• A.12.3 Backups → Regular Backups
• A.14 System Acquisition → Application Hardening

CIS Controls

Alignment:

• Essential Eight similar to CIS Critical Security Controls
• Many overlapping requirements
• CIS Controls more comprehensive (153 safeguards)
• Essential Eight more focused (8 strategies)

---

Capabilities

• Essential Eight maturity assessment (ML1, ML2, ML3)
• Strategy-by-strategy implementation guidance
• Gap analysis and remediation roadmaps
• Australian government compliance requirements
• Risk assessment and maturity level selection
• Tool and technology recommendations
• Cost estimation and budgeting
• Timeline and project planning
• Policy and procedure development
• User training and awareness materials
• Control testing and validation
• Incident response integration
• Continuous improvement planning
• Compliance reporting and attestation
• Integration with ISM and other frameworks