ACSC introduces Essential Eight zero level cyber maturity and aligns levels to tradecraft
“The Essential Eight Maturity Model now prioritises the implementation of all eight mitigation strategies as a package due to their complementary nature and focus on various cyber threats,” the ACSC said.
“Organisations should fully achieve a maturity level across all eight mitigation strategies before moving to achieve a higher maturity level.”
The ACSC now states that the maturity model is focused on “Windows-based internet-connected networks”, and while it could be applied to other environments, other “mitigation strategies may be more appropriate”.
Compared to its last release, the maturity model adds a new maturity level zero, which is defined as environments with weaknesses that cannot prevent commodity attacks in level one, and the levels are aligned to cyber tradecraft and tactics used.
“Depending on an adversary’s overall capability, they may exhibit different levels of tradecraft for different operations against different targets. For example, an adversary capable of advanced tradecraft may use it against one target while using basic tradecraft against another,” the guide states.
“As such, organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.”
Attacks within maturity level one include those using publicly-available attacks in a spray-and-pray fashion to gain any victim they can, while those at maturity level two will invest more time in a target and tooling.
“These adversaries will likely employ well-known tradecraft in order to better attempt to bypass security controls implemented by a target and evade detection,” the guide says.
“This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication.”
At the highest level, maturity level three, the attacks are not as reliant on public exploits, will move laterally through networks once access has been gained, and can undertake tasks like stealing authentication tokens. The guide does warn that even the best cyber protections may not be enough.
“Maturity level three will not stop adversaries that are willing and able to invest enough time, money and effort to compromise a target,” it says.
“As such, organisations still need to consider the remainder of the mitigation strategies from the Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.”
Digging into the levels
While the guide has the same overall headings as its previous iteration, many of the details have changed, becoming more precise while also reducing various timeframe recommendations.
Of particular note for level three is the constant recommendation of centralised logging across systems, ensuring logs cannot be changed, and that they are used in the event of a cyber incident.
Under application control, maturity level one calls for “execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications, and control panel applets” to be prevented on workstations within user profiles and temp folders. The next level up sees this extended to internet-facing servers and the executables white-listed. At level three, the restrictions include all servers as well as whitelisting drivers, using Microsoft’s block rules, and validating the whitelist.
For patching applications, the level one recommendations now drop the patching of apps on internet-facing servers down to two weeks, or 48 hours if an exploit exists — for workstation software, the deadline is a month. The ACSC is also recommending the use of vulnerability scanners daily on internet-facing servers, and fortnightly otherwise.
“Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed,” the level one recommendation states.
At level two, the workstation app patch deadline drops to two weeks, while all other updates get a month-long deadline. Also at level two, vulnerability scanning should occur at least weekly on workstations, and fortnightly for all other parts of the network. At the highest level, any unsupported application is removed, and workstation patching drops to 48 hours if an exploit exists.
Patching for operating systems has the same timelines and recommendations for vulnerability scanning, with the inclusion at level three of only using the latest, or immediately previous release, of a supported operating system.
The ACSC has also recommended for macros to be disabled for users without a business case, macros in downloaded files to be blocked, antivirus solutions to scan macros, and macro security to not be allowed to be changed by users. Level two sees macros blocked from Win32 API calls, and attempted marco executions logged. For level three, macros need to run from within a sandbox or trusted location and need to be validated and digitally signed by trusted publishers that occupy a list that is reviewed at least annually.
Under application hardening, as well as the 2017 recommendations to block ads and Java in browsers, the ACSC adds that users cannot change security settings and IE 11 cannot process content from the net. Level two sees Office and PDF software banned from making child processes, while also being blocked from creating executables, injecting code into other processes, or activating OLE packages. Any blocked PowerShell scripts executions need to be logged, and Office and PDF software security settings cannot be changed.
Internet Explorer 11, NET Framework 3.5 and lower, and PowerShell 2.0 are disabled or removed at level three. PowerShell could also be configured to use Constrained Language Mode, ACSC states.
Looking at restricting admin privileges, the guide now says privileged accounts, except for privileged service accounts, should be prevented from accessing the internet and run only in a privileged environment that does not allow unprivileged logging on. At level two, access to privileged systems is disabled after a year unless reauthorised, and is removed after 45 days of inactivity. The ACSC added that privileged environments cannot be visualised on unprivileged systems, admin activities should use jump servers, use and changes to privileged accounts should be logged, and credentials are unique and managed.
At level three, the privileged service accounts exception is removed, just-in-time administration is used, privilege access is restricted only to what users need, and Windows Defender Credential Guard and Windows Defender Remote Credential Guard are used.
Multi-factor authentication (MFA) is recommended on third-party services that use an organisation’s data, and on a entity’s internet-facing servers. This increases to recommending MFA for privileged users and logging all MFA interactions at level two; for level three, it is expanded to include “important data repositories” and ensuring MFA is “verifier impersonation resistant “.
On backups, the prior monthly recommendation is dropped in favour of “a coordinated and resilient manner in accordance with business continuity requirements”, and timeframes for testing recovery from backup and holding backup data are dropped. Added as a recommendations is ensuring unprivileged users have read-only access to their own backups. At level two, the read-only access is extended to privileged users, and at level three only backup administrators can read backups, and only “backup break glass accounts” are capable of modifying or deleting backups.