The Australian Cyber Security Centre (ACSC) has updated its Essential Eight implementation guidance. It turns out that all of the Essential Eight strategies are essential.

Because the eight strategies complement one another and each addresses a different set of cyber threats, the Essential Eight Maturity Model prioritizes implementing all eight mitigation strategies as a package.

Organizations must fully reach a maturity level across all eight mitigation strategies before moving on to a higher maturity level.

ACSC now states that the maturity model is focused on “Windows-based Internet-connected networks” and can be applied to other environments, though in those cases other “mitigation strategies may be more appropriate.”

Compared with previous releases, the maturity model adds a new Maturity Level Zero, defined as an environment with weaknesses that leave it unable to withstand even the commodity attacks of Level 1. The levels are now aligned to the cyber tradecraft and tactics that adversaries use.

“Depending on an adversary’s overall capability, different operations may display different levels of tradecraft against different targets. For example, an adversary with advanced tradecraft may use it against one target while using basic tradecraft against a variety of other targets,” says the guide.

“Therefore, organizations need to consider what level of tradecraft and targeting they are mitigating against, rather than which adversaries.”

Maturity Level 1 adversaries use publicly available exploits in a spray-and-pray manner to acquire victims, while Maturity Level 2 adversaries are more targeted and are willing to invest more time and tooling.

“These adversaries may use well-known tradecraft to circumvent the security controls implemented by the target and evade detection,” the guide says.

“This involves actively targeting credentials using phishing and adopting technical and social engineering techniques to avoid weak multi-factor authentication.”

At the highest level, Maturity Level 3, adversaries are less dependent on public exploits and, once access is gained, can move laterally across the network and steal authentication tokens. The guide warns that even the best cyber protections may not be enough.

Maturity Level 3 will not stop adversaries who are willing and able to invest enough time, money and effort to compromise their target, it says.

Such organizations should therefore consider the remaining mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents and the Australian Government Information Security Manual.

Delving into the levels

The overall headings of the guide are the same as in the previous iteration, but many of the details have changed to be more precise, with fewer recommendations spread across different time frames.

Of particular note at Level 3 is the consistent recommendation for centralized logging across systems, with the logs protected from modification so they can be relied on in the event of a cyber incident.

Under application control, Maturity Level 1 requires preventing “the execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets” from within user profiles and temporary folders on workstations. At the next level, this extends to Internet-facing servers and requires whitelisting of executables. At Level 3, the restrictions cover all servers, add whitelisting of drivers, use Microsoft’s recommended block rules, and require validation of the whitelist.
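The Level 1 requirement above can be expressed as an AppLocker policy. The following is an added example (not code from the ACSC guide or the article): it allows execution from administrator-controlled locations, denies executables and scripts from user profiles and temp folders, and dry-runs the result against a signed Windows binary copied into the user’s temp folder. The rule names, the AuditOnly enforcement mode, the output path and the probe file are assumptions.

```powershell
# Added example, not from the ACSC guide or the article it describes. Builds
# an AppLocker policy for the Level 1 application control requirement: allow
# execution from administrator-controlled locations and block executables and
# scripts launched from user profiles and temp folders. Rule names, the
# AuditOnly mode, the output path and the probe file are assumptions.
Import-Module AppLocker

# One path rule in AppLocker's XML schema. Each rule needs a unique GUID;
# S-1-1-0 is the well-known SID for Everyone.
function New-PathRule {
    param([string]$Name, [string]$Path, [ValidateSet('Allow', 'Deny')][string]$Action)
    $id = [guid]::NewGuid().ToString()
    return @"
    <FilePathRule Id="$id" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Deny rules take precedence over allow rules, so a signed binary that a user
# copies into their profile is still blocked by path. Fresh GUIDs per call,
# because the same set is used in two rule collections.
function New-RuleSet {
    $specs = @(
        @{ Name = 'Allow Windows';       Path = '%WINDIR%\*';        Action = 'Allow' },
        @{ Name = 'Allow Program Files'; Path = '%PROGRAMFILES%\*';  Action = 'Allow' },
        @{ Name = 'Deny user profiles';  Path = '%OSDRIVE%\Users\*'; Action = 'Deny' },
        @{ Name = 'Deny Windows Temp';   Path = '%WINDIR%\Temp\*';   Action = 'Deny' }
    )
    ($specs | ForEach-Object { New-PathRule @_ }) -join "`n"
}

# AuditOnly logs what would have been blocked (event ID 8003 in the AppLocker
# "EXE and DLL" log) without disrupting users; switch to "Enabled" once the
# audit log is clean.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-RuleSet)
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
$(New-RuleSet)
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'e8-appcontrol-ml1.xml'   # assumed output path
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: notepad.exe is allowed from %WINDIR%, but a copy of the very same
# signed file in the user's temp folder is denied by path.
$probe = Join-Path $env:TEMP 'copied-notepad.exe'   # constructed test file
Copy-Item "$env:SystemRoot\System32\notepad.exe" $probe -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path "$env:SystemRoot\System32\notepad.exe", $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to this machine (the Application Identity service must be running):
# Set-AppLockerPolicy -XmlPolicy $policyPath
```

The path-based deny rules are what make the difference for the Level 1 wording: a publisher-only allowlist would still let a Microsoft-signed binary run from a user’s Downloads folder. Forwarding the 8003/8004 AppLocker events to the central log store is what lets the audit phase, and later the Level 3 whitelist validation, be done from one place.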

For patching applications, the Level 1 recommendation is to patch applications on Internet-facing servers within two weeks, or within 48 hours if an exploit exists; for workstation software the deadline is one month. ACSC recommends running a vulnerability scanner daily on Internet-facing servers and fortnightly elsewhere.

“Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed,” the Level 1 recommendations state.

At Level 2, workstation application patches have a two-week deadline, while all other updates have one month. Vulnerability scans at Level 2 should run at least weekly on workstations and fortnightly across the rest of the network. At the highest level, all unsupported applications are removed and the workstation patching deadline drops to 48 hours when an exploit exists.

Operating system patching follows the same timelines and vulnerability-scanning recommendations, and Level 3 adds a requirement to use only the latest or previous release of supported operating systems.
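The patching timeframes quoted above are easiest to apply when scanner output is checked against them automatically. The following is an added example (not from the ACSC guide or the article) that encodes those deadlines as a function and runs it over constructed findings, showing how the same finding moves from on-time to overdue as the target maturity level rises. The asset classes, the reading of “one month” as 30 days, and the finding records are assumptions.

```powershell
# Added example, not from the ACSC guide or the article. Turns the patching
# timeframes into a triage check over vulnerability scanner findings so that
# overdue items surface before a deadline lapses. Only the two asset classes
# the text gives deadlines for are modelled; "one month" is taken as 30 days.
function Get-PatchDeadlineDays {
    param(
        [ValidateSet('InternetFacingServer', 'Workstation')][string]$AssetClass,
        [bool]$ExploitExists,
        [ValidateRange(1, 3)][int]$MaturityLevel
    )
    switch ($AssetClass) {
        'InternetFacingServer' {
            # Two weeks at every level, 48 hours once a working exploit exists.
            if ($ExploitExists) { return 2 } else { return 14 }
        }
        'Workstation' {
            # One month at Level 1, two weeks at Level 2; at Level 3 the
            # 48-hour exploit deadline is extended to workstations as well.
            if ($MaturityLevel -eq 1) { return 30 }
            if ($MaturityLevel -eq 3 -and $ExploitExists) { return 2 }
            return 14
        }
    }
}

function Get-OverdueFindings {
    param([object[]]$Findings, [int]$MaturityLevel, [datetime]$Now = (Get-Date))
    foreach ($f in $Findings) {
        $days = Get-PatchDeadlineDays -AssetClass $f.AssetClass -ExploitExists $f.ExploitExists -MaturityLevel $MaturityLevel
        $due  = $f.PatchReleased.AddDays($days)
        [pscustomobject]@{
            Host     = $f.Host
            Software = $f.Software
            DueBy    = $due
            DaysLate = [math]::Max(0, ($Now - $due).Days)
            Overdue  = $Now -gt $due
        }
    }
}

# Constructed sample findings: hostnames, software and dates are made up.
$now = Get-Date '2021-08-01'
$findings = @(
    [pscustomobject]@{ Host = 'web01'; AssetClass = 'InternetFacingServer'; Software = 'Apache httpd';  ExploitExists = $true;  PatchReleased = Get-Date '2021-07-25' }
    [pscustomobject]@{ Host = 'ws042'; AssetClass = 'Workstation';          Software = 'Web browser';   ExploitExists = $false; PatchReleased = Get-Date '2021-07-10' }
    [pscustomobject]@{ Host = 'ws043'; AssetClass = 'Workstation';          Software = 'PDF software';  ExploitExists = $true;  PatchReleased = Get-Date '2021-07-28' }
)

# web01 is overdue at every level (2-day deadline), ws042's browser patch is
# on time at Level 1 (30 days) but overdue at Levels 2 and 3 (14 days), and
# ws043's PDF patch only becomes overdue at Level 3 (48 hours with an exploit).
foreach ($level in 1..3) {
    "--- Maturity Level $level ---"
    Get-OverdueFindings -Findings $findings -MaturityLevel $level -Now $now |
        Where-Object Overdue |
        Format-Table Host, Software, DueBy, DaysLate -AutoSize
}
```

In practice the `PatchReleased` field is the vendor’s release date for the fix, not the date the scanner first saw the finding, and `ExploitExists` should be fed from an exploit-availability source rather than set by hand; the scan frequencies in the text (daily for Internet-facing servers) are what keep that input fresh enough for a 48-hour deadline to be meaningful.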

For Microsoft Office macros, ACSC recommends disabling macros for users without a business need, blocking macros in files downloaded from the Internet, scanning macros with an antivirus solution, and preventing users from changing macro security settings. At Level 2, macros are blocked from making Win32 API calls and attempts to run macros are logged. At Level 3, macros must run from a sandboxed environment or trusted location, and must be validated and digitally signed by a trusted publisher from a list that is reviewed at least annually.
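The macro settings above map onto Office policy registry values and a Microsoft Defender attack surface reduction (ASR) rule. The following is an added example (not from the ACSC guide or the article) that applies the Level 1 settings for Word, Excel and PowerPoint, enables the ASR rule that blocks Win32 API calls from macros for Level 2, and queries the Defender log for the resulting block events. The Office version path (16.0), the application list and the event query are assumptions.

```powershell
# Added example, not from the ACSC guide or the article. Applies the macro
# controls through the Office *policy* registry hive (values under
# Software\Policies are enforced and greyed out in the Trust Center, which
# covers "users cannot change macro security settings"), then enables the
# Defender ASR rule for Win32 API calls and shows where its events land.
# Office version 16.0 and the application list are assumptions.
$apps = 'Word', 'Excel', 'PowerPoint'
foreach ($app in $apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $sec -Force | Out-Null
    # VBAWarnings: 4 = disable all macros without notification (users with no
    # business need); 3 = disable all except digitally signed macros, the
    # setting for users who are allowed signed macros from trusted publishers.
    Set-ItemProperty -Path $sec -Name VBAWarnings -Value 4 -Type DWord
    # Block macros in files that carry the Mark of the Web, i.e. downloaded
    # from the Internet, regardless of the VBAWarnings setting.
    Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Level 2: block Win32 API calls from Office macros. This is the Defender ASR
# rule "Block Win32 API calls from Office macros"; Enabled blocks, and
# AuditMode would only log, which is a reasonable first step on a fleet.
$asrWin32Api = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrWin32Api -AttackSurfaceReductionRules_Actions Enabled

# Level 2 also wants macro execution attempts logged. ASR writes blocked
# (1121) and audited (1122) events to the Defender operational log, with the
# rule id in the message; forward this log to the central log store.
function Get-MacroAsrEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $asrWin32Api } |
        Select-Object TimeCreated, Id, Message
}

Get-MacroAsrEvents -Days 7 | Format-List
```

In a domain the same values are normally delivered through Group Policy rather than written per user, but the registry locations are identical, which makes this script useful as a compliance check (read the values back with `Get-ItemProperty`) as well as a way to apply them on a standalone machine.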

Under user application hardening, ACSC has added to the 2017 recommendation to block web advertisements and Java in browsers: users must not be able to change browser security settings, and Internet Explorer 11 cannot be used to process content from the Internet. At Level 2, Office and PDF software are blocked from creating child processes, creating executable content, injecting code into other processes, or activating OLE packages; blocked PowerShell script executions must be logged, and users cannot change the security settings of Office and PDF software.

At Level 3, according to ACSC, Internet Explorer 11, .NET Framework 3.5 and below, and PowerShell 2.0 are disabled or removed, and PowerShell is configured to use Constrained Language Mode.
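The Level 3 hardening items above are mostly optional Windows features plus two PowerShell settings. The following is an added example (not from the ACSC guide or the article) that reports the state of those legacy components, disables the ones still enabled, turns on PowerShell script block logging, and reports the current language mode. The feature names are the ones `Get-WindowsOptionalFeature` reports on current Windows 10 and 11 client builds; an elevated session is assumed.

```powershell
# Added example, not from the ACSC guide or the article. Reviews and applies
# the Level 3 user application hardening items: remove PowerShell 2.0, .NET
# Framework 3.5 and Internet Explorer 11, enable PowerShell logging, and
# verify the language mode. Run elevated; feature names are assumptions
# that hold for current Windows 10/11 client builds.

# Legacy components and the optional-feature names that back them.
$legacyFeatures = @{
    'PowerShell 2.0'       = 'MicrosoftWindowsPowerShellV2Root'
    '.NET Framework 3.5'   = 'NetFx3'
    'Internet Explorer 11' = 'Internet-Explorer-Optional-amd64'
}

function Get-LegacyFeatureState {
    foreach ($entry in $legacyFeatures.GetEnumerator()) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $entry.Value -ErrorAction SilentlyContinue
        # Newer builds ship without some of these at all; report that distinctly.
        $state = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
        [pscustomobject]@{ Component = $entry.Key; Feature = $entry.Value; State = $state }
    }
}

function Disable-LegacyFeatures {
    Get-LegacyFeatureState | Where-Object State -eq 'Enabled' | ForEach-Object {
        Disable-WindowsOptionalFeature -Online -FeatureName $_.Feature -NoRestart | Out-Null
        Write-Output "Disabled $($_.Component) ($($_.Feature)); a restart may be required"
    }
}

# Script block logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational)
# records what PowerShell actually executed, including de-obfuscated content and
# blocked scripts, which is the record Level 2 asks for. Forward it centrally.
function Enable-ScriptBlockLogging {
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Constrained Language Mode is the product of an application control policy
# (AppLocker or WDAC enforcing scripts), not a standalone switch; this reports
# the mode of the current session so the effect of such a policy can be checked.
# Expected values: 'FullLanguage' before, 'ConstrainedLanguage' after.
function Get-PowerShellLanguageMode {
    $ExecutionContext.SessionState.LanguageMode.ToString()
}

Get-LegacyFeatureState | Format-Table -AutoSize
Disable-LegacyFeatures
Enable-ScriptBlockLogging
"Language mode: $(Get-PowerShellLanguageMode)"
```

Removing PowerShell 2.0 matters because the 2.0 engine predates script block logging and Constrained Language Mode, so leaving it installed leaves a way to run scripts that neither control sees; removing .NET Framework 3.5 is what actually takes the 2.0 engine’s runtime away.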

On restricting administrative privileges, the guide states that privileged accounts, with the exception of privileged service accounts, should be used only in privileged environments that cannot access the Internet and that do not accept unprivileged logons. At Level 2, access to privileged systems is disabled after one year unless re-authorized, and removed after 45 days of inactivity. ACSC adds that privileged operating environments must not be virtualized on unprivileged systems, administrative activities must go through jump servers, use of and changes to privileged accounts must be logged, and credentials must be unique and managed.

Level 3 removes the exception for privileged service accounts, uses just-in-time administration, restricts privileged access to what each user needs, and uses Windows Defender Credential Guard and Windows Defender Remote Credential Guard.
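The Level 2 account lifecycle rules above (45 days of inactivity, one year without re-authorization, service accounts exempt) are straightforward to check in Active Directory. The following is an added example (not from the ACSC guide or the article) that builds a review of privileged group members and, as a separate step, disables the inactive ones. It uses the ActiveDirectory module; the group list, the convention of storing the last authorization date in `extensionAttribute1`, and the choice to disable rather than delete are assumptions.

```powershell
# Added example, not from the ACSC guide or the article. Reviews privileged
# accounts against the Level 2 rules: flag accounts with no logon in 45 days
# and accounts whose access was last authorised more than a year ago.
# Assumptions: the privileged group list, that the last authorisation date is
# kept in extensionAttribute1 (any date-valued attribute works), and that
# enforcement disables rather than deletes so the action is reversible.
Import-Module ActiveDirectory

$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedAccountReview {
    param(
        [datetime]$Now = (Get-Date),
        [string[]]$ExcludeServiceAccounts = @()   # Level 2 exempts privileged service accounts
    )
    $members = foreach ($g in $privilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
    }
    foreach ($m in ($members | Sort-Object SamAccountName -Unique)) {
        if ($ExcludeServiceAccounts -contains $m.SamAccountName) { continue }
        $u = Get-ADUser -Identity $m.SamAccountName -Properties LastLogonDate, extensionAttribute1
        # LastLogonDate derives from lastLogonTimestamp, which replicates with up
        # to 14 days of lag, so it errs on the side of looking stale, never fresh.
        $inactiveDays = if ($u.LastLogonDate) { ($Now - $u.LastLogonDate).Days } else { [int]::MaxValue }
        $lastAuth     = if ($u.extensionAttribute1) { [datetime]$u.extensionAttribute1 } else { $null }
        [pscustomobject]@{
            Account              = $u.SamAccountName
            Enabled              = $u.Enabled
            InactiveDays         = $inactiveDays
            DisableForInactivity = $u.Enabled -and $inactiveDays -gt 45
            ReauthoriseOverdue   = (-not $lastAuth) -or (($Now - $lastAuth).Days -gt 365)
        }
    }
}

# Enforcement is a separate function so the review can be read before anything
# changes. Disable-ADAccount supports -WhatIf for a rehearsal, and the Write-Output
# line is the local record of a privileged account change that Level 2 requires
# to be logged (send it to the central log store).
function Disable-InactivePrivilegedAccounts {
    param([string[]]$ExcludeServiceAccounts = @())
    Get-PrivilegedAccountReview -ExcludeServiceAccounts $ExcludeServiceAccounts |
        Where-Object DisableForInactivity |
        ForEach-Object {
            Disable-ADAccount -Identity $_.Account -Confirm:$false
            Write-Output "Disabled $($_.Account) after $($_.InactiveDays) days of inactivity"
        }
}

# Review first; 'svc_backup' is an assumed service account name.
Get-PrivilegedAccountReview -ExcludeServiceAccounts 'svc_backup' | Format-Table -AutoSize
# Then, once the list has been checked:
# Disable-InactivePrivilegedAccounts -ExcludeServiceAccounts 'svc_backup'
```

Accounts with `ReauthoriseOverdue` set are the input to the annual re-authorization rather than something to disable automatically; an account with no recorded authorization date at all is flagged deliberately, since an unknown date cannot be shown to be within the year.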

Multi-factor authentication (MFA) is recommended for third-party services that hold the organization’s data and for the entity’s own Internet-facing servers. Level 2 adds MFA for privileged users and logging of all MFA interactions. Level 3 extends this to “important data repositories” and requires that the MFA used is “resistant to verifier spoofing”.

For regular backups, the previous monthly timeframe for taking backups, testing restoration and retaining backup data has been removed in favour of “a resilient manner that meets business continuity requirements”. A recommendation has been added that unprivileged users have only read-only access to backups. Level 2 extends the read-only restriction to privileged users, and Level 3 allows only backup administrators to read backups and only “backup breakglass accounts” to modify or delete them.
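The backup access rules above translate directly into NTFS permissions on the repository. The following is an added example (not from the ACSC guide or the article) that sets the permissions for each maturity level side by side with `icacls`, after stripping inherited permissions so nothing granted higher up on the volume leaks onto the backups. The repository path and the group and account names are assumptions.

```powershell
# Added example, not from the ACSC guide or the article. Applies the backup
# access rules per maturity level to a repository folder. In NTFS terms,
# "cannot modify or delete" means granting no write rights at all, so the
# first step is to remove inherited ACEs. The path and principals are assumed.
$backupRoot = 'D:\Backups'   # assumed repository path

function Set-BackupAcl {
    param([ValidateSet(1, 2, 3)][int]$MaturityLevel)

    # Remove inherited permissions (e.g. Users:Modify from the drive root).
    icacls $backupRoot /inheritance:r | Out-Null

    # (OI)(CI) propagates to files and subfolders; RX = read and execute, M = modify (includes delete).
    $grants = @('SYSTEM:(OI)(CI)F')
    switch ($MaturityLevel) {
        1 {
            # Unprivileged users read-only; only the backup team can change or delete.
            $grants += 'BUILTIN\Users:(OI)(CI)RX'
            $grants += 'CORP\Backup Admins:(OI)(CI)M'
        }
        2 {
            # Privileged (but non-backup) administrators are read-only as well.
            $grants += 'BUILTIN\Users:(OI)(CI)RX'
            $grants += 'CORP\Domain Admins:(OI)(CI)RX'
            $grants += 'CORP\Backup Admins:(OI)(CI)M'
        }
        3 {
            # Only backup administrators may read; only the break-glass account
            # may modify or delete. Ordinary and privileged users get nothing.
            $grants += 'CORP\Backup Admins:(OI)(CI)RX'
            $grants += 'CORP\backup-breakglass:(OI)(CI)M'
        }
    }
    # /grant:r replaces any existing explicit grant for each principal.
    icacls $backupRoot /grant:r @grants | Out-Null
    icacls $backupRoot   # print the resulting ACL for the change record
}

Set-BackupAcl -MaturityLevel 3
```

Two practical notes: the Level 3 break-glass account is the one identity that can delete backups, so its use is exactly the kind of privileged account activity the guide wants logged, and a file-share ACL alone does not protect backups from an administrator of the backup server itself, which is why backup software with its own immutability or retention lock is the usual companion to these permissions.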

