
Essential 8 Explainer

Introduction

The Australian Cyber Security Centre (ACSC) developed the Essential Eight Maturity Model, known widely as the Essential 8. These eight strategies are part of a more extensive list called the Strategies to Mitigate Cyber Security Incidents. These specific eight strategies were singled out because they are most effective.

The strategies primarily focus on Microsoft Windows networks, as they are commonplace and represent a large collective attack surface that is commonly exploited. Although some strategies are Microsoft-specific, most strategies can be applied to other kinds of networks.

They describe a minimum set of strategies, so stronger or more stringent parameters could be used, but the Essential 8 provides a baseline security posture. These recommendations are also not intended to be implemented in isolation. They should be adjacent to other security policies and implementations in an organisation.

The Essential 8 is not a certification, unlike, for example, ISO 27001. However, the Government can request an assessment of Government organisations, or of organisations dealing with the Government, against the Essential 8 criteria.

To implement the Essential 8 Model properly, an organisation should implement it in all eight areas. Of course, if an organisation does not have a Windows Network, it cannot be considered “Essential 8 compliant”, but arguably such an assessment is not relevant. The Australian Government is now implementing the Essential 8 as mandatory across all 98 Non-corporate Government bodies.

The model has Maturity Levels that describe the level of mitigation applied against increasingly capable adversaries. So which Maturity Level should an organisation choose? The maturity level that an organisation should implement is based on two main considerations:

  1. how “attractive” it is to attack; and
  2. the classification of data that is vulnerable.

Target Attractiveness. There is no hard, fixed guideline on what makes a target attractive to attack, but high-profile organisations are frequently targeted and lower-profile organisations suffer fewer attempts at compromise. Businesses that publicly claim to be secure and those in the security industry (such as banks and cybersecurity firms) often come under attack.

Classified data. Sensitive data draws more determined adversaries. Even a very low-profile organisation protecting highly valuable information should therefore consider strong mitigation strategies. This is particularly true of government departments and higher education institutions.

The Government mandates the precise level of compliance for its own organisations, but other organisations should strive for the highest Maturity Level that is feasible. These strategies have been developed with an important underlying premise: how an organisation is targeted is much more relevant to security than who is targeting it.

Data security: CIA

Data security is often described as a “triad” of Confidentiality, Integrity and Availability, or the “CIA Triad”.

Confidentiality is keeping information secret, except to those authorised to use it.

Integrity is ensuring that information is accurate and complete.

Availability ensures that the information is ready for use when it is needed and authorised.

The Maturity Levels of the Essential 8 are designed around protecting these three facets of Information Security.

Maturity levels

This model has four Maturity Levels, ranging from zero (the weakest) to three, the strongest.

Maturity Level Zero is the weakest security posture. It applies to any organisation that does not meet or exceed Maturity Level One.

Maturity Level One focuses on mitigating casual attacks from opportunistic attackers, who often use publicly available automated hacking tools. As well as compromising confidentiality and integrity, these attackers may destroy data, affecting its availability.

Maturity Level Two focuses on those attackers that may take more time to attack a target. They are still opportunistic and still use publicly available tools, but may choose to spend more effort on a target they believe they can compromise.

Maturity Level Three is concerned with mitigating attacks from adversaries who focus on specific targets and will spend significant time attempting to compromise them. These attackers are more sophisticated and may use custom tools and procedures. They will also be more likely to hide their tracks and try to establish a long-term presence in a network.

Areas of interest

Essential 8 covers the following (eight!) areas of client (workstation) and server security:

  1. Application control
  2. Patching
  3. MS Office macro settings
  4. Other user application hardening
  5. Administration Privilege restriction
  6. Operating system patching
  7. Multi-factor Authentication
  8. Backups

The areas are summarised below. This is only a guide and for a definitive list, please refer to the Essential Eight Maturity Model.

1. Application control

Level 1

Execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and from the temporary folders used by the operating system, web browsers and email clients.

Level 2

Application control is also implemented on internet-facing servers, and on both workstations and internet-facing servers it restricts execution to an organisation-approved set. Allowed and blocked execution events on workstations and internet-facing servers are logged.

Level 3

All servers are now included. Microsoft’s “recommended block rules” for both executables and drivers are implemented. Application control rulesets are validated at least annually. Allowed and blocked execution events on all hosts are centrally logged, protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected.
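As an added example (not part of the original page or of the ACSC model), the following PowerShell checks an AppLocker deployment against the Level 1 and Level 2 points above: it asks the effective policy whether it would allow execution from user-writable locations, then summarises the allowed and blocked execution events that Level 2 requires to be logged. It assumes AppLocker (rather than WDAC) is the control in use and that the Application Identity service is running; the probe file names and folders are illustrative, and the probe files are created empty and removed afterwards.

```powershell
# Added example: checks an AppLocker deployment against the Application control
# points above. Assumes AppLocker is the control in use (WDAC is checked
# differently) and that the Application Identity service is running. Probe
# file names are illustrative; they are created empty and removed afterwards.
Import-Module AppLocker

function Test-E8UserWritableExecution {
    # Level 1: execution from standard user profiles and OS/browser/mail temp
    # folders must be prevented. Create empty probe files there and evaluate
    # them against the effective policy without executing anything.
    $policy = Get-AppLockerPolicy -Effective
    $dirs   = @("$env:USERPROFILE\Downloads", $env:TEMP, "$env:LOCALAPPDATA\Temp", 'C:\Windows\Temp')
    $probes = foreach ($d in $dirs) {
        foreach ($ext in 'exe', 'dll', 'ps1', 'msi') {
            (New-Item -Path (Join-Path $d "e8probe.$ext") -ItemType File -Force).FullName
        }
    }
    $probes += 'C:\Windows\System32\notepad.exe'   # control case: should be allowed
    try {
        Test-AppLockerPolicy -PolicyObject $policy -Path $probes -User Everyone |
            ForEach-Object {
                $writable = $_.FilePath -notlike 'C:\Windows\System32\*'
                $allowed  = "$($_.PolicyDecision)" -like 'Allowed*'
                $finding  = if ($writable -and $allowed) { 'VIOLATION' } else { 'ok' }
                [pscustomobject]@{
                    Path     = $_.FilePath
                    Decision = $_.PolicyDecision
                    Rule     = $_.MatchingRule
                    Finding  = $finding
                }
            }
    }
    finally {
        Remove-Item -Path ($probes | Where-Object { $_ -like '*e8probe.*' }) -Force -ErrorAction SilentlyContinue
    }
}

function Get-E8AppLockerEventSummary {
    # Level 2: allowed and blocked executions are logged. Summarise recent events.
    # EXE/DLL log: 8002 allowed, 8003 audit-only, 8004 blocked.
    # MSI/Script log: 8005 allowed, 8006 audit-only, 8007 blocked.
    param([int]$Days = 1)
    $names = @{
        8002 = 'EXE/DLL allowed';    8003 = 'EXE/DLL would block (audit)';    8004 = 'EXE/DLL blocked'
        8005 = 'MSI/Script allowed'; 8006 = 'MSI/Script would block (audit)'; 8007 = 'MSI/Script blocked'
    }
    $logs  = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
    $since = (Get-Date).AddDays(-$Days)
    $events = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue
    }
    # Any 8003/8006 events mean the policy is still in audit mode, not enforcing.
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{ EventId = [int]$_.Name; Meaning = $names[[int]$_.Name]; Count = $_.Count }
    }
}

Test-E8UserWritableExecution | Format-Table -AutoSize
Get-E8AppLockerEventSummary | Format-Table -AutoSize
```

Run the first function as a standard user as well as an administrator: an administrator's session may be allowed by the default "Administrators can run anything" rule, which is correct, but a standard user must see every probe in a writable location denied. Central collection of these logs (Level 3) is a matter of forwarding the two AppLocker channels to the SIEM.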

2. Applying Patches

Patches should be applied to systems to give them the most recent level of protection against compromise.

Patch timing table

The following table gives, for each kind of software, the maximum time allowed between a patch being released and being applied, and how often missing patches are scanned for, at each Maturity Level.

Notes:

  • “patches” here can refer to actual patches, vendor updates or security mitigations.
  • “scans” are vulnerability scans designed to discover missing patches.
  • “Productivity software” means the Microsoft Office suite, web browsers and their extensions, email clients, and PDF software.
  • “Lag time” is the time between a patch being released and it being applied.
  • “Removed” means that the software/application/service is shut down and no longer used.
  • An empty cell means that the Maturity Level sets no requirement for that category.

                                                    Level 1    Level 2    Level 3
  Internet-facing services
    Vulnerability patch lag time                    2 weeks    2 weeks    2 weeks
    Vulnerability patch lag time if exploit exists  48 hours   48 hours   48 hours
    Missing patch scan frequency                    daily      daily      daily
    Out of support                                  removed    removed    removed
  Productivity software
    Vulnerability patch lag time                    1 month    2 weeks    2 weeks
    Vulnerability patch lag time if exploit exists  1 month    2 weeks    48 hours
    Missing patch scan frequency                    2 weeks    weekly     weekly
    Out of support                                  removed    removed    removed
  All other applications
    Vulnerability patch lag time (exploit or not)              1 month    1 month
    Missing patch scan frequency                               2 weeks    2 weeks
    Out of support                                                        removed


3. MS Office Macro Settings

Level 1

  • Only enable Office Macros for those who need it
  • Macros in files originating from the internet are blocked
  • Macros are scanned by antivirus software
  • Users cannot alter macro security settings

Level 2

Includes all of Level 1, and in addition:

  • Macros cannot make Win32 API calls
  • Logging of all macro executions, including those that are blocked and allowed

Level 3

Includes all of Level 2, and in addition:

  • Restrict macro execution to the following environments:
    • A sandboxed environment
    • A Trusted Location
    • A digitally signed macro from a trusted publisher
  • Trusted Locations for macros are administered only by privileged users
  • No macros from an untrusted publisher can be enabled manually
  • Publishers are validated at least annually if not more often
  • Logs of macro executions are protected from unauthorised modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected
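The Level 1 settings above can be enforced through the Office policy registry keys that Group Policy writes; values under HKCU\Software\Policies are greyed out in the Trust Center, which is what keeps users from altering them. The PowerShell below is an added example, not from the page or the ACSC: it applies one of two macro profiles (no macros, or signed/trusted-location macros only for users with a business need) and reads the result back. It assumes Office 2016 or Microsoft 365 (version key 16.0) and writes to the current user's hive for testing on one machine; a production deployment would push the same values with a GPO or Intune, scoped to the group of users who need macros.

```powershell
# Added example: apply and audit Level 1 macro policy for the current user via
# the Office policy registry keys. Assumes Office 2016 / Microsoft 365 (16.0).
# In production push the same values with Group Policy or Intune; writing to
# HKCU:\Software\Policies directly is for testing on one machine.
$Office = '16.0'
$Apps   = 'Word', 'Excel', 'PowerPoint', 'Access', 'Publisher', 'Visio'

# VBAWarnings: 1 enable all, 2 disable with notification, 3 disable except
# digitally signed (and trusted locations), 4 disable all without notification.
$Profiles = @{
    NoMacros = 4   # users with no business need for macros
    Signed   = 3   # users who need macros: only signed / trusted-location ones run
}

function Set-E8MacroPolicy {
    param([Parameter(Mandatory)][ValidateSet('NoMacros', 'Signed')][string]$Profile)
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$Office\$app\Security"
        New-Item -Path $sec -Force | Out-Null
        Set-ItemProperty -Path $sec -Name VBAWarnings -Type DWord -Value $Profiles[$Profile]
        # Block macros in files that carry the Mark of the Web (came from the internet).
        Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
    # Hand macro source to the registered antivirus through AMSI at run time.
    # 0 = off, 1 = low-trust documents only, 2 = all documents.
    $common = "HKCU:\Software\Policies\Microsoft\Office\$Office\Common\Security"
    New-Item -Path $common -Force | Out-Null
    Set-ItemProperty -Path $common -Name MacroRuntimeScanScope -Type DWord -Value 2
}

function Get-E8MacroPolicy {
    # Read back what is enforced so it can be compared with the user's role.
    $common = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$Office\Common\Security" -ErrorAction SilentlyContinue
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$Office\$app\Security"
        $v = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        $compliant = ($v.VBAWarnings -in 3, 4) -and
                     ($v.blockcontentexecutionfrominternet -eq 1) -and
                     ($common.MacroRuntimeScanScope -eq 2)
        [pscustomobject]@{
            App             = $app
            VBAWarnings     = $v.VBAWarnings
            BlockInternet   = $v.blockcontentexecutionfrominternet
            AvScan          = $common.MacroRuntimeScanScope
            Level1Compliant = $compliant
        }
    }
}

Set-E8MacroPolicy -Profile NoMacros
Get-E8MacroPolicy | Format-Table -AutoSize
```

A VBAWarnings value of 3 still allows macros from Trusted Locations, so the Level 3 point about Trusted Locations being administered only by privileged users matters even for the "Signed" profile: if a user can add their own Downloads folder as a Trusted Location, the signing requirement is bypassed.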

4. Other User Application Hardening

Level 1

  • Web browsers do not process Java from the internet
  • Web browsers block web advertisements from the internet
  • Internet Explorer 11 does not process content from the internet
  • Web browser security settings cannot be changed by users

Level 2

Includes all of Level 1, plus:

  • MS Office is prevented from creating child processes, from creating executable files, from injecting code into other processes and cannot activate Object Linking and Embedding (OLE) packages.
  • PDF software cannot create child processes
  • Guidance from the ACSC or Vendors regarding web browsers, MS Office and PDF software is implemented
  • PDF software settings cannot be changed by the user
  • Any attempts to run blocked PowerShell scripts are logged
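Microsoft Defender's attack surface reduction (ASR) rules are one way to implement the Level 2 Office and PDF points above and, from section 3, the Level 2 point that macros cannot make Win32 API calls. The PowerShell below is an added example (not from the page or the ACSC) that enables those rules, reads back their state, and pulls the events that show what they blocked. It assumes Microsoft Defender Antivirus is the active antivirus (third-party antivirus disables ASR) and that Adobe Reader is the PDF software. OLE packages are not covered by ASR; the PackagerPrompt value used for them comes from the ACSC Office hardening guidance, and its location under the Policies key is an assumption.

```powershell
# Added example: enable the Defender ASR rules that implement the Level 2
# Office/PDF hardening points and the Level 2 "no Win32 API calls from macros"
# macro point, then verify. Assumes Microsoft Defender AV is active (third-party
# AV disables these rules) and Adobe Reader is the PDF software. Run elevated.
$AsrRules = [ordered]@{
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
# Action codes for -AttackSurfaceReductionRules_Actions: 0 disabled, 1 block, 2 audit, 6 warn.
$Block = 1

function Enable-E8AsrRules {
    param([switch]$AuditOnly)   # roll out in audit first, review 1122 events, then block
    $action = if ($AuditOnly) { 2 } else { $Block }
    $ids = @($AsrRules.Keys)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $ids `
                     -AttackSurfaceReductionRules_Actions (@($action) * $ids.Count)
}

function Get-E8AsrRuleState {
    $pref  = Get-MpPreference
    $state = @{}
    $i = 0
    foreach ($id in @($pref.AttackSurfaceReductionRules_Ids)) {
        $state["$id".ToUpper()] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $i++
    }
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($id in $AsrRules.Keys) {
        $a = if ($state.ContainsKey($id)) { $state[$id] } else { 0 }
        [pscustomobject]@{ Rule = $AsrRules[$id]; Action = $names[$a]; Level2 = ($a -eq $Block) }
    }
}

function Get-E8AsrEvents {
    # 1121 = a rule blocked an action, 1122 = a rule would have blocked it (audit).
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

# OLE packages: PackagerPrompt 0 = allow, 1 = prompt, 2 = block. The Policies
# key path is assumed; the per-user value lives under
# HKCU:\Software\Microsoft\Office\16.0\<App>\Security.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name PackagerPrompt -Type DWord -Value 2
}

Enable-E8AsrRules
Get-E8AsrRuleState | Format-Table -AutoSize
Get-E8AsrEvents | Format-Table -AutoSize
```

Start with Enable-E8AsrRules -AuditOnly on a pilot group: the 1122 events tell you which business processes (macro-driven reporting, add-ins that spawn helpers) the rules would break before anything is blocked.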

Level 3

Includes all of Level 2, plus:

  • Removal or disabling of the following:
    • IE 11
    • .NET framework versions 2.0, 3.0 and 3.5
    • PowerShell 2.0
  • PowerShell must be configured to use Constrained Language Mode
  • Blocked PowerShell script executions are logged, the logs are protected and restricted, and action is taken if a cyber security event is detected
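The Level 3 PowerShell and legacy-component points above can be audited on a host with a short script. The PowerShell below is an added example (not from the page or the ACSC): it reports the language mode, the state of the PowerShell 2.0, .NET 3.5 and IE 11 optional features, whether script block logging is switched on, and how many blocked-script and script-block events were recorded in the last day, with a -Fix switch to disable the features and turn logging on. It assumes Windows 10/11 optional-feature names and that AppLocker is what enforces script control (the supported way to put unprivileged users into Constrained Language Mode).

```powershell
# Added example: audit a host against the Level 3 user application hardening
# points for PowerShell, IE 11 and legacy frameworks, and remediate with -Fix.
# Run elevated. Feature names are the Windows 10/11 optional-feature names.
function Get-E8PowerShellHardening {
    param([switch]$Fix)

    # Constrained Language Mode for this session. The supported way to enforce
    # it for unprivileged users is AppLocker/WDAC script enforcement; a session
    # started by an administrator will report FullLanguage, which is expected.
    $langMode = "$($ExecutionContext.SessionState.LanguageMode)"

    # Legacy components that Level 3 wants removed or disabled.
    $features = [ordered]@{
        'PowerShell 2.0'       = 'MicrosoftWindowsPowerShellV2Root'
        '.NET Framework 3.5'   = 'NetFx3'                        # bundles 2.0 and 3.0
        'Internet Explorer 11' = 'Internet-Explorer-Optional-amd64'
    }
    $featureState = foreach ($name in $features.Keys) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $features[$name] -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled' -and $Fix) {
            Disable-WindowsOptionalFeature -Online -FeatureName $features[$name] -NoRestart | Out-Null
            $f = Get-WindowsOptionalFeature -Online -FeatureName $features[$name]
        }
        $state = if ($f) { "$($f.State)" } else { 'NotPresent' }
        [pscustomobject]@{ Component = $name; State = $state }
    }

    # Script block logging (event 4104) captures script content, including
    # content that was refused under Constrained Language Mode.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if ($Fix) {
        New-Item -Path $sbl -Force | Out-Null
        Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Type DWord -Value 1
    }
    $sblOn = (Get-ItemProperty -Path $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1

    # Blocked script executions under AppLocker land in the MSI and Script log
    # as event 8007; 4104 in the PowerShell log shows what was attempted.
    $since   = (Get-Date).AddDays(-1)
    $blocked = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/MSI and Script'; Id = 8007; StartTime = $since
    } -ErrorAction SilentlyContinue).Count
    $scriptBlocks = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
    } -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        LanguageMode             = $langMode
        ConstrainedLanguage      = ($langMode -eq 'ConstrainedLanguage')
        LegacyComponents         = $featureState
        ScriptBlockLoggingOn     = $sblOn
        BlockedScriptsLast24h    = $blocked
        ScriptBlockEventsLast24h = $scriptBlocks
    }
}

$r = Get-E8PowerShellHardening
$r | Format-List
$r.LegacyComponents | Format-Table -AutoSize
```

Removing PowerShell 2.0 matters because a `powershell -version 2` session runs without script block logging, AMSI or Constrained Language Mode; the logging and language-mode checks above are only meaningful once the 2.0 engine is gone.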

5. Administration Privilege Restriction

Level 1

  • Requests for privileged access to systems and applications are validated when first requested
  • Privileged accounts cannot access the internet (exception: privileged service accounts)
  • Privileged users have a separate unprivileged account for their internet, email and web services
  • Privileged operating environments can only be accessed by privileged accounts
  • Unprivileged environments cannot be logged into by Privileged accounts (exception: local administrator accounts)

Level 2

Includes all of Level 1, plus:

  • Privileged access to systems and applications is automatically disabled after 12 months unless revalidated
  • Privileged access to systems and applications is automatically disabled after 45 days of inactivity
  • Privileged operating environments are not virtualised within unprivileged operating environments
  • Administrative activities must be done through jump hosts
  • For local admin accounts, credentials must be secure, unique and unpredictable
  • All privileged access is logged
  • Changes to privileged accounts are logged
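The 12-month revalidation and 45-day inactivity points above are the ones most often left to manual review. The PowerShell below is an added example (not from the page or the ACSC) of enforcing them in Active Directory: it walks the members of the privileged groups, flags accounts that are inactive, have lapsed, or have no revalidation date, and can disable them. It assumes the ActiveDirectory RSAT module, and that a successful revalidation is recorded by setting the account's expiry 12 months ahead, so an account nobody revalidates lapses on its own; the group list is illustrative. LastLogonDate comes from the replicated lastLogonTimestamp, which can lag real logons by up to 14 days, so the effective inactivity threshold is slightly looser than 45 days.

```powershell
# Added example: find privileged AD accounts that breach the Level 2 lifecycle
# points (45 days inactive; 12-month revalidation) and optionally disable them.
# Assumes the ActiveDirectory RSAT module and that revalidation is recorded by
# setting an account expiry 12 months ahead. The group list is illustrative.
Import-Module ActiveDirectory

function Get-E8StalePrivilegedAccount {
    param(
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [int]$InactiveDays = 45,
        [switch]$Disable
    )
    $now = Get-Date
    $members = foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user'
    }
    foreach ($m in ($members | Sort-Object distinguishedName -Unique)) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, AccountExpirationDate, whenCreated
        # An account that has never logged on is aged from its creation date.
        $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate } else { $u.whenCreated }
        $inactive = ($now - $lastSeen).Days -gt $InactiveDays
        $noExpiry = -not $u.AccountExpirationDate
        $lapsed   = $u.AccountExpirationDate -and ($u.AccountExpirationDate -lt $now)
        $finding  = if (-not $u.Enabled) { 'already disabled' }
                    elseif ($inactive)   { "inactive > $InactiveDays days" }
                    elseif ($lapsed)     { 'revalidation lapsed' }
                    elseif ($noExpiry)   { 'no revalidation date set' }
                    else                 { 'ok' }
        if ($Disable -and $u.Enabled -and ($inactive -or $lapsed)) {
            Disable-ADAccount -Identity $u -Confirm:$false
        }
        [pscustomobject]@{
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Expires   = $u.AccountExpirationDate
            Finding   = $finding
        }
    }
}

function Confirm-E8PrivilegedAccess {
    # Called from the revalidation process: records approval by pushing the
    # expiry out another 12 months so an unrevalidated account lapses by itself.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Months = 12)
    Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddMonths($Months)
}

# Report first; add -Disable once the findings have been reviewed.
Get-E8StalePrivilegedAccount | Where-Object Finding -ne 'ok' | Format-Table -AutoSize
```

Exclude break-glass accounts from the group list or give them their own handling: by design they are rarely used, and the 45-day rule would disable them exactly when they are needed.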

Level 3

Includes all of Level 2, plus:

  • Privileges are assigned on a needs-only basis.
  • All privileged accounts, including service accounts, cannot access the internet
  • Just-in-time administration is used to administer privileges for systems and applications
  • Both of the following Windows Defender services are enabled:
    • Credential Guard
    • Remote Credential Guard
  • Privileged access events are centrally logged, the logs are protected and restricted, and action is taken if a cyber security event is detected
  • Changes to privileged accounts and groups are centrally logged, protected, monitored, and actioned if a cyber security event is detected

6. Operating System Patching

Level 1

  • Patches, updates and vendor mitigations for security vulnerabilities:
    • For internet-facing operating systems are applied within 2 weeks of release, or 48 hours in the case of an exploited vulnerability
    • For workstation operating systems, servers and network devices are applied within one month from release
  • Vulnerability scanners are used:
    • at least daily to find missing patches in the operating systems of internet-facing services
    • at least fortnightly to find missing patches in workstations, servers and network devices
  • Replace all operating systems not supported by vendors

Level 2

Includes all of Level 1, plus:

  • Patches, updates and vendor mitigations for security vulnerabilities for workstation operating systems, servers and network devices are applied within two weeks from release
  • Vulnerability scanners are used at least weekly to find missing patches for workstations, servers and network devices.

Level 3

Includes all of Level 2, plus:

  • Patches, updates and vendor mitigations for security vulnerabilities for workstation operating systems, servers and network devices are applied within two weeks from release, or 48 hours if an exploit exists
  • The latest release, or the previous release of operating systems are used for workstation operating systems, servers and network devices
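The timing table in section 2 and the operating system patching points in this section both come down to the same two checks: scan regularly for missing patches, and judge each missing patch against the lag window for its category and Maturity Level. The PowerShell below is an added example (not from the page or the ACSC) that does this for one Windows host through the Windows Update Agent COM API. The API does not say whether an exploit exists, so the list of exploited KB numbers is an assumed input from your own vulnerability intelligence; a fleet-wide scan would use a dedicated vulnerability scanner, but the ageing logic is the same.

```powershell
# Added example: per-host missing-patch scan via the Windows Update Agent,
# aged against the Essential Eight windows. Run elevated; it queries the host's
# configured update source (WSUS or Microsoft Update). The set of KBs with a
# known exploit is an assumed input: the API does not carry exploit status.
function Get-E8PatchWindowDays {
    # Maximum days from release to application, from the timing table (section 2)
    # and the OS patching points (section 6). $null = no requirement at that level.
    # 'InternetFacing' covers internet-facing services and their operating systems;
    # 'OS' covers workstation and server operating systems and network devices.
    param(
        [int]$Level,
        [ValidateSet('InternetFacing', 'Productivity', 'OS', 'Other')][string]$Category,
        [bool]$ExploitExists
    )
    switch ($Category) {
        'InternetFacing' { if ($ExploitExists) { 2 } else { 14 } }
        'Productivity'   { if ($Level -eq 1) { 30 } elseif ($Level -eq 3 -and $ExploitExists) { 2 } else { 14 } }
        'OS'             { if ($Level -eq 1) { 30 } elseif ($Level -eq 3 -and $ExploitExists) { 2 } else { 14 } }
        'Other'          { if ($Level -eq 1) { $null } else { 30 } }
    }
}

function Get-E8MissingUpdate {
    param(
        [ValidateSet(1, 2, 3)][int]$Level = 2,
        [ValidateSet('InternetFacing', 'Productivity', 'OS', 'Other')][string]$Category = 'OS',
        [string[]]$ExploitedKBs = @()     # KB numbers (digits only) from your intelligence feed
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Software updates that are applicable, not installed and not hidden.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    $now = Get-Date
    foreach ($u in $result.Updates) {
        $kbs       = @($u.KBArticleIDs | ForEach-Object { "$_" })
        $exploited = [bool]($kbs | Where-Object { $ExploitedKBs -contains $_ })
        $window    = Get-E8PatchWindowDays -Level $Level -Category $Category -ExploitExists $exploited
        $released  = [datetime]$u.LastDeploymentChangeTime
        $age       = [math]::Round(($now - $released).TotalDays, 1)
        [pscustomobject]@{
            KB         = ($kbs -join ',')
            Title      = $u.Title
            Severity   = $u.MsrcSeverity
            Released   = $released.ToString('yyyy-MM-dd')
            AgeDays    = $age
            WindowDays = $window
            Exploited  = $exploited
            Overdue    = ($null -ne $window) -and ($age -gt $window)
        }
    }
}

# Example: a Level 3 workstation. Supply exploited KB numbers to -ExploitedKBs
# to apply the 48-hour window to them.
Get-E8MissingUpdate -Level 3 -Category OS -ExploitedKBs @() |
    Sort-Object Overdue, AgeDays -Descending | Format-Table -AutoSize
```

Schedule the scan at the frequency the table requires for the host's category (daily for internet-facing hosts, weekly or fortnightly otherwise) and treat any Overdue result as a finding, not just a backlog item; the lag is measured from the vendor's release date, not from when the update reached your WSUS server.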

7. Multi-factor authentication

Level 1

  • MFA is used by users if they authenticate to their organisation’s internet-facing services
  • MFA is used by organisations if their organisation’s sensitive data is stored on 3rd-party services
  • MFA is used by organisations, if possible, if their organisation’s non-sensitive data is stored on 3rd-party services
  • MFA is enabled by default for non-organisational users when they use an organisation’s internet-facing services, but these users may opt out

Level 2

Includes all of Level 1, plus:

  • MFA is used to authenticate all privileged users
  • MFA uses either:
    • something users have and something they know (e.g. a password and a token); or
    • something users have, unlocked by something they know or are (e.g. a USB token unlocked by a PIN or fingerprint)
  • All MFA access attempts, successful or not, are logged

Level 3

Includes all of Level 2, plus:

  • MFA is used to access important data repositories
  • MFA is verifier impersonation resistant (i.e. phishing-resistant: a credential captured by a fake login page cannot be replayed to the real service)
  • All authentication attempts by MFA systems are centrally logged, protected, and monitored and if adverse cybersecurity events occur, they are actioned.

8. Backups

Level 1

  • All important data is backed up, and is retained in a resilient manner that implements business continuity requirements
  • Restoration of systems, software and important data from backups is tested in a coordinated manner as part of disaster recovery exercises
  • Unprivileged accounts can only access their own backups
  • Unprivileged accounts cannot modify or delete any backups

Level 2

Includes all of Level 1, plus:

  • Privileged accounts can only access their own backups, with the exception of Backup Administrators.
  • Privileged accounts cannot modify or delete any backups, with the exception of Backup Administrators.

Level 3

Includes all of Level 2, plus:

  • Unprivileged accounts cannot access backups
  • Backup Administrators cannot access any backups without emergency authorisation.
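The access points for all three levels above reduce, for a disk or SMB backup repository, to questions about who holds which NTFS rights on the backup location. The PowerShell below is an added example (not from the page or the ACSC) that audits those permissions: any Allow entry that can modify, delete, take ownership of or re-permission the backups is a violation unless it belongs to a backup administrator, and at Level 3 any entry that gives the general user population even read access is a violation. The path and the backup-administrator and unprivileged identities are placeholders, and share-level permissions and the backup product's own retention or immutability controls are out of scope for this check.

```powershell
# Added example: audit NTFS permissions on a backup location against the Backups
# access points above. Assumes an on-disk or SMB backup repository; the path and
# the identities are placeholders. Share permissions and the backup product's
# own immutability controls are not checked here.
function Test-E8BackupAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet(1, 2, 3)][int]$Level = 2,
        # Identities permitted to modify or delete backups (backup administrators).
        [string[]]$BackupAdmins = @('NT AUTHORITY\SYSTEM', 'CORP\Backup Admins'),
        # Identities that stand for "unprivileged accounts" in general.
        [string[]]$Unprivileged = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    $R = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a principal change or remove backup data, or grant itself that ability.
    $destructive = $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor $R::WriteData -bor
                   $R::AppendData -bor $R::WriteAttributes -bor $R::WriteExtendedAttributes -bor
                   $R::ChangePermissions -bor $R::TakeOwnership

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $who    = $ace.IdentityReference.Value
        # Cast to int so generic-rights bits on inherited entries are still counted.
        $canMod = ([int]$ace.FileSystemRights -band [int]$destructive) -ne 0
        $finding =
            if ($canMod -and $BackupAdmins -notcontains $who) {
                # Levels 1 and 2: only backup administrators may modify or delete backups.
                'VIOLATION: modify/delete granted'
            } elseif ($Level -ge 3 -and $Unprivileged -contains $who) {
                # Level 3: unprivileged accounts cannot access backups at all.
                'VIOLATION: unprivileged read access'
            } elseif ($canMod) { 'backup admin' } else { 'read-only' }
        [pscustomobject]@{
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            Finding   = $finding
        }
    }
    if (-not $acl.AreAccessRulesProtected) {
        Write-Warning "$Path inherits permissions from its parent; break inheritance so a change higher up cannot silently reach the backups."
    }
}

Test-E8BackupAcl -Path 'D:\Backups' -Level 2 | Format-Table -AutoSize
```

A clean result here still leaves the backup administrators able to delete backups, which is why the Level 2 and Level 3 points single them out: for those accounts the protection has to come from the backup system itself (retention locks or immutable storage), not from NTFS rights.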

References

  1. Essential 8 Maturity Model
  2. Govt to mandate Essential Eight Cyber Security Controls
  3. Strategies to Mitigate Cyber Security Incidents

Author: Damian Wernert