Exploring the Origins and Significance of the Essential 8

The Australian Signals Directorate (ASD) The Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) Strategies to Mitigate Cyber Security Incidents The Essential 8 ISM and Essential 8 Essential 8 Updates

The Australian Signals Directorate (ASD)

The Australian Signals Directorate (ASD) is a government agency with a rich history dating back to 1947, when it was established as the Defence Signals Bureau. Over the years, the agency has undergone several name changes to reflect its evolving role, including the Defence Signals Directorate (DSD) in 1977 and the Australian Signals Directorate (ASD) in 2013. Today, the agency plays a critical role in supporting Australia's national security by providing signals intelligence, cybersecurity, and information security services to the armed services and government departments. In 2018, ASD became a statutory agency within the Defence portfolio, further solidifying its position as a leader in the field of national security.

Australian Signals Directorate (ASD) logo

The ASD's primary role is to collect, analyse, and disseminate foreign signals intelligence to support the Australian government and defence forces. This includes gathering intelligence on the capabilities, intentions, and activities of other countries and non-state actors, as well as protecting Australia's own communications and information systems from cyber threats. The ASD also provides advice and assistance to other government agencies and industry partners on cybersecurity and information security matters.

ASD’s stated purpose is to “defend Australia from global threats and help advance Australia's national interests. We do this by mastering technology to inform, protect and disrupt.”

The Australian Cyber Security Centre (ACSC)

Part of the ASD, is the Australian Cyber Security Centre (ACSC). The ACSC is a whole-of-government organisation that was established in 2014 as an evolution of the Cyber Security Operations Centre (CSOC). CSOC was a Defence-based capability that hosted liaison staff from other government agencies. ACSC saw the collocation of all contributing agencies' cyber security capabilities.

Before the establishment of the ACSC, the Australian government had a number of different agencies and organisations that were responsible for different aspects of cyber security. In 2010, the Defence Signals Directorate (DSD) established the Cyber Security Operations Centre (CSOC) to develop a comprehensive understanding of ICT security threats to critical Australian systems and to coordinate a response to those threats across government and industry.

In 2017, the Prime Minister at the time Malcolm Turnbull, released the unclassified version of the 2017 Independent Intelligence Review, which made recommendations for the reorganisation of intelligence agencies in Australia. One of the recommendations was that the ACSC should become part of ASD. This recommendation was implemented through the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Bill 2018, which was passed into law in April 2018. As a result, the ACSC is now part of ASD and the two agencies work closely together to protect Australia's cyber security interests.

Information Security Manual (ISM)

Developed by the ACSC, the Information Security Manual (ISM) is a document that provides guidance and standards for the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction.

The ISM is intended for Chief Information Security Officers (CISOs), Chief Information Officers, cyber security professionals, and information technology managers.

The ISM is based on industry standards and best practices and is intended to be used in conjunction with an organisation's risk management framework. It is organised into four key activities:

Govern
Protect
Detect
Respond

It provides guidance on governance, physical security, personnel security, and information and communications technology security topics.

The ISM is not required by law, unless specifically mandated by legislation or other lawful authority. If the ISM conflicts with legislation or law, the latter takes precedence. The ISM does not provide a comprehensive consideration of legislative and legal considerations, and organisations are encouraged to familiarise themselves with relevant legislation, such as the Archives Act 1983, Privacy Act 1988, and Telecommunications (Interception and Access) Act 1979.

Strategies to Mitigate Cyber Security Incidents

Introduced in 2010 and last updated in 2017, the ACSC released a set of prioritised strategies to help organisations mitigate and protect against various types of cyber threats. These strategies were developed based on the ACSC's experience responding to cyber security incidents, conducting vulnerability assessments, and performing penetration testing on Australian government organisations. The ACSC's strategies are designed to address a range of cyber threats, including:

Targeted cyber intrusions, also known as advanced persistent threats, which are executed by external adversaries who steal data
Ransomware attacks and other external adversaries who destroy data and prevent computers/networks from functioning
Malicious insiders who steal data, such as customer information or intellectual property
Malicious insiders who destroy data and prevent computers/networks from functioning

The ACSC's strategies can be divided into five categories:

Strategies to prevent malware delivery and execution: These strategies are designed to stop malware from being delivered to and executed on an organisation's systems.
Strategies to limit the extent of cyber security incidents: These strategies are intended to minimise the impact of a cyber security incident once it has occurred.
Strategies to detect cyber security incidents and respond: These strategies are aimed at identifying a cyber security incident as quickly as possible and taking appropriate action to contain and mitigate the incident.
Strategies to recover data and system availability: These strategies are focused on restoring data and system functionality following a cyber security incident.
Strategies specific to preventing malicious insiders: These strategies are designed to prevent malicious insiders from causing harm to an organisation's systems and data.

The ACSC's strategies are further classified into five relative security effectiveness ratings:

Essential
Excellent
Very good
Good
Limited

The ACSC considers the strategies with an "essential" rating to be the minimum baseline for all organisations to follow in order to effectively protect against cyber threats. The ACSC has also released additional guidance on implementing these strategies and on measuring the maturity of their implementation.

Relative Security Effectiveness Rating	Mitigation Strategy
Mitigation Strategies to Prevent Malware Delivery and Execution:
Essential	Application whitelisting of approved/trusted programs to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Essential	Patch applications e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with “extreme risk”¹vulnerabilities within 48 hours. Use the latest version of applications.
Essential	Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in “trusted locations” with limited write access or digitally signed with a trusted certificate.
Essential	User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the Internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Excellent	Automated dynamic analysis of email and web content run in a sandbox, blocked if suspicious behaviour is identified e.g. network traffic, new or modified files, or other system configuration changes.
Excellent	Email content filtering. Whitelist allowed attachment types (including in archives and nested archives). Analyse/sanitise hyperlinks, PDF and Microsoft Office attachments. Quarantine Microsoft Office macros.
Excellent	Web content filtering. Whitelist allowed types of web content and websites with good reputation ratings. Block access to malicious domains and IP addresses, ads, anonymity networks and free domains.
Excellent	Deny corporate computers direct Internet connectivity. Use a gateway firewall to require use of a split DNS server, an email server, and an authenticated web proxy server for outbound web connections.
Excellent	Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
Very Good	Server application hardening especially Internet-accessible web applications (sanitise input and use TLS not SSL) and databases, as well as applications that access important (sensitive/high-availability) data.
Very Good	Operating system hardening (including for network devices) based on a Standard Operating Environment, disabling unneeded functionality e.g. RDP, AutoRun, LanMan, SMB/NetBIOS, LLMNR and WPAD.
Very Good	Antivirus software using heuristics and reputation ratings to check a file’s prevalence and digital signature prior to execution. Use antivirus software from different vendors for gateways versus computers.
Very Good	Control removable storage media and connected devices. Block unapproved CD/DVD/USB storage media. Block connectivity with unapproved smartphones, tablets and Bluetooth/Wi-Fi/3G/4G devices.
Very Good	Block spoofed emails. Use Sender Policy Framework (SPF) or Sender ID to check incoming emails. Use “hard fail” SPF TXT and DMARC DNS records to mitigate emails that spoof the organisation’s domain.
Good	User education. Avoid phishing emails (e.g. with links to login to fake websites), weak passphrases, passphrase reuse, as well as unapproved: removable storage media, connected devices and cloud services.
Limited	Antivirus software with up-to-date signatures to identify malware, from a vendor that rapidly adds signatures for new malware. Use antivirus software from different vendors for gateways versus computers.
Limited	TLS encryption between email servers to help prevent legitimate emails being intercepted and subsequently leveraged for social engineering. Perform content scanning after email traffic is decrypted.
Mitigation Strategies to Limit the Extent of Cyber Security Incidents:
Essential	Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
Essential	Patch operating systems. Patch/mitigate computers (including network devices) with “extreme risk”¹vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
Essential	Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Excellent	Disable local administrator accounts or assign passphrases that are random and unique for each computer’s local administrator account to prevent propagation using shared local administrator credentials.
Excellent	Network segmentation. Deny traffic between computers unless required. Constrain devices with low assurance e.g. BYOD and IoT. Restrict access to network drives and data repositories based on user duties.
Excellent	Protect authentication credentials. Remove CPassword values (MS14-025). Configure WDigest (KB2871997). Use Credential Guard. Change default passphrases. Require long complex passphrases.
Very Good	Non-persistent virtualised sandboxed environment, denying access to important (sensitive/high-availability) data, for risky activities e.g. web browsing, and viewing untrusted Microsoft Office and PDF files.
Very Good	Software-based application firewall, blocking incoming network traffic that is malicious/unauthorised, and denying network traffic by default e.g. unneeded/unauthorised RDP and SMB/NetBIOS traffic.
Very Good	Software-based application firewall, blocking outgoing network traffic that is not generated by approved/trusted programs, and denying network traffic by default.
Very Good	Outbound web and email data loss prevention. Block unapproved cloud computing services. Log recipient, size and frequency of outbound emails. Block and log emails with sensitive words or data patterns.
Mitigation Strategies to Detect Cyber Security Incidents and Respond:
Excellent	Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of permitted and denied: computer events, authentication, file access, network activity.
Very Good	Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution e.g. process injection, keystroke logging, driver loading and persistence.
Very Good	Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry level option.
Very Good	Hunt to discover incidents based on knowledge of adversary tradecraft. Leverage threat intelligence consisting of analysed threat data with context enabling mitigating action, not just indicators of compromise.
Limited	Network-based intrusion detection/prevention system using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
Limited	Capture network traffic to and from corporate computers storing important data or considered as critical assets, and network traffic traversing the network perimeter, to perform incident detection and analysis.
Mitigation Strategies to Recover Data and System Availability:
Essential	Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Very Good	Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover.
Very Good	System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts.
Mitigation Strategy Specific to Preventing Malicious Insiders:
Very Good	Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties.

Source: Australian Cyber Security Centre.

The Essential 8

The Essential 8 is the 'essential' minimum baseline security for organisations and is a subset of the Strategies to Mitigate Cyber Security Incidents. It provides practical guidance to organisations on how to protect their systems and data from cyber threats, how to implement mitigation strategies in a phased approach and how to measure the maturity of implementation.

The Essential Eight strategies are focused on Microsoft Windows-based internet-connected networks and are designed to complement each other in order to provide coverage against a range of cyber threats. While the principles behind the Essential Eight can be applied to other systems, such as cloud services and enterprise mobility, alternative guidance may be more appropriate for these environments.

The Essential 8 consists of eight mitigation strategies, including:

Application control: only allowing approved applications to run on a system.
Patching applications: applying updates and patches to software to fix vulnerabilities.
Configuring Microsoft Office macro settings: applying least privileges to Microsoft Office macros
User application hardening: disabling, removing, restricting and monitoring applications to limit ability for compromise
Restricting administrative privileges: limiting the number of users with administrative privileges on a system.
Patching operating systems: applying updates and patches to the operating system to fix vulnerabilities.
Multi-factor authentication: requiring more than one form of authentication to access systems or data.
Regular backups: regularly backing up important data to protect against data loss.

The Essential 8 adds upon the Strategies to Mitigate Cyber Security Incidents by introducing 4 implementation maturity levels. These maturity levels are designed based on the level of adversary tradecraft (tools, tactics, techniques, and procedures) and targeting that an organisation is aiming to mitigate.

Maturity level zero signifies that there are weaknesses in an organisation's cyber security posture that could be exploited by adversaries.
Maturity level one focuses on adversaries who use widely available tools and techniques to gain access to systems.
Maturity level two focuses on adversaries who are willing to invest more time and effort in their attacks and use more advanced tools and techniques to bypass security controls and evade detection.
Maturity level three focuses on adversaries with advanced capabilities who are willing to invest significant time, money, and effort in their attacks and may use customised tools and techniques to compromise a target.

	Maturity Level One	Maturity Level Two	Maturity Level Three
Adversary capability	Adversaries using widely available tools and techniques to gain access to systems.	Adversaries using advanced tools and techniques to bypass security controls and evade detection.	Adversaries with advanced capabilities, using customized tools and techniques to compromise a target.
Adversary intent	Opportunistic, looking for any victim.	Selective targeting.	Focused on particular targets.
Adversary time investment	Not willing to invest heavily to any specific target.	They are willing to invest more time and effort in their attacks, including ensuring their phishing is effective.	Willing to invest significant time and effort in attacks.
Adversary techniques	Common social engineering techniques to trick users and launch malicious applications.	Common social engineering techniques to trick users and launch malicious applications.	Social engineering techniques to trick users into opening malicious documents and unknowingly assist in bypassing security controls.
Adversary techniques			May also bypass stronger multi-factor authentication by stealing authentication token values to impersonate a user.
Adversary action	If they can compromise an account with special privileges, they will try to exploit it.	If they can compromise an account with special privileges, they will try to exploit it.	Once they have gained a foothold on a system, they will seek to gain privileged credentials or password hashes, pivot to other parts of a network, and cover their tracks.
Adversary action	They may also destroy data, including backups.	They may also destroy data, including backups.	They may also destroy data, including backups.

Maturity levels can only be achieved once all mitigation strategies for a maturity level have been implemented.

These mitigation strategies increase in complexity with each maturity level and organisations can determine a target maturity level and follow guidance from ACSC for implementation. Detailed descriptions for each maturity level and its mitigation strategy can be found in Appendix A: Maturity Level One, Appendix B: Maturity Level Two and Appendix C: Maturity Level Three of the Essential 8 maturity model. These mitigation strategies increase in complexity with each maturity level.

ISM and Essential 8

The Essential 8 is a subset of the Strategies to Mitigate Cyber Security Incidents and ISM's mandatory security controls. Therefore, it can be considered a stepping stone towards increasing your organisation's security posture with future compliance with ISM. This is evident as Essential 8 controls can be directly mapped to ISM.

Essential 8 Updates

Since the creation of the Essential 8, there have been several updates and modifications to the strategies. For example, in 2020, the ACSC released updated guidance on the Essential 8, including additional recommendations for implementing the strategies. In addition, the ACSC has released new guidance on specific aspects of the Essential 8, such as applying the strategies to cloud environments and implementing multi-factor authentication.

It's important to note that the Essential 8 is not a static set of mitigation strategies and may continue to evolve over time as the cybersecurity landscape changes. It's recommended that organisations regularly review and update their implementation of the Essential 8 to ensure that they are effectively protecting against cyber threats.

A full change log of all Essential 8 updates can be found on ACSC’s FAQ. The most recent updates include:

Change Date	Change Description
November 2022	Organisations are recommended to use an automated method of asset discovery at least fortnightly to detect what assets reside on their network (to assist with follow-on vulnerability scanning activities). Organisations are recommended to ensure their vulnerability scanners are using an up-to-date vulnerability database before conducting vulnerability scanning activities. Minor grammar amendments were made throughout for increased clarity (these changes have not changed the intent of existing requirements).
October 2021	Redefining the number of maturity levels and what they represent. This update focused on using the maturity levels to counter the sophistication of different levels of adversary tradecraft and targeting rather than being aligned to the intent of a mitigation strategy. Moving to a stronger risk-based approach to implementation. There will be circumstances (such as legacy systems and technical debt) that may prevent immediate or full implementation of requirements within the Essential Eight Maturity Model. In such cases, risk management processes may adequately address this. Implementing the mitigation strategies as a package. Organisations previously implemented each of the mitigation strategies individually. This approach was seen as leading to an imbalanced cyber security posture when resources were used implementing a few mitigation strategies to higher maturity levels while other mitigation strategies were not addressed, or addressed at a lower maturity level. Achieving a maturity level as a package will provide a more secure baseline than achieving higher maturity levels in a few mitigation strategies to the detriment of others. This is due to the Essential Eight being designed to complement each other and to provide broad coverage of various cyber threats. Organisations are now advised to achieve a consistent maturity level across all eight mitigation strategies before moving onto a higher maturity level.

Source: Australian Cyber Security Centre (ACSC).

This guide to understanding the Essential 8 article provides a detailed insight into the Essential 8. To learn more, take a deep dive into our Essential 8 series.

Learn More About Essential 8

Overview:

Exploring the Origins and Significance of the Essential 8

8 Essential Mitigation Strategies:

Adoption:

Navigating Cybersecurity Excellence: The Essential Eight Meets Prosci's OCM Approach

Looking to accelerate your Essential Eight implementation?

Learn about our Essential 8 Accelerator or simply contact a CyberOxide specialist to find how we can help you.

Resources

Australian Signals Directorate (ASD), by Australian Signals Directorate (ASD).
Australian Cyber Security Centre (ACSC), by Australian Cyber Security Centre (ACSC).
"Information Security Manual (ISM)", by Australian Cyber Security Centre (ACSC).
"Strategies to Mitigate Cyber Security Incidents", by the Australian Cyber Security Centre (ACSC).
"The Essential 8", by the Australian Cyber Security Centre (ACSC).
"The Essential 8 FAQ", by the Australian Cyber Security Centre (ACSC).
"Essential 8 Maturity Models", by The Australian Cyber Security Centre (ASCS).
"Intelligence community reforms", by Cat Barker, Foreign Affairs, Defence and Security, Parliament of Australia.