How to protect your organization using Essential Eight mitigation strategy?
Australia Signal Directorate (ASD) and Australia Cyber Security Centre (ACSC) has defined a strategy called Essential Eight to help organizations mitigate threats and adversaries. These eight strategies are baselines and can be used as a starting point for organizations and then strengthen up the defense. In this post, I have explained the eight strategies and recommended the best practices to achieve it using some of the open source and freemium tools available in the market.
Strategies to mitigate malware delivery and execution
1. Application Control
Maintain application whitelist to control the execution of unapproved/malicious programs and scripts.
- Block script execution by default in Powershell
- Block unapproved executable and scripts.
- Enable auditing for new programs installation.
- Implement least privilege model
Applocker comes with Windows workstations and server editions. It has advance software, programs including DLL execution control and helps you to implement the strategy to all machines using a group policy. So it’s easy to implement and maintain.
Application Control Plus from ManageEngine is free for up to 25 machines. This tool can discover the list of tools installed, group them based on rules and then associate them to appropriate users.
If you have macOS, try Santa which is an open source binary authorization tool for macOS.
2. Patch Applications
Patch the critical severity vulnerabilities within 48 hours. Have a documented patch management process and change control to patch critical vulnerabilities to reduce the attack surface.
PDQDeploy allows you to patch Windows applications automatically.
3. User Application Hardening
Disable features which are not required in applications like Microsoft office, browsers and PDF viewers. Configured browsers to block ads, disable flash and Java.
Qualys Browser Check – Free tool, helps to perform multiple security checks including Top 4 Security controls in a browser.
Avira Browser Safety Free addon which protects the privacy and secures browser.
Malwarebytes Browser Guard Free addon, filters out annoying ads and scams while blocking trackers.
4. Configure MS Office Macro Settings
Phishing is still the No.1 cause of data breaches. It all requires a single click to get infected. Controlling MS Office Macro settings is very crucial and recommended as a part of Essentials Eight model.
- Disable macros from the internet by default.
- Enable only digitally signed or vetted macros.
From office 2016 you can create a GPO to disable macros from the internet.
- Open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
- In the Group Policy Management Editor, go to User configuration.
- Click Administrative templates > Microsoft Word 2016 > Word options > Security > Trust Center.
- Open the Block macros from running in Office files from the Internet setting to configure and enable it.
More details from MS blog here
Mitigation Strategies to Limit the Extent of Cyber Security Incidents
5. Restrict Administrative Privileges
Follow least privilege strategy. Enable only the required privileges to accounts.
- Do not use a privileged account to perform tasks like web browsing, reading emails.
- Monitor changes to privilege accounts and permissions using logs or IAM tools.
OpenIAM – Community edition without any restrictions. It has multiple useful features like
- Single Sign-On – SAML 2, OpenID Connect
- Self-service portal – Profile Management, Forgot password
- Automated provisioning to many applications (AD, Google, Office365)
- User and Group Management
- Flexible Authentication / Authorization
WSO2 Identify Server – Another fantastic open source IAM tool which supports SSO, self service portal, Adaptive Authentication, Identity federation and more.
Glu – Feature rich and scalable IAM tool which also has enterprise edition.
6. Patch Operating Systems
Patch operating systems with critical vulnerabilities in 48 hours of the report. Vulnerable OS is an easy target for hackers. Manage desktops/endpoint using the following tools.
Open_AudIT An opensource inventory and audit program. It has features like software licensing, configuration changes, non-authorized devices, capacity utilization and hardware warranty status reports.
Spiceworks – Spiceworks has a well established completely free inventory and desktop management tool. Using Spiceworks you can manage assets, update software and track tickets in help desk.
7. Multi-factor Authentication
Can’t stress more about the importance of MFA. Implement MFA everywhere like Email, VPN, RDP, SSH, to all users. Use U2F hardware tokens than text messages as there are several incidents of hacking text based OTPs using SIM swapping.
PrivacyIdea – Can be used in existing applications like PAM, Windows authentication, VPN, RDP, SSH and more.
OpenOTP – It has freemium edition to support up to 40 OTP users.
Dynalogin – Open source solution, supports two-factor authentication on the web, Intranet, VPN and Linux/UNIX
Mitigation Strategies to Recover Data and System Availability
8. Daily Backups
Configure daily backups of critical systems and applications. Backup on both physical and cloud. Retain the data for at least 3 months. These practices come handy during a highly evolving ransomware incident.Configure daily backups of critical systems and applications. Backup on both physical and cloud. Retain the data for at least 3 months. These practices come handy during a highly evolving ransomware incident.
- Automate the backup process.
- Test and validate the backup recovery and make it as a data breach exercise.
Following tools help you to backup your data.
Borgbackup – Supports MAC OS, Linux and BSD
URBackup – Supports incremental backup and can support Windows, Linux, MAC
Syncthing – Encrypts and secure backups between two ore more computers. Supports MacOS, Windows, Linux, FreeBSD, Solaris, and OpenBSD.
If you are using or recommending any other tools which are not part of his post, feel free to add it in the comments.
Leave a Reply