Almost all government agencies have been mandated to implement the Essential 8 security controls. That mandate does not extend to every enterprise in Australia, however, so many organisations are not forced to comply with these directives where they do not suit their specific security requirements. Internet 2.0 will always work with you to achieve your security needs, and we specialise in sensitive and specialist requirements. We bring this expertise to all our clients and work with the best in the industry, so that if you are seeking to improve your Essential 8 maturity, you can start today.
Do the following sound familiar? Application control, patching applications, configuration of Microsoft Office macro settings (or your suite of choice), user application hardening, restricting privileges as needed, patching software and operating systems, multi-factor authentication and regular backups. These are the Essential 8, and they were updated in October 2021 to emphasise maturity, not just tactics.
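As an added example for the Office macro control named above (this is not code from the page or from Internet 2.0), the following PowerShell audit reads the per-user Office macro policy values and reports whether each application still sits at the weak, user-controllable default. It assumes Office 2016/2019/Microsoft 365 Apps (registry version key 16.0) and that settings are delivered by Group Policy under HKCU:\Software\Policies; the pass/fail rule it applies (macros disabled or signed-only, plus Internet-origin macros blocked) is our own reading of the baseline, not an ACSC artefact.

```powershell
# Added example, not code from the page or from Internet 2.0: audit the Office
# macro policy values behind the Essential Eight "Configure Microsoft Office macro
# settings" control and flag the weak default.
# Assumptions: Office registry version key 16.0 and Group Policy delivery under
# HKCU:\Software\Policies. Adjust both for your environment.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings policy value (Trust Center "Macro Settings").
$vbaMeaning = @{
    1 = 'Enable all macros (weak)'
    2 = 'Disable with notification (Office default; user can still click Enable)'
    3 = 'Disable all except digitally signed macros'
    4 = 'Disable all without notification'
}

function Get-MacroPolicy {
    param([string]$App)
    $path  = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$App\Security"
    $vba   = (Get-ItemProperty -Path $path -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
    $block = (Get-ItemProperty -Path $path -Name 'BlockContentExecutionFromInternet' -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet

    # A value missing from the policy hive means the user-controlled default applies,
    # which is the weak state the control is meant to remove.
    $macroState = if ($null -eq $vba) { 'Not set by policy (user default applies)' } else { $vbaMeaning[[int]$vba] }
    $internetBlocked = ($block -eq 1)

    [pscustomobject]@{
        Application           = $App
        VBAWarnings           = $vba
        MacroState            = $macroState
        InternetMacrosBlocked = $internetBlocked
        # Assumed baseline rule: Internet-origin macros blocked AND macros either
        # disabled outright (4) or limited to digitally signed ones (3).
        MeetsBaseline         = ($internetBlocked -and ($vba -in 3, 4))
    }
}

$report = foreach ($app in $apps) { Get-MacroPolicy -App $app }
$report | Format-Table -AutoSize

# Corrected state for comparison. In production these are set through Group Policy
# ("VBA Macro Notification Settings" and "Block macros from running in Office files
# from the Internet"); the equivalent registry values are:
#   VBAWarnings                       = 4   (disable all without notification)
#   BlockContentExecutionFromInternet = 1   (block Internet-origin macros)
```

Run it in the context of an ordinary user account, not an administrator, because the values live in HKCU and the point is to see what a standard user actually gets. A row showing "Not set by policy" is the weak configuration: it means Office's own default applies and the user can enable macros with one click.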
We are confident you are already thinking beyond these requirements alone; after all, Cyber Hygiene Improvement Programs (CHIPs) and uplift programs run regularly in the background of the push to defend against persistent cyber threats. According to government reports, adoption of the Essential 8 still requires further improvement, especially as a number of obsolete and unsupported technologies remain in place and technology modernisation continues to outpace security patching. If you already have security intelligence or some insight into your cyber security situation, or have experienced a cyber attack, you will already know that a great deal of complexity is involved.
Does this mean, then, that they are only applicable to agencies and organisations that work in critical infrastructure? The commonsense answer is that they apply to all entities wishing to conduct business in Australia, or at the very least that every such entity needs awareness of them and the ability to meet a comparable security standard where a regulatory or contractual compliance requirement is involved. This is an increasing trend, especially in the awarding of government contracts and tenders.
To assist Australian enterprise, the government has run many successful initiatives to promote cyber security awareness and technical defences, with the Essential 8 as a hallmark for cyber security benchmarking. If your organisation does not leverage the Essential 8, or has experience with other frameworks such as the UK’s cyber readiness scheme or the globally renowned CIS Controls, you may still be in alignment with the maturity levels of the Essential 8. Need to know more? Speak with the team at Internet 2.0 for guidance on how to determine your cyber security posture and threat situation, and gain relentless security over your infrastructure and operations today.
Maturity levels
There are four maturity levels to the Essential 8, and these were updated in 2021.

“If you are not familiar with the Essential Eight, they are the top eight security controls that are considered by the ACSC as the most effective controls when it comes to mitigating cyber security incidents. These eight are derived from the ACSC’s experience of observing the tradecraft of a wide and varying range of bad actors and are plucked from a much larger set of 37 recommendations in the publication ‘Strategies to Mitigate Cyber Security Incidents’.” – Mark Anderson, Chief Security Officer, Microsoft

The Australian Cyber Security Centre (ACSC) puts its recommendation this way: “As such, organisations should consider what level of tradecraft and targeting, rather than which adversaries, they are aiming to mitigate.”

This is where Internet 2.0 comes into your security equation. We are relentless in monitoring, detecting, responding to and shaping the cyber security situation to your advantage, so your organisation can correct any security deficiencies as soon as they are discovered. The maturity levels essentially map to the type of threat environment, or the conditions, that your organisation is facing. If you do not know what your threat level is, then you must obtain that information. In an ideal world we would strive to implement security controls that meet and exceed maturity level 3, but sometimes this is simply not feasible or prudent given the strategic direction of the organisation. According to the ACSC, the maturity levels are as follows:
Level 0
This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture. When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data, as described by the tradecraft and targeting in Maturity Level One below.
Level 1
The focus of this maturity level is adversaries who are content to simply leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, systems. For example, adversaries opportunistically using a publicly-available exploit for a security vulnerability in an internet-facing service which had not been patched, or authenticating to an internet-facing service using credentials that were stolen, reused, brute forced or guessed. Generally, adversaries are looking for any victim rather than a specific victim and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. Adversaries will employ common social engineering techniques to trick users into weakening the security of a system and launch malicious applications, for example via Microsoft Office macros. If the account that an adversary compromises has special privileges they will seek to exploit it. Depending on their intent, adversaries may also destroy data (including backups).
Level 2
The focus of this maturity level is adversaries operating with a modest step-up in capability from the previous maturity level. These adversaries are willing to invest more time in a target and, perhaps more importantly, in the effectiveness of their tools. For example, these adversaries will likely employ well-known tradecraft in order to better attempt to bypass security controls implemented by a target and evade detection. This includes actively targeting credentials using phishing and employing technical and social engineering techniques to circumvent weak multi-factor authentication. Generally, adversaries are likely to be more selective in their targeting but still somewhat conservative in the time, money and effort they may invest in a target. Adversaries will likely invest time to ensure their phishing is effective and employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications, for example via Microsoft Office macros. If the account that an adversary compromises has special privileges, they will seek to exploit it; otherwise they will seek accounts with special privileges. Depending on their intent, adversaries may also destroy all data (including backups) accessible to an account with special privileges.
Level 3
The focus of this maturity level is adversaries who are more adaptive and much less reliant on public tools and techniques. These adversaries are able to exploit the opportunities provided by weaknesses in their target’s cyber security posture, such as the existence of older software or inadequate logging and monitoring. Adversaries do this to not only extend their access once initial access has been gained to a target, but to evade detection and solidify their presence. Adversaries make swift use of exploits when they become publicly available as well as other tradecraft that can improve their chance of success. Generally, adversaries may be more focused on particular targets and, more importantly, are willing and able to invest some effort into circumventing the idiosyncrasies and particular policy and technical security controls implemented by their targets. For example, this includes social engineering a user to not only open a document but also to unknowingly assist in bypassing security controls. This can also include circumventing stronger multi-factor authentication by stealing authentication token values to impersonate a user. Once a foothold is gained on a system, adversaries will seek to gain privileged credentials or password hashes, pivot to other parts of a network, and cover their tracks. Depending on their intent, adversaries may also destroy all data (including backups).
Need More Information?
Do you need to understand exactly how to connect the dots, plan, and achieve the outcomes that will improve your security maturity level and fend off the threats you are facing? We suggest three simple steps, each of which will form part of your organisation’s cyber security strategy.
- Determine your threat (yes, we can help you with that today).
- Determine your attack surface (infrastructure and resources) and map it to controls as per the Essential 8, or your security framework of choice, for example the Australian Information Security Manual, the NIST frameworks, or the CIS benchmarks.
- Go beyond and leverage the Relentless Security offerings that Internet 2.0 offers, such as monitoring, threat hunting, training, and incident response.