Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework


Australian Signals Directorate Essential 8

The Australian Signals Directorate (ASD) has published what it calls the “Essential 8”: a set of fundamental mitigation strategies as a baseline for securing an organization. It is intended to be a pragmatic set of mitigation strategies designed to address the most common adversary behaviors. They are:


  1. Application whitelisting. This ensures that only approved programs can run, and is intended to prevent the execution not only of binaries (.exes, etc.) but also of scripts.
  2. Patch applications. This is to prevent exploitation of vulnerable software.
  3. Configure Microsoft Office macro settings to block macros from the Internet. Attackers still often use Microsoft Office macros to trick users into installing malware.
  4. User application hardening. Many features are often unnecessary and pose a security risk; for example, OLE object embedding in Microsoft Office documents.
  5. Restrict administrative privileges. Invoking the principle of least privilege, only users who require administrative privileges for their work should have them.
  6. Patch operating systems. Operating system vulnerabilities are often exploited by attackers to elevate their privileges.
  7. Multi-factor authentication. Remote access services such as Virtual Private Networks (VPNs) require multi-factor authentication to prevent credential reuse attacks.
  8. Daily backups. When confronted with ransomware attacks, backups become an essential part of an organization’s cyber security program.


There is often a feeling of “security nihilism” when it comes to reporting around intrusions, especially those conducted by nation-states or other types of APT threat actor groups. However, pragmatic approaches such as the Essential 8 framework go a long way to mitigating many typical adversary behaviors. That is, it increases the costs for an attacker to attack a particular organization. This is the name of the game. In order to demonstrate this, we took our recent work on the Mitre ATT&CK framework and various indictments of cyber criminals and nation state actors and mapped them to the Essential 8 framework:


Lessons learned

The mapping exercise was very instructive and yielded a number of key insights:

  1. Prevention only gets you so far. There are multiple gaps in the ATT&CK framework that cannot easily be addressed by prevention and therefore require detection mechanisms to be in place in order to catch adversary behavior, particularly in the later stages of the attack lifecycle.
  2. Essential 8 addresses many common adversary techniques present in the middle of the attack lifecycle: for example, how attackers gain code execution, how they persist in the target environment, and how they escalate privileges.
  3. Essential 8, by virtue of necessity, does not address to the same extent the work done by the attackers before they attempt code execution. Spear phishing is a TTP used by the four threat actors we looked at, but the Essential 8 doesn’t contain any preventative measures against it. Prevention is focused on stopping malicious code from being executed when it arrives at the user’s endpoint.
  4. Essential 8 maps very well to the Enterprise ATT&CK framework. There are, however, still missing mitigation strategies for the PRE-ATT&CK framework. This is something that Digital Shadows wishes to address in 2019.
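The coverage-gap analysis behind these lessons can be made concrete in a few lines. The following is an added example, not Digital Shadows' published mapping: the ATT&CK technique IDs are real Enterprise identifiers, but the Essential 8 to technique mapping and the actor TTP profile are constructed, illustrative assumptions.

```python
"""Essential 8 coverage-gap analysis over an actor's ATT&CK techniques (illustrative)."""
from collections import defaultdict

# Essential 8 strategy -> ATT&CK techniques it is ASSUMED to prevent (constructed mapping).
ESSENTIAL_8 = {
    "Application whitelisting": {"T1059", "T1204", "T1547"},
    "Patch applications": {"T1203"},
    "Office macro settings": {"T1204"},
    "User application hardening": {"T1204"},
    "Restrict administrative privileges": {"T1078"},
    "Patch operating systems": {"T1068"},
    "Multi-factor authentication": {"T1078", "T1021"},
    "Daily backups": {"T1486"},
}

# Constructed actor profile as (technique, tactic), ordered along the attack lifecycle.
ACTOR_TTPS = [
    ("T1566", "Initial Access"),        # Phishing (spearphishing attachment)
    ("T1203", "Execution"),             # Exploitation for Client Execution
    ("T1204", "Execution"),             # User Execution (macro-laden document)
    ("T1059", "Execution"),             # Command and Scripting Interpreter
    ("T1547", "Persistence"),           # Boot or Logon Autostart Execution
    ("T1068", "Privilege Escalation"),  # Exploitation for Privilege Escalation
    ("T1021", "Lateral Movement"),      # Remote Services
    ("T1071", "Command and Control"),   # Application Layer Protocol
    ("T1041", "Exfiltration"),          # Exfiltration Over C2 Channel
    ("T1486", "Impact"),                # Data Encrypted for Impact (ransomware)
]

def mitigations_for(technique, mapping=ESSENTIAL_8):
    """Return the Essential 8 strategies assumed to prevent one technique (sorted)."""
    return sorted(name for name, techs in mapping.items() if technique in techs)

def coverage_by_tactic(ttps=ACTOR_TTPS, mapping=ESSENTIAL_8):
    """Group the profile by tactic into techniques Essential 8 prevents vs. detect-only."""
    report = defaultdict(lambda: {"prevented": [], "detect_only": []})
    for technique, tactic in ttps:
        key = "prevented" if mitigations_for(technique, mapping) else "detect_only"
        report[tactic][key].append(technique)
    return dict(report)

def detection_gaps(ttps=ACTOR_TTPS, mapping=ESSENTIAL_8):
    """Lifecycle stages where nothing in the profile is prevented: detection must cover them."""
    return [t for t, r in coverage_by_tactic(ttps, mapping).items() if not r["prevented"]]

if __name__ == "__main__":
    for tactic, r in coverage_by_tactic().items():
        print(f"{tactic:22} prevented={r['prevented']} detect_only={r['detect_only']}")
    print("Detection required for:", detection_gaps())
```

Under these assumptions the stages left entirely to detection are Initial Access, Command and Control and Exfiltration, which is the shape of lessons 1 and 3 above.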


Essential 8 is an excellent framework for mitigating many common adversary behaviors. By mapping some well-known adversaries to the ATT&CK framework we can see how, by using Essential 8, an organization can significantly obstruct adversaries. However, Essential 8 is just the beginning of a cyber security program. As the above mapping clearly demonstrates, detection is an important part of a cyber security program, especially at the earlier and later stages of the attack lifecycle.

About Digital Shadows
Digital Shadows monitors and manages an organization’s digital risk, providing relevant threat intelligence across the widest range of data sources within the open, deep, and dark web to protect their brand, and reputation. The Digital Shadows SearchLight™ service combines scalable data analytics with human data analysts to manage and mitigate risks of an organization’s brand exposure, VIP exposure, cyber threat, data exposure, infrastructure exposure, physical threat, and third party risk, and create an up-to-the minute view of an organization’s digital risk with tailored threat intelligence.
