Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework


Australian Signals Directorate Essential 8

The Australian Signals Directorate (ASD) has published what it calls the “Essential 8”: a set of fundamental mitigation strategies as a baseline for securing an organization. It is intended to be a pragmatic set of mitigation strategies designed to address the most common adversary behaviors. They are:


  1. Application whitelisting. Only approved programs are allowed to run; this is intended to block the execution not only of binaries (.exe files and the like) but also of scripts.
  2. Patch applications. This prevents the exploitation of known-vulnerable software.
  3. Configure Microsoft Office macro settings to block macros from the Internet. Attackers still frequently use Office macros to trick users into installing malware.
  4. User application hardening. Many application features are unnecessary for most users and pose a security risk; OLE object embedding in Microsoft Office documents is one example.
  5. Restrict administrative privileges. Applying the principle of least privilege: only users who need administrative privileges for their work should have them.
  6. Patch operating systems. Operating system vulnerabilities are often exploited by attackers to elevate their privileges.
  7. Multi-factor authentication. Remote access services such as Virtual Private Networks (VPNs) should require multi-factor authentication to defeat credential reuse attacks.
  8. Daily backups. Against ransomware in particular, backups are a core part of an organization's cyber security program.
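Item 3 is the one control in the list that is a single, checkable host setting. The script below is an added example (not from the original post or from Digital Shadows) that audits whether the "block macros from the Internet" policy is enforced for Word, Excel and PowerPoint on a Windows host, and optionally sets it. It assumes Office 2016 or later (policy hive version `16.0`) and the per-user `Policies` key that Group Policy writes; the function names and the `-Remediate` switch are this example's own.

```powershell
# Added example, not part of the original post. Audits (and optionally enforces)
# the Office "Block macros from running in Office files from the Internet" policy.
# Assumption: Office 2016+ (registry version "16.0"); adjust for other releases.

$OfficeVersion = '16.0'
$OfficeApps    = 'Word', 'Excel', 'PowerPoint'

function Get-MacroInternetBlockStatus {
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $OfficeApps
    )
    foreach ($app in $Applications) {
        $path  = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        }
        [pscustomobject]@{
            Application = $app
            PolicyPath  = $path
            RawValue    = $value            # $null = no policy set, Office default applies
            Enforced    = ($value -eq 1)    # 1 = macros in Internet-sourced files are blocked
        }
    }
}

function Set-MacroInternetBlock {
    # Creates the policy key if missing and sets the blocking value (the "corrected"
    # configuration; a missing key or a value of 0 is the weak one).
    param(
        [string]$Version = $OfficeVersion,
        [string[]]$Applications = $OfficeApps
    )
    foreach ($app in $Applications) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

# Usage: run as the audited user. Add -Remediate to enforce the setting.
param([switch]$Remediate)

if ($Remediate) { Set-MacroInternetBlock }

$results = Get-MacroInternetBlockStatus
$results | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or compliance tool flag the host.
if ($results | Where-Object { -not $_.Enforced }) {
    Write-Warning 'At least one Office application is not enforcing the Internet macro block.'
    exit 1
}
```

The check reads only the per-user policy hive; in a domain environment the same value is normally delivered by Group Policy, so a host that reports `Enforced = $false` here is one the policy has not reached. Note that `param([switch]$Remediate)` must be the first statement in a script file to be honoured; it is placed after the function definitions here only for readability, so move it to the top when saving the script.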


There is often a feeling of “security nihilism” when it comes to reporting around intrusions, especially those conducted by nation-states or other types of APT threat actor groups. However, pragmatic approaches such as the Essential 8 framework go a long way to mitigating many typical adversary behaviors. That is, it increases the costs for an attacker to attack a particular organization. This is the name of the game. In order to demonstrate this, we took our recent work on the Mitre ATT&CK framework and various indictments of cyber criminals and nation state actors and mapped them to the Essential 8 framework:



Lessons learned

The mapping exercise was very instructive and yielded a number of key insights:

  1. Prevention only gets you so far. There are multiple gaps in the ATT&CK framework that cannot easily be addressed by prevention and therefore require detection mechanisms to be in place in order to catch adversary behavior, particularly in the later stages of the attack lifecycle.
  2. Essential 8 addresses many common adversary techniques found in the middle of the attack lifecycle: for example, how attackers gain code execution, how they persist in the target environment, and how they escalate privileges.
  3. Essential 8, by virtue of necessity, does not address to the same extent the work done by the attackers before they attempt code execution. Spear phishing is a TTP used by the four threat actors we looked at, but the Essential 8 doesn’t contain any preventative measures against it. Prevention is focused on stopping malicious code from being executed when it arrives at the user’s endpoint.
  4. Essential 8 maps very well to the Enterprise ATT&CK framework. There are, however, still missing mitigation strategies for the PRE-ATT&CK framework. This is something that Digital Shadows wishes to address in 2019.


Essential 8 is an excellent framework for mitigating many common adversary behaviors. By mapping some well-known adversaries to the ATT&CK framework we can see how, by using Essential 8, an organization can significantly obstruct adversaries. However, Essential 8 is just the beginning of a cyber security program. As the above mapping clearly demonstrates, detection is an important part of a cyber security program, especially at the earlier and later stages of the attack lifecycle.
