Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework
November 27, 2018
Australian Signals Directorate Essential 8
The Australian Signals Directorate (ASD) has published what it calls the “Essential 8”: a set of fundamental mitigation strategies as a baseline for securing an organization. It is intended to be a pragmatic set of mitigation strategies designed to address the most common adversary behaviors. They are:
- Application whitelisting. This ensures that only approved programs can run, and is intended to prevent the execution of not only binaries (.exes, etc.) but also scripts
- Patch applications. This is to prevent exploitation of vulnerable software
- Configure Microsoft Office macro settings to block macros from the Internet. Attackers still often use Microsoft Office macros to trick users into installing malware
- User application hardening. Many features are often unnecessary and pose a security risk; for example, OLE object embedding in Microsoft Office documents
- Restrict administrative privileges. This applies the principle of least privilege: only users who require administrative privileges for their work should have them
- Patch operating systems. Operating system vulnerabilities are often exploited by attackers to elevate their privileges
- Multi-factor authentication. Remote access services such as Virtual Private Networks (VPNs) require multi-factor authentication to prevent credential reuse attacks
- Daily backups. When confronted with ransomware attacks, backups become an essential part of an organization’s cyber security program
There is often a feeling of “security nihilism” when it comes to reporting around intrusions, especially those conducted by nation-states or other types of APT threat actor groups. However, pragmatic approaches such as the Essential 8 framework go a long way to mitigating many typical adversary behaviors. That is, it increases the costs for an attacker to attack a particular organization. This is the name of the game. In order to demonstrate this, we took our recent work on the Mitre ATT&CK framework and various indictments of cyber criminals and nation state actors and mapped them to the Essential 8 framework:
The mapping exercise was very instructive and yielded a number of key insights:
- Prevention only gets you so far. There are multiple gaps in the ATT&CK framework that cannot easily be addressed by prevention and therefore require detection mechanisms to be in place in order to catch adversary behavior, particularly in the later stages of the attack lifecycle.
- Essential 8 addresses many common adversary techniques present in the middle of the attack lifecycle. For example, how the attackers gain code execution, how they persist in the target environment, and how they escalate privileges.
- Essential 8, by necessity, does not address to the same extent the work done by the attackers before they attempt code execution. Spear phishing is a TTP used by all four threat actors we looked at, but the Essential 8 doesn’t contain any preventative measures against it. Its prevention is focused on stopping malicious code from being executed once it arrives at the user’s endpoint.
- Essential 8 maps very well to the Enterprise ATT&CK framework. There are, however, still missing mitigation strategies for the PRE-ATT&CK framework. This is something that Digital Shadows wishes to address in 2019.
Essential 8 is an excellent framework for mitigating many common adversary behaviors. By mapping some well-known adversaries to the ATT&CK framework we can see how, by using Essential 8, an organization can significantly obstruct adversaries. However, Essential 8 is just the beginning of a cyber security program. As the above mapping clearly demonstrates, detection is an important part of a cyber security program, especially at the earlier and later stages of the attack lifecycle.