The Essential Eight represents fundamental cybersecurity strategies every organisation should implement to reduce its attack surface and strengthen defences. However, organisations often struggle with prioritising which controls to implement first and how to optimise them against real-world threats.
Cyber Threat Intelligence (CTI) can provide the needed visibility to guide Essential Eight adoption. CTI identifies active threats and targeted vulnerabilities, allowing organisations to focus mitigations on plugging security gaps that threat actors exploit in the wild.
My humble attempt with this article is to provide an overview of the current Essential Eight framework, discuss how CTI can inform and improve Essential Eight implementations to enhance risk posture, and map Essential Eight defences tailored to mitigating the high-impact CL0P ransomware threat.
So what’s the Essential Eight framework?
The Essential Eight is a set of cybersecurity strategies developed by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against cyber threats. These strategies are based on extensive research and analysis of past cyber attacks and vulnerabilities. The Essential Eight framework provides a prioritised list of strategies organisations should implement to mitigate the most common and damaging cyber threats:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
It is a simple and fundamental strategy; however, there’s a flip side. Critics argue that the Essential Eight might not be sufficient to address all advanced persistent threats and evolving cyber-attack techniques. While it’s a strong starting point, some believe organisations with larger digital footprints or more sensitive data might require a deeper, more nuanced strategy.
However, I think the Essential Eight framework is a practical way for organisations to strengthen their cybersecurity. It provides a checklist of best practices, and the framework prioritises key strategies to address the most significant risks. This standardised guidance allows organisations to allocate resources effectively without starting from scratch. While it doesn’t eliminate all threats, the Essential Eight significantly reduces vulnerabilities by promoting essential cyber hygiene.
My opinion on the role CTI plays in enhancing Essential Eight implementation
This is where Cyber Threat Intelligence (CTI) plays a crucial role in supporting the implementation of the Essential Eight. CTI provides organisations with up-to-date, actionable intelligence about potential cyber threats. By analysing this intelligence, organisations can better understand the threats specific to them and tailor their Essential Eight implementation accordingly. This allows them to focus resources on the most critical areas and stay one step ahead of cybercriminals.
Here is a hypothetical case study on how the Essential Eight cybersecurity strategies can leverage cyber threat intelligence (CTI) to improve an organisation’s risk posture:
Essential Eight strategies | CTI Insights | Implementation | Risk Posture Improvement |
---|---|---|---|
Application Whitelisting | CTI identifies new malware strains attempting to execute. | Whitelisting prevents new malware from running even with zero-day exploits. | Stops execution of unknown malware before damage can occur. |
Patch Applications | | Patches get prioritised for high and critical vulnerabilities that are being exploited. | Closes avenues of attack via patching known and relevant exploited vulnerabilities. |
Configure Microsoft Office Macro Settings | CTI identifies campaigns distributing malicious macro docs. | | Prevents infection through macro maldocs, a common threat vector. |
User Application Hardening | CTI can provide information on malicious websites, advertisements running malicious scripts, and exploitation of vulnerabilities in unsupported software. | Hardening golden image and unauthorised access. | |
Restrict Administrative Privileges | CTI reports ransomware and threats using stolen admin rights. | Implements least privilege model and Just-in-Time admin rights. | Limits lateral movement and damage from threats leveraging admin rights. |
Patch Operating Systems | CTI monitors for exploits of unpatched OS bugs in the wild. | Patches are applied on an expedited schedule for exposed OS vulnerabilities. | Removes OS bugs cybercriminals are actively exploiting in attacks. |
Multi-factor Authentication | CTI observes threats abusing stolen credentials. | Enforce additional authentication factors so that stolen passwords alone are ineffective. | Stolen passwords are ineffective without additional factors, stopping breaches. |
Daily Backups | CTI detects ransomware and destructive attacks disrupting operations. | Tested air-gapped backups allow recovery after incidents. | Ensures business continuity and avoids paying ransoms after backup-defeating threats. |
NOTE: There can be multiple implementation points for each strategy, so please consider this a starting point.
This demonstrates how relevant, timely CTI can guide and prioritise Essential Eight implementations that target current in-the-wild threats, substantially improving overall security posture.
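To make the "prioritise patching using CTI" idea in the table concrete, here is an added Python example. It is my illustration, not code from the article or from the ACSC: a vulnerability inventory is ranked first by CTI evidence (is the CVE reported as exploited in the wild?) combined with asset exposure, and only then by CVSS, and the result is compared with the CVSS-only order most teams start from. Every CVE identifier, asset name, the contents of the CTI feed and the SLA hours are constructed placeholders, and the tiering rules are one reasonable policy rather than a standard.

```python
"""CTI-informed patch prioritisation (added example, constructed data).

Ranks a vulnerability inventory by exploitation evidence from a CTI feed plus
asset exposure, then by CVSS, and compares the result with a CVSS-only ranking.
All CVE ids, asset names and SLAs are placeholders invented for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str              # placeholder identifier, not a real CVE
    asset: str
    cvss: float
    internet_facing: bool


# Constructed inventory: what a vulnerability scanner might report.
INVENTORY = [
    Vuln("CVE-EXAMPLE-0001", "intranet-wiki", 9.8, False),
    Vuln("CVE-EXAMPLE-0002", "vpn-gateway", 7.2, True),
    Vuln("CVE-EXAMPLE-0003", "web-frontend", 8.1, True),
    Vuln("CVE-EXAMPLE-0004", "file-server", 6.5, False),
    Vuln("CVE-EXAMPLE-0005", "hr-laptop-17", 5.3, False),
]

# Constructed CTI feed: CVEs a KEV-style source reports as exploited in the wild.
EXPLOITED_IN_WILD = {"CVE-EXAMPLE-0002", "CVE-EXAMPLE-0004"}

# Assumed organisational remediation SLAs in hours (values chosen for the
# example, not the ACSC's published timeframes).
SLA_HOURS = {"P1": 48, "P2": 14 * 24, "P3": 30 * 24}


def priority(v: Vuln, exploited: set) -> str:
    """Tier a vulnerability: exploitation evidence outranks raw CVSS."""
    in_wild = v.cve in exploited
    if in_wild and v.internet_facing:
        return "P1"      # reachable from the internet and actively exploited
    if in_wild or (v.internet_facing and v.cvss >= 7.0):
        return "P2"
    return "P3"


def prioritise(inventory, exploited):
    """Sort by CTI-informed tier, then by CVSS within a tier."""
    order = {"P1": 0, "P2": 1, "P3": 2}
    return sorted(inventory, key=lambda v: (order[priority(v, exploited)], -v.cvss))


def cvss_only(inventory):
    """The baseline many teams start from: highest CVSS first."""
    return sorted(inventory, key=lambda v: -v.cvss)


def patch_plan(inventory, exploited):
    """Rows of (cve, asset, tier, sla_hours) in remediation order."""
    plan = []
    for v in prioritise(inventory, exploited):
        tier = priority(v, exploited)
        plan.append((v.cve, v.asset, tier, SLA_HOURS[tier]))
    return plan


if __name__ == "__main__":
    print("CVSS-only order :", [v.cve for v in cvss_only(INVENTORY)])
    print("CTI-informed    :", [v.cve for v in prioritise(INVENTORY, EXPLOITED_IN_WILD)])
    for row in patch_plan(INVENTORY, EXPLOITED_IN_WILD):
        print("%-18s %-14s %s  within %dh" % row)
```

Note how the two orders disagree: the CVSS 9.8 finding on an internal wiki with no exploitation evidence drops to the last tier, while the CVSS 7.2 finding on the internet-facing VPN gateway that the CTI feed flags as exploited moves to the top with the shortest SLA. In practice the `EXPLOITED_IN_WILD` set would be refreshed from your CTI feed on every run so that the plan tracks what threat actors are currently using.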
Now let’s try to map these to our beloved ransomware family CL0P.
Essential Eight vs CL0P ransomware
Mitigation Strategy | CL0P TTPs | Mitigations |
---|---|---|
Application Whitelisting | CL0P ransomware leverages exploits and stolen credentials to spread. | Whitelist only approved apps and block executables from the temp folders used by CL0P. |
Patch Applications | CL0P targets vulnerable apps like Oracle WebLogic to move laterally. | Rapidly patch apps, servers, and network devices to remove CL0P entry points. |
Configure Microsoft Office Macro Settings | CL0P uses macro-laden Office docs as an initial infection vector. | Block Office macros from the internet and enforce vetted macro settings. |
User Application Hardening | CL0P harvests passwords from browsers to propagate. | Harden browsers and enforce MFA to limit credential theft. |
Restrict Administrative Privileges | Wide admin rights allowed the quick spread of CL0P across networks. | Follow least privilege and remove local admin rights to limit lateral movement. |
Patch Operating Systems | Unpatched Windows systems were compromised by CL0P. | Prioritise OS patching to eliminate the EternalBlue vulnerability used by CL0P. |
Multi-factor Authentication | CL0P leverages stolen credentials to access networks. | Require MFA for VPNs, email, and internal applications to prevent access via stolen creds. |
Daily Backups | CL0P encrypts files and disrupts business operations. | Maintain offline backups to retain data and enable recovery after a CL0P attack. |
NOTE: Not all techniques have been mentioned; however, I tried to map them to the Essential Eight.
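The macro row above says to block Office macros from the internet and enforce vetted macro settings. As an added example (mine, not from the article or the ACSC), the Python below checks whether a host actually has those settings enforced by policy: it parses a `.reg` export of the Office policy hive and, per application, inspects the two Office 2016+ policy values the control depends on, `blockcontentexecutionfrominternet` (1 = block macros in files marked as from the internet) and `vbawarnings` (3 = only digitally signed macros run, 4 = all macros blocked, 2 = disabled with notification, 1 = all enabled). The registry paths and value names are the real Office policy names; the sample export is constructed so that Word is fully hardened, Excel still lets users enable macros, and PowerPoint has no policy at all.

```python
"""Audit an exported Office macro policy against the Essential Eight macro control.

Added example with a constructed .reg export. The key paths and value names are
the Office 2016+ Group Policy registry settings; everything else is illustrative.
"""
import re

APPS = ("word", "excel", "powerpoint")
POLICY_ROOT = r"hkey_current_user\software\policies\microsoft\office\16.0"

# Constructed sample export: Word is compliant, Excel uses "disable with
# notification" (users can still click Enable), PowerPoint has no policy key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"vbawarnings"=dword:00000003

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"vbawarnings"=dword:00000002
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}.

    dword values become ints; anything else is kept as the raw string.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            value = int(data[6:], 16) if data.lower().startswith("dword:") else data.strip('"')
            tree[current][name] = value
    return tree


def audit_app(tree, app):
    """Evaluate one Office application's macro policy; returns findings."""
    sec = tree.get(f"{POLICY_ROOT}\\{app}\\security", {})
    findings = []
    if sec.get("blockcontentexecutionfrominternet") != 1:
        findings.append("macros in files from the internet are not blocked by policy")
    vba = sec.get("vbawarnings")
    if vba is None:
        findings.append("vbawarnings is not enforced by policy (left to the user)")
    elif vba in (1, 2):
        findings.append(f"vbawarnings={vba} allows users to run unsigned macros")
    return {"app": app, "compliant": not findings, "findings": findings}


def audit(reg_text, apps=APPS):
    """Audit every application in `apps`; returns {app: result}."""
    tree = parse_reg(reg_text)
    return {app: audit_app(tree, app) for app in apps}


if __name__ == "__main__":
    for app, result in audit(SAMPLE_REG).items():
        status = "OK  " if result["compliant"] else "FAIL"
        print(f"{status} {app:<11}", "; ".join(result["findings"]) or "policy enforced")
```

A real export produced with `reg export` on a managed host is UTF-16 encoded, so read it with `open(path, encoding="utf-16")` before passing the text to `audit`. The point of checking the policy hive rather than the user's own settings is that only the policy values survive a user changing Trust Center options, which is what "enforce" means in the mitigation column.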
Yes, yes, I know, MITRE is important as well. So here is a quick attempt to map both frameworks for CL0P ransomware.
Essential Eight | MITRE ATT&CK Tactic | CL0P Technique | Mitigation |
---|---|---|---|
Application Whitelisting | Execution | Malicious PowerShell scripts. | Whitelist approved PowerShell code and block unsigned scripts. |
Patch Applications | Execution | Exploits like EternalBlue. | Rapidly patch vulnerabilities in apps and Windows OS. |
Configure Office Macro Settings | Initial Access | Maldocs with macros. | Block Office macros from the internet. |
User Application Hardening | Credential Access | Password scraping from browsers. | Enforce strong browser security settings. |
Restrict Admin Privileges | Privilege Escalation | Pass-the-hash, stolen admin tokens. | Implement the least privilege access model. |
Patch Operating Systems | Execution | Windows exploits like EternalBlue. | Prioritise patching known exploited Windows vulnerabilities. |
Multi-factor Authentication | Initial Access | Reuse of stolen credentials. | Require MFA for user and admin access. |
Daily Backups | Impact | Deleting backup. | Maintain regular offline backups to enable quick recovery. |
NOTE: Not all techniques have been mentioned; however, I tried to map them to the Essential Eight.
This shows how mapping defences to MITRE ATT&CK can help validate how Essential Eight controls can practically mitigate real-world attacks like CL0P ransomware campaigns, and focusing implementations on current attack techniques improves risk reduction.
The Maturity Levels

Image taken from Adobe Stock
Four maturity levels have been defined to assist organisations with their implementation of the Essential Eight (Maturity Level Zero through to Maturity Level Three). Except for Maturity Level Zero, the maturity levels are based on mitigating increasing levels of tradecraft (i.e. tools, tactics, techniques and procedures) and targeting. The following table shows how organisations can progress through the maturity levels for each Essential Eight mitigation strategy.
NOTE: Maturity Level 0 is not shown because organisations start at 0; the table gives recommendations for reaching Level 1, then Level 2 and Level 3.
Mitigation Strategy | Maturity Level 1 | Maturity Level 2 | Maturity Level 3 |
---|---|---|---|
Application Whitelisting | Draft whitelisting policies and procedures. | Pilot whitelisting on non-critical systems. | Broad whitelisting deployment covering all systems. |
Patch Applications | Patch critical apps monthly. | Patch critical apps fortnightly. | Automate patching across environments and weekly scans. |
Configure Microsoft Office Macro Settings | Block Office macros from the internet. | Enable vetted macros only after code review. | |
User Application Hardening | Set secure browser settings per corporate policy. | Test and enforce hardened browser settings via group policy. | |
Restrict Administrative Privileges | Document admin privileges for systems and users. | | Enforce the least privilege access model across all systems and users. |
Patch Operating Systems | Monthly OS patching for critical infrastructure. | Expand regular OS patching to all systems and test patches before deployment. | Fully automate OS patching with exception handling, and monitor results. |
Multi-factor Authentication | Enable MFA for all remote access to a network. | Require MFA for internal access to email and financial systems. | Implement MFA policies across all user accounts and systems. |
Daily Backups | Document backup requirements and procedures. | Test and audit existing backups and upgrade backup systems as needed. | |
Organisations can systematically improve their cyber risk posture over time by progressively implementing these cybersecurity controls and increasing maturity in each area. The higher maturity levels build on the lower levels to provide comprehensive, optimised protection aligned to business needs.
Final words
Overall, the Essential Eight offers a robust base and should be considered a stepping stone and a great starting point for most cyber scenarios.
Additionally, by leveraging CTI insights to optimise Essential Eight adoption, organisations can move from theoretical security to threat-centric defence. It allows the Essential Eight to evolve from a static checklist into an adaptive cybersecurity strategy powered by real-time threat awareness.
Feel free to reach out if you have any questions or would like further assistance with your cybersecurity strategy.
STAY SAFE! STAY VIGILANT!
Header image taken from Adobe Stock images