The Essential Eight – Everything you need to know!

The Essential Eight are a set of cyber security mitigation strategies recommended by the Australian Cyber Security Centre (ACSC) to help organisations protect themselves against various cyber threats. They are based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.

The Essential Eight consist of three key areas: prevention, limitation and recovery.

Here is a brief summary of how to be compliant for each of the Essential Eight:

• Application Control: This strategy involves allowing only approved applications to run on a system and blocking everything else. It can prevent malware, ransomware, and other cyber threats from being executed through unsecure applications. Application whitelisting can be implemented using different attributes, such as file path, file name, cryptographic hash, file size, digital signature, or process control. To achieve application control compliance, implement a whitelisting solution across all workstations, endpoints, and servers. Use secure whitelisting attributes and maintain a change management program.
• Patch applications: This strategy involves applying security updates to applications as soon as they are available, or within 48 hours for extreme risk vulnerabilities. It can reduce the chances of attackers exploiting known flaws in software to compromise systems. Patching should be done for both internal and third-party applications and should be supported by vulnerability discovery and assessment tools. To achieve patch application compliance, identify and prioritize vulnerabilities in your applications and apply security patches within the recommended time frames. Ensure compatibility with internal applications and vendor software.
• Configure Microsoft Office macro settings: This strategy involves disabling or restricting Microsoft Office macros, which are scripts that can automate tasks but also be used to deliver malware. Macros should only be allowed from trusted sources or locations, and users should not be able to change macro settings. Macro write access should also be limited to authorized users . To achieve Microsoft Office macro settings compliance, disable all Microsoft Office macros unless they are essential and have passed security validation. Use group policy settings to control macro execution and block macros from the internet.
• User application hardening: This strategy involves configuring web browsers and Microsoft Office to block or disable features that are commonly used by attackers, such as Flash, Java, OLE packages, and web ads. It can prevent malicious code from being executed through these features and reduce the attack surface of systems. To achieve user application hardening compliance, configure web browsers to block or disable Flash, Java, and OLE packages. Use code obfuscation, anti-debugging, integrity checkers, and other techniques to protect applications from reverse engineering and tampering.
• Restrict administrative privileges: This strategy involves limiting the number of users who have administrative access to systems and networks, and ensuring they only use these privileges for authorized tasks. It can prevent attackers from gaining full control of systems or networks if they compromise a user account. Administrative privileges should be validated regularly and revoked when no longer needed. To achieve administrative privilege restriction compliance, validate and limit the number of privileged accounts and implement technical controls to prevent them from accessing emails, web browsers, and online services. Review privileges regularly and revoke them when no longer needed.
• Patch operating systems: This strategy involves applying security updates to operating systems as soon as they are available, or within 48 hours for extreme risk vulnerabilities. It can reduce the chances of attackers exploiting known flaws in operating systems to compromise systems. Patching should be done for both servers and workstations, including remote devices. To achieve patch operating system compliance, identify and prioritize vulnerabilities in your operating systems and apply security patches within the recommended time frames. Ensure compatibility with internal applications and vendor software.
• Multi-factor authentication: This strategy involves requiring users to provide at least two pieces of evidence to prove their identity when logging into systems or networks, such as a password and a code sent to their phone. It can prevent attackers from accessing systems or networks with stolen or guessed credentials. Multi-factor authentication should be implemented for all remote access services and privileged accounts. To achieve multi-factor authentication compliance, implement MFA for all remote access, VPNs, privileged accounts, and sensitive data repositories. Use secure authentication methods such as tokens, smart cards, or biometrics. Avoid SMS or email-based verification codes.
• Daily backups: This strategy involves making copies of essential data and configuration settings on a daily basis and storing them securely in multiple locations. It can help organizations recover from data loss or corruption caused by cyberattacks, natural disasters, or human errors. Backups should be tested regularly and protected from unauthorized modification or deletion. To achieve daily backup compliance, implement a digital preservation policy that involves daily backups of critical data and configuration settings. Test backup and restoration processes regularly and store backups in multiple locations. Protect backups from unauthorized modification or deletion.

The Essential Eight Maturity Model is a tool that supports the implementation of the Essential Eight. It defines four maturity levels (Maturity Level Zero to Maturity Level Three) that are based on mitigating increasing levels of adversary tradecraft and targeting. The maturity levels describe the requirements for each mitigation strategy and help organisations plan and assess their implementation.

• Maturity Level One Partially aligned with mitigation strategy objectives.
• Maturity Level Two Mostly aligned with mitigation strategy objectives.
• Maturity Level Three Fully aligned with mitigation strategy objectives.

Organisations should identify and plan for a target maturity level suitable for their environment and progressively implement each maturity level until that target is achieved. The ACSC provides guidance and tools to assist organisations with their implementation of the Essential Eight, such as the Essential Eight Assessment Process Guide, Essential Eight Maturity Model FAQ, Essential Eight Assessment Report Template and Essential Eight assessment toolkit.