Executive Overview

Last updated: February 06, 2025

The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), publishes guidance on cyber security for the Australian landscape. The ASD provides this guidance to address targeted cyber security intrusions; it is called the Strategies to Mitigate Cyber Security Incidents. Each strategy is given a Relative Security Effectiveness Rating: Essential, Excellent, Very Good, Good, or Limited. The Essential Eight describes only a minimum set of preventative cyber security measures, so organisations should use the Essential Eight in conjunction with the controls in the ASD’s Information Security Manual (ISM). This Cyber Exposure study focuses on what the ASD calls the Essential Eight and their associated ISM controls. The ISM is a cyber security framework that all organisations should apply to ensure the confidentiality, integrity, and availability of their information technology and operational technology systems.

The Essential Eight

The ACSC considers the Essential Eight to be the most effective security risk mitigation strategies within the Strategies to Mitigate Cyber Security Incidents. While the Essential Eight are focused on Microsoft Windows networks, the strategies can equally be applied to Linux, cloud and other networks, and to the infrastructure that supports them.

The Essential Eight comprises:

  1. Patch Applications

  2. Patch Operating Systems

  3. Multi-factor Authentication

  4. Restrict Administrative Privileges

  5. Application Control

  6. Restrict Microsoft Office Macros

  7. User Application Hardening

  8. Regular Backups

The Essential Eight strategies are designed to be self-assessed and/or externally assessed against the Essential Eight Maturity Model (E8MM). The model consists of four maturity levels, Maturity Level 0 to Maturity Level 3, each clearly articulated for every one of the Essential Eight strategies. As an organisation progresses through the maturity levels (excluding Maturity Level 0), the strategies adjust to cover increasing levels of adversary threat.

  • Maturity Level 0 signifies that there are overall weaknesses in the organisation's cyber security posture.

  • Maturity Level One describes a threat actor who uses publicly available exploits or vulnerabilities to gain access to a system. At Maturity Level One the threat actor also tends to be less selective, and may simply target any system or user that is vulnerable.

  • Maturity Level Two describes a greater level of effort and more specific targeting. At Maturity Level Two a threat actor invests more time and effort in a specific target, and may employ more sophisticated tradecraft to bypass security measures. Maturity Level Two also acts as the baseline that organisations should strive for.

  • Maturity Level Three describes a threat actor who employs lesser-known tools and techniques when attempting to breach security measures. At Maturity Level Three the threat actor targets specific users and attempts to bypass multi-factor authentication by stealing token values to impersonate the user. Once the user is compromised, the threat actor attempts to pivot to other parts of the network and actively tries to cover their tracks to avoid detection.

When trying to establish an efficient cyber security posture, an organisation may pursue several goals that the ACSC suggests: reducing the impact of malware by preventing the delivery and execution of malware; limiting the extent of cyber security incidents; and time to recovery and other disaster recovery planning. The ACSC suggests applying the Essential Eight strategies in this specific order.

Reducing the impact of malware by preventing its delivery and execution involves ensuring that patches are deployed in a timely manner. The targets of these patches should be both operating systems and applications. In addition to patching operating systems and applications, the security team can implement Application Control and hardening strategies. Application Control and hardening strategies include maintaining a blacklist of applications that should not be installed or used on any asset. The Essential Eight strategies related to reducing the impact of malware by preventing its delivery and execution are:

  • Application Control

  • Patch Applications

  • Restrict Microsoft Office Macro Settings

  • User Application Hardening

After reducing the impact of malware, a security team will want to implement strategies that limit the extent of security incidents. Limiting security incidents can involve ensuring the organisation practises principles such as least privilege, that Multi-Factor Authentication (MFA) is enabled, and that operating systems are patched. Using Tenable’s Asset Criticality Rating (ACR) in tandem with Tenable’s Vulnerability Priority Rating (VPR) enables an organisation to effectively prioritise which assets require attention first. The Essential Eight strategies related to limiting security incidents are:

  • Restrict Administrative Privileges

  • Patch Operating Systems

  • Multi-Factor Authentication

Time to recovery and other disaster recovery planning involve being able to recover data and maintain good system availability. Having an adequate system in place to back up asset data is imperative, not only so that data recovery is possible but also so that downtime is minimised. The Essential Eight strategy related to recovering data and system availability is:

  • Regular Backups

There are two additional mitigation goals that the ACSC suggests, mitigation strategies specific to preventing malicious insiders and mitigation strategies to detect cyber security incidents and respond, but they do not include Essential strategies, and this Cyber Exposure study focuses only on the Essential Eight.