Common issues with the ACSC 37 Strategies to Mitigate Cyber Security Incidents
The ACSC publication, Strategies To Mitigate Cyber Security Incidents is a key Australian Government issued framework that encompasses the more well know ASD Essential 8. The original Top 4 Mitigations were released in 2010 then expanded into the Essential Eight in 2017, along with the broader, all-encompassing 37 mitigation strategies. At the time of release, the Top 4 mitigations were believed capable of reducing security incidents by 85%. While these mitigations have withstood the test of time, we do believe this list deserves a 2023 refresh.
Cythera responds to cyber incidents daily and we see the control posture of the organisations we investigate. We see many incidents which we could have been prevented if these controls were properly implemented and many organisations seemingly struggle to know where to make their investments with respect to compensating security controls. When considering today’s threat landscape with the lens of the Strategies To Mitigate Cyber Incidents publication, there are some controls that we believe should have a higher priority on the list than they do at present. There are some controls which feel a little outdated. There are also some controls which we often see poorly implemented – if at all!
This article is written with the intent to shine a light on the controls we see as being crucial in preventing data breaches and as a compliment to the ACSC 37 “Strategies to Mitigate Cyber Security Incdents” publication. We focus on the thematic grouping of the top three sets of controls to address specific threats:
Preventing Account Takeovers
- Multi-factor Authentication
This is an Essential Eight control we wholeheartedly support. Unfortunately, despite its placement in the Essential Eight, this is a control that not enough organisations have applied robustly. It rates a mention here because we typically find deployments where MFA has not been applied at all, or it has been applied inconsistently (e.g. some privileged accounts, not standard user accounts). We also see that not enough organisations are making use of Conditional Access policies or similar making use of features such as geoblocking, let alone ensuring all their third-party applications leverage their MFA solution.
The most common objection we encounter when discussing MFA deployments is the dreaded fear of “making lives harder for users”. We’ve even seen MFA exceptions created specifically for senior stakeholders in an organisation who find it “difficult” despite the fact they are more likely to be targeted! We have even heard arguments that MFA bypass attacks (far less common) diminish the value of the control.
These arguments do very little to reduce risk to an organisation – and in fact, they openly magnify it.
It is imperative to understand that to a threat actor, any account is a useful account. However, some accounts are far more valuable – e.g. accounts with privileged access, those belonging to senior stakeholders or staff in elevated positions of trust (e.g. finance, procurement) are particularly ripe for targeting and abuse.
There are many methods in which account takeovers can occur. Even if your organisation is not breached directly, your staff may register accounts on third-party websites which wind up being compromised through no fault of the organisation or the end user. Threat actors can then take compromised sets of credentials from one data breach and reuse them against multiple websites to determine if the user re-uses their password. This attack is called a credential stuffing attack.
Alternatively, threat actors can also conduct brute force attacks – attempting every password combination possible for a known username. If there is no MFA challenge presented or depending upon the configuration of an account lockout feature, then it may be possible for a threat actor to have near-unlimited attempts depending upon the configuration. Even if one password is known from a previous data breach, a skilled threat actor may readily infer possible passwords and refine their brute force attempts to a limited selection of passwords more likely to be successful.
Account takeovers are increasingly essential and often the first step of a larger data breach. So do not become a victim - implement MFA for your organisation as an urgent priority. As a complementary control, we also recommend reputation monitoring on the dark web to determine what information on the Internet is out there that could be leveraged by threat actors. This goes double for organisations and even individual staff members impacted by data breaches in the past.
Endpoint Security
- Endpoint detection and response software
- Host-based intrusion detection/prevention system
- Hunt to discover incidents
- Continuous incident detection and response
Most of the incidents we respond to involving an endpoint compromise would likely have been detected if the above controls are in place. Many organisations will run with a cheap anti-virus (AV) solution thinking they are protected. However, these solutions typically lack endpoint detection & response (EDR), host-based intrusion prevention system (HIPS) capabilities or others listed above. This leaves organisations with a false sense of security.
The logs generated by these tools will be going … somewhere, but they are typically not monitored proactively; Either by automation or security personnel, nor are alerts for serious events generated. Essentially, security logs go into a singular location for review later (often never) and they are often not well protected either. Ideally, these should be fed into a Security Information Event Management (SIEM) solution of some kind. This would then facilitate options for an automated or human-led review and response.
In addition to this, threat hunts across the network are not performed as intelligence feeds are unavailable – neither do tools exist to aggregate logging enough to facilitate them. Combing through your environment and periodically looking for threats that may be lurking dormant is another essential activity as part of maintaining a proactive security program.
Cythera strongly recommends to our clients that having a sound endpoint solution that provides all of the above capabilities – AV, EDR, HIPS, SIEM – is monitored both by human operators as well as automated to prevent breaches and leveraging threat intelligence feeds to facilitate threat hunting across your network.
Email Security
Cythera commonly identifies organisations that do not have their Sender Policy Framework (SPF) set in their Domain Name System (DNS) records. However, their records are often broken by typos and thus incomplete. Domain Message Authentication Reporting & Conformance (DMARC) and Domain Keys Identified Mail (DKIM) are often not set or if they are, DKIM keys are not rotated frequently or DMARC policies are rarely set to Quarantine or Reject for fear of impact. As these are set up inside an organisation’s DNS records, these are referenced whenever someone goes to send an email to an organisation’s domain.
Fear of temporarily disrupting email is a valid concern – however, it should not be a justification for weak email security settings.
Cythera often see organisations have set their email gateways to check DNS records for inbound emails but not often set for their own domains. This allows threat actors to send emails forged from internal domains. Cythera also see this gap used to facilitate all manner of cyber incidents and fraud – both with their third-party service providers and partners, as well as the owners of domains. Cythera also often see that for organisations managing multiple domains, these policies are not configured appropriately across all domains – leaving chinks in the armour.
These DNS records play a vital role in specifying authorised senders, and the rules around how an organisation wants to see their emails handled. Organisations can signal to the world how they want their emails securely managed by ensuring these settings are appropriately configured within DNS across all domains.
We hope this article proves useful in enhancing your cybersecurity posture. If you would like to discuss the posture of your control environment with respect to the Australian Government’s ACSC Strategies To Mitigate Cyber Incidents and ASD Essential 8 frameworks, please contact us.
Want to know more about your control landscape? Contact us to discuss a Cyber Maturity Assessment against the ACSC 37 mitigation strategies via sales@cythera.com.au or call us on 1300 298 437.
