ASD Top 35 Mitigation Strategies

The Australian Signals Directorate (ASD) has updated its "Strategies to Mitigate Targeted Cyber Intrusions". These strategies are based on ASD's most recent analysis of incidents across the Australian Government. First published in 2010, the most recent update occurred in February 2014. Whilst originally aimed at government organisations, there is a lot of value for commercial organisations in adopting these strategies in order to protect their networks and users.

The following outlines where Shearwater is able to provide assistance through services or product in addressing the Top 35 strategies. 


Each entry below gives the strategy's effectiveness ranking and description, its overall security effectiveness rating, the service assistance Shearwater can provide, and the product options.

1. Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including .DLL files, scripts and installers.
   Overall security effectiveness: Essential
   Service assistance: Policy/Process development; MSS – Implementation, Product Management, Patching, Report, Monitor, Maintain
   Product options: Carbon Black; AV/endpoint security products (McAfee, Sophos, etc.)

2. Patch applications, e.g. Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications.
   Overall security effectiveness: Essential
   Service assistance: Policy/Process development; MSS – Implementation, Product Management, Patching, Report, Monitor, Maintain
   Product options: Secunia

3. Patch operating system vulnerabilities. Patch or mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP.
   Overall security effectiveness: Essential
   Service assistance: Policy/Process development; MSS – Implementation, Product Management, Patching, Report, Monitor, Maintain
   Product options: Secunia

4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
   Overall security effectiveness: Essential
   Service assistance: Access Control Review/Audit; Policy/Process development; MSS – Implementation, Product Management, Patching, Report, Monitor, Maintain
   Product options: Dell TPAM; RSA Adaptive Authentication
One of the key praiseworthy characteristics of the ASD Top 35 is the deliberate gap (the "whitespace") between the Top 4 strategies and the remaining 31. That gap makes a clear statement: organisations should implement the Top 4 first, because those four do the most to reduce the impact of targeted cyber intrusions.

Once organisations have implemented the Top 4 mitigation strategies, first on the computers of users who are most likely to be targeted by cyber intrusions and then on all computers and servers, additional mitigation strategies can be selected to address security gaps until an acceptable level of residual risk is reached.

Each entry below gives the strategy's effectiveness ranking and description, its overall security effectiveness rating, the service assistance Shearwater can provide, and the product options.

5. User application configuration hardening, disabling the running of internet-based Java code, untrusted Microsoft Office macros, and undesired web browser and PDF viewer features.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black

6. Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or configuration changes.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Blue Coat; FireEye; Cisco AMP

7. Operating system generic exploit mitigation mechanisms, e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black; Microsoft

8. Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and persistence.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Cisco; Carbon Black; Splunk, LogRhythm, Huntsman (SIEMs to support the function)

9. Disable local administrator accounts to prevent network propagation using compromised local administration credentials that are shared by several computers.
   Overall security effectiveness: Excellent
   Service assistance: Policy development; Awareness Training; Rule establishment; Design; Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Dell TPAM

10. Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: (none listed)

11. Multi-factor authentication, especially implemented for remote access or when the user is about to perform a privileged action or access a sensitive information repository.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: RSA Adaptive Authentication

12. Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Palo Alto; Cisco; Blue Coat

13. Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Palo Alto; Cisco; Blue Coat

14. Non-persistent virtualised sandboxed trusted operating environment, hosted outside the organisation's internal network, for risky activities such as web browsing.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Cisco Ironport; Zscaler; Clearswift; Marshal Netwitness (Spectrum); FireEye; Huntsman; Splunk

15. Centralised and time-synchronised logging of successful and failed computer events with automated immediate log analysis, storing logs for at least 18 months.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Splunk, LogRhythm, Huntsman (SIEMs to support the function)

16. Centralised and time-synchronised logging of allowed and blocked network events with automated immediate log analysis, storing logs for at least 18 months.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Blue Coat; Ironport; Clearswift; Splunk, LogRhythm, Huntsman (SIEMs to support the function)

17. Email content filtering allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Blue Coat; Ironport; Clearswift

18. Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
   Overall security effectiveness: Excellent
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Blue Coat

19. Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Blue Coat

20. Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a 'hard fail' SPF record to help prevent spoofing of your organisation's domain.
   Overall security effectiveness: Good
   Service assistance: Awareness Training
   Product options: Blue Coat; Cisco Ironport

21. Workstation and server configuration management based on a hardened Standard Operating Environment with unrequired functionality disabled, e.g. IPv6, autorun and LanMan.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black; Microsoft

22. Antivirus software using heuristics and automated internet-based reputation ratings to check a program's prevalence and its digital signature's trustworthiness prior to execution.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black

23. Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black; Imperva

24. Server application security configuration hardening, e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Palo Alto; Checkpoint; Juniper; Fortigate; Cisco

25. Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both passphrase re-use and the use of a single dictionary word.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Kaspersky; Sophos; Trend Micro; McAfee; Symantec

26. Removable and portable media control as part of a data loss prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
   Overall security effectiveness: Excellent
   Service assistance: Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black

27. Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible.
   Overall security effectiveness: Good
   Service assistance: Policy development; Awareness Training; Rule establishment; Design; Implementation; Configuration; MSS – Product Management, Report, Monitor, Maintain
   Product options: Dell TPAM

28. User education, e.g. internet threats and spear-phishing socially-engineered emails. Avoid weak passphrases, passphrase re-use, exposing email addresses and unapproved USB devices.
   Overall security effectiveness: Good
   Service assistance: Online awareness training
   Product options: Phriendly Phishing; Shearwater User Awareness Training; SANS 'Securing The Human'; Security Innovation

29. Workstation inspection of Microsoft Office files for potentially malicious abnormalities, e.g. using the Microsoft Office File Validation or Protected View features.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Carbon Black

30. Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Kaspersky; Sophos; Trend Micro; McAfee; Symantec

31. TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review
   Product options: Blue Coat; Ironport; Marshal; Clearswift; Huntsman, Splunk, eNvision, Arcsight (SIEMs to support the function)

32. Block attempts to access web sites by their IP address instead of by their domain name, e.g. implemented using a web proxy server, to force cyber adversaries to obtain a domain name.
   Overall security effectiveness: Good
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Blue Coat; Ironport; Marshal; Clearswift; Huntsman, Splunk, eNvision, Arcsight (SIEMs to support the function)

33. Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
   Overall security effectiveness: Average
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Sourcefire; Checkpoint

34. Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous internet users.
   Overall security effectiveness: Average
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: Palo Alto; Checkpoint; Sourcefire

35. Capture network traffic to/from internal critical-asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis.
   Overall security effectiveness: Average
   Service assistance: Design; Implementation; Configuration; Audit/Review; MSS – Product Management, Report, Monitor, Maintain
   Product options: RSA Netwitness; Solera
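Strategies 15 and 16 ask for logs that are centralised, time-synchronised and analysed automatically, and the time-synchronisation part is the one most often skipped. The script below is an added example written for this page; it is not code from Shearwater, ASD or any of the SIEM products listed above. The seven log lines are constructed: ws01 stamps local time at +10:00 and srv01 stamps UTC, which is exactly the situation a central collector sees when hosts are not aligned. The script normalises every timestamp to UTC before correlating, then raises an alert when one source accumulates three or more failed logons within 60 seconds, on any host, and then succeeds. Sorting the raw lines as strings instead would put srv01's events first and the pattern would never be seen.

```python
"""Added example: centralised log analysis over constructed, mixed-time-zone events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). ws01 reports local time (+10:00),
# srv01 reports UTC; the same attacker source 10.0.0.7 touches both hosts.
SAMPLE_LOGS = """\
2014-02-10T09:00:05+10:00 host=ws01 event=logon user=alice src=10.0.0.7 outcome=failure
2014-02-10T09:00:09+10:00 host=ws01 event=logon user=alice src=10.0.0.7 outcome=failure
2014-02-10T09:00:12+10:00 host=ws01 event=logon user=alice src=10.0.0.7 outcome=failure
2014-02-09T23:00:20+00:00 host=srv01 event=logon user=alice src=10.0.0.7 outcome=failure
2014-02-09T23:00:25+00:00 host=srv01 event=logon user=alice src=10.0.0.7 outcome=failure
2014-02-09T23:00:30+00:00 host=srv01 event=logon user=alice src=10.0.0.7 outcome=success
2014-02-10T09:30:00+10:00 host=ws01 event=logon user=bob src=10.0.0.9 outcome=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_logs(text):
    """Parse lines into dicts, normalising each timestamp to UTC so events from
    different hosts share one clock. Returns the events sorted by UTC time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a malformed line is skipped rather than aborting the run
        event = dict(kv.split("=", 1) for kv in m.group("fields").split())
        event["ts"] = datetime.fromisoformat(m.group("ts")).astimezone(timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_guessing(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when one (src, user) pair accumulates `threshold` failed logons within
    `window` and then succeeds. Failures are counted across hosts, which is only
    meaningful because parse_logs() has put every event on the same UTC clock."""
    recent = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for e in events:
        if e.get("event") != "logon":
            continue
        key = (e["src"], e["user"])
        fails = [t for t in recent[key] if e["ts"] - t <= window]  # drop stale ones
        if e["outcome"] == "failure":
            fails.append(e["ts"])
        elif e["outcome"] == "success" and len(fails) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "failures": len(fails),
                           "host": e["host"], "success_at": e["ts"].isoformat()})
            fails = []  # reset after alerting so one burst yields one alert
        recent[key] = fails
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(parse_logs(SAMPLE_LOGS)):
        print("ALERT guessing-then-success:", alert)
```

The `threshold` and `window` values are assumptions for the sample, not figures from ASD; tune them to the environment. The same shape of rule applies to strategy 16's network logs (for example, repeated blocked connections from one internal host followed by an allowed one), as long as the firewall and proxy clocks are synchronised before the events are correlated.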
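Strategy 20 has two halves: the receiving gateway evaluates SPF on inbound mail, and the organisation publishes a record ending in a hard fail so that other receivers can reject forgeries of its domain. The evaluator below is an added example written for this page, not code from Shearwater, ASD or any product listed above. It implements only the ip4, ip6, include and all mechanisms of RFC 7208, and it replaces DNS with a constructed in-memory table (example.org, mail.example.net, softfail.example and nospf.example are made-up names) so that it runs offline. `has_hard_fail` is the check a defender runs against their own published record; `receiver_action` is an assumed gateway policy, not something the ASD text prescribes.

```python
"""Added example: minimal SPF evaluator (RFC 7208 subset: ip4, ip6, include, all).
DNS TXT lookups are replaced by a constructed table so the code runs offline."""
import ipaddress

# Constructed stand-in for DNS. None models a domain that publishes no SPF record.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",  # hard fail
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",                      # soft fail
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def lookup_spf(domain):
    """Return the SPF record for a domain, or None (table lookup, not real DNS)."""
    return SPF_RECORDS.get(domain.lower())


def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # ip_network accepts a bare address or a CIDR block; an IPv4
                # address never matches an IPv6 network and vice versa
                matched = ip in ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only if the referenced domain's own check passes
            matched = check_spf(sender_ip, value, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def has_hard_fail(domain):
    """Defender's check on the organisation's own record: does it end in '-all'?
    Without it, receivers cannot reject mail that forges the domain."""
    record = lookup_spf(domain)
    return bool(record) and record.split()[-1].lower() == "-all"


def receiver_action(result):
    """Assumed gateway policy (not ASD text): reject hard fails, quarantine soft fails."""
    return {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "example.org"), ("192.0.2.1", "example.org"),
                       ("192.0.2.1", "softfail.example"), ("192.0.2.1", "nospf.example")]:
        result = check_spf(ip, domain)
        print(f"{ip:>14} claiming {domain:<18} -> {result:<8} action={receiver_action(result)}")
```

The contrast between example.org and softfail.example is the point of the strategy's 'hard fail' wording: a forged message from 192.0.2.1 evaluates to `fail` against the first record and can be rejected outright, but only to `softfail` against the second, which leaves the decision to each receiver. A real deployment would also resolve `a`, `mx` and `redirect`, honour the 10-lookup limit across the whole chain, and feed the result into DMARC rather than acting on SPF alone.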