ASD Top 35 Mitigation Strategies
We provide assistance through services or product in addressing the Top 35 strategies
The Australian Signals Directorate (ASD) has updated its “Strategies to Mitigate Targeted Cyber Intrusions”. The strategies are based on ASD’s most recent analysis of intrusions across Australian Government networks. First published in 2010, the list was most recently updated in February 2014. Although originally aimed at government organisations, commercial organisations gain much of the same value by adopting these strategies to protect their networks and users.
The following outlines where Shearwater is able to provide assistance, through services or products, in addressing the Top 35 strategies.
Rank | Mitigation Strategy | Overall Security Effectiveness | Service Assistance | Product Option
---|---|---|---|---
1 | Application whitelisting of permitted/trusted programs, to prevent execution of malicious or unapproved programs including .DLL files, scripts and installers. | Essential | Policy/process development; MSS – implementation, product management, patching, report, monitor, maintain. | Carbon Black; AV/endpoint security products (McAfee, Sophos, etc.)
2 | Patch applications, e.g. Java, PDF viewers, Flash, web browsers and Microsoft Office. Patch or mitigate systems with ‘extreme risk’ vulnerabilities within two days. Use the latest version of applications. | Essential | Policy/process development; MSS – implementation, product management, patching, report, monitor, maintain. | Secunia
3 | Patch operating system vulnerabilities. Patch or mitigate systems with ‘extreme risk’ vulnerabilities within two days. Use the latest suitable operating system. Avoid Windows XP. | Essential | Policy/process development; MSS – implementation, product management, patching, report, monitor, maintain. | Secunia
4 | Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing. | Essential | Access control review/audit; policy/process development; MSS – implementation, product management, patching, report, monitor, maintain. | Dell TPAM; RSA Adaptive Authentication
One of the key strengths of the ASD Top 35 is the deliberate gap between the Top 4 strategies and the remaining 31. The gap signals that organisations should implement the Top 4 first, as the most effective way to reduce the impact of targeted cyber intrusions, before spending effort on the rest of the list.
Once organisations have implemented the Top 4 mitigation strategies, first on the computers of users who are most likely to be targeted by cyber intrusions and then on all computers and servers, additional mitigation strategies can be selected to address security gaps until an acceptable level of residual risk is reached.
Rank | Mitigation Strategy | Overall Security Effectiveness | Service Assistance | Product Option
---|---|---|---|---
5 | User application configuration hardening: disable the running of internet-based Java code, untrusted Microsoft Office macros, and undesired web browser and PDF viewer features. | Excellent | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Carbon Black
6 | Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour, including network traffic, new or modified files, or configuration changes. | Excellent | Design, implementation, configuration; MSS – product management, report, monitor, maintain. | Blue Coat; FireEye; Cisco AMP
7 | Operating system generic exploit mitigation mechanisms, e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and the Enhanced Mitigation Experience Toolkit (EMET). | Excellent | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Carbon Black; Microsoft
8 | Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and persistence. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | Cisco; Carbon Black; Splunk, LogRhythm, Huntsman
9 | Disable local administrator accounts to prevent network propagation using compromised local administrator credentials that are shared by several computers. | Excellent | Policy development, awareness training, rule establishment, design, implementation, configuration; MSS – product management, report, monitor, maintain. | Dell TPAM
10 | Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by Microsoft Active Directory. | Excellent | Design, implementation, configuration; MSS – product management, report, monitor, maintain. | None listed
11 | Multi-factor authentication, especially for remote access or when the user is about to perform a privileged action or access a sensitive information repository. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | RSA Adaptive Authentication
12 | Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default. | Excellent | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Palo Alto; Cisco; Blue Coat
13 | Software-based application firewall, blocking outgoing network traffic that is not generated by whitelisted applications, and denying network traffic by default. | Excellent | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Palo Alto; Cisco; Blue Coat
14 | Non-persistent virtualised sandboxed trusted operating environment, hosted outside the organisation’s internal network, for risky activities such as web browsing. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | Cisco IronPort; Zscaler; Clearswift; Marshal; NetWitness (Spectrum); FireEye; Huntsman; Splunk
15 | Centralised and time-synchronised logging of successful and failed computer events, with automated immediate log analysis, storing logs for at least 18 months. | Excellent | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Splunk, LogRhythm, Huntsman (SIEMs to support the function)
16 | Centralised and time-synchronised logging of allowed and blocked network events, with automated immediate log analysis, storing logs for at least 18 months. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | Blue Coat; IronPort; Clearswift; Splunk, LogRhythm, Huntsman
17 | Email content filtering, allowing only business-related attachment types. Preferably analyse/convert/sanitise links, PDF and Microsoft Office attachments. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | Blue Coat; IronPort; Clearswift
18 | Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures. | Excellent | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Blue Coat
19 | Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | Blue Coat
20 | Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and publish a ‘hard fail’ SPF record to help prevent spoofing of your organisation’s domain. | Good | Awareness training | Blue Coat; Cisco IronPort
21 | Workstation and server configuration management based on a hardened Standard Operating Environment with unrequired functionality disabled, e.g. IPv6, autorun and LanMan. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Carbon Black; Microsoft
22 | Antivirus software using heuristics and automated internet-based reputation ratings to check a program’s prevalence and its digital signature’s trustworthiness prior to execution. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Carbon Black
23 | Deny direct internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server or an authenticated web proxy server. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Carbon Black; Imperva
24 | Server application security configuration hardening, e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Palo Alto; Check Point; Juniper; FortiGate; Cisco
25 | Enforce a strong passphrase policy covering complexity, length and expiry, and avoiding both passphrase re-use and the use of a single dictionary word. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Kaspersky; Sophos; Trend Micro; McAfee; Symantec
26 | Removable and portable media control as part of a data loss prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction. | Excellent | Implementation, configuration; MSS – product management, report, monitor, maintain. | Carbon Black
27 | Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible. | Good | Policy development, awareness training, rule establishment, design, implementation, configuration; MSS – product management, report, monitor, maintain. | Dell TPAM
28 | User education, e.g. internet threats and spear-phishing socially-engineered emails. Avoid weak passphrases, passphrase re-use, exposing email addresses and unapproved USB devices. | Good | Online awareness training | Phriendly Phishing; Shearwater User Awareness Training; SANS ‘Securing The Human’; Security Innovation
29 | Workstation inspection of Microsoft Office files for potentially malicious abnormalities, e.g. using the Microsoft Office File Validation or Protected View features. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Carbon Black
30 | Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Kaspersky; Sophos; Trend Micro; McAfee; Symantec
31 | TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted. | Good | Design, implementation, configuration, audit/review. | Blue Coat; IronPort; Marshal; Clearswift; Huntsman, Splunk, enVision, ArcSight (SIEMs to support the function)
32 | Block attempts to access web sites by their IP address instead of by their domain name, e.g. implemented using a web proxy server, to force cyber adversaries to obtain a domain name. | Good | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Blue Coat; IronPort; Marshal; Clearswift; Huntsman, Splunk, enVision, ArcSight (SIEMs to support the function)
33 | Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | Average | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Sourcefire; Check Point
34 | Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous internet users. | Average | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | Palo Alto; Check Point; Sourcefire
35 | Capture network traffic to/from internal critical-asset workstations and servers, as well as traffic traversing the network perimeter, to perform post-intrusion analysis. | Average | Design, implementation, configuration, audit/review; MSS – product management, report, monitor, maintain. | RSA NetWitness; Solera
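Strategy 20 has two halves: checking inbound mail against the sending domain's SPF record, and publishing a record for your own domain whose terminal term is a hard fail (`-all`) rather than a softfail (`~all`) or neutral (`?all`). The Python below is an added example, not part of the ASD document or of any Shearwater or vendor product. It evaluates a sender IP against SPF records held in a constructed in-memory table that stands in for DNS (the domains and addresses are documentation values, not real policies), supports the `ip4`, `ip6`, `include` and `all` mechanisms, and reports what a domain's terminal `all` term says about senders it does not list.

```python
"""SPF evaluation for strategy 20 (added example, not from ASD or Shearwater).

Evaluates a sending IP against a domain's SPF record and reports what the
record's terminal 'all' term says about senders it does not list. DNS is
replaced by a constructed in-memory table so the example runs offline;
'include' is resolved from that same table.
"""
import ipaddress

# Constructed records using documentation domains/addresses; not real policies.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "neutral.example": "v=spf1 ?all",
    "nospf.example": None,  # domain publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per check


def _split_term(term):
    """Split 'ip4:203.0.113.0/24' into (qualifier, mechanism, argument)."""
    qualifier = "+"
    if term and term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    mechanism, _, argument = term.partition(":")
    return qualifier, mechanism.lower(), argument


def check_spf(domain, ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for `ip` sending on behalf of `domain`.

    Results use the RFC 7208 names: pass, fail, softfail, neutral, none,
    permerror. A record with no 'all' term yields neutral by default.
    """
    record = records.get(domain.lower())
    if record is None:
        return "none"
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    sender = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier, mechanism, argument = _split_term(term)
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if sender.version == network.version and sender in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # 'include' matches only when the referenced domain yields pass;
            # its own fail/softfail/neutral do not terminate evaluation.
            if check_spf(argument, ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists, ptr and redirect= need live DNS and are skipped here.
    return "neutral"


def terminal_policy(domain, records=SPF_RECORDS):
    """What the record says about senders it does not list.

    'fail' means a hard-fail (-all) record, which is what strategy 20 asks
    an organisation to publish for its own domain.
    """
    record = records.get(domain.lower())
    if record is None:
        return "no record"
    for term in record.split()[1:]:
        qualifier, mechanism, _ = _split_term(term)
        if mechanism == "all":
            return QUALIFIERS[qualifier]
    return "no 'all' term"


if __name__ == "__main__":
    for domain, ip in [("example.com", "203.0.113.77"),
                       ("example.com", "198.51.100.10"),
                       ("example.com", "192.0.2.1"),
                       ("softfail.example", "192.0.2.1")]:
        print(f"{ip:>16} for {domain:<18} -> {check_spf(domain, ip)}"
              f" (policy for unlisted senders: {terminal_policy(domain)})")
```

A receiving gateway can reject or quarantine a `fail` result with confidence; `softfail` and `neutral` leave the decision to local policy, which is why the strategy asks for the hard-fail record. Mechanisms that require live DNS (`a`, `mx`, `exists`, `ptr`, `redirect=`) are skipped in this offline example.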
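Strategies 19 and 32 both live in the web proxy's decision logic: only whitelisted domains (and their subdomains) are reachable, and a request that names the server by IP address rather than by a domain name is refused, so an adversary has to obtain a domain before a victim's browser will reach their infrastructure. The following Python is an added example, not from the ASD document, Shearwater or any proxy product; the whitelist is constructed and the helper names are this example's own. It normalises the URL host the way a browser does before deciding, which is where naive implementations fail: userinfo (`user@host`), ports, IPv6 brackets, trailing dots, and the legacy numeric IPv4 forms (`0xcb007107`, `3405803783`) that browsers still resolve as addresses.

```python
"""Web proxy decision for strategies 19 and 32 (added example, not from ASD,
Shearwater or any proxy product).

Strategy 19: only whitelisted domains (and their subdomains) are reachable.
Strategy 32: requests that name the server by IP address instead of by a
domain name are refused, so an adversary has to obtain a domain.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed whitelist; a real one would be maintained as policy data.
ALLOWED_DOMAINS = {"example.com", "update.example.net"}

# Legacy numeric IPv4 forms browsers still resolve (inet_aton style):
# '3405803783', '0xcb007107', '203.7456519'. Up to four dotted parts,
# each decimal or 0x-hex. Plain dotted quads are also caught by this.
_NUMERIC_HOST = re.compile(r"^(0x[0-9a-f]+|\d+)(\.(0x[0-9a-f]+|\d+)){0,3}$", re.I)


def host_is_ip_literal(host):
    """True when the URL host is an address rather than a DNS name."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)  # dotted-quad IPv4 or IPv6 (brackets already stripped)
        return True
    except ValueError:
        return bool(_NUMERIC_HOST.match(host))


def domain_allowed(host, allowed=ALLOWED_DOMAINS):
    """Exact or subdomain match; 'example.com.evil.test' must not pass."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def proxy_decision(url, allowed=ALLOWED_DOMAINS):
    """Return (verdict, reason) for a requested URL, verdict in {'allow', 'block'}."""
    # .hostname is lowercased and has userinfo, port and IPv6 brackets removed,
    # so 'http://example.com@203.0.113.7/' is judged on 203.0.113.7, not example.com.
    host = urlsplit(url).hostname
    if not host:
        return ("block", "no host in URL")
    if host_is_ip_literal(host):
        return ("block", "host is an IP literal")
    if not domain_allowed(host, allowed):
        return ("block", "domain not whitelisted")
    return ("allow", "whitelisted domain")


if __name__ == "__main__":
    for url in ["http://www.example.com/", "http://203.0.113.7/payload",
                "http://0xcb007107/", "http://[2001:db8::1]/",
                "http://example.com@203.0.113.7/", "http://example.com.evil.test/"]:
        print(f"{url:<40} {proxy_decision(url)}")
```

The order of the checks matters: the IP-literal test runs on the parsed host, after userinfo has been stripped, so a URL that puts a whitelisted name in the userinfo position cannot smuggle an address past the whitelist. Suffix matching is done on `"." + domain`, not on the bare domain string, so look-alike hosts that merely end in `example.com` are still blocked.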