The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to help cybersecurity professionals in all organisations mitigate cybersecurity incidents caused by various cyber threats. This guidance addresses targeted cyber intrusions (i.e. those executed by advanced persistent threats such as foreign intelligence services), ransomware and external adversaries with destructive intent, malicious insiders, ‘business email compromise’, and industrial control systems.
The following mitigation strategies for:
- Targeted cyber intrusions and other external adversaries who steal data
- Ransomware denying access to data for monetary gain, and external adversaries who destroy data and prevent computers/networks from functioning
- Malicious insiders who steal data such as customer details or intellectual property
- Malicious insiders who destroy data and prevent computers/networks from functioning.
Mitigation Strategies to Prevent Malware Delivery and Execution:
- Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
- Patch applications (e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers). Patch/mitigate computers with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest version of applications.
- Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in ‘trusted locations’ with limited write access or digitally signed with a trusted certificate.
- User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Mitigation Strategies to Limit the Extent of Cyber Security Incidents:
- Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don’t use privileged accounts for reading email and web browsing.
- Patch operating systems. Patch/mitigate computers (including network devices) with ‘extreme risk’ security vulnerabilities within 48 hours. Use the latest operating system version. Don’t use unsupported versions.
- Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Mitigation Strategies to Detect Cyber Security Incidents and Respond:
- Continuous incident detection and response with automated immediate analysis of centralised time-synchronised logs of allowed and denied computer events, authentication, file access and network activity.
- Host-based intrusion detection/prevention system to identify anomalous behaviour during program execution (e.g. process injection, keystroke logging, driver loading and persistence).
- Endpoint detection and response software on all computers to centrally log system behaviour and facilitate incident response. Microsoft’s free SysMon tool is an entry-level option.
Mitigation Strategies to Recover Data and System Availability:
- Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
- Business continuity and disaster recovery plans which are tested, documented and printed in hardcopy with a softcopy stored offline. Focus on the highest priority systems and data to recover.
- System recovery capabilities e.g. virtualisation with snapshot backups, remotely installing operating systems and applications on computers, approved enterprise mobility, and onsite vendor support contracts.
Mitigation Strategy Specific to Preventing Malicious Insiders:
- Personnel management e.g. ongoing vetting especially for users with privileged access, immediately disable all accounts of departing users, and remind users of their security obligations and penalties.