Introduction to Cyber Security Frameworks Series: Essential 8

Cyber Security Frameworks Series 

 As we celebrate Cyber Security Awareness Month, we stay steadfast in our commitment to bolstering digital defences, so we created this special series that focuses on Cyber Security Frameworks.  

There are three prominent cyber security frameworks that serve as the guides that point the way towards a more secure digital landscape – these include the Essential 8 (E8), the CIS (Centre for Internet Security) Controls, and the NIST (National Institution of Standards and Technology). In this series, we will explore the intricacies of E8 and NIST, examining their principles, strategies, and crucial contributions to the field of cyber resilience. Together, let us arm ourselves with the information and resources we need to strengthen our digital domains, ensuring cybersecurity is a top priority for everyone throughout Cyber Security Awareness Month and beyond. 

About the Essential 8 Framework

 Embarking on our “Intro to Cyber Security Frameworks Series,” we find ourselves circling back to a pivotal concept introduced in our previous blog post, “The Essential 8 Cybersecurity Framework.” This foundational framework forms the basis of our exploration of cyber security policies and best practices.  

Whether you are already familiar with “The Essential 8” or encountering it for the first time, this series aims to provide a comprehensive and up-to-date understanding of this vital framework. So, let us set the stage for a more in-depth investigation into the field of cyber resilience by examining the core concepts that form the basis of “The Essential 8.”  

E8 is hailed as having the most effective mitigation strategies developed by the Australian Cyber Security Centre (ACSC) as part of its Strategies to Mitigate Cyber Security Incidents. It is designed for small and medium-sized businesses (SMBs) as the baseline for establishing a simple yet solid cyber security foundation by firstly, significantly raising the barriers for potential cyber threats seeking to breach systems and secondly, efficiently taking actions in response to such attacks.  

E8 Pillar Strategies  

To gain a deeper understanding of each strategy, Microsoft offers highly informative articles that explain each pillar and provide guidance on implementing the controls necessary to reach specific maturity levels, which you can access here. 

E8 Implementation and Assessment

It is important to understand that the E8 strategies work in synergy. By implementing as well as assessing compliance with E8, the Essential 8 Maturity Model comes in handy, where the ACSC defined three specific target maturity levels. Each level is designed to counter increasingly sophisticated targeting and tradecraft such as procedures, techniques, tools, and tactics. There also exists Maturity Level Zero, in cases where an organisation’s maturity falls below Maturity Level One.  

You should strategise for an appropriate target maturity level that aligns with your organisation’s specific environment and incrementally put each maturity level into action until your desired target is reached. Also, you should methodically structure your implementation process to attain uniform maturity levels across all eight mitigation strategies before progressing to higher levels of maturity. 

For an effective E8 implementation, you may want to have an assessment conducted by an independent party, particularly in cases where it is mandated by government directives, policies, regulatory authorities, or as stipulated within contractual agreements. It is important to note that while the process of conducting an assessment may vary based on an organisation’s system’s size and complexity, there are fundamental principles that remain consistent across all assessments. Therefore, you should integrate the guidelines provided by the ACSC while also seeking your assessor’s discernment and expertise.  

If you are interested in an E8 audit or would like further information, you can chat to our Cyber Security Specialists today.

E8 Maturity Levels 

To facilitate organisations in their adoption of the Essential Eight, ACSC has defined four distinct maturity levels, ranging from Maturity Level Zero through to Maturity Level Three. Consider the following key factors in understanding the E8 maturity levels:  

• The probability of being targeted depends on the organisation’s attractiveness to malicious actors. 
• Cybersecurity incident impact is linked to data confidentiality, system availability, and data integrity needs. 

Maturity Level 0 

An organisation’s cybersecurity posture is said to be vulnerable at this level. According to the tradecraft and targeting in Maturity Level 1, if these vulnerabilities are exploited, they may endanger the confidentiality of their data or the integrity and availability of their systems and data. 

Maturity Level 1 

At this maturity level, the primary focus is on malicious actors who are content to exploit readily available and widely used tradecraft to gain unauthorised access to, and potentially take control of, systems. In most cases, they are not specifically targeting an individual victim; instead, they seek any vulnerable target they can find, employing social engineering techniques to deceive users into compromising system security and deploying malicious applications, such as via Microsoft Office macros. Once successfully infiltrated, and depending on their goals, malicious actors could destroy data, including backups.  

Maturity Level 2 

At this maturity level, the focus shifts to malicious actors who exhibit a moderate increase in their capabilities compared to the previous level. These actors are willing to allocate more time, and importantly, enhance the sophistication of their tools, which may involve actively targeting credentials through phishing and utilising both technical and social engineering techniques to bypass weak multi-factor authentication and compromising system security, such as the use of malicious applications. In cases where compromised accounts hold special privileges, these actors will exploit them, while in other instances, they will actively seek accounts with special privilege access. 

Maturity Level 3 

At this maturity level, the focus shifts to malicious actors who display a higher degree of adaptability and reduced reliance on publicly available tools and techniques. These actors have the capability to exploit vulnerabilities within a target’s cybersecurity posture, such as outdated software or insufficient logging and monitoring capabilities. They do so not only to prolong their access once they initially breach a target but also to evade detection and strengthen their presence. These malicious actors swiftly leverage newly available exploits and other tradecrafts to enhance their chances of success, having the willingness and capability to invest considerable effort in bypassing the unique policies and technical controls implemented by their specific targets.

Now it may be assumed that reaching Maturity Level 3 means having a robust defence considering it is the highest level, however, it is not impervious to serious malicious actors who are willing to invest considerable time, financial resources, and effort to reach their target, as described above. And so, organisations should continue to explore and implement the remaining mitigation strategies as recommended by esteemed cyber security institutions.  

Conclusion 

The Essential Eight can successfully address a substantial fraction of cyber threats, but it’s important to recognise that they might not cover all potential hazards. To fully strengthen cybersecurity defences, it is important to investigate further mitigation techniques and controls, such as those offered in the Information Security Manual and the techniques to Mitigate Cyber Security Incidents. 

For more information on each maturity level including its requirements as well as other relevant resources on Essential 8, please visit https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight.