Essential Eight Implementation Guide
A comprehensive guide to implementing the Essential Eight strategies for cyber resilience
Introduction to the Essential Eight
The Essential Eight is a prioritized list of mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organizations protect their systems against cyber threats. These strategies were developed based on the ACSC's experience in responding to cyber security incidents and their understanding of adversary tradecraft.
Implementing the Essential Eight proactively can help organizations minimize the likelihood and impact of cyber security incidents. While no set of mitigation strategies can guarantee protection against all cyber threats, the Essential Eight provides organizations with a baseline level of security that makes it much harder for adversaries to compromise systems.
This guide provides detailed information on implementing each of the Essential Eight strategies, with practical advice tailored to different organizational sizes and maturity levels.
Why the Essential Eight Matters
The Essential Eight strategies address the most common attack vectors used by adversaries. By implementing these strategies, organizations can prevent up to 85% of targeted cyber attacks, according to the ACSC.
Mitigation Strategies
The Essential Eight falls into three groups, which also define the phased roadmap at the end of this guide.
Preventing Malware Delivery and Execution
The first four strategies (Application Control, Patch Applications, Configure Microsoft Office Macro Settings, User Application Hardening) are primarily focused on preventing malware delivery and execution.
Limiting Extent
The next three strategies (Restrict Administrative Privileges, Patch Operating Systems, Multi-factor Authentication) are focused on limiting the extent of cyber security incidents. The eighth strategy, Regular Backups, is focused on recovering from cyber security incidents.
Application Control
Application control (also known as application whitelisting) is designed to protect against the execution of unapproved/malicious programs including malware. By controlling which applications can be run on a system, organizations can prevent the execution of malicious code and unauthorized applications.
Implementation Steps
- Identify business requirements for applications
- Develop and document an application control policy
- Implement application control using tools such as Microsoft AppLocker, Windows Defender Application Control, or third-party solutions
- Test the implementation in a controlled environment
- Deploy to production in phases
- Monitor and maintain the application control solution
Common Challenges
Implementing application control can be challenging due to the need to identify all legitimate applications and the potential for business disruption if legitimate applications are blocked. Start with a pilot group and gradually expand the implementation.
Maturity Levels
Maturity Level One
Application control is implemented on workstations for standard operating environments.
Maturity Level Two
Application control is implemented on workstations, servers, and network devices.
Maturity Level Three
Application control is implemented on all devices. Rules are validated on an annual or more frequent basis.
Patch Applications
Security vulnerabilities in applications can be exploited by adversaries to gain access to systems. Patching applications involves applying updates to fix these vulnerabilities and protect against known exploits.
Implementation Steps
- Develop and document an application patching policy
- Maintain an inventory of applications and their versions
- Implement automated patch management tools
- Test patches in a non-production environment
- Deploy patches according to a risk-based schedule
- Monitor and report on patching compliance
Best Practice
Extreme risk vulnerabilities should be patched within 48 hours of release. High risk vulnerabilities should be patched within two weeks of release. Medium and low risk vulnerabilities should be patched within one month of release.
Maturity Levels
Maturity Level One
Security vulnerabilities in applications are patched or mitigated within one month of release.
Maturity Level Two
Security vulnerabilities in applications are patched or mitigated within two weeks of release.
Maturity Level Three
Security vulnerabilities in applications are patched or mitigated within 48 hours of release.
Configure Microsoft Office Macro Settings
Microsoft Office macros can be used by adversaries to deliver and execute malicious code. Configuring macro settings to block macros from the internet and only allow vetted macros can significantly reduce this attack vector.
Implementation Steps
- Develop and document a Microsoft Office macro policy
- Identify business requirements for macros
- Configure Microsoft Office macro settings using Group Policy or other management tools
- Implement digital signing for approved macros
- Train users on the risks of enabling macros from untrusted sources
- Monitor and enforce macro settings
Warning
Macros are a common attack vector for malware. Only allow macros from trusted locations, and consider implementing application control to prevent the execution of malicious macros.
Maturity Levels
Maturity Level One
Microsoft Office macros are disabled for users that do not have a business requirement.
Maturity Level Two
Microsoft Office macros are only allowed to execute from trusted locations.
Maturity Level Three
Microsoft Office macros are only allowed to execute from trusted locations and are digitally signed.
User Application Hardening
User application hardening involves configuring web browsers and other applications to reduce the attack surface and prevent the execution of malicious code. This includes disabling unnecessary features and plugins.
Implementation Steps
- Develop and document a user application hardening policy
- Identify applications that require hardening
- Configure web browsers to block or disable Flash, ads, and Java
- Implement application hardening using Group Policy or other management tools
- Test the hardened configuration in a controlled environment
- Deploy to production and monitor for issues
Key Focus Areas
Focus on hardening web browsers, PDF viewers, Microsoft Office, and other commonly used applications. These applications are frequently targeted by adversaries.
Maturity Levels
Maturity Level One
Web browsers are configured to block Flash content, ads, and Java. PDF viewers are configured to disable JavaScript.
Maturity Level Two
Web browsers are configured to block Flash content, ads, and Java. PDF viewers are configured to disable JavaScript. Microsoft Office is configured to disable Object Linking and Embedding.
Maturity Level Three
Web browsers are configured to block Flash content, ads, and Java. PDF viewers are configured to disable JavaScript. Microsoft Office is configured to disable Object Linking and Embedding. All unnecessary features in applications are disabled.
Restrict Administrative Privileges
Administrative privileges should be restricted to users who need them to perform their duties. This reduces the risk of adversaries gaining administrative access to systems and the potential impact of malware.
Implementation Steps
- Develop and document an administrative privileges policy
- Identify users who require administrative privileges
- Implement the principle of least privilege
- Use separate accounts for administrative and standard user activities
- Implement Just-In-Time (JIT) administration where possible
- Regularly review and audit administrative privileges
Risk Reduction
Restricting administrative privileges can reduce the impact of a compromise by limiting the ability of adversaries to move laterally within the network and access sensitive data.
Maturity Levels
Maturity Level One
Privileged access to systems is validated when first requested and revalidated on an annual or more frequent basis.
Maturity Level Two
Privileged access to systems is validated when first requested and revalidated on a quarterly or more frequent basis.
Maturity Level Three
Privileged access to systems is validated when first requested and revalidated on a monthly or more frequent basis.
Patch Operating Systems
Security vulnerabilities in operating systems can be exploited by adversaries to gain access to systems. Patching operating systems involves applying updates to fix these vulnerabilities and protect against known exploits.
Implementation Steps
- Develop and document an operating system patching policy
- Maintain an inventory of operating systems and their versions
- Implement automated patch management tools
- Test patches in a non-production environment
- Deploy patches according to a risk-based schedule
- Monitor and report on patching compliance
Best Practice
Extreme risk vulnerabilities should be patched within 48 hours of release. High risk vulnerabilities should be patched within two weeks of release. Medium and low risk vulnerabilities should be patched within one month of release.
Maturity Levels
Maturity Level One
Security vulnerabilities in operating systems are patched or mitigated within one month of release.
Maturity Level Two
Security vulnerabilities in operating systems are patched or mitigated within two weeks of release.
Maturity Level Three
Security vulnerabilities in operating systems are patched or mitigated within 48 hours of release.
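The Best Practice notes and maturity levels for both Patch Applications and Patch Operating Systems define the same remediation windows (48 hours, two weeks, one month). The following compliance checker is an added example, not part of the guide or any ACSC tooling; it takes "one month" as 30 days (an assumption) and treats a finding as remediated whether it was patched or mitigated, as the maturity levels allow.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Remediation windows from the guide's Best Practice note. "One month" is taken
# as 30 days here (an assumption; the guide does not define the month length).
SLA_BY_RISK = {
    "extreme": timedelta(hours=48),
    "high": timedelta(weeks=2),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}
# Maturity Levels One/Two/Three apply a single window to every vulnerability.
SLA_BY_MATURITY = {1: timedelta(days=30), 2: timedelta(weeks=2), 3: timedelta(hours=48)}

@dataclass
class Finding:
    host: str
    component: str                          # application or operating system
    risk: str                               # "extreme", "high", "medium" or "low"
    released: datetime                      # when the vendor made the fix available
    remediated: Optional[datetime] = None   # patched or mitigated; None if still open

def deadline(f: Finding, maturity_level: Optional[int] = None) -> datetime:
    """Due date under the risk-based schedule, or under a maturity level if given."""
    window = SLA_BY_MATURITY[maturity_level] if maturity_level else SLA_BY_RISK[f.risk]
    return f.released + window

def assess(findings: List[Finding], now: datetime,
           maturity_level: Optional[int] = None) -> Dict[str, List[Finding]]:
    """Bucket findings as compliant (remediated in time), overdue (remediated late,
    or still open past the deadline) or pending (open, deadline not yet reached)."""
    report: Dict[str, List[Finding]] = {"compliant": [], "overdue": [], "pending": []}
    for f in findings:
        due = deadline(f, maturity_level)
        if f.remediated is not None:
            report["compliant" if f.remediated <= due else "overdue"].append(f)
        else:
            report["overdue" if now > due else "pending"].append(f)
    return report

# Constructed sample inventory (not real hosts or advisories).
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE = [
    Finding("ws-01", "Adobe Reader", "extreme", datetime(2024, 6, 7, 9, 0), datetime(2024, 6, 8, 12, 0)),
    Finding("ws-02", "Google Chrome", "high", datetime(2024, 5, 20, 9, 0)),
    Finding("srv-01", "Windows Server", "medium", datetime(2024, 5, 25, 9, 0)),
    Finding("ws-03", "Java", "extreme", datetime(2024, 6, 1, 9, 0), datetime(2024, 6, 5, 9, 0)),
]

if __name__ == "__main__":
    for level in (None, 1, 2, 3):
        r = assess(SAMPLE, NOW, level)
        name = "risk-based" if level is None else "Maturity Level %d" % level
        print(name, {k: [f.host for f in v] for k, v in r.items()})
```

Running the same inventory against the risk-based schedule and each maturity level shows how a finding that is compliant at Level One (ws-03, fixed after four days) becomes overdue at Level Three.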
Multi-factor Authentication
Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource. This makes it more difficult for adversaries to gain unauthorized access to systems and data.
Implementation Steps
- Develop and document a multi-factor authentication policy
- Identify systems and services that require MFA
- Select and implement an MFA solution
- Configure MFA for privileged users, remote access, and cloud services
- Train users on how to use MFA
- Monitor and enforce MFA usage
Key Considerations
Consider the usability of the MFA solution, as well as its security. Solutions that are difficult to use may lead to user resistance or workarounds that reduce security.
Maturity Levels
Maturity Level One
MFA is implemented for remote access to systems and for privileged users.
Maturity Level Two
MFA is implemented for remote access to systems, for privileged users, and for all users when accessing important data repositories.
Maturity Level Three
MFA is implemented for remote access to systems, for privileged users, for all users when accessing important data repositories, and for all users when accessing systems containing sensitive data.
Regular Backups
Regular backups are essential for recovering from cyber security incidents, such as ransomware attacks. Backups should be stored offline and tested regularly to ensure they can be used to restore systems and data.
Implementation Steps
- Develop and document a backup policy
- Identify systems and data that require backup
- Implement a backup solution that supports the 3-2-1 backup strategy
- Schedule regular backups
- Test backups regularly to ensure they can be restored
- Store backups securely, with offline copies
3-2-1 Backup Strategy
The 3-2-1 backup strategy involves having at least three copies of your data, stored on two different types of media, with one copy stored offsite.
Maturity Levels
Maturity Level One
Backups of important data, software, and configuration settings are
Maturity Level Two
Backups of important data, software, and configuration settings are performed daily. Backups are stored both onsite and offsite.
Maturity Level Three
Backups of important data, software, and configuration settings are performed hourly. Backups are stored both onsite and offsite. Backups are tested quarterly.
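The 3-2-1 rule above, together with the guide's requirements that a copy be offline and that backups be tested, can be checked mechanically against a backup inventory. The checker below is an added example, not part of the guide; it assumes the production data counts as the first of the three copies, uses a daily freshness window (Maturity Level Two) and treats "quarterly" restore testing as 90 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class BackupCopy:
    label: str
    media: str                              # "disk", "tape", "object-storage", ...
    offsite: bool                           # held at another site or region
    offline: bool                           # not reachable from the production network
    last_backup: datetime                   # completion time of the latest backup
    last_restore_test: Optional[datetime] = None

def assess_backups(copies: List[BackupCopy], now: datetime, primary_media: str = "disk",
                   max_age_days: float = 1, test_interval_days: float = 90) -> Dict[str, bool]:
    """Check one dataset's copies against 3-2-1 plus the offline-copy and restore-test
    requirements. The production data is counted as the first copy (assumption). Only
    copies refreshed within max_age_days count, so a stale tape satisfies nothing."""
    fresh = [c for c in copies if now - c.last_backup <= timedelta(days=max_age_days)]
    media = {primary_media} | {c.media for c in fresh}
    tested = [c for c in copies if c.last_restore_test is not None
              and now - c.last_restore_test <= timedelta(days=test_interval_days)]
    return {
        "three_copies": 1 + len(fresh) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": any(c.offsite for c in fresh),
        "offline_copy": any(c.offline for c in fresh),
        "restore_tested": bool(tested),
    }

def failing_checks(result: Dict[str, bool]) -> List[str]:
    """Names of the checks that did not pass, in report order."""
    return [name for name, ok in result.items() if not ok]

# Constructed sample: one file server's backup copies (not real systems).
NOW = datetime(2024, 6, 10, 8, 0)
SAMPLE = [
    BackupCopy("nas-snapshot", "disk", False, False, datetime(2024, 6, 10, 2, 0), datetime(2024, 5, 1)),
    BackupCopy("cloud-replica", "object-storage", True, False, datetime(2024, 6, 10, 2, 30)),
    BackupCopy("weekly-tape", "tape", True, True, datetime(2024, 5, 26, 3, 0)),  # 15 days old
]

if __name__ == "__main__":
    print("daily window, failing:", failing_checks(assess_backups(SAMPLE, NOW)))           # ['offline_copy']
    print("30-day window, failing:", failing_checks(assess_backups(SAMPLE, NOW, max_age_days=30)))  # []
```

The only offline copy in the sample is a tape that is two weeks old, so with a daily freshness window the dataset fails the offline check even though it passes 3-2-1 on paper.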
Implementation Roadmap
Implementing the Essential Eight is a journey, not a destination. Organizations should start with the strategies that are most relevant to their risk profile and gradually implement the remaining strategies over time.
Phased Approach
- Phase 1: Focus on preventing malware delivery and execution (Application Control, Patch Applications, Configure Microsoft Office Macro Settings, User Application Hardening)
- Phase 2: Focus on limiting the extent of cyber security incidents (Restrict Administrative Privileges, Patch Operating Systems, Multi-factor Authentication)
- Phase 3: Focus on recovering from cyber security incidents (Regular Backups)
Key Considerations
Consider the resources available to your organization, as well as the potential impact of each strategy. Start with the strategies that are most likely to provide the greatest benefit for the least amount of effort.
Conclusion
The Essential Eight is a prioritized list of mitigation strategies that can help organizations protect their systems against cyber threats. By implementing these strategies, organizations can significantly reduce the likelihood and impact of cyber security incidents.
This guide has provided detailed information on implementing each of the Essential Eight strategies, with practical advice tailored to different organizational sizes and maturity levels.
We encourage all organizations to implement the Essential Eight as part of their overall cyber security strategy.