Strategies to Mitigate Targeted Cyber Intrusions – Key Changes for 2014

Strategies to Mitigate Targeted Cyber Intrusions, updated February 2014

Annex A: Key Changes for 2014

This annex highlights the key changes made for the 2014 version of the Strategies to Mitigate Targeted Cyber Intrusions table and Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details document. Specifically highlighted are the key changes to the mitigation strategy descriptors, rankings and overall security effectiveness, as well as key additional guidance provided in the body of this document.

Key Overarching Changes

Document and Section / Change and Reason

Strategies to Mitigate Targeted Cyber Intrusions, table.

Change: Amendment to text that separates the Top 4 mitigation strategies from the remaining mitigation strategies.
Reason: To further clarify priority order of implementing the Top 4, and ensure implementation on servers is specifically referenced.

Change: Amendments to Strategies to Mitigate Targeted Cyber Intrusions table columns.

  • Column ‘Designed to Prevent or Detect an Intrusion’ deleted.
  • Column ‘Helps Detect Intrusions’ added.
  • Column ‘Helps Mitigate Intrusion Stage 1: Code Execution’ retitled to ‘Helps Prevent Intrusion Stage 1: Code Execution’.
  • Column ‘Helps Mitigate Intrusion Stage 2: Network Propagation’ retitled to ‘Helps Contain Intrusion Stage 2: Network Propagation’.
  • Column ‘Helps Mitigate Intrusion Stage 3: Data Exfiltration’ retitled to ‘Helps Contain Intrusion Stage 3: Data Exfiltration’.

Reason: In the 2012 version, in some cases the word ‘prevent’ was used to mean preventing the scope of an intrusion escalating to enable cyber adversaries to achieve their goals, rather than necessarily preventing initial malicious code execution. For example, using a non-persistent virtualised sandboxed trusted operating environment was listed as preventing an intrusion. However, the primary benefit of this mitigation strategy is to contain malicious code that has already executed, rather than preventing the malicious code from executing. The changes to the table columns are intended to clarify that, in the context of this document suite, ‘preventing an intrusion’ now specifically refers to preventing initial code execution. These wording changes are also the reason why the values in these columns have changed for a small number of mitigation strategies.

Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details, Introduction.

Change: Text added on document’s applicability to mobile devices.
Reason: To clarify that the primary focus of the Strategies to Mitigate Targeted Cyber Intrusions document suite is on defending user workstations and servers, as well as to refer to other available ASD guidance for advice on the secure use of mobile devices.

Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details, Rationale for Implementing the Mitigation Strategies.

Change: Additional text to reference the requirement for organisations to regularly perform and test offline backups.
Reason: This guidance helps organisations to recover from cyber intrusions.

Key Changes to the Mitigation Strategies

Reasons for changes to the effectiveness ranking of mitigation strategies have not been provided in every instance. Such changes are, for the most part, due to other mitigation strategies being introduced, merged, or changing in ranking. Specific reasons are provided for mitigation strategies that have significantly changed in effectiveness.

Strategy (2014 ranking / 2012 ranking): Change and Reason

Application whitelisting (2014: #1 / 2012: #1)
Change: Amendment to strategy descriptor and text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To address additional types of programs such as scripts and installers.

Patch applications (2014: #2 / 2012: #2)
Change: Strategy descriptor amended to mention patching web browsers and using the latest version of applications.
Reason: To reflect the prevalent exploitation of vulnerabilities in web browsers and Java, as well as the additional security technologies typically incorporated into newer versions of applications.

Change: Text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To assist with patch management and assessing the risk of vulnerabilities.

Patch operating system vulnerabilities (2014: #3 / 2012: #3)
Change: Text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To assist with patch management and assessing the risk of vulnerabilities.

Restrict administrative privileges (2014: #4 / 2012: #4)
Change: Strategy descriptor amended and text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To highlight that administrative privileges need to be restricted based on user duties, and that this mitigation strategy applies to:

  1. users who have domain or local system administrative privileges, and equivalent administrative privileges in non-Windows operating systems
  2. users who have elevated operating system privileges
  3. users who have privileged access to applications such as a database
  4. administrative accounts that permit vendors to perform remote access.

User application configuration hardening (2014: #5 / 2012: #18)
Change: Ranking moved up to #5. Strategy descriptor amended and text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To assist with significantly reducing the attack surface, including mitigating intrusions that exploit the prevalence of Java vulnerabilities or leverage Microsoft Office macros.

Automated dynamic analysis (2014: #6 / 2012: N/A)
Change: Behavioural analysis functionality has been extracted from the ‘Email content filtering’ and ‘Web content filtering’ mitigation strategies to create a new mitigation strategy. Text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: There has been an increase in the availability and effectiveness of automated dynamic analysis technologies since the previous version of this document suite was published.

Operating system generic exploit mitigation (2014: #7 / 2012: #21)
Change: Ranking moved up to #7. The ‘Overall Security Effectiveness’ column value changed from Good to Excellent. Strategy descriptor amended and text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To reflect the proven effectiveness of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) to help mitigate techniques used to exploit vulnerabilities, even in cases where the existence and details of vulnerabilities were not publicly known at the time. See:

Host-based Intrusion Detection/Prevention System (2014: #8 / 2012: #11)
Change: Ranking moved up to #8.

Disable local administrator accounts (2014: #9 / 2012: #5)
Change: Ranking moved down to #9.

Network segmentation and segregation (2014: #10 / 2012: #7)
Change: Ranking moved down to #10. Minor amendment to strategy descriptor.
Reason: To include a specific example of sensitive information and critical services requiring the protection provided by this strategy.

Multi-factor authentication (2014: #11 / 2012: #6)
Change: Ranking moved down to #11.

Software-based application firewall, blocking incoming network traffic (2014: #12 / 2012: #8)
Change: Ranking moved down to #12. Minor amendment to strategy descriptor.

Software-based application firewall, blocking outgoing network traffic (2014: #13 / 2012: #9)
Change: Ranking moved down to #13. Minor amendment to strategy descriptor.

Non-persistent virtualised sandboxed trusted operating environment (2014: #14 / 2012: #10)
Change: Ranking moved down to #14. Minor amendment to strategy descriptor.

Centralised and time-synchronised logging of successful and failed computer events (2014: #15 / 2012: #12)
Change: Ranking moved down to #15.

Change: Text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To provide additional guidance on where to focus log analysis activities.

Centralised and time-synchronised logging of allowed and blocked network activity (2014: #16 / 2012: #13)
Change: Ranking moved down to #16.

Email content filtering (2014: #17 / 2012: #14)
Change: Ranking moved down to #17. Amendments to strategy descriptor and Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To reflect that cyber adversaries increasingly use spear phishing emails that either have an attachment type required for business purposes (and is therefore whitelisted), or have a hyperlink instead of an attachment. Also, the behavioural analysis component of this mitigation strategy is now covered in detail by the new ‘Automated dynamic analysis’ mitigation strategy.

Web content filtering (2014: #18 / 2012: #15)
Change: Ranking moved down to #18. Minor amendment to strategy descriptor.
Reason: The behavioural analysis component of this mitigation strategy is now covered in detail by the new ‘Automated dynamic analysis’ mitigation strategy.

Web domain whitelisting for all domains (2014: #19 / 2012: #16)
Change: Ranking moved down to #19.
Reason: To reflect that cyber adversaries are distributing and controlling malware by using legitimate (and therefore probably whitelisted) cloud computing services, as well as legitimate but temporarily compromised websites. See:

Change: Now incorporates previous mitigation strategy #17 ‘Web domain whitelisting for HTTPS/SSL domains’.
Reason: To reflect the significant increase in the number of websites that use HTTPS/SSL.
Block spoofed emails (2014: #20 / 2012: #19)
Change: Ranking moved down to #20. Text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To provide more complete guidance and help avoid misconfiguration of SPF records for subdomains and non-existent subdomains.
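The SPF subdomain point above is easy to get wrong in practice, so here is an added illustration (not part of the ASD document, and not ASD's code) that evaluates a small subset of SPF over two constructed DNS zones. The weak zone publishes SPF only at the apex; the corrected zone adds an explicit "v=spf1 -all" on every existing subdomain that never sends mail and a wildcard record for names that do not exist. The zone contents, hostnames and IP addresses are all constructed for the example, and the evaluator deliberately supports only the ip4, mx and all mechanisms.

```python
"""SPF evaluation over constructed DNS zones (added illustration, not ASD's code).

Demonstrates why an apex-only SPF record leaves both existing and non-existent
subdomains spoofable, and what the corrected zone data looks like.
"""
import ipaddress

# Constructed zone data: name -> {rrtype: [values]}. Addresses are RFC 5737 ranges.
# Weak zone: SPF only at the apex; mail.example.com exists (A record) but has no SPF.
WEAK_ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.10"]},
}

# Corrected zone: every existing subdomain that never sends mail gets an explicit
# "v=spf1 -all", and a wildcard covers names that do not exist at all.
HARDENED_ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:203.0.113.0/24 -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.10"], "TXT": ["v=spf1 -all"]},
    "*.example.com": {"TXT": ["v=spf1 -all"]},
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(zone, name):
    """Return TXT records for name using DNS wildcard semantics (RFC 4592):
    a wildcard only synthesises answers for names that do not exist at all,
    so an existing subdomain without its own TXT record returns nothing."""
    if name in zone:
        return zone[name].get("TXT", [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone:  # closest existing ancestor (the closest encloser)
            return zone.get("*." + ancestor, {}).get("TXT", [])
    return []


def check_spf(zone, mail_from_domain, sender_ip):
    """Evaluate a subset of SPF (RFC 7208): ip4, mx and all, with qualifiers.
    Returns one of none, pass, fail, softfail, neutral or permerror."""
    records = [r for r in lookup_txt(zone, mail_from_domain) if r.split()[0] == "v=spf1"]
    if not records:
        return "none"  # no policy published: receivers generally do not reject on this
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "mx":
            mx_hosts = zone.get(mail_from_domain, {}).get("MX", [])
            matched = any(str(ip) in zone.get(h, {}).get("A", []) for h in mx_hosts)
        else:
            return "permerror"  # mechanism outside the subset implemented here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched


def spoofing_report(zone, unauthorised_ip="198.51.100.7"):
    """Result a receiver would compute for a forged MAIL FROM domain sent from an
    address the organisation never authorised, for each subdomain case."""
    return {
        "apex": check_spf(zone, "example.com", unauthorised_ip),
        "existing subdomain": check_spf(zone, "mail.example.com", unauthorised_ip),
        "non-existent subdomain": check_spf(zone, "finance.example.com", unauthorised_ip),
    }


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, spoofing_report(zone))
```

Running it shows the weak zone returning "none" for both the existing and the non-existent subdomain, which most receivers treat as no verdict, while the hardened zone returns "fail" for all three cases and still passes legitimate mail from the authorised range. The wildcard alone is not enough: because DNS wildcards never match names that already exist, any subdomain with its own A, MX or other records still needs an explicit SPF record.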

Workstation and server configuration management (2014: #21 / 2012: #22)
Change: Ranking moved up to #21. Minor amendment to strategy descriptor and text to help mitigate malicious DLL files being loaded added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To reflect cyber intrusion tradecraft. See Sophos Naked Security: Targeted Malware Attack Piggybacks on Nvidia Digital Signature, 27 February 2013.

Change: Now incorporates previous mitigation strategy #31 ‘Disable LanMan passphrase support’.

Antivirus software using heuristics and automated Internet-based reputation ratings (2014: #22 / 2012: #25)
Change: The ‘Antivirus software’ mitigation strategy (#25 in the previous version of this document) has been split into two mitigation strategies, creating this new mitigation strategy. Text added to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To reflect the difference in effectiveness between signature-based antivirus software and antivirus software that uses heuristics and automated Internet-based reputation ratings.

Deny direct Internet access from workstations (2014: #23 / 2012: #24)
Change: Ranking moved up to #23.

Server application configuration hardening (2014: #24 / 2012: #23)
Change: Ranking moved down to #24. Minor amendment to strategy descriptor.

Enforce a strong passphrase policy (2014: #25 / 2012: #27)
Change: Ranking moved up to #25.

Change: Amendment to strategy descriptor and minor addition to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To note that use of an appropriately configured and secured passphrase vault can assist with storing and managing many complex passphrases.

Removable and portable media control (2014: #26 / 2012: #29)
Change: Ranking moved up to #26. Minor addition to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.

Restrict access to Server Message Block (SMB) and NetBIOS (2014: #27 / 2012: #28)
Change: Ranking moved up to #27.

Change: Minor addition to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To provide specific information on the risks this strategy primarily mitigates – internal reconnaissance and network propagation.

User education (2014: #28 / 2012: #20)
Change: Ranking moved down to #28.
Reason: To reflect that user education will not prevent a user from visiting a legitimate website that has been temporarily compromised to serve malicious content as part of a ‘watering hole’ or ‘drive-by download’. Visiting such a website might compromise the user’s workstation without any obvious indications of compromise for the user to detect.

Change: Minor addition to Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To clarify the specific need to educate staff who have a technical role.

Workstation inspection of Microsoft Office files (2014: #29 / 2012: #26)
Change: Ranking moved down to #29. Minor amendment to strategy descriptor.

Signature-based antivirus software (2014: #30 / 2012: #25)
Change: Ranking moved down to #30. Amendments to strategy descriptor and Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details.
Reason: To reflect the difference in effectiveness between signature-based antivirus software and antivirus software that uses heuristics and automated Internet-based reputation ratings (as is now expressed through two distinct mitigation strategies – #22 and #30 – relating to antivirus software).

TLS encryption between email servers (2014: #31 / 2012: #30)
Change: Ranking moved down to #31.

Block attempts to access websites by their IP address (2014: #32 / 2012: #32)
Change: Minor amendment to strategy descriptor.
Reason: To provide implementation guidance.

Change: The ‘Overall Security Effectiveness’ column value changed from Good to Average.
Reason: To reflect that cyber adversaries who compromise a legitimate website automatically inherit a domain name. This mitigation strategy is also circumvented by cyber adversaries who obtain dynamic domains and other domains provided free to anonymous Internet users with minimal or no attribution.

Network-based Intrusion Detection/Prevention System (2014: #33 / 2012: #33)
Change: No changes.

Gateway blacklisting (2014: #34 / 2012: #34)
Change: No changes.

Capture network traffic (2014: #35 / 2012: #35)
Change: Minor amendment to strategy descriptor.
Reason: To focus on capturing network traffic to/from internal critical asset workstations and servers, as well as traffic traversing the network perimeter.

Contact

Australian government customers with questions regarding this advice should contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.