Strategies to Mitigate Targeted Cyber Intrusions - Changes

Download the differences between the 2010 version and 2011 version of the Top 35 Mitigation Strategies (300K PDF)

Introduction

  1. This document highlights the major changes between the mitigation strategies DSD published in February 2010 and the version published in July 2011.

Changes to Mitigation Strategies

  1. Mitigation Strategy #1 - Patch operating system
    • Changed to ranking #2.
    • Changed text from:
      • Patch the operating system and applications that have a corporately manageable auto-update feature.  Patch or mitigate serious vulnerabilities within two days.
    • to:
      • Patch operating system vulnerabilities. Patch or mitigate within two days for high risk vulnerabilities.  Use the latest operating system version.
  2. Mitigation Strategy #2 - Patch third-party applications
    • Changed to ranking #1.
    • Changed Maintenance Cost from Medium to High.
    • Changed text from:
      • Patch third-party applications, eg, PDF viewer, ActiveX objects and other web browser plugins.  Patch or mitigate serious vulnerabilities within two days.
    • to:
      • Patch applications, eg, PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities.  Use the latest version of applications.
  3. Mitigation Strategy #3 - Minimise administrative privileges
    • Changed text from:
      • Minimise administrative privileges to only users who need them.  Such users should use a separate unprivileged account for email and web browsing.
    • to:
      • Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing.
  4. Mitigation Strategy #4 - Application whitelisting
    • Changed text from:
      • Application whitelisting to help prevent unapproved programs from running, eg, solutions such as Microsoft Software Restriction Policies or AppLocker.
    • to:
      • Application whitelisting to help prevent malicious software and other unapproved programs from running, eg, by using Microsoft Software Restriction Policies or AppLocker.
  5. Mitigation Strategy #5 - Host-based intrusion detection/prevention system
    • No change.
  6. Mitigation Strategy #6 - Workstation conversion/sanitisation
    • Changed to ranking #12.
    • Changed User Resistance from Medium to Low.
    • Changed Upfront Cost from Medium to Low.
    • Changed text from:
      • Workstation conversion/sanitisation of Microsoft Office files, eg, Microsoft Office Isolated Conversion Environment (MOICE).
    • to:
      • Workstation inspection of Microsoft Office files for abnormalities, eg, using the Microsoft Office File Validation feature.
  7. Mitigation Strategy #7 - Whitelisted email content filtering
    • Changed to ranking #6.
    • Changed text from:
      • Whitelisted email content filtering, preferably converting/sanitising PDF and Microsoft Office files.
    • to:
      • Whitelisted email content filtering, allowing only attachment types required for business functionality.  Preferably convert/sanitise PDF and Microsoft Office attachments.
  8. Mitigation Strategy #8 - Gateway
    • Changed to ranking #19.
    • Changed text from:
      • Gateway with a split DNS server, an email server, a password-authenticated web proxy server and a firewall preventing workstations directly accessing the Internet.
    • to:
      • Border gateway using an IPv6-capable firewall to prevent computers directly accessing the Internet except via a split DNS server, an email server, or an authenticated web proxy.
  9. Mitigation Strategy #9 - Data Execution Prevention
    • Changed to ranking #20.
    • Changed text from:
      • Data Execution Prevention using hardware and software mechanisms for all compatible software applications.
    • to:
      • Data Execution Prevention using hardware and software mechanisms for all software applications that support DEP.
  10. Mitigation Strategy #10 - Antivirus software
    • Changed to ranking #21.
    • Changed text from:
      • Antivirus software with up-to-date signatures and heuristic detection capabilities.  Use gateway and desktop antivirus software from different vendors.
    • to:
      • Antivirus software with up-to-date signatures, reputation ratings and other heuristic detection capabilities.  Use gateway and desktop antivirus software from different vendors.
  11. Mitigation Strategy #11 - Sender Policy Framework
    • Changed to ranking #7.
    • Changed Overall Security Effectiveness from Good to Excellent.
    • Changed text from:
      • Sender Policy Framework to help block incoming spoofed emails and to help prevent spoofing of your domain.
    • to:
      • Block spoofed emails using Sender Policy Framework checking of incoming emails and a 'hard fail' SPF record to help prevent spoofing of your organisation’s domain.
  12. Mitigation Strategy #12 - Audit reconnaissance tool usage
    • Merged with mitigation strategy #24 Centralised and time-synchronised logging of successful and failed computer events.
  13. Mitigation Strategy #13 - Restrict access to NetBIOS
    • Changed to ranking #27.
  14. Mitigation Strategy #14 - Application-based workstation firewall (incoming traffic)
    • Changed to ranking #13.
    • Changed text from:
      • Application-based workstation firewall to protect against malicious or otherwise unauthorised incoming network traffic.
    • to:
      • Application-based workstation firewall, configured to deny traffic by default, to protect against malicious or otherwise unauthorised incoming network traffic.
  15. Mitigation Strategy #15 - Network segmentation and segregation
    • Changed text from:
      • Network segmentation and segregation into security zones to protect high value assets using routers, switches and firewalls.
    • to:
      • Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication and user directory information.
  16. Mitigation Strategy #16 - Centralised logging
    • Split into two mitigations ranked #23 and #24.
    • Changed text from:
      • Centralised logging using a synchronised time source, combined with regular log analysis.
    • to:
      • Centralised and time-synchronised logging of allowed and blocked network activity, with regular log analysis, storing logs for at least 18 months.
      • Centralised and time-synchronised logging of successful and failed computer events, with regular log analysis, storing logs for at least 18 months.
  17. Mitigation Strategy #17 - Disable unrequired operating system functionality
    • Changed to ranking #25.
    • Changed text from:
      • Disable unrequired operating system functionality, eg, disable or restrict services such as Remote Desktop, harden configuration of file and registry permissions.
    • to:
      • Standard Operating Environment with unrequired operating system functionality disabled, eg, IPv6, autorun and Remote Desktop.  Harden file and registry permissions.
  18. Mitigation Strategy #18 - Application security configuration hardening
    • Split into two mitigations ranked #26 and #28.
    • Changed text from:
      • Application security configuration hardening, especially for Microsoft Office applications, PDF viewers and web browsers.
    • to:
      • Workstation application security configuration hardening, eg, disable unrequired features in PDF viewers, Microsoft Office applications and web browsers.
      • Server application security configuration hardening, eg, databases, web applications, customer relationship management and other data storage systems.
  19. Mitigation Strategy #19 - Application-based workstation firewall (outgoing traffic)
    • Changed to ranking #14.
    • Changed text from:
      • Application-based workstation firewall that whitelists applications allowed to generate outgoing network traffic.
    • to:
      • Application-based workstation firewall, configured to deny traffic by default, that whitelists which applications are allowed to generate outgoing network traffic.
  20. Mitigation Strategy #20 - Web domain whitelisting (HTTPS/SSL)
    • Changed to ranking #11.
    • Changed Overall Security Effectiveness from Good to Excellent.
    • Changed text from:
      • Web domain whitelisting (more proactive and thorough than blacklisting) for domains that use HTTPS/SSL encryption.
    • to:
      • Web domain whitelisting for HTTPS/SSL domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
  21. Mitigation Strategy #21 - Web content filtering
    • Changed to ranking #9.
    • Changed Overall Security Effectiveness from Good to Excellent.
    • Changed text from:
      • Web content filtering using a combination of signatures, heuristics and whitelisting allowed content types.
    • to:
      • Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings and other heuristics, and whitelisting allowed types of web content.
  22. Mitigation Strategy #22 - Two-factor authentication
    • Changed to ranking #16.
    • Changed text from:
      • Two-factor authentication for access to sensitive information repositories.
    • to:
      • Multi-factor authentication especially implemented for when the user is about to perform a privileged action, or access a database or other sensitive information repository.
  23. Mitigation Strategy #23 - Removable media control
    • Changed to ranking #29.
    • Changed text from:
      • Removable media control including storage, handling, whitelisting allowed USB devices, encryption and destruction.
    • to:
      • Removable and portable media control as part of a Data Loss Prevention strategy, including storage, handling, whitelisting allowed USB devices, encryption and destruction.
  24. Mitigation Strategy #24 - Web domain whitelisting (all domains)
    • Changed to ranking #10.
    • Changed Overall Security Effectiveness from Good to Excellent.
    • Changed text from:
      • Web domain whitelisting (more proactive and thorough than blacklisting) for all domains.
    • to:
      • Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.
  25. Mitigation Strategy #25 - Disable LanMan
    • Changed to ranking #31.
    • Changed Overall Security Effectiveness from Average to Good.
    • Changed text from:
      • Disable LanMan password support on workstations and servers.
    • to:
      • Disable LanMan password support and cached credentials on workstations and servers, to make it harder for adversaries to crack password hashes.
  26. Mitigation Strategy #26 - Block attempts to access web sites by their IP address
    • Changed to ranking #32.
    • Changed Overall Security Effectiveness from Average to Good.
  27. Mitigation Strategy #27 - TLS encryption between email servers
    • Changed to ranking #30.
    • Changed Overall Security Effectiveness from Average to Good.
    • Changed text from:
      • TLS encryption between email servers to help prevent legitimate emails being captured over the wire and used for social engineering.
    • to:
      • TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering.  Perform content scanning after email traffic is decrypted.
  28. Mitigation Strategy #28 - Randomised local administrator passwords
    • Changed to ranking #17.
    • Changed Overall Security Effectiveness from Average to Good.
    • Changed text from:
      • Randomised local administrator passwords that are unique and complex for all computers.
    • to:
      • Randomised local administrator passphrases that are unique and complex for all computers.  Use domain group privileges instead of local administrator accounts.
  29. Mitigation Strategy #29 - Gateway blacklisting
    • Changed to ranking #34.
    • Changed text from:
      • Gateway blacklisting to block access to known malicious domains and IP addresses.
    • to:
      • Gateway blacklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous Internet users.
  30. Mitigations #30, #32, #34 and #35 - Intrusion detection/prevention system
    • Merged into a single mitigation strategy #33 consisting of the text:
      • Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries.
  31. Mitigation Strategy #31 - User education
    • Changed to ranking #8.
    • Changed Overall Security Effectiveness from Average to Excellent, provided that the user education covers topics detailed in the DSD document Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details, specifically user education:
      • especially for Most Likely Targets, about Internet threats such as identifying spear phishing socially engineered emails or unexpected duplicate emails, and reporting such emails and suspicious phone calls to the security team.
      • educating users to avoid selecting weak passphrases, reusing the same passphrase on the same system, using the same passphrase in several different places, unnecessarily exposing their email address and other personal details, visiting web sites unrelated to work, and using USB devices and other IT equipment not corporately provided.
      • educating users why following IT security policies helps them to protect and appropriately handle the sensitive information they have been entrusted to handle.
    • Changed text from:
      • User education about web threats, focusing on identifying spear phishing socially-engineered emails.
    • to:
      • User education, eg, Internet threats and spear phishing socially-engineered emails.  Avoid weak passphrases, passphrase reuse, exposing email addresses, unapproved USB devices.
  32. Mitigation Strategy #33 - Rolling network capture
    • Changed to ranking #35.
    • Changed text from:
      • Rolling network capture to perform post-incident analysis of inevitable successful intrusions, to determine the adversary’s techniques and assess the extent of damage.
    • to:
      • Full network traffic capture to perform post-incident analysis of successful intrusions, storing network traffic for at least the previous seven days.
  33. Mitigation strategy added: Non-persistent virtualised trusted operating environment
    • Ranking #22.
    • Consisting of the text:
      • Non-persistent virtualised trusted operating environment with limited access to network file shares, for risky activities such as reading email and web browsing.
  34. Mitigation strategy added: Enforce a strong passphrase policy
    • Ranking #18.
    • Consisting of the text:
      • Enforce a strong passphrase policy covering complexity, length, and avoiding both passphrase reuse and the use of dictionary words.
  35. Columns indicating if a mitigation strategy addresses a particular intrusion stage
    • Changed “Conditional” to “Possible”.
  36. Table split into two tables
    • Split by the following text:
      • Once organisations have implemented the top four mitigation strategies, firstly on computers used by employees most likely to be targeted by intrusions and then for all users, additional mitigation strategies can then be selected to address system security gaps to reach an acceptable level of residual risk.
  37. Text at the bottom left corner
    • Changed text from:
      • Further information and contact details to obtain updated copies of this list of mitigations can be found at
        http://www.dsd.gov.au/library/infosec/mitigations.html
    • to:

Contact Details

  1. Additional information about implementing the 35 mitigation strategies.
  2. Australian government agencies seeking clarification about this document can contact DSD
  3. Australian businesses and other Australian private sector organisations seeking further information should contact CERT Australia