Introduction

Control objective

The objective of the Application Control strategy is to ensure applications are only accessible from appropriate locations and to the appropriate users.

Expectation

Organisations are expected to have a comprehensive approach to managing and controlling the execution of software applications.

The approach must include the full lifecycle of approving, deploying, and removing software applications. At higher maturity levels, log retention and monitoring are required.

The scope of application control is also extended from just workstations to internet-facing servers at Maturity Level 2 and all workstations and servers at Maturity Level 3.

Implementing application control

• Identify business-critical applications and formally approve their use.

• Develop application control rules to ensure that only approved applications can be executed.

• Maintain the application control rules using a change management program.

• Validate application control rules on an annual or more frequent basis.

Contents

• Assessment scope

• Assessing application control

• Guidance

  • Maturity Level 1

  • Maturity Level 2

  • Maturity Level 3

• Other considerations

  • Kernel

  • Identifying malicious code execution

  • Applocker and WDAC

• Useful resources

Assessment scope

When carrying out application control assessments, it’s important to consider paths related to standard user-profiles and temporary directories that are utilised by operating systems, web browsers, and email clients. These can include:

• %userprofile%*

• %temp%*

• %tmp%*

• %windir%\Temp*

Based on the system’s setup, some overlap may be present; for example, %temp% and %tmp% are usually found within %userprofile%.

It is important to note that the last major update to the maturity model introduced compiled Hypertext Markup Language (HTML) (.chm files), HTML applications (.hta files) and control panel applets (.cpl files) to the list of file types that need to be controlled. Some application control solutions may not support these file types.

Assessing Application Control

To assess the effectiveness of application control strategies:

• Identify authorised programs.

• Identify the application control approach that is being used (if in place).

• Assess the controls using assessment methods and tools.

• Determine the associated maturity level.

Assessment methods

Application control assessments are possible without tools, but the efficacy of the tests will be significantly reduced, and edge cases that malicious actors might exploit could be missed. For instance, threat actors might deploy bespoke tools to enumerate weak paths in a system.

The ACSC provides guidelines and recommendations on the methods and tools that can be used to assess the control.

The only true way to test is to attempt execution against all file types in all locations.

SysInternals AccessChk application can be used to generate output of folder permissions, but this is only relevant, potentially, for Level 1.

E8MVT

The Essential Eight Maturity Verification Tool (E8MVT) tests application control policies by attempting to write and execute certain file types in specific locations.

The tool also checks that Microsoft’s recommended block rules and drive block rules are implemented.

ACVT

The Application Control Verification Tool (ACVT) tests application control policies by enumerating all sub-directories and attempting to write and execute each relevant file type from each location.

Both the E8MVT and ACVT are part of ASD’s toolkit, available through their partner program.

Scripts

Get AppLocker Policies

Get-AppLockerPolicy -Effective -Xml | Set-Content ('c:\windows\temp\curr.xml')`

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User Everyone

Test in calc.exe or notepad.exe:

Test-AppLockerPolicy -XMLPolicy C:\windows\temp\curr.xml -Path C:\windows\system32\calc.exe, C:\windows\system32\notepad.exe -User Everyone

Sysinternals accesschk

If only trusted Microsoft tools are permitted on the system, SysInternals AccessChk can be used for outputting folder permissions, noting this is only suitable for a path-based approach to implementing the control.

accesschk -dsuvw [path] > report.txt

Running whoami /groups would also need to be executed to determine which user groups a typical standard user belonged to in order to determine the effective permissions for each path.

This approach is, however, likely to be tedious in assessing effectively.

Maturity Level 1 guidance

The intent of application control at Maturity Level 1 can be met without a dedicated application control solution. This is achieved through file system permissions to prevent unnecessary access to user profile directories and temporary folders.

The execution of executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets is prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients.

Given how complex file system permissions can become, it’s essential to attempt to write and execute from all user-accessible directories to effectively check application control.

ACSC’s Essential Eight Maturity Verification (E8MVT) and Application Control Verification (ACVT) tools (available to ACSC partners) can assist in achieving this. A number of other tools on the market can also enumerate a file system to perform this test.

Where applicable, PowerShell cmdlets can be used to test and review AppLocker policies and Sysinternals accesschk can be used if only Microsoft-based tools are available to use.

For a system on which tools cannot be run, and assuming a path-based approach is used, screenshots of the ‘effective access’ permissions for specified folders can be requested. This, however, has limitations because unless screenshots of access permissions are requested for every folder and sub-folder (for which there are usually many), it will not be possible to comprehensively assess whether read, write and execute permissions exist for a given user. Consequently, this will likely impact the quality of evidence cited in the final report.

At a minimum, screenshots for key paths (such as temporary folders used by the operating system, web browsers and email clients) should be requested and examined to determine whether inheritance is set, noting that at any point in a path, application control inheritance previously set by an operating system may be disabled by an application installer

Maturity Level 2 guidance

Whereas Maturity Level 1 is focused on End-User Compute (EUC) endpoints, Level 2 extends application control to internet-facing servers and includes additional log-retention requirements.

Maturity Level 3 guidance

Maturity Level 3 builds on Level 2 in that it requires log monitoring, application control on all servers, and the implementation of Microsoft’s block rules. Application control rulesets also need to be validated at least annually.

Other considerations

Considering Kernel

Virtual memory is split into kernel and user space. The scope to which an application control solution protects a system’s kernel should also be considered.

Identifying adversary attempts to execute malicious code

Application control can help identify attempts to execute malicious code.

This can be achieved by configuring application control to generate event logs for allowed and blocked executions.

Event logs should include relevant information such as:

• name of the file

• date/time stamp

• username of the executing user

Application control logs can also be ingested into an SIEM/SOAR system to allow for and contribute to a broader context of the threat landscape.

AppLocker and WDAC

AppLocker and Windows Defender Application Control (WDAC) are both security features in Windows, designed to control application usage and restrict unauthorised software. However, they have distinct differences:

1. Design and Purpose:

   • AppLocker: Primarily aimed at providing administrators with the ability to specify which users or groups can run particular applications, based on unique identities of files. It’s more about managing application access than outright security.

   • WDAC: Focuses more on security. It is designed to prevent malware and untrusted applications from running by enforcing code integrity policies.

2. Scope and Control:

   • AppLocker: Works at a more granular level, allowing control over scripts, executable files, Windows Installer files, DLLs, and packaged app installers.

   • WDAC: Controls the entire spectrum of executable code on the system, including kernel-mode drivers and user-mode applications.

3. Implementation and Management:

   • AppLocker: Managed through Group Policy, making it easier to implement in an environment already using Group Policy for configurations.

   • WDAC: Managed through PowerShell and uses a different policy format, which can be more complex to set up but offers higher security. -

4. Flexibility and Usability:

   • AppLocker: Offers more flexibility and is simpler to configure, especially for smaller organizations or those with less complex needs.

   • WDAC: While it provides a stronger security posture, implementing and managing it can be more challenging, particularly in environments with diverse applications.

5. System Requirements:

   • AppLocker: Available on Windows 7 and newer versions but only for Enterprise and Ultimate editions.

   • WDAC: This feature is available on Windows 10 and Windows Server 2016 and later, offering broader support across different Windows editions.

6. Security Level:

   • AppLocker: Considered less robust in terms of security compared to WDAC, as it lacks the more comprehensive system-wide controls.

   • WDAC: Provides a more secure environment by ensuring that only trusted software runs on the system.

In summary, while AppLocker is more user-friendly and easier to manage, particularly for application access control, WDAC offers a more comprehensive and secure approach, focusing on system integrity and malware prevention. The choice between the two would depend on the organisation's specific needs and capabilities, particularly in terms of desired security level and ease of management.

Useful resources

• Essential Eight application control - Essential Eight | Microsoft Learn

• Microsoft recommended driver block rules - Windows Security | Microsoft Learn

• Applications that can bypass WDAC and how to block them - Windows Security | Microsoft Learn

• Technical example: Application control | Cyber.gov.au

Introduction

An assessment's planning and scoping stages are essential for structuring the process and ensuring that the security insights gained accurately represent the environment being assessed. During this stage, it’s vital to take into account the context in which an organisation operates, including the threat landscape. In this context, the threat landscape can mean the primary threat the organisation is facing—for example, insider threats or external threats—including the level of threat sophistication.

Assessors should examine the organisation’s policies and procedures, conduct comprehensive tests of technical controls pertinent to each strategy, and assess their effectiveness. Determining the organisation's desired maturity level is key to guiding the assessment and establishing the appropriate scope and methods.

The type and quality of evidence collected will influence the assessment outcomes, so it’s critical to ensure that the evidence gathered is of high quality and reliability. This will underpin the report’s conclusions and recommendations.

When there are mandatory requirements for implementing the Essential Eight, an assessment is needed to attest to the level of maturity of the organisation’s cyber security controls. The assessment process, however, is intended to provide an organisation with actionable insights. For this reason, organisations that do not have a mandated requirement will still find regular assessment helpful as a way to identify improvements.

Non-corporate entities within the Australian Government are typically required to obtain a Maturity Level Two within the broader context of the mandatory Protective Security Policy Framework (PSPF).

The following sections describe the four assessment stages.

Contents

• Assessment planning and preparation

• Assessment scoping

• Assessment of controls

• Development of the assessment report

• Useful resources

Stage 1 - Assessment planning and preparation

During this stage, pre-planning is undertaken to build a contextual overview of the organisation and the threat landscape in which it operates. The assessor will aim to gain an understanding of the infrastructure, the teams the assessor will need to interact with, and the skills required to complete the assessment.

As part of planning, the assessor should discuss the following with the asset owner:

• Determine asset classification and assessment scope.

• Requirements around access to low and high-privileged user accounts, devices, documentation, personnel, and facilities.

• Any approvals required to run scripts and tools within the environment.

• Evidence collection and protection requirements, including following the conclusion of the assessment.

• Finalising approval to use tools and scripts on sample systems/servers/networks.

• Requirements for where the assessment report will be developed (e.g. on the organisation’s system or externally).

• How stakeholder engagement and consultation should be approached, including confirming key contact points.

• Whether any managed service providers support or manage any aspects of the system(s) under assessment, including appropriate points of contact if so.

• Obtaining copies of any previously completed assessment reports for the system.

• Agreement on appropriate use, retention and marketing of the assessment report by both parties.

At the end of this stage, the assessor should have developed the assessment test plan.

Stage 2 - Assessment scoping

Different maturity levels will impact aspects or components of the assessment. During this stage the assessor should become familiar with the requirements for the target maturity level, so the assessment approach and test plan can be adjusted accordingly.

The Essential Eight should be implemented and assessed as a package. If a system has not previously been assessed and demonstrated to meet Maturity Level One, that system should not be assessed for Maturity Level Two. Likewise, a system should be assessed and demonstrated to meet Maturity Level Two before being assessed for Maturity Level Three.

As part of determining the appropriate assessment approach, the assessor should conduct the following activities:

• Make use of asset registers that describe the environment to determine the applicability of the Essential Eight.

• Conduct workshops with the system owners to identify and agree on the precise assessment scope, including out-of-scope items.

• Agree with system owners on the assessment duration and milestones.

• Obtain an approximate breakdown of the operating systems used within the environment.

• Determine the necessary sample size to represent all in-scope assets and types of assets accurately.

• Document any assessment limitations, including sample sizes and constraints in the assessment report.

Evidence quality

Assessments should strive to gather and use the highest-caliber evidence to effectively support conclusions on the effectiveness of controls. Evidence quality requirements should be considered and discussed at this stage.

It’s important to use a mix of qualitative and quantitative techniques, as these will often complement each other and allow for cross-referencing. Qualitative techniques may include reviewing documentation and interviewing system administrators. Quantitative techniques could include reviewing system configurations or utilising tools and scripts.

When conducting assessments, the quality of evidence can typically be categorised as follows:

Stage 3 - Assessment of controls

At this stage, the effectiveness of the controls within the Essential Eight are tested against the target Maturity Level.

ACSC has developed standardised assessment outcomes which must be used.

Each control can be assessed as follows:

• Effective: The organisation effectively meets the control’s objective.

• Ineffective: The organisation is not adequately meeting the control’s objective.

• Alternate control: The organisation effectively meets the control’s objective through an alternate control.

• Not assessed: The control has not yet been assessed.

• Not applicable: The control does not apply to the system or environment.

• No visibility: The assessor was unable to obtain adequate visibility of a control’s implementation.

Importantly, the Essential Eight Maturity Model does not allow for risk acceptance without compensating controls. If a system owner has accepted a risk with no compensating controls, the mitigation strategy must not be considered or implemented.

Moreover, when evaluating the efficacy of compensating controls, it’s important to verify that the level of protection the compensating control(s) offer is commensurate to that prescribed by the Essential Eight to protect against the level of adversarial tradecraft for the target Maturity Level.

There is no scope in the Essential Eight model that allows for risks to be accepted without commensurate compensating controls.

Stage 4 - Development of the assessment report

In the final stage, the assessor will develop the security assessment report.

Understanding maturity levels.

The report will contextualise the assessment against the Maturity Model. The Maturity Model contains four levels that provide a way for an organisation to measure its progress in implementing the Essential Eight while also identifying areas for improvement.

There are three target levels, based on increasingly sophisticated adversarial tradecraft levels. Level 0 designates instances where the requirements of the first maturity level are not met.

At Maturity Level 0, weaknesses exist in the overall cyber security posture. This is also the default starting position if no assessment has been done previously.

At Maturity Level One the focus is on protection against malicious actors who are content to simply leverage widely available tradecraft. This level of maturity does not offer protection against APT tradecraft or other persistent threats, including insider threats.

At Maturity Level Two, a level of protection is reached that is sufficient to mitigate threats from malicious actors willing to invest more time in a target and in the effectiveness of their tools.

At Maturity Level Three, the focus is on threats that are more adaptive and much less reliant on public tools and techniques, such as state-sponsored actors, military operations, and other APTs.

Report validity

The assessment report has no expiry date. Theoretically, an assessment could be indefinite, but assessors should be cautious of relying on older previous reports and should consider doing a gap analysis to determine any deviations from succeeding changes to the Essential Eight and changes within the environment itself.

Treatment and exceptions

The use of exceptions for a system needs to be documented and approved by an appropriate authority through a formal process. The appropriate authority may be defined in the broader PSPF for government entities.

Documentation for exceptions should include the scope and justification for the exception, as well as the following details of the compensating controls:

• Reason, scope, and justification for compensating controls.

• Anticipated implementation lifetime of the compensating control(s).

• The review schedule of the compensating control.

• The system risk rating before and after the compensating control was implemented.

• Any caveats around the use of the system because of the exception.

• The formal acceptance from the appropriate authority of any residual risk for the system.

• When will the need for the exception next be considered by the appropriate authority? Note that exceptions should not be approved beyond one year.

Useful resources

• Essential Eight Assessment Process Guide | Cyber.gov.au

• Essential Eight Maturity Model | Cyber.gov.au

• Essential Eight Maturity Model FAQ | Cyber.gov.au

Introduction

Sometimes, it’s helpful to contextualise what something isn’t. That is certainly the case with the Australian Signals Directorate’s Essential Eight Strategies to Mitigate Cyber Security Incidents.

The Essential Eight and its Maturity Model are often conflated with the Australian Government’s broader Protective Security Policy Framework (PSPF), which has its own Maturity Model.

So, to begin, let’s set the scene.

Contents

• Where did the Essential Eight come from?

• Who’s it for?

• Categorising the strategies

• Where to start

  • Targeted cyber intrusions and other external malicious actors who steal data

  • Ransomware and external malicious actors who destroy data

  • Malicious insiders who steal data

  • Malicious insiders who destroy data and prevent systems functioning

• Useful resources

Where did the Essential Eight come from?

In February 2010, the Strategies to Mitigate Cyber Security Incidents was published to summarise the Information Security Manual. Seven years later, a revision added a degree of relative security effectiveness to these 37 strategies. Eight of these were marked Essential, thus giving rise to the Essential Eight.

Notably, the Essential Eight are not the Easy Eight. Nor is it the minimum needed for an effective cyber security posture. Instead, see it as a prioritisation. If you’re unsure where to start on a cyber security program of work, start with the Essential Eight.

Indeed, the PSPF is quite explicit about this. Policy 10: Safeguarding data from cyber threats states that entities must mitigate common cyber threats by implementing the Essential Eight and considering which of the remaining 29 strategies need to be implemented to achieve an acceptable level of residual risk.

The Essential Eight is not all that you need to do. Policy 10 creates a requirement for entities to consider what remaining mitigation strategies they need to achieve an acceptable level of residual risk.

Who’s it for?

The Essential Eight is not designed for all environments. It focuses on Microsoft Windows environments and may not be as relevant for other settings, such as IoT or Operational Technology.

Increasingly, government directives and legislative instruments are mandating the application of the Essential Eight as a risk management program.

• The PSPF mandates it for most government entities at the Federal level

• Some state governments have mandated it, including Victoria, Queensland, and New South Wales.

• Entities designated as Critical Infrastructure (Security of Critical Infrastructure Act 2018)

Categorising the 37 strategies

The strategies are categorised into five types:

1. Preventing Malware delivery and execution.

2. Limiting the extent of Cyber Security Incidents.

3. Detecting Cyber Security Incidents and Responding.

4. Recovering data and system availability after a Cyber Security incident.

5. Preventing malicious insiders.

Source: cyber.gov.au

The strategies are also tagged against three further dimensions:

1. Potential User Resistance

2. Upfront cost

3. Ongoing maintenance cost

How these dimensions were baselined isn’t clear; presumably, it’s relative.

For the Essential Eight, there are:

• Four prevention strategies.

• Three limiting strategies.

• One recovering strategy.

Where to start?

Logically, the advice is to follow a risk-based approach and start with strategies that mitigate the threats of most concern. This will look different for different organisations. The Strategies to Mitigate Cyber Security Incidents decompose this into four categories.

When implementing a strategy, first implement it for high-risk users and computers, such as those with access to important data and/or are exposed to untrustworthy internet content. Then, implement it for all other users and computers.

Targeted cyber intrusions and other external malicious actors who steal data.

Step 1

In this category, the first step is to implement the essential mitigation strategies that: a. prevent malware payload delivery and execution, b. limit the extent of cyber security incidents, and c. recover data and system availability.

Step 1 implementation order:

1. Application Control

2. Patch Applications

3. Configure Microsoft Office macro settings

4. User application hardening

5. Restrict administrative privileges

6. Patch operating systems

7. Multi-factor authentication

8. Regular backups

Step 2

Next, repeat the first step for the strategies with an effectiveness rating of ‘excellent’ in the detect, preventative, and limiting categories.

Step 2 implementation order:

1. Continuous incident detection and response

2. Automated dynamic analysis of email and web content run in a sandbox.

3. Email content filtering

4. Web content filtering

5. Deny corporate computers direct internet connectivity

6. Operating system generic exploit mitigation

7. Disable local administrator accounts

8. Network segmentation

9. Protect authentication credentials

Step 3

Lastly, consider what remaining strategies are required to achieve an acceptable level of residual risk1.

Ransomware and external malicious actors who destroy data

Step 1

For this category, the first step is to implement the Essential Eight that:

• recover data and system availability,

• prevent malware payload delivery and execution, an

• limit the extent of cyber security incidents.

Step 1 implementation order:

1. Regular backups

2. Application Control

3. Patch Applications

4. Configure Microsoft Office macro settings

5. User application hardening

6. Restrict administrative privileges

7. Patch operating systems

8. Multi-factor authentication

Step 2

Next, repeat the first step for the strategies with an effectiveness rating of ‘excellent’ in the detecting, preventative, and limiting categories.

Step 2 implementation order:

1. Continuous incident detection and response

2. Automated dynamic analysis of email and web content run in a sandbox.

3. Email content filtering

4. Web content filtering

5. Deny corporate computers direct internet connectivity

6. Operating system generic exploit mitigation

7. Disable local administrator accounts

8. Network segmentation

9. Protect authentication credentials

Step 3

Lastly, consider what remaining strategies are required to achieve an acceptable level of residual risk.

Malicious insiders who steal data.

Steps 1 and 2

For this category, the first step is to implement data exfiltration by implementing the strategy ‘Control removable storage media and connected devices’. The second is to implement the limiting strategy: outbound web and email data loss prevention.

Step 1 and 2 implementation order:

1. Control removable storage media and connected devices.

2. Outbound web and email data loss prevention.

Step 3

Next is to implement the Essential Eight limiting strategies and those that allow detection and response.

Step 3 implementation order:

1. Restrict administrative privileges

2. Patch operating systems

3. Multi-factor authentication

4. Continuous incident detection and response

Step 4

Then, repeat the third step for strategies with an effective rating of excellent in the limiting category and implement the preventative strategy of Personnel Management.

Step 4 implementation order:

1. Disable local administrator accounts

2. Network segmentation

3. Protect authentication credentials

4. Personnel management

Step 5

Lastly, if employees are likely to have the technical cyber security capabilities, implement the remaining Essential Eight strategies to prevent malware delivery, then repeat step 3 with less effective mitigation strategies to achieve an acceptable level of residual risk.

Step 5 implementation order:

1. Application Control

2. Patch Applications

3. Configure Microsoft Office macro settings

4. User application hardening

Malicious insiders who destroy data and prevent systems functioning.

Step 1

For this category, the first step is to implement the Essential Eight that:

• recover data and system availability, and

• limit the extent of cyber security incidents.

Step 1 implementation order:

1. Regular backups

2. Restrict administrative privileges

3. Patch operating systems

4. Multi-factor authentication

Step 2

Next, repeat the first step for the strategies with an effectiveness rating of ‘excellent’ in the detecting and limiting categories.

Step 2 implementation order:

1. Continuous incident detection and response

2. Disable local administrator accounts

3. Network segmentation

4. Protect authentication credentials

Step 3

Next, implement the preventative strategy of Personnel Management. Again, if employees are likely to have the technical cyber security capabilities, implement the remaining Essential Eight strategies to prevent malware delivery. Then, repeat step 3 with less effective mitigation strategies to achieve an acceptable level of residual risk.

Step 3 implementation order:

1. Personnel Management

2. Application Control

3. Patch Applications

4. Configure Microsoft Office macro settings

5. User application hardening

Useful resources

• Essential Eight | Cyber.gov.au

• Strategies to Mitigate Cyber Security Incidents | Cyber.gov.au

• Policies | Protective Security Policy Framework

• Policy 10: Safeguarding data from cyber threats | Protective Security Policy Framework

What are the Essential Eight

The Australian Signals Directorate’s Essential Eight Strategies to Mitigate Cyber Security Incidents was developed as a prioritised baseline to assist organisations in protecting their systems against a range of cyber threats.

Notably, the Essential Eight is just a starting point and is not exhaustive. Organisations should conduct regular risk assessments and adopt additional strategies based on their specific threat environment.

For government entities covered by the Protective Security Policy Framework (PSPF), Policy 10: Safeguarding data from cyber threats specifies that in addition to implementing the Essential Eight, entities should:

“[consider] which of the remaining mitigation strategies from the Strategies to Mitigate Cyber Security Incidents need to be implemented to achieve an acceptable level of residual risk for their entity.”

Over the coming months, I’ll endeavour to produce more detailed explainers demonstrating why each of the Essential Eight is important, and focusing on how the controls are assessed.

The table below lists the Essential Eight, the typical exploits each strategy helps protect against and a brief example.

Essential Eight Strategies

1. Application Control

2. Patch Applications

3. Configure Microsoft Office macro settings

4. User Application Hardening

5. Restrict Administrative Privileges

6. Patch Operating Systems

7. Multi-Factor Authentication

8. Daily Backups