The Australian Signals Directorate (ASD), formerly the Defence Signals Directorate, developed a list of strategies to mitigate targeted cyber intrusions, first published in February 2010 and revised for 2014.
The Strategies to Mitigate Targeted Cyber Intrusions are ranked in order of overall effectiveness. The rankings are based on ASD's analysis of reported security incidents and of vulnerabilities ASD detected while testing the security of Australian government networks.
While no single strategy can prevent malicious activity, implementing the Top 4 strategies can reduce cyber intrusions by 84%. The Top 4 Strategies to Mitigate Targeted Cyber Intrusions have been mandatory for Australian Government agencies since April 2013.
Check Point Software Technologies' breadth of security solutions enables organizations to implement a tailored, targeted security strategy that meets their business security needs. All solutions are centrally managed through a single console, which reduces complexity and operational overhead. As new threats emerge, Check Point solutions allow services to be expanded as needed without adding new hardware or management complexity.
Check Point Software Technologies takes the guesswork out of choosing the right security by providing targeted, comprehensive protections while helping you meet and implement the ASD 35 mitigations.
Essential Mitigations
# | Mitigation Name | Endpoint Blades | Network Security Blades | Management Blades |
---|---|---|---|---|
2 | Patch applications e.g. Java, PDF viewer, Flash, web browsers and Microsoft Office. Patch/mitigate systems with “extreme risk” vulnerabilities within two days. Use the latest version of applications. | • Compliance | | |
3 | Patch operating system vulnerabilities. Patch/mitigate systems with “extreme risk” vulnerabilities within two days. Use the latest suitable operating system version. Avoid Microsoft Windows XP. | • Compliance | | |
4 | Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing. | • Full Disk Encryption | | |
Excellent Mitigations
# | Mitigation Name | Endpoint Blades | Network Security Blades | Management Blades |
---|---|---|---|---|
5 | User application configuration hardening, disabling: running Internet-based Java code, untrusted Microsoft Office macros, and unneeded/undesired web browser and PDF viewer features. | • Compliance | • Document Security | |
6 | Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour including network traffic, new or modified files, or other configuration changes. | | • Threat Emulation | |
9 | Disable local administrator accounts to prevent network propagation using compromised local administrator credentials that are shared by several workstations. | • Compliance • Full Disk Encryption | | |
10 | Network segmentation and segregation into security zones to protect sensitive information and critical services such as user authentication by the Microsoft Active Directory service. | | • Firewall • Identity Awareness | |
11 | Multi-factor authentication, especially implemented for remote access, or when the user is about to perform a privileged action or access a sensitive information repository. | | • Mobile Access • Firewall | |
12 | Software-based application firewall, blocking incoming network traffic that is malicious or otherwise unauthorised, and denying network traffic by default. | • Firewall and Application Control | • Application Control | |
13 | Software-based application firewall, blocking outgoing network traffic that is not generated by an allowlisted application, and denying network traffic by default. | • Firewall and Application Control | • Application Control | |
15 | Centralised and time-synchronised logging of successful and failed computer events, with automated immediate log analysis, storing logs for at least 18 months. | | | • SmartEvent • SmartView Tracker • SmartLog • SmartReporter |
16 | Centralised and time-synchronised logging of allowed and blocked network activity, with automated immediate log analysis, storing logs for at least 18 months. | | | • SmartEvent • SmartView Tracker • SmartLog • SmartReporter |
17 | Email content filtering, allowing only allowlisted business-related attachment types. Preferably analyse/convert/sanitise hyperlinks, PDF and Microsoft Office attachments. | | • DLP • Anti-Virus • Threat Emulation | |
18 | Web content filtering of incoming and outgoing traffic, allowlisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures. | | • IPS • URL Filtering • Anti-Bot • Threat Emulation | |
19 | Web domain allowlisting for all domains, since this approach is more proactive and thorough than blocklisting a tiny percentage of malicious domains. | | • URL Filtering | |
20 | Block spoofed emails using Sender ID or Sender Policy Framework (SPF) to check incoming emails, and a “hard fail” SPF record to help prevent spoofing of your organisation’s domain. | | • Anti-Spam | |
Good Mitigations
# | Mitigation Name | Endpoint Blades | Network Security Blades | Management Blades |
---|---|---|---|---|
22 | Antivirus software using heuristics and automated Internet-based reputation ratings to check a program’s prevalence and its digital signature’s trustworthiness prior to execution. | • Anti-Malware | • Anti-Virus | |
23 | Deny direct Internet access from workstations by using an IPv6-capable firewall to force traffic through a split DNS server, an email server, or an authenticated web proxy server. | | • Firewall | |
24 | Server application configuration hardening e.g. databases, web applications, customer relationship management, finance, human resources and other data storage systems. | | • IPS | |
26 | Removable and portable media control as part of a Data Loss Prevention strategy, including storage, handling, allowlisting allowed USB devices, encryption and destruction. | • Media Encryption | | |
27 | Restrict access to Server Message Block (SMB) and NetBIOS services running on workstations and on servers where possible. | | • Firewall | |
30 | Signature-based antivirus software that primarily relies on up-to-date signatures to identify malware. Use gateway and desktop antivirus software from different vendors. | • Anti-Malware | • Anti-Virus | |
31 | TLS encryption between email servers to help prevent legitimate emails being intercepted and used for social engineering. Perform content scanning after email traffic is decrypted. | | • IPSec VPN | |
Average Mitigations
# | Mitigation Name | Endpoint Blades | Network Security Blades | Management Blades |
---|---|---|---|---|
32 | Block attempts to access websites by their IP address instead of by their domain name, e.g. implemented using a web proxy server, to force cyber adversaries to obtain a domain name. | | • URL Filtering | |
33 | Network-based Intrusion Detection/Prevention System using signatures and heuristics to identify anomalous traffic both internally and crossing network perimeter boundaries. | | • IPS | |
34 | Gateway blocklisting to block access to known malicious domains and IP addresses, including dynamic and other domains provided free to anonymous Internet users. | | • Anti-Bot | |