
Australian Cyber Security Centre Essential 8

To help prevent cyber security incidents, organisations across Australia are recommended to implement eight essential mitigation strategies. This baseline, known as the Essential 8, includes strategies, tools, and technology recommendations that make it much harder for adversaries to compromise networks and systems.

Australian Cyber Security Centre Essential 8 Controls and Snare

The Australian Cyber Security Centre (ACSC) has provided government agencies with a series of technical controls in the Information Security Manual (ISM), designed to protect systems and data from cyber threats. A small subset of high-priority controls, known as the "Essential 8", has been released to bootstrap organisations into a reasonable baseline security state. The ACSC provides considerable guidance on implementing these controls and on managing cyber security incidents.

The core principles of the Information Security Manual (ISM) are:

  • Govern: Identifying and managing security risks.
  • Protect: Implementing security controls to reduce security risks.
  • Detect: Detecting and understanding cyber security events.
  • Respond: Responding to and recovering from cyber security incidents.

How does Snare help implement and manage the Essential 8 controls?

The Snare software suite enables organisations and agencies to detect potentially malicious activity on their systems, applications and networks. Snare's key principles are to:

  • Collect user activity and audit logs from all parts of the network including, but not limited to:
    • Servers, desktops, databases – user authentication, administrative activity, data accessed, system configuration changes and so on
    • Application logs from services such as DNS, DHCP, IIS, Apache, Java, Custom application logs, or any text-based log file from an application or service.
    • All syslog sources including firewalls, routers, switches, wireless access points, IDS, IPS, proxy servers or network appliances such as NAS storage devices.
  • Provide secure centralised collection of security critical log data, in a locked down forensic data repository divorced from the (potentially compromised) source.
  • Provide reporting and alerting capabilities for the collected log data.
    • The ISM recommends that logs be reviewed regularly for malicious or unauthorised system changes. Snare Central provides a comprehensive suite of out-of-the-box reports that let security teams monitor user and system activity.
    • For details on the coverage you can review our ISO27001 white paper on how Snare helps with compliance.
  • Provide the ability to create alerts in response to specific events, or as a result of changes to specific parts of a system.
    • These alerts can also be linked with threshold reporting, so an alert is raised only once a threshold has been reached. This reduces false positives and the other noise that normal user activity generates.
      • e.g. To notify on a potential brute-force attack, alert only if 5 login failures for administrative users occur within a 5 minute period.
  • Perform log correlation of user or system activity by using standard reporting or ad-hoc dynamic searching for threat hunting.
  • Show user activity across multiple systems to detect activities such as:
    • Lateral movement
    • Changes being made from one or more accounts over one or more systems
    • Application execution and system changes
    • Running utilities and tools like PowerShell
    • System configuration changes
    • Database activity monitoring to help detect unauthorised logins, data accesses, data changes affecting the integrity of the systems.
  • Assist cyber security teams to detect early and react decisively to breaches or unauthorised activity.
    • Managing the risks via early detection
    • Respond faster to any incident or policy/compliance violation
    • Provide better governance and oversight for the protection for the information assets the agency has.
  • Assist cyber security teams to trace historical activity using forensic data.
    • What happened, when, who did it and how they did it
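The threshold rule above ("5 login failures for administrative users in 5 minutes") is easy to state but has two details a detection engineer has to get right: the window must slide, so failures spread thinly over hours do not accumulate, and a sustained attack must not fire an alert on every event. The following is an added example of that logic, not Snare code; the event layout, the admin account list and the sample events are constructed assumptions, and only the Windows event ID 4625 (logon failure) is taken from the real Security log.

```python
"""Sliding-window threshold alert for administrative logon failures.

Added example for the "5 failures in 5 minutes" rule described above; it is
not Snare code. The record layout, the admin account list and the sample
events are all constructed assumptions, not real Snare output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed: accounts that count as administrative (compared case-insensitively).
ADMIN_ACCOUNTS = {"administrator", "svc_backup"}

# Constructed sample events: (ISO timestamp, Windows event ID, account, source IP).
# 4625 is the Windows Security log "An account failed to log on" event.
SAMPLE_EVENTS = [
    ("2024-03-04T01:00:00", 4625, "Administrator", "10.0.0.9"),
    ("2024-03-04T01:00:40", 4625, "Administrator", "10.0.0.9"),
    ("2024-03-04T01:01:10", 4625, "Administrator", "10.0.0.9"),
    ("2024-03-04T01:01:50", 4625, "Administrator", "10.0.0.9"),
    ("2024-03-04T01:03:00", 4625, "jsmith", "10.0.0.22"),        # not an admin: ignored
    ("2024-03-04T01:04:30", 4625, "Administrator", "10.0.0.9"),  # 5th failure in 4m30s: alert
    ("2024-03-04T01:04:50", 4625, "Administrator", "10.0.0.9"),  # counts towards the next window
    ("2024-03-04T01:30:00", 4625, "svc_backup", "10.0.0.40"),    # single failure: no alert
    ("2024-03-04T02:10:00", 4625, "Administrator", "10.0.0.9"),  # earlier failures have expired
]


def threshold_alerts(events, threshold=5, window=timedelta(minutes=5), admins=ADMIN_ACCOUNTS):
    """Return one alert each time an admin account reaches `threshold` logon
    failures inside any `window`-long span.

    Failures are kept in a per-account deque trimmed to the window, so
    failures spread thinly over hours never add up to a false positive. The
    deque is cleared after an alert, so a sustained attack yields one alert
    per `threshold` failures rather than one per event.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts_str, event_id, account, source in sorted(events):
        if event_id != 4625 or account.lower() not in admins:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[account.lower()]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "account": account,
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
                "source": source,
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in threshold_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample it produces a single alert for Administrator at 01:04:30 (five failures since 01:00:00); the jsmith failures are filtered out before they are counted, and the lone failure at 02:10:00 does not alert because the earlier failures have aged out of the window.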

Snare agents and Snare Central can combine to help agencies meet, and exceed, the Essential 8 control requirements. The Snare software suite has a history of over two decades of use within national and international government agencies. The Snare software suite also has extensive coverage of the MITRE ATT&CK framework in helping corporations and government agencies detect threat actors and collect the needed forensic logs.

In the context of the Essential 8, Snare can help in the following ways.

For each control below, the ASD control description is followed by the ASD rationale (Why), then how Snare Agents and Snare Central support it.
ASD control: Application control to prevent execution of unapproved/malicious programs including .exe, DLL, scripts (e.g. Windows Script Host, PowerShell and HTA) and installers.
Why: All non-approved applications (including malicious code) are prevented from executing.
Snare Agents: Snare agents can collect audit logs to help track all user activity and application program execution. The Snare agents work with the OS audit subsystem to establish the audit settings needed to collect and filter the specific audit events required. Snare also works well with other tools such as the Windows Sysmon utility to track details of program execution, including the parameters and switches used by PowerShell scripts and other programs, and file hash details.

Windows platforms that use applications like Microsoft AppLocker create additional events relating to application and user activity that can be collected and analysed by Snare.

Snare Agents also support File Activity Monitoring (FAM), File Integrity Monitoring (FIM), Registry Activity Monitoring (RAM) and Registry Integrity Monitoring (RIM).

Databases can be a weak link in application control/whitelisting, as privileged users can connect to the database and then access data outside the control of the underlying operating system access controls. The Snare Agent Database Activity Monitoring capability therefore provides a more comprehensive security profile, over and above application control.

Snare Central has hundreds of out-of-the-box reports to enable security teams to monitor and document user and system activity. The system also allows users to create custom reports to fine-tune and monitor specific activity based on business needs. Some standard options in the reports include:

  • User activity logins
  • User administrative activity and system changes
  • Program execution and parameters and switches used
  • Files accessed, changed, created or deleted
  • Sensitive Files
  • FIM File Activity
  • RIM Registry Activity
  • Applocker events

Other options, including real-time alerting and threshold reporting, assist security teams to detect specific application execution, sensitive file modifications, or failed logins for specific accounts.

ASD control: Configure Microsoft Office macro settings to block macros from the internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate.
Why: Microsoft Office macros can be used to deliver and execute malicious code on systems.
Snare Agents: Snare Agents can collect system and user activity to monitor the forensic effects of malicious macros performing actions on systems.
Snare Central: Snare Central can be used to report on system changes and actions performed by users running specific applications.

ASD control: Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing.
Why: Admin accounts are the 'keys to the kingdom'. Adversaries use these accounts to gain full access to information and systems.
Snare Agents: Snare Agents can collect the actions performed by administrative users, including running privileged commands, changes to users and groups, or access to sensitive files and data. As administrative users hold the keys to the kingdom, making sure their actions are logged, and that the logs are kept away from the system that generated them, is key. The Snare agents collect logs in near real time and can send the data off-server to Snare Central or another SIEM for safe keeping.
Snare Central: Snare Central has many out-of-the-box reports that cover administrative activities, such as:

  • Accounts added or removed
  • Audit logs cleared (windows)
  • Audit policy changes
  • Group changes
  • Group member changes
  • Groups added or removed
  • User account changes

Other options in Snare Central allow security teams to track and report on who is defined in the administrative user groups and any other special application groups. This allows business owners to regularly review and approve group members and, by proxy, the users who have access to critical systems and information. Some of the standard reports include:

  • Account groups
  • Account last login
  • Monitor administrators
  • User flags
  • Windows account expiry

ASD control: Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository.
Why: Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Snare Agents and Snare Central: Snare agents and Snare Central combine to collect authentication-related logs from systems, network devices and applications.

VPN appliances or applications, RDP servers and SSH servers generally generate log data that can be captured by Snare Agents or exported directly to the Snare Central server via syslog. These logs contain details of the authentication method (such as Active Directory, or PAM on Unix systems) and may indicate the privileged operation that took place.

Once the user is logged in, tracking their activities and privilege use is part of the ongoing monitoring that Snare Agents provide.

Snare Central captures and reports on user authentication activity, recording accurate timestamps and login sources. The reports include:

  • Login failures
  • Login Failures from locked accounts
  • Out of Hours logins
  • Use of Interactive logins and logoffs
  • User login activity

Where devices such as VPN concentrators are used, many send system and user login activity over syslog. Snare Central can collect these logs, as it accepts syslog from any syslog-capable device, and custom reports can be created to track user remote login activity from them.

ASD control: Patch applications, e.g. Flash, web browsers, Microsoft Office, Java and PDF viewers. Patch/mitigate computers with 'extreme risk' vulnerabilities within 48 hours. Use the latest version of applications.
Why: Security vulnerabilities in applications can be used to execute malicious code on systems.
Snare Agents: Snare Agents can be used to track changes made to systems, such as application patching. Enabling FIM, FAM, RIM and RAM will assist in detecting when applications or critical settings have been changed. Many applications on Windows also emit events when their internal settings are modified.
Snare Central: Snare Central out-of-the-box reports and custom reports can be used to report on application activities and changes when they occur. The reports include:

  • FAM and RAM for files or settings accessed, changed, created or deleted
  • Sensitive Files
  • FIM File Activity
  • RIM Registry Activity

ASD control: User application hardening. Configure web browsers to block Flash (ideally uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g. OLE), web browsers and PDF viewers.
Why: Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Snare Agents: Snare agents can be used to collect web proxy logs and to monitor applications on the endpoint. This lets security administrators see which applications were downloaded and potentially run on the endpoint, leading to the detection of potential configuration or policy violations.
Snare Central: Snare Central reporting provides details on:

  • Applications downloaded by end-users
  • Websites visited
  • Applications executed on the local systems.

The reports include:

  • Proxy web inappropriate material
  • Top sites
  • Top users
  • Files accessed, changed, created or deleted
  • Sensitive Files
  • FIM File Activity
  • RIM Registry Activity

ASD control: Patch operating systems. Patch/mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions.
Why: Security vulnerabilities in operating systems can be used to further the compromise of systems.
Snare Agents: Snare Agents can be used to track the changes made to systems by operating system patching. Logs produced by FIM, FAM, RIM and RAM will assist in detecting changes to operating system files and settings. Many operating systems, such as Windows, also create events when they are changed or updated.
Snare Central: Snare Central out-of-the-box reports and custom reports can be used to highlight operating system activities and changes when they occur. The reports include:

  • FAM and RAM for files or settings accessed, changed, created or deleted
  • Sensitive Files
  • FIM File Activity
  • RIM Registry Activity

ASD control: Daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.
Why: To ensure information can be accessed following a cyber security incident (e.g. a ransomware incident).
Snare Agents: Snare Agents can collect logs from backup systems where available. Many backup tools keep logs of backup activity with details such as:

  • When the scheduled backup ran
  • If it was successful, or had errors and failed.

These text log files can be collected by the Snare agents where the backup software cannot send its logs to Snare Central via syslog.

Snare Central: Snare Central can be used to report the status of the backup software and whether backups succeeded or failed. Having successful backups is critical to recovering systems after a cyber incident.
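The two questions above (did the scheduled backup run, and did it succeed) are answered by lines that are present in the log; the question that matters most for ransomware recovery, whether a job silently never ran on some day, is answered by a line that is absent. The following is an added example of parsing a backup tool's text log and reporting both failed and missing daily runs; it is not Snare code, and the "key=value" line format, the job names and the sample log are constructed assumptions rather than any real backup product's output. It goes one step beyond the page by also flagging the days with no run at all.

```python
"""Parse a backup tool's text log and report failed or missing daily runs.

Added example for the backup control above; it is not Snare code. The
"key=value" line format, job names and log lines are constructed assumptions,
not any real backup product's output.
"""
import re
from datetime import date, timedelta

# Constructed sample log: two scheduled jobs over four nights.
# Note that "fileshare" has no entry at all for 2024-03-03.
SAMPLE_LOG = """\
2024-03-01 02:00:05 job=nightly-db result=SUCCESS files=12034
2024-03-01 03:00:02 job=fileshare result=SUCCESS files=80211
2024-03-02 02:00:07 job=nightly-db result=FAILED error="destination unreachable"
2024-03-02 03:00:01 job=fileshare result=SUCCESS files=80300
2024-03-03 02:00:04 job=nightly-db result=SUCCESS files=12100
2024-03-04 02:00:06 job=nightly-db result=SUCCESS files=12150
2024-03-04 03:00:09 job=fileshare result=SUCCESS files=80410
"""

# Assumed line layout: <date> <time> job=<name> result=<SUCCESS|FAILED> [error="<text>"] ...
LINE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} job=(\S+) result=(\S+)(?: error="([^"]*)")?'
)


def parse_backup_log(text):
    """Turn run-summary lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day, job, result, error = m.groups()
        records.append({
            "date": date.fromisoformat(day),
            "job": job,
            "ok": result == "SUCCESS",
            "error": error,
        })
    return records


def backup_exceptions(records, jobs, start, end):
    """Return failed runs, plus (job, day) pairs with no run at all, for every
    day from `start` to `end` inclusive. Absence is detected by walking the
    calendar rather than the log, since a job that never started writes nothing.
    """
    seen = set()
    failed = []
    for r in records:
        seen.add((r["job"], r["date"]))
        if not r["ok"]:
            failed.append((r["job"], r["date"].isoformat(), r["error"]))
    missing = []
    day = start
    while day <= end:
        for job in jobs:
            if (job, day) not in seen:
                missing.append((job, day.isoformat()))
        day += timedelta(days=1)
    return {"failed": failed, "missing": missing}


def sample_report():
    """Run the check over the constructed sample log for 1-4 March 2024."""
    return backup_exceptions(
        parse_backup_log(SAMPLE_LOG),
        jobs=["nightly-db", "fileshare"],
        start=date(2024, 3, 1),
        end=date(2024, 3, 4),
    )


if __name__ == "__main__":
    print(sample_report())
```

On the constructed sample this reports the nightly-db failure on 2 March (with the error text from the log) and the fileshare job as missing on 3 March, a gap no report built purely from the lines present in the log would show. The expected job list and date range are the inputs an operator would take from the backup schedule.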

Snare Solutions Included in 2021 Australian Defence Catalogue

Snare has been accepted into the 2021 Australian Defence Sales Catalogue. Produced by Australian Military Sales (AMS), the Australian Defence Sales Catalogue showcases selected products and services from Australian defence industry and Australian Defence Force (ADF) surplus equipment available for sale under government-to-government arrangements.