Journey to Essential Eight Alignment

Scott Gardner — 4 August, 2021

The internet has never been a more dangerous place for business. The number and sophistication of cyber-attacks are increasing every day, with any website, file downloaded, or email opened a potential target for malicious actors.

Due to the ever-increasing online dangers, the Australian Cyber Security Centre (ACSC) has developed a set of eight essential mitigation strategies that are designed to protect Microsoft Windows-based internet-connected networks from the most common cyber-attacks such as malware/ransomware and phishing attacks. When implemented correctly, these mitigation strategies can significantly reduce the likelihood of suffering a cyber-attack.

The Essential Eight are broken down into four maturity levels covering the eight mitigation strategies, which are designed to allow businesses to apply these techniques using a risk-based approach.

The Essential Eight mitigation strategies cover the following critical areas:

  • Application Control
  • Application Hardening
  • Application Patching
  • Microsoft Office Macro Execution
  • Multi-Factor Authentication
  • Operating System Patching
  • Restricting Administrative Privileges
  • System and Data Backups

When implementing the above controls for an organisation, tasks are broken down into the following areas to allow organisations to develop and test settings in a controlled manner.


The first stage in an organisation’s journey to Essential Eight alignment is to decide which maturity level is most appropriate for its environment. Each successive maturity level is more complex to implement, with more stringent controls needed for each strategy.

Organisations can choose from the following maturity levels:

Maturity Level Zero has recently been added by ACSC as a default position that signifies weaknesses in an organisation’s security posture. This is often the starting point for most organisations who have not developed any security controls.

Maturity Level One is the minimum recommended level of security posture for any organisation. This level requires the implementation of controls that are focussed on widely available exploits, such as vulnerabilities in internet-facing services that have not been patched or authentication against systems with stolen or brute-forced credentials.

Maturity Level Two focuses on the mitigation of exploits and adversaries that have invested more time and effort than those addressed by the previous maturity level. The tools used in these exploits are often more effective, with more focus given to bypassing security controls and evading detection. Credentials used in these types of attacks are often gathered through targeted phishing campaigns and by circumventing weak multi-factor authentication mechanisms rather than by using brute force or purchased password lists.

Maturity Level Three is the final level of implementation and focuses on adversaries that are much more sophisticated with their attacks and are less reliant on public tools and techniques. Often these adversaries are willing to invest more time and effort in focusing on specific targets, attempting to circumvent security controls implemented by an organisation. Once inside a target system, adversaries seek to gather privileged credentials and password hashes and move laterally across a system to gain a foothold in the network. Attempts to evade detection and remove traces of access are also more sophisticated in this style of attack.

Discovery and Implementation Plan

In order to develop a plan for implementing Essential Eight security controls, a discovery of the current environment needs to be performed to identify areas of misalignment so that a gap analysis can be created. From this gap analysis, a prioritised list of controls can be formulated which address the requirements for implementing the chosen maturity level.

During implementation planning, the settings and tools for each of the controls are decided so as to meet the target maturity level. Controls can be implemented utilising inbuilt Microsoft tooling such as Microsoft AppLocker or third-party utilities such as Airlock Digital’s Allowlisting and Execution Control product.

A delivery mechanism for all settings and controls is also decided during implementation planning with a combination of Microsoft Group Policy, Microsoft Intune and other mechanisms often used based on an organisation’s cloud readiness.

Pilot Rollout

Once a plan has been signed off and all settings and controls are ready for implementation, a test group is identified and the settings are rolled out to this group. A period of review of the controls follows, and revisions are made in line with the organisation’s risk profile to ensure that the business can continue to operate with a wider rollout.

Full Rollout

After a successful pilot rollout, settings are rolled out to all systems in the organisation with special attention to the security controls implemented for end-user devices and public-facing services such as web and email servers.

Upon completion of the rollout, a full set of documentation of the specific settings and controls should be developed to successfully support the deployment in the future.

Support & Maintenance

It is important to remember during the implementation of Essential Eight maturity levels that security is an ever-evolving process and is never “set and forget”. Regular reviews of the security controls that have been implemented will need to be conducted to ensure the organisation maintains its target maturity level. As the threat landscape continues to evolve, the ACSC is committed to providing updated guidance to ensure businesses remain safe.

Chamonix has recently developed an Essential Eight-as-a-Service offering to assist organisations with the implementation and maintenance of their security journey, which covers all components, from discovery and planning through to implementation and maintenance of security policies in the future.

Contact us to find out how we can help.