Interestingly, the Top 4 are not gateway security strategies, nor are they strictly EDR. Protection has become more complicated over the years. Most malware uses techniques that have been around for quite some time.
However, the combination of those techniques, delivery mechanisms and the vulnerabilities they exploit varies. As new vulnerabilities are discovered, changes to existing code or new code are introduced to exploit them. The biggest change, however, is the perimeter, or more directly, the lack thereof.
Organisations have more devices connected to more external elements than ever before. Many of these devices do not reside permanently within the confines of the organisation's network. They are transient. They are plentiful.
And they present a very large attack surface for a huge array of very unsophisticated attacks that can cause enormous disruption, very quickly. Gateway security is extremely important, but only highly effective if the sole entry into a network is via that gateway. Unless the organisation is in a highly classified environment or is a closed network, that single point doesn't exist.
This is why the Top 4 mitigation strategies are so effective at preventing a cybersecurity incident: they address the biggest attack surface, namely endpoints, servers and privileged access.
What ISN'T in the Top 4?
Behavioural analysis, heuristics, host-based firewalls, the NextGen anything, micro-segmentation, and more. This doesn't mean that these strategies aren't among the mitigation strategies listed in the ISM; they just don't make the cut of the Top 4 that, combined, mitigate the majority of risks. Antivirus (AV) doesn't make the Top 4.
It is in the ISM, but its “Relative security effectiveness rating” is “Limited” according to the ASD. AV relies on knowing what malware exists and having it in a list or definitions database.
If the AV vendor(s) haven't seen it before or haven't acquired information about it, it invariably will not be in their definitions. If it's not in the list, the chances of detection go down, depending on the functionality of the solution. Heuristics and analysis are good, but even they can miss new patterns.
What are the Top 4? Below are the Top 4, in order:
1) Application Whitelisting
2) Patch Applications
3) Patch Operating Systems
4) Restrict Administrative Privileges
These four strategies can mitigate 85% of attacks, ransomware included.
Ransomware relies primarily on executing the malware on a system.
It may depend on particular vulnerabilities being present in order to function. In some cases, as with more sophisticated variants, it requires elevated privileges or privileged access to function. Implemented correctly, the above strategies stop ransomware dead in its tracks.
In the case of the NotPetya and WannaCry ransomware, both used the EternalBlue exploit, which made use of a vulnerability in Microsoft's implementation of the SMB protocol (see CVE-2017-0144).
Microsoft had released patches for this in March 2017, and yet two months later, when WannaCry hit the wild, tens of thousands of machines were infected because they hadn't been patched. Organisations can be slow to patch for fear of introducing new bugs, unwelcome feature additions or incompatibilities with existing software.
Kasper Lindgaard, Senior Director, Research and Security at Flexera, points out the lack of process behind organisations' patch strategies. “WannaCry and other incidents in 2017 revealed that many businesses still don't have comprehensive processes to patch vulnerable systems and upgrade end-of-life systems. This lack of process is the main driver for a large number of unpatched vulnerabilities that gives criminals a large window of opportunity to execute attacks,” said Lindgaard.
A very simple patching procedure could have prevented millions of dollars of damage. Spending security budget on EDR when the basics that can stop infections or breaches aren't being followed seems counter-intuitive.
Even before that, stopping malicious files from executing at the point of insertion would have significantly mitigated the risk of the attack in the first place.
Daniel Schell, co-founder of Australian application whitelisting company Airlock Digital, said: “The NotPetya attack dropped a DLL file into the Windows folder and executed. This bypassed a majority of ‘nextgen’ and application control solutions. By preventing untrusted files from executing Airlock easily prevented this method. How long will organisations continue to allow untrusted files to execute in their environment?”
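The scenario above, a file written into a directory that a control treats as trusted, is the classic failure mode of path-only application whitelisting. The following is an added illustration, not code from the article or from Airlock Digital: it builds a throwaway "Windows" folder containing a constructed trusted binary and a constructed untrusted DLL, then evaluates both against two hypothetical policies, one that trusts anything under the folder and one that trusts only known SHA-256 hashes. The file contents, names and policy classes are all assumptions made for the example.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch
from typing import Dict, Iterable, List


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class PathRulePolicy:
    """Hypothetical weak rule: trusts any file that sits under a trusted directory."""

    def __init__(self, trusted_globs: List[str]) -> None:
        self.trusted_globs = trusted_globs

    def allows(self, path: str) -> bool:
        return any(fnmatch(path, pattern) for pattern in self.trusted_globs)


class HashRulePolicy:
    """Hypothetical strong rule: trusts only files whose SHA-256 is allow-listed,
    regardless of where on disk they were written."""

    def __init__(self, allowed_hashes: Iterable[str]) -> None:
        self.allowed = set(allowed_hashes)

    def allows(self, path: str) -> bool:
        return sha256_of(path) in self.allowed


def decide(policy, path: str) -> str:
    """Map a policy verdict to the ALLOW/DENY decision an enforcement point would log."""
    return "ALLOW" if policy.allows(path) else "DENY"


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Create a constructed 'Windows' folder with one trusted binary and one
    dropped DLL, then record what each policy decides for each file."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "Windows")
        os.makedirs(windir)
        trusted = os.path.join(windir, "trusted.exe")
        dropped = os.path.join(windir, "dropped.dll")
        # Constructed sample contents; only their hashes matter to the policies.
        with open(trusted, "wb") as fh:
            fh.write(b"MZ constructed trusted build")
        with open(dropped, "wb") as fh:
            fh.write(b"MZ constructed untrusted payload")

        path_policy = PathRulePolicy([os.path.join(windir, "*")])
        # Only the trusted build was enrolled; the dropped DLL never was.
        hash_policy = HashRulePolicy([sha256_of(trusted)])

        return {
            "path_rule": {
                "trusted.exe": decide(path_policy, trusted),
                "dropped.dll": decide(path_policy, dropped),
            },
            "hash_rule": {
                "trusted.exe": decide(hash_policy, trusted),
                "dropped.dll": decide(hash_policy, dropped),
            },
        }


if __name__ == "__main__":
    for rule_name, verdicts in compare_policies().items():
        print(rule_name, verdicts)
```

Running it shows the path rule allowing both files while the hash rule allows only the enrolled binary and denies the dropped DLL. Real products also use publisher (code-signing) rules so that updates don't require re-enrolling every hash, but the property that matters is the same: the decision must rest on what the file is, not on where it was written.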