Top strategies to mitigate targeted cyber intrusions

Stephen Gillies, editor

Claiming that over 70% of successful intrusions could have been prevented by implementing the top 4 recommendations, the Australian Defence Signals Directorate (DSD) has updated its list of strategies to mitigate targeted cyber intrusions.

According to security vendor Sophos, these threats are focused on financial gain for hackers and include fake anti-virus software, attacks utilising fake marketing campaigns (including Search Engine Optimisation abuse), social networking site clickjacking (tricking users into clicking on disguised links) and traditional mail phishing campaigns.

Many of these attacks rely on users not keeping their systems up to date, running unpatched software, or having no web and email anti-malware/anti-virus solutions in place.

The Defence Signals Directorate (DSD) first published the list of 35 strategies in 2010, and according to one member of the DSD security team it started as a list on the back of a beer coaster.

Since then, much like all good beer coaster ideas, the list has been updated and refined. The list is informed by DSD’s experience in operational cyber security, including responding to serious cyber incidents and performing vulnerability assessments and penetration testing for Australian government agencies.

Mike Burgess, First Assistant Secretary Cyber and Information Security, explained to an audience of approximately 200 government and vendor security professionals on Wednesday that a number of the Top 35 mitigation strategies had moved in priority within the list, but that the list was largely the original 35. Each of these would significantly improve an organisation's security posture, and many address the majority of current IT security risks with up-to-date thinking on monitoring and whitelisting.

While the top four strategies may address 70% of security issues, searchSecurity has focused on the top 12, which offer a strong grounding for any enterprise, business or individual wishing to remain safe on the Internet. Security is the responsibility of all users, and the twelve points are things every user can understand and implement on their laptops, desktops and mobile devices (where applicable).

1 Patch applications, e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high-risk vulnerabilities. Use the latest version of applications. Updates are provided by most software vendors and should be applied in all circumstances where a security update is involved.

2 Patch operating system vulnerabilities. Patch or mitigate within two days for high-risk vulnerabilities. Use the latest operating system version. Many users are still running Windows XP environments, and even old versions of Windows 2000. While the cost of updating may have an impact on the business, the cost of a security incident can be several orders of magnitude higher.

3 Minimise the number of users with domain or local administrative privileges. Such users should use a separate unprivileged account for email and web browsing. Using the Administrator account on any endpoint is probably a bad idea. User accounts should be created for all staff, and elevated access only used for administration-specific tasks.

4 Application whitelisting to help prevent malicious software and other unapproved programs from running e.g. by using Microsoft Software Restriction Policies or AppLocker.

5 Host-based Intrusion Detection/Prevention System to identify anomalous behaviour such as process injection, keystroke logging, driver loading and call hooking.

6 Whitelisted email content filtering, allowing only attachment types required for business functionality. Preferably convert/sanitise PDF and Microsoft Office attachments. Many end-user applications have options for whitelisting email attachments based upon the existence of the sender's email address in a contact list. Enterprises with email gateway infrastructure should make use of content filters to check the anti-virus status of all incoming attachments.

7 Block spoofed emails using Sender Policy Framework (SPF) checking of incoming emails, and a "hard fail" SPF record to help prevent spoofing of your organisation's domain. Organisations like Google and Yahoo now build these checks into their web mail interfaces, and the education of users (see the next point!) helps users better identify phishing attacks using SPF (and other email identification methods like DKIM) technologies.

8 User education e.g. Internet threats and spear phishing socially engineered emails. Avoid: weak passphrases, passphrase reuse, exposing email addresses, unapproved USB devices.

9 Web content filtering of incoming and outgoing traffic, using signatures, reputation ratings and other heuristics, and whitelisting allowed types of web content.

10 Web domain whitelisting for all domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.

11 Web domain whitelisting for HTTPS/SSL domains, since this approach is more proactive and thorough than blacklisting a tiny percentage of malicious domains.

12 Workstation inspection of Microsoft Office files for abnormalities, e.g. using the Microsoft Office File Validation feature.
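Strategies 1 and 2 above set a concrete rule: a fix for a high-risk vulnerability must be applied or mitigated within two days. The following tracker, added here as an illustration and not code from DSD or the article, shows how that rule can be checked across a fleet. The inventory, the advisories and the 30- and 90-day figures for lower severities are constructed assumptions; only the two-day deadline comes from the text.

```python
"""Patch-SLA tracker (added example; not DSD's or the article's code).

Applies the rule from strategies 1 and 2: for high-risk vulnerabilities,
patch or mitigate within two days of a fix being published. The inventory,
advisories and the medium/low deadlines below are constructed sample data;
only the two-day figure is taken from the article.
"""
from datetime import date, timedelta

# Days allowed from advisory publication to remediation, by severity.
# "high": 2 is the article's figure; 30 and 90 are assumed policy values.
SLA_DAYS = {"high": 2, "medium": 30, "low": 90}


def parse_version(v):
    """'10.1.2' -> (10, 1, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


# Constructed fleet inventory: host -> {software: installed version}
INVENTORY = {
    "ws-01": {"pdf-viewer": "10.1.2", "office": "14.0.1", "os": "6.1.7601"},
    "ws-02": {"pdf-viewer": "10.1.3", "office": "14.0.2", "os": "6.1.7601"},
}

# Constructed vendor advisories: first fixed version, severity, publish date
ADVISORIES = [
    {"software": "pdf-viewer", "fixed": "10.1.3", "severity": "high", "published": date(2012, 10, 1)},
    {"software": "office", "fixed": "14.0.2", "severity": "medium", "published": date(2012, 9, 20)},
    {"software": "os", "fixed": "6.1.7602", "severity": "high", "published": date(2012, 10, 8)},
]


def patch_status(inventory, advisories, today):
    """Split unpatched (host, software) pairs into overdue and still-within-SLA.

    Each entry is (host, software, installed, fixed, deadline).
    """
    overdue, pending = [], []
    for host, software in inventory.items():
        for adv in advisories:
            installed = software.get(adv["software"])
            # Skip hosts that do not run the software or already have the fix
            if installed is None or parse_version(installed) >= parse_version(adv["fixed"]):
                continue
            deadline = adv["published"] + timedelta(days=SLA_DAYS[adv["severity"]])
            entry = (host, adv["software"], installed, adv["fixed"], deadline)
            (overdue if today > deadline else pending).append(entry)
    return {"overdue": overdue, "pending": pending}


if __name__ == "__main__":
    status = patch_status(INVENTORY, ADVISORIES, date(2012, 10, 9))
    for label in ("overdue", "pending"):
        print(label.upper())
        for host, sw, inst, fixed, deadline in status[label]:
            print(f"  {host}: {sw} {inst} -> {fixed} (deadline {deadline})")
```

The version comparison is the part worth copying: comparing "10.1.10" against "10.1.9" as strings would wrongly report the newer build as older, so versions are parsed into integer tuples first. Real vendor version strings are often less regular than this, and a production tracker needs a per-vendor parser.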
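Strategy 6 above calls for allowing only the attachment types the business needs. The gateway-style filter below, added here as an example rather than code from the article or from DSD, goes one step beyond a plain extension list: it also confirms that the file's leading bytes match the type its name claims, so that a renamed executable is not waved through as a "PDF". The allowed-type table and the sample message are constructed for the example.

```python
"""Email attachment allowlisting (added example; not the article's or DSD's code).

Implements strategy 6: permit only attachment types required for business,
and verify the file signature ("magic bytes") matches the claimed extension.
The allowed-type table and the sample message are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumed business allowlist: extension -> leading bytes a genuine file starts
# with (None = no reliable signature, extension check only).
ALLOWED = {
    ".pdf": (b"%PDF-",),
    ".docx": (b"PK\x03\x04",),   # Office Open XML files are zip containers
    ".xlsx": (b"PK\x03\x04",),
    ".txt": None,
}


def check_attachment(filename, data):
    """Return (allowed, reason) for one attachment name and its decoded bytes."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    if len(parts) > 2:
        # invoice.pdf.exe / report.exe.pdf style names are refused outright
        return False, "double extension"
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext} not on allowlist"
    magic = ALLOWED[ext]
    if magic is not None and not any(data.startswith(m) for m in magic):
        return False, "content does not match declared type"
    return True, "allowed"


def filter_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ok, reason = check_attachment(name, data)
        results.append((name, ok, reason))
    return results


def build_sample_message():
    """Constructed test message with one good and several bad attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed pdf body", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00 constructed exe", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 renamed exe", maintype="application",
                       subtype="pdf", filename="renamed.pdf")
    msg.add_attachment(b"MZ\x90\x00 installer", maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ok, reason in filter_message(build_sample_message()):
        print(f"{'ALLOW' if ok else 'BLOCK':5} {name:18} {reason}")
```

Note that the filter trusts neither the Content-Type header nor the filename on its own: `renamed.pdf` carries an `application/pdf` type and an allowed extension, and is still blocked because its bytes are not a PDF. The article's preferred follow-up, converting or sanitising the PDF and Office files that do pass, is a separate step this example does not perform.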
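Strategy 7 above recommends both checking SPF on incoming mail and publishing a "hard fail" record for your own domain. The checker below, an added example and not code from the article or DSD, evaluates a connecting IP against a domain's SPF record and reports whether the domain's record ends in the hard fail (`-all`) the article asks for, as opposed to a soft fail (`~all`). DNS is replaced by a constructed in-memory table so the code runs offline, and only the `ip4`, `ip6`, `include` and `all` terms are implemented; `a`, `mx` and `exists` are omitted.

```python
"""SPF evaluation of an incoming message (added example; not DSD's or the article's code).

Subset of RFC 7208: ip4/ip6/include/all mechanisms with qualifiers.
The DNS table below is constructed so the example runs offline.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "weak.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the domain's SPF record, or None if it has none."""
    rec = dns.get(domain)
    if rec is None or not rec.startswith("v=spf1"):
        return None
    return rec


def check_spf(sender_ip, domain, dns=FAKE_DNS, _depth=0):
    """Evaluate sender_ip against domain's SPF record.

    Returns pass / fail / softfail / neutral / none / permerror.
    """
    if _depth > 10:
        # RFC 7208 caps DNS-querying terms at 10; deeper include chains are
        # a permanent error rather than an unbounded lookup loop
        return "permerror"
    rec = lookup_spf(domain, dns)
    if rec is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in rec.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:") or term.startswith("ip6:"):
            # An IPv4 address never matches an IPv6 network and vice versa
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            # include matches only when the referenced record yields "pass"
            if check_spf(sender_ip, term[8:], dns, _depth + 1) == "pass":
                return QUALIFIERS[qual]
    # No term matched and no "all" term: RFC 7208 default is neutral
    return "neutral"


def record_policy(domain, dns=FAKE_DNS):
    """Report how a domain's own record treats unlisted senders."""
    rec = lookup_spf(domain, dns)
    if rec is None:
        return "no record"
    last = rec.split()[-1]
    return {
        "-all": "hard fail",
        "~all": "soft fail",
        "?all": "neutral",
        "+all": "allows any sender",
    }.get(last, "no all term")


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("198.51.100.10", "example.com"),
                    ("192.0.2.1", "example.com"), ("10.0.0.1", "weak.example")]:
        print(f"{ip:15} {dom:18} -> {check_spf(ip, dom)}")
    for dom in FAKE_DNS:
        print(f"{dom}: {record_policy(dom)}")
```

The contrast between `example.com` and `weak.example` is the point of the article's "hard fail" advice: a message from an unlisted IP is rejected outright under `-all`, whereas under `~all` it is only marked, and most receivers still deliver it. A production checker resolves the TXT records over DNS, enforces the ten-lookup limit shown here, and is normally paired with DKIM and DMARC.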

The remainder of the list can be found on the DSD website at and many non-government organisations would benefit from reviewing these strategies against their own IT Security risk mitigation strategies and policies.

The Defence Signals Directorate (DSD) is an intelligence agency in the Australian Government Department of Defence, with its headquarters in Canberra. Their mission is to ‘Reveal their secrets, protect our own’. Operationally DSD:

  • collects and analyses foreign signals intelligence, known as Sigint
  • provides advice and assistance on information and communications security, known as InfoSec.

DSD provides information security advice and services mainly to Australian federal and state government agencies. DSD also works closely with industry to develop and deploy secure cryptographic products.