ASD’s Top 4 becomes Essential 8

March 10 2017, by Macquarie Technology Group | Category: Government

The Australian Signals Directorate (ASD) recently published updated guidance, “Strategies to mitigate cyber security incidents”, replacing the older guidance. With this, the ASD also expanded its recommended “Top 4” mitigation techniques to the “Essential 8”, adding 4 key mitigation techniques to the list to help agencies create robust mitigation against targeted cyber intrusions and ransomware.

So what were the Top 4? These were:

  1. Application whitelisting
  2. Restrict administrative privileges
  3. Patch operating systems
  4. Patch applications

ASD considers these 4 able to mitigate at least 85% of intrusions when implemented as a package.

Here are the additional 4 that now make up the Essential 8:

  1. User application hardening
  2. Multi-factor authentication
  3. Disable untrusted Microsoft Office macros
  4. Daily backup of important data

The last two in the list above are new mitigation strategies added to the previous list, increasing the total number of strategies to 37.



Here is our view on the changes.

When the Top 4 were made mandatory a few years ago, the decision was based on the information available at that point in time. The cyber threats and attackers have evolved since then; the attacks have become more intelligent, more penetrative and more lethal. We wrote about what to watch out for in 2017 in a recent blog. Likewise, agencies also needed to find more robust techniques against the continuous evolution of attackers. ASD has been doing its own research, crunching data and analysing major incidents globally, and has now revised its guidance with the creation of the “Essential 8”.

Before embarking on the journey to implement these mitigation strategies, it is critical for organisations to perform a thorough risk assessment which will help them identify the priority order of the implementation.

With the previous version of the mitigation guidelines, ASD made a bold statement that its recommended “Top 4” were strong enough to mitigate 85% of “targeted cyber-attacks”. What did that statement do? It immediately got the attention of IT security teams, because it appeared to be a “smallish list” to tackle in order to achieve a high level of protection, while in comparison the full list of 35 techniques sounded much more intimidating. Similarly, the “Essential 8” gets attention straight away as a more manageable implementation from a slightly longer list of recommended controls (37, up from 35 before). ASD also divides the Essential 8 into two groups, presumably to make their benefits easier to understand:

  • To prevent malware from running.
    • Application whitelisting
    • Patch applications
    • User application hardening
    • Disable untrusted Microsoft Office macros
  • To limit the extent of incidents and recover data
    • Restrict administrative privileges
    • Patch operating systems
    • Daily backup of important data
    • Multi-factor authentication

Mitigation strategies cannot be stagnant – they need to continuously evolve. No IT security professional would have put a wager on ASD’s Top 4 remaining unchanged forever. The list had to expand at some stage. Recent examples, such as the Mirai botnet, Stuxnet and Edward Snowden, have further reinforced the need for additional security controls, which turns the original question around, from why to why not.

This is where the “Essential 8” is well-positioned. All agencies that have already implemented, or are on track to implementing, the Top 4 may find it easier to add four more controls to their mitigation strategy without having to allocate a massive budget or resources. It’s worth noting that some agencies may have proactively gone beyond the “Top 4” to implement some, or all, of the “Essential 8”. They are now sitting back and smiling at their achievements.

Will ASD raise the mandatory governance baseline as well?

The question remains whether the ASD will raise the bar for government entities so that the new minimum mandated baseline is the Essential 8 (currently the Top 4) and thus reinforce the importance of embracing the new guide. Without this change, there is a real risk that agencies will be slow to adopt the new guidance. This is a real issue, as the level of security is ultimately dictated by the “weakest link”.

Okay, so what next?

With the “Essential 8” becoming the new baseline, we have put together a white paper eGuide to help you navigate these Essential 8, with some recommended strategies that you may want to consider.


Finally: if you do need help navigating through the Essential 8, or any others out of ASD’s complete list of 37 strategies to mitigate cyber security incidents, then speak to us. We are here to help.



About Macquarie Government.

Macquarie Government is a division of the Macquarie Technology Group (ASX MAQ). It provides services to Federal and State Government agencies, including Secure Internet and Secure Cloud services.