
ThreatLocker as an Essential Eight Maturity Model Mitigation Strategy


Level 1

Application Control

  • Description - "The execution of executables, software libraries, scripts, installers, compiled HTML, HTML Applications and control panel applets are prevented on workstations from within standard user profiles and temporary folders used by the operating system, web browsers and email clients."
    • ThreatLocker meets this mitigation strategy. Using Application Control, ThreatLocker can block executables, installers, scripts, software libraries, and control panel applets on any endpoint for specific users or all users, specific folders or all folders, and specific Applications or all Applications. Storage Control provides the ability to block CHM files and HTA files on any endpoint, for any user, and for any or all programs.

Patch Applications

  • Description - "Internet-facing services, office productivity suites, web browsers and their extensions, email clients, PDF software, Adobe Flash Player, and security products that are no longer supported by vendors are removed."
    • ThreatLocker meets this mitigation strategy. Application Control Policies can be configured to Deny any product that you don't want users to access.

Configure Microsoft Office Macro Settings

  • Description - "Microsoft Office macros are disabled for users that do not have a demonstrated business requirement."
    • While ThreatLocker cannot change configurations within Microsoft Office, ThreatLocker can help with this mitigation strategy. ThreatLocker Application Control Ringfencing can be configured to prevent Office Applications from accessing the internet entirely, for all users or for specific users. Storage Control provides the ability to block macro file extensions for all users or for specific users.
  • Description - "Microsoft Office macros in files originating from the internet are blocked."
    • While ThreatLocker cannot change configurations within Microsoft Office, ThreatLocker can help with this mitigation strategy. ThreatLocker Application Control Ringfencing can be configured to prevent Office Applications from accessing the internet entirely, for all users or for specific users. Storage Control provides the ability to block macro file extensions for all users or for specific users. The Application Control Policies for web browsers can be configured to block file access, after which you can manually whitelist any file locations the browsers are allowed to access; alternatively, you can allow file access and create a blacklist that blocks the browser's access to any macro file extensions.
  • Description - "Microsoft Office macro security settings cannot be changed by users."
    • Although ThreatLocker cannot change configurations within Microsoft Office, any Policies created in ThreatLocker can only be changed by a ThreatLocker Administrator. So even if end-users change their Office settings, they cannot change the ThreatLocker Policy you have configured to prevent Office from communicating with the internet, or the Storage Control Policies that block specific file extensions.

User Application Hardening

  • Description - "Web browsers do not process Java from the internet."
    • ThreatLocker can be configured to meet this mitigation strategy. Using Application Control Ringfencing, you can block your web browsers from interacting with any Java file extensions.
  • Description - "Internet Explorer 11 does not process content from the internet."
    • ThreatLocker can be used to meet this mitigation strategy. Using Application Control Ringfencing, you can block Internet Explorer 11 from accessing the internet.

Restrict Administrative Privileges

  • Description - "Requests for privileged access to systems and Applications are validated when first requested."
    • ThreatLocker can be used to meet this mitigation strategy. By enabling Elevation Control, you can eliminate local admin accounts; users will then need to request access to Elevated privileges. Once requested, a ThreatLocker Administrator must approve the request before Elevation is enabled. These privileges are only enabled on the specific Applications you have set them to apply to. Using Ringfencing, you can ensure that these elevated Applications cannot interact with other Applications, preventing the possibility of Application hopping.
  • Description - "Privileged accounts (excluding privileged service accounts) are prevented from accessing the internet, email and web services." 
    • ThreatLocker can assist with meeting this mitigation strategy. With Application Control, you can block specific users/accounts from accessing any internet browsers, enabling you to specify the users with admin credentials and prevent them from using any web browsers.

Regular Backups

  • Description - "Unprivileged accounts can only access their own backups."
    • ThreatLocker can meet this mitigation strategy. Using Storage Control, you can allow or deny access to any of your backup files or directories for specific users and/or Applications.
  • Description - "Unprivileged accounts are prevented from modifying or deleting backups."
    • ThreatLocker can meet this mitigation strategy. Using Storage Control, you can allow or deny access to any of your backup files or directories for specific users and/or Applications, and you can also specify Read-Only access.

Level 2

Application Control

  • Description - "Application control is implemented on workstations and internet-facing servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML Applications and control panel applets to an organization-approved set."
    • ThreatLocker meets this mitigation strategy. Using Application Control, ThreatLocker can block executables, installers, scripts, software libraries, and control panel applets on any endpoint for specific users or all users, specific folders or all folders, and specific Applications or all Applications. Storage Control provides the ability to block CHM files and HTA files on any endpoint, for any user, and for any or all programs.
  • Description - "Allowed and blocked executions on workstations and internet-facing servers are logged."
    • ThreatLocker meets this mitigation strategy. The ThreatLocker Unified Audit will log in real-time all executions that are occurring or being attempted on all endpoints in one central location.

Configure Microsoft Office Macro Settings

  • Description - "Microsoft Office macros are blocked from making Win32 API calls."
    • While ThreatLocker cannot change configurations within Microsoft Office, ThreatLocker can help with this mitigation strategy. Application Control Ringfencing can be configured to block Office from communicating with the internet, therefore preventing any Win32 API calls.
  • Description - "Allowed and blocked Microsoft Office macro executions are logged."
    • ThreatLocker meets this mitigation strategy. The ThreatLocker Unified Audit will log in real-time all executions that are occurring or being attempted on all endpoints in one central location.

User Application Hardening

  • Description - "Microsoft Office is blocked from creating child processes."
    • ThreatLocker can be used to meet this mitigation strategy. Application Control Ringfencing enables you to block Office's ability to interact with all Applications, thereby stopping it from being able to create any child processes.
  • Description - "Microsoft Office is blocked from creating executable content."
    • ThreatLocker can be used to meet this mitigation strategy. By default, all executable content will be blocked, and will only be permitted to run once it has been approved. You could also configure Application Control Ringfencing to block Office's access to any files with an executable extension.
  • Description - "PDF software is blocked from creating child processes."
    • ThreatLocker can be used to meet this mitigation strategy. Application Control Ringfencing enables you to block a PDF software's ability to interact with other Applications, thereby stopping it from being able to create any child processes.
  • Description - "Blocked PowerShell script executions are logged."
    • ThreatLocker meets this mitigation strategy. The ThreatLocker Unified Audit will log in real-time all executions that are occurring or being attempted on all endpoints in one central location.

Restrict Administrative Privileges

  • Description - "Privileged access to systems and Applications is automatically disabled after 12 months unless revalidated."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker Elevation Control provides the ability to set an expiration of your choosing on Elevated privileges for any and/or all specified Applications.
  • Description - "Privileged access to systems and Applications is automatically disabled after 45 days of inactivity."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker Elevation Control provides the ability to set an expiration of your choosing on Elevated privileges for any and/or all specified Applications.
  • Description - "Privileged operating environments are not virtualized within unprivileged operating environments."
    • ThreatLocker can meet this mitigation strategy. ThreatLocker Application Control enables you to block all virtualization environments, ensuring that no VMs can be created with privileged access on non-privileged machines.
  • Description - "Use of privileged access is logged."
    • ThreatLocker helps meet this mitigation strategy. The ThreatLocker Unified Audit logs all executions on the endpoint in real time and records whether each was run with elevated privileges or not.

Regular Backups

  • Description - "Unprivileged accounts, and privileged accounts (excluding backup administrators), can only access their own backups."
    • ThreatLocker can meet this mitigation strategy. Using Storage Control, you can allow or deny access to any of your backup files/folders/directories for specific users and/or Applications.
  • Description - "Unprivileged accounts, and privileged accounts (excluding backup administrators), are prevented from modifying or deleting backups."
    • ThreatLocker can meet this mitigation strategy. Using Storage Control, you can allow or deny access to any of your backup files for specific users and/or Applications, and you can also specify Read-Only access.

Level 3

Application Control

  • Description - "Application control is implemented on workstations and servers to restrict the execution of executables, software libraries, scripts, installers, compiled HTML, HTML Applications, control panel applets and drivers to an organization-approved set."
    • ThreatLocker can meet this mitigation strategy. Using Application Control, ThreatLocker can block executables, installers, scripts, software libraries, and control panel applets on any endpoint for specific users or all users, specific folders or all folders, and specific Applications or all Applications. Storage Control provides the ability to block CHM files and HTA files on any endpoint, for any user, and for any or all programs.
  • Description - "Microsoft’s ‘recommended block rules’ are implemented."
    • ThreatLocker can meet this mitigation strategy. Application Control Applications and Policies can be manually configured to block every Microsoft Recommended block rule, and many of these rules are premade as Recommended Policies within ThreatLocker.
  • Description - "Microsoft’s ‘recommended driver block rules’ are implemented."
    • ThreatLocker meets this mitigation strategy. With ThreatLocker's Application Control Whitelisting, only executables you have created a Policy for are allowed; no drivers can run unless you create a Policy for them. Policies can also be manually created to block any drivers you want to explicitly deny in your environment.
  • Description - "Application control rulesets are validated on an annual or more frequent basis."
    • Although ThreatLocker does not review your rulesets, it does provide reports that can help meet this mitigation strategy. Using ThreatLocker's Reports, you can easily generate a list of all approved Applications.
  • Description - "Allowed and blocked executions on workstations and servers are centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected."
    • ThreatLocker does not monitor your endpoint activity, but it does help you meet this mitigation strategy by providing protected, centralized logs of all blocked and allowed executions. ThreatLocker's Unified Audit captures all successful and failed executions from every endpoint in a central location. Unified Audit entries cannot be modified or deleted by anyone, and are kept by default for 30 days; that period can be extended if desired.

Patch Applications

  • Description - "Applications that are no longer supported by vendors are removed."
    • ThreatLocker cannot remove Applications from your endpoints. However, ThreatLocker can help meet this mitigation strategy because a Policy can be created to Deny any Application, so that it is unable to run in your environment.

Configure Microsoft Office Macro Settings

  • Description - "Only Microsoft Office macros running from within a sandboxed environment, a Trusted Location or that are digitally signed by a trusted publisher are allowed to execute."
    • ThreatLocker can meet this mitigation strategy. Application Control provides the ability to configure rules that allow or deny executables based on digital signature and trusted directories. Once the PCs are in Secured Mode, the default deny prevents any executable that hasn't been expressly permitted from running on any machine with ThreatLocker installed.
  • Description - "Only privileged users responsible for validating that Microsoft Office macros are free of malicious code can write to and modify content within Trusted Locations."
    • ThreatLocker can help meet this mitigation strategy. Storage Control enables you to allow or deny access to any specified data locations, or to limit access to Read-Only, for only specific users and/or Applications.
  • Description - "Allowed and blocked Microsoft Office macro executions are centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected."
    • ThreatLocker does not monitor your endpoint activity, but it does help you meet this mitigation strategy by providing protected, centralized logs of all blocked and allowed executions. ThreatLocker's Unified Audit captures all successful and failed executions from every endpoint in a central location. Unified Audit entries cannot be modified or deleted by anyone, and are kept by default for 30 days; that period can be extended if desired.

User Application Hardening

  • Description - "Internet Explorer 11 is disabled or removed."
    • ThreatLocker can meet this mitigation strategy. ThreatLocker Application Control enables you to deny Internet Explorer 11, preventing it from executing.
  • Description - "Blocked PowerShell script executions are centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise, and actioned when cyber security events are detected."
    • ThreatLocker does not monitor your endpoint activity, but it does help you meet this mitigation strategy by providing protected, centralized logs of all blocked and allowed executions. ThreatLocker's Unified Audit captures all successful and failed executions from every endpoint in a central location. Unified Audit entries cannot be modified or deleted by anyone, and are kept by default for 30 days; that period can be extended if desired.

Restrict Administrative Privileges

  • Description - "Privileged access to systems and Applications is limited to only what is required for users and services to undertake their duties."
    • ThreatLocker helps meet this mitigation strategy. ThreatLocker's Elevation Control enables you to reduce or eliminate privileged access accounts, and then allow Elevation for only specified users and/or specified Applications as needed for their specific job duties. Application Control provides the ability to prevent any Applications that are not needed from running.
  • Description - "Privileged accounts are prevented from accessing the internet, email and web services."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Application Control enables you to restrict web browser access to only specific users.
  • Description - "Just-in-time administration is used for administering systems and Applications."
    • ThreatLocker can help meet this mitigation strategy. ThreatLocker's Elevation Control enables you to reduce or eliminate privileged access accounts, and then allow Elevation for only specified users and/or specified Applications as needed for their specific job duties. Application Control enables you to limit the time of day and/or days of the week that specific Applications can be used.
  • Description - "Use of privileged access is centrally logged and protected from unauthorized modification and deletion, monitored for signs of compromise and actioned when cyber security events are detected."
    • ThreatLocker does not monitor your endpoint activity, but it does help you meet this mitigation strategy by providing a centralized log. The Unified Audit captures all successful and failed executions from every endpoint in a central location, including whether they were performed with elevated privileges. Unified Audit entries cannot be modified or deleted by anyone, and are kept by default for 30 days; that period can be extended if desired.

Regular Backups

  • Description - "Unprivileged accounts, and privileged accounts (excluding backup administrators), cannot access backups."
    • ThreatLocker can meet this mitigation strategy. Using Storage Control, you can allow or deny access to any of your backup files/folders/directories for specific users and/or Applications.
  • Description - "Unprivileged accounts, and privileged accounts (excluding backup break glass accounts), are prevented from modifying or deleting backups."
    • ThreatLocker can meet this mitigation strategy. Using Storage Control, you can allow or deny access to any of your backup files/folders/directories for specific users and/or Applications, and you can also specify Read-Only access.

Resource:

"Essential Eight Maturity Model." Australian Cyber Security Centre, Cyber.gov.au, https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-maturity-model.