
State of Cybersecurity - What we learnt from ACSC Cyber Threat Report (2020 - 2021)

Posted by Mathew Clark on 16 September 2021 10:15:57 ACST

They say hindsight is 2020, and in this case we're glad that 2020 is behind us. Fires and viruses and explosions (oh my!). Over the course of the (ongoing) pandemic, Australian businesses and individuals became far more dependent on the internet: working from home, accessing information and staying in touch with colleagues, friends and family. Many people lost their jobs, some sectors struggled with the change and others collapsed entirely. That increased reliance on the internet also meant a larger attack surface and more cybercrime. Year on year, the ACSC saw a 13% rise in cybercrime reports, totalling some 67,500 for the financial year, roughly one report every 8 minutes, and affecting every business sector and government agencies at all levels. An important takeaway is that these are only the events we know about: the ACSC can only count what is reported to it. The pandemic accelerated not just the volume of cybercrime but the sophistication of the attacks. Subnet has been developing a defence-in-depth strategy aligned to ISO 27001, the ISM and Essential Eight, and the NIST frameworks to help our partners grow their security through a step-by-step maturity journey.

The ACSC report identifies six key attack trends and threats, as follows:

  1. Phishing and spear-phishing attacks used the pandemic, a matter of intense public interest, as the lure to gain a foothold in organisations. The attacks were run by state actors seeking information about Australia's COVID response, and by criminals targeting critical services in the health sector, where the pressure to restore service makes a ransomware payment more likely.

    This vector attacks the people rather than the systems, so the primary control is regular security awareness training, backed by technical controls such as multi-factor authentication (covered further down). The best analogy is a fire drill: we regularly practise evacuating in the event of a fire, yet the likelihood of a cyber incident is far higher than a fire, and most organisations have no strategy to detect or deal with an incident should one occur.

  2. Critical infrastructure was targeted during the reporting period, with attacks on essential services in the health, food and energy sectors. Large-scale, high-profile attacks made the news in the United States, most notably the Colonial Pipeline attack, and Australia was no different. These attacks disrupt essential services and can potentially harm or kill people.

    This vector rests on the premise that every system becomes vulnerable given sufficient time. There are many ways to address it, including but not limited to Essential Eight Maturity Level 3 (E8M3) patching and workaround implementation, Managed Detection and Response (MDR) services built on endpoint tooling such as CrowdStrike, and application whitelisting (application control). This illustrates the importance of a layered, varied threat mitigation strategy. The analogy here is not using the same lock and key on every door: a locksmith who defeats one defeats them all, whereas varied controls increase the number of distinct skills an attacker needs to get past each vector.

  3. Ransomware has grown in profile and is a significant threat to Australian organisations. A recent industry trend is for attackers to use OSINT to work out what cyber insurance an organisation is likely to hold, then set the ransom just above the likely payout so that the decision to pay is no longer trivial. The global impact of the Colonial Pipeline attack really highlights the risk associated with this sort of attack.

    This threat is exploited and delivered in a staggering number of ways, so the mitigations are correspondingly broad. MDR, E8M3 patching, strong password policies, security awareness training, incident response drills, application whitelisting, server and workstation security baselines, and a 3-2-1 backup strategy with at least 7 months of retention on immutable storage (such as the Datto BCDR service) together provide a significant value proposition. The list of ransomware mitigations goes on and on.

  4. Rapid exploitation of security vulnerabilities saw large-scale attacks, most notably on Microsoft Exchange and the Windows print spooler (PrintNightmare), impacting organisations worldwide. Exchange was especially exposed because the attackers effectively had a phone book: an organisation's mail servers are published in its DNS MX records, so vulnerable servers were trivial to enumerate. In the United States, a court authorised the FBI to access compromised Exchange servers and remove the attackers' web shells from them (the FBI removed the backdoors; it did not patch the servers, which remained the owners' job). Ethical hacking to the next level!!

    The mitigation is a strong MDR capability, application whitelisting and an E8M3 plan that swiftly tests, patches and implements workarounds to keep disruption to the network minimal. Each such event highlights the impact on availability, which is fast becoming critical in this internet-dependent world.

  5. Supply chains for cloud-delivered software and services were hit, with attacks on vendors whose products are widely used by MSPs, such as Kaseya and SolarWinds, impacting vendor, MSP and clients alike. Insurers are now asking whether you, or your vendors, use these products. You can bet that this will raise your premiums!

    The mitigation is to ensure your vendors are certified against an applicable national or international standard such as ISO 27001, to have appropriate system hardening so that you are not the weak link, and to use services now built into the Microsoft Azure stack: Azure Bastion, so that administrative RDP/SSH access never requires a public IP on the server, and Just-In-Time VM access (a Microsoft Defender for Cloud feature) so that management ports are opened only for the window an administrator actually needs. Add a solid BCDR product such as Veeam or Datto, tested regularly, and disaster recovery plans exercised through regular tabletop and simulation exercises.

  6. Business email compromise (BEC) is a major threat to Australians working remotely. The average loss per event has increased to $50,600 (AUD). Attacks have become more sophisticated, targeted and streamlined, with the impersonated person's emails studied so the attacker can copy their writing style.

    This threat is mitigated by out-of-band (wet-ink signature) approval policies for large funds transfers. Emails are being digitally signed to provide integrity and non-repudiation. Email banners flag messages that came from outside the organisation. Requests that circumvent the normal process should be treated with suspicion. Security awareness training is key, in particular being alert to links whose visible text and actual destination URL do not match. Unusual changes to account information must be validated with the person who supposedly requested them, over a known channel rather than by replying to the email. A secure DNS service that actively blocks malicious websites or bad URLs, and a next-generation firewall from a vendor such as Fortinet that blocks known bad content and malicious URLs, round this out.

    While a higher proportion of attacks were experienced in the eastern states, the highest average financial losses were self-reported by victims in South Australia and Western Australia.

    Business email compromise (BEC) accounted for 51.45 million (AUD) in total self-reported losses for the last financial year, a 15% increase year on year. The average loss per successful BEC transaction also increased, by a staggering 54%, and in one case led to the bankruptcy of the company.
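The BEC indicators described above (an external sender, a known name on the wrong address, a lookalike or mismatched reply-to domain, a link whose visible text names a different host than its target, and account-change or payment language) can be checked mechanically at the mail gateway or in a SIEM before the banner or the quarantine decision is made. The following Python is an added example written for this post, not code from the ACSC report or from Subnet; the organisation domain example.com.au, the executive directory, the keyword list, the edit-distance threshold of 2 and the two sample messages are all constructed assumptions for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the defending organisation's mail domain and a
# tiny directory of people who are commonly impersonated (name -> real address).
ORG_DOMAIN = "example.com.au"
EXECUTIVES = {"jane citizen": "jane.citizen@example.com.au"}
FUNDS_TERMS = ("urgent", "invoice", "wire", "transfer", "bank details", "change of account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero distance from our own domain flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    # Anchor text is often a bare host without a scheme; normalise before comparing.
    if "://" not in url:
        url = "https://" + url.strip()
    return (urlparse(url).hostname or "").lower()


def analyse(raw: str) -> list:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")

    # 2. Sender domain is a near miss of our own (examp1e vs example).
    if from_dom != ORG_DOMAIN and 0 < edit_distance(from_dom, ORG_DOMAIN) <= 2:
        findings.append("lookalike_domain")

    # 3. External sender: this is what an "external email" banner keys on.
    if from_dom != ORG_DOMAIN:
        findings.append("external_sender")

    # 4. Replies silently diverted to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply_to_mismatch")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    # 5. Funds-transfer / account-change language, the payload of most BEC.
    if sum(term in text for term in FUNDS_TERMS) >= 2:
        findings.append("funds_transfer_language")

    # 6. A link whose visible text names one host but whose href goes elsewhere.
    for href, shown in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if "." in shown and host_of(shown) != host_of(href):
            findings.append("link_text_mismatch")
            break
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane Citizen <jane.citizen@examp1e.com.au>
Reply-To: jane.citizen.ceo@gmail.com
To: accounts@example.com.au
Subject: Urgent: change of account details for supplier invoice
Content-Type: text/html; charset="utf-8"

<p>Please process the attached invoice today. Our supplier has a change of account
details - new bank details below. Confirm through the portal:
<a href="https://example-portal.co/login">https://portal.example.com.au</a></p>
"""

LEGIT = """\
From: Jane Citizen <jane.citizen@example.com.au>
To: accounts@example.com.au
Subject: Friday
Content-Type: text/plain; charset="utf-8"

Lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, analyse(raw))
```

Run stand-alone, the suspicious message trips all six indicators and the internal one trips none. Two caveats for production use: the From header is trivially forged, so the external-sender and impersonation decisions should be made on the SPF/DKIM-aligned domain after authentication rather than on the header alone, and the lookalike check should also cover homoglyphs and registered-domain similarity (for example, a confusables library and the public suffix list), which plain edit distance does not catch.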

Multi-factor authentication, for example through Azure AD as an OpenID Connect/OAuth identity provider, is absolutely critical: CISA recently added single-factor authentication to its catalogue of bad security practices. Passwords have become passphrases, with the recommended length now exceeding 20 characters. "Correct Horse Battery Staple" indeed (https://xkcd.com/936/).

One very worrying trend is that cybercriminals are now exfiltrating data as well as encrypting it before demanding a ransom, adding the threat of disclosure of confidential, private or sensitive information, which could be devastating for a company. This practice, most notably seen on the REvil gang's dark-web leak site, extends to treating any contact with law enforcement as hostile: the gang states it will release the data if it discovers that you have contacted the government in any way.

In the next blog, in this two-part series, we will share insights on best practices, tools and mitigation strategies that organisations can implement to build a resilient cybersecurity program.

Topics: Security, ransomware, Cybersecurity