State sponsored attacks… what you should know

The Morrison Government today raised the issue of state sponsored attacks against Australian companies and critical infrastructure, and immediately the Seccom Global phones started ringing. Unfortunately, this is not new; it has been happening for many years, but it seems it takes a national announcement by our Prime Minister for people to sit up and take notice.

The Australian Cyber Security Centre (ACSC) released an advisory, 2020-008: copy-paste compromises – tactics, techniques and procedures used to target multiple Australian networks. As stated in the heading, the advisory details the tactics, techniques and procedures identified during the Australian Cyber Security Centre’s investigation of cyber campaigns targeting Australian networks.

The report discusses how unpatched, public facing infrastructure is one of the prime attack vectors. A very simple solution to this is, “patch, patch and patch.” Many of the attacks that we hear about are completely avoidable simply by patching your systems. If you have a public facing website and you are not protecting this through regular patching, strong authentication and using a Web Application Firewall solution, then be warned. If you have not locked down your admin access to your network infrastructure and are not using multifactor authentication or strong logging and reporting, ouch!

The report states: “The actor was identified making use of compromised legitimate Australian web sites as command and control servers”. During its investigations, the ACSC identified two key mitigations which, if implemented, would have greatly reduced the risk of compromise by the TTPs identified in this advisory:

  • Prompt patching of internet-facing software, operating systems and devices.
  • Use of multi-factor authentication across all remote access services.

The report goes on to say, “A common issue that reduced the effectiveness and speed of investigative efforts was the lack of comprehensive and historical logging information across a number of areas including web server request logs, windows event logs and internet proxy logs.”

Put simply, if you are not properly logging your network, how do you expect to find answers when an event occurs? I will go on to add that in any good cybersecurity plan, prevention and detection are critical – but so is recovery. You must have a great backup and recovery strategy for when a critical attack occurs.
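The logging gap the advisory describes is easy to check for before an incident, not just after. The following is an added example (not from the advisory or from Seccom Global) that audits how much history exists in each of the three log sources the ACSC named; the log lines, host addresses and dates are constructed for the example, and the 90-day minimum is an assumed retention target.

```python
"""Audit historical log coverage across the sources named in the ACSC
advisory: web server request logs, Windows event logs and proxy logs."""
from datetime import datetime
import re

# Constructed sample log excerpts (hypothetical hosts and dates).
WEB_LOG = """10.0.0.5 - - [01/Jun/2020:08:15:02 +1000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [18/Jun/2020:09:01:44 +1000] "POST /login HTTP/1.1" 302 0
"""
PROXY_LOG = """2020-06-17 10:22:01 10.0.0.5 GET http://example.invalid/ 200
2020-06-18 11:05:30 10.0.0.9 GET http://example.invalid/a 200
"""
WINEVT_LOG = ""  # Constructed: the Windows event log export is empty.

# Per-source timestamp pattern and strptime format (assumed layouts).
PATTERNS = {
    "web": (re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})"), "%d/%b/%Y:%H:%M:%S"),
    "proxy": (re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"), "%Y-%m-%d %H:%M:%S"),
    "winevt": (re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"), "%Y-%m-%dT%H:%M:%S"),
}

def timestamps(source, text):
    """Extract every parseable timestamp from one log source."""
    rx, fmt = PATTERNS[source]
    found = []
    for line in text.splitlines():
        m = rx.search(line)
        if m:
            found.append(datetime.strptime(m.group(1), fmt))
    return found

def coverage_report(logs, now, min_days=90):
    """Return {source: (days_of_history, status)} where status is 'ok',
    'short' (less than min_days of history) or 'missing' (no entries)."""
    report = {}
    for source, text in logs.items():
        ts = timestamps(source, text)
        if not ts:
            report[source] = (0, "missing")
            continue
        days = (now - min(ts)).days
        report[source] = (days, "ok" if days >= min_days else "short")
    return report

if __name__ == "__main__":
    logs = {"web": WEB_LOG, "proxy": PROXY_LOG, "winevt": WINEVT_LOG}
    for src, (days, status) in coverage_report(logs, datetime(2020, 6, 19, 12)).items():
        print(f"{src:7s} {days:4d} days  {status}")
```

A source reported as "missing" or "short" is exactly the blind spot the advisory says slowed investigations; run the check against the real log store, not the SIEM's summary, since retention limits often differ.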

One of the questions that I have been repeatedly asked today is, “Is my firewall protecting me from these attacks?” My answer to this is both yes and no. Having a firewall is part of the solution to protecting your network; however, understanding the entire attack surface is vital. Our recent whitepaper, “Understanding the Cyber Kill Chain”, provides further insight.

It is important to understand that once an organisation has been breached it may take several months before the breach is detected. A clever attack will mimic the behaviour of your users so as not to raise any red flags. In summary, visibility is as important as perimeter defence. Ensuring strong partnerships with cyber security specialists, employing best of breed technologies and building a resilient security posture must all form part of your overall cyber strategy.

Further reading