On 12 October 2016, the Australian Cyber Security Centre (ACSC) released its 2016 Threat Report.
The report contains information on trends in malicious cyber activity, and what actions organisations should take to prevent and respond to cyber threats.
Australian industry is persistently targeted by a broad range of cyber activity that puts the profitability, competitiveness and reputation of Australian businesses at risk. Between 1 January 2015 and 30 June 2016 ACSC responded to 1095 cyber security incidents on government systems which were considered serious enough to warrant an operational response. This level of response was required despite the growing ability of government agencies to respond to their own lower level incidents.
Key matters that the report addresses include:
Using correct cyber terminology
ACSC is critical of the emotive language used by the media, academics, the public and foreign governments when describing cyber incidents, in particular the use of the term “cyber attack” to cover common cyber threats, because it complicates an advanced appreciation of the spectrum of possible cyber security risks, vulnerabilities and consequences, and blurs understanding of potential ‘red lines’ in cyberspace.
A “cyber attack” means a deliberate act through cyberspace to manipulate, disrupt, deny, degrade or destroy computers or networks, or the information on them, with the effect of seriously compromising national security, stability or economic prosperity.
The frequent misuse of the term “cyber attack” results in a heightened sense of risk in the country. ACSC confirms that Australia has still not been subject to a “cyber attack”. It is not the case that such an event has occurred and has not yet been detected, as the effects of such an event could not go unnoticed. ACSC does, however, say that the threat of such an attack occurring has increased over the past 5 years.
Delays in detecting or reporting cyber security incidents
ACSC notes that cyber security incidents often go undetected or unreported – this adds to the challenges in managing cyber risks and impacts on ACSC’s ability to understand the threat and improve its ability to assist organisations.
A recent example of delayed detection is the cyber intrusion on the Bureau of Meteorology’s (BOM’s) network: by the time the intrusion was detected, all passwords on BOM’s network were compromised. Evidence also suggested that network scanning and time stamp modification tools had been established on hosts.
Investigations into the incident suggested that the primary compromise was by a foreign intelligence service. The security controls in place were found to be insufficient to protect the network even from common cybercrime. BOM has now implemented the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions, which will significantly improve the security posture of BOM’s corporate network. ACSC is also continuing to work with BOM to implement a number of specific recommendations to mitigate future compromise.
Malicious cyber activity creates risk for the profitability, competitiveness and reputation of Australian businesses, and this makes companies reluctant to self-report incidents. Non-reporting impacts on the ability to improve the security posture of Australian computer networks.
To enable ACSC and businesses to learn about cyber threats and develop mitigation strategies to respond to them, both ACSC and ASIC encourage businesses to report incidents regardless of whether their incident has to be reported under any mandatory reporting requirements.
What industries have been the main targets of cyber incidents in Australia in the past 12 months?
Incidents occur across all industries, however:
- Energy and communications sectors had the highest number of compromised systems;
- Banking and financial services had the highest incidence of Distributed Denial of Service (DDoS); and
- Energy, mining and resources sectors received the highest number of malicious emails.
In addition, the ongoing theft of intellectual property poses significant challenges in the competitive area of research and development in universities, public and private research firms and government sectors.
Are you at risk of a cyber incident?
Lower value companies have also been targeted to gain access to higher value companies through the relationships they share. Organisations need to be aware that they may be targeted purely on this basis.
What are the current trends in cyber threats?
Trends in cyber threats include:
- Spear phishing: emails that contain a malicious link or file attachment in order to gain access to corporate networks;
- Ransomware: encrypts files on a computer (including network file shares and attached external storage devices). Victims are required to pay a ransom (typically in bitcoins) to unlock the files;
- Web-seeding: compromising web sites frequently visited to exploit targets without overt communication; and
- Malicious advertising: a growing area using popular and trusted websites – malicious code is inserted into an advertisement presented during normal browsing, and that advertisement redirects the user to a location that automatically downloads further malicious code.
A typical compromise involves a spear phishing email sent to a target, relying on trust by appearing to come from a genuine email address or known contact. Once the user opens the malicious link or attachment in the spear phishing email, malware is deployed that creates an entry point into the network. Knowledge of the compromised network is then built up, sometimes exceeding the knowledge of the system’s own administrators. Once a presence is established, there are attempts to procure legitimate user credentials and establish remote access. Malware or a web shell is then installed to ensure persistent, ongoing access to the system. Once persistent access is obtained, the intruder’s objective in accessing the system is carried out.
Methods of avoiding detection are becoming increasingly sophisticated in order to defeat security controls.
There is a need for Australian businesses to develop a robust cyber security strategy and plan for managing cyber incidents
While the cost of implementing a robust cyber security strategy may seem high, there are significant direct and indirect costs in the event of a serious network compromise. ACSC reports that few organisations have sufficiently planned or prepared for a significant cyber security incident and organisations should ensure that they:
- Plan and prepare: by identifying critical systems, monitoring for cyber security threats and incidents, having security risk management plans for information security systems, and identifying key stakeholders including communications and legal. It is also critical to understand the layout of the network. Companies should also test what is being retained or logged by analytic systems to enable a baseline to be developed and to assist in detection of anomalies;
- Respond: by having a plan in place to be able to respond quickly in the event of an incident and isolate an affected workstation or server; and
- Report: through understanding legislative requirements and obligations for incident reporting and having the necessary procedures in place.
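A minimal illustration of the baseline-then-detect approach described under “Plan and prepare”, applied to the credential-theft and remote-access stage of the compromise chain above. This is an added example, not from the ACSC report or the article; the log lines, user names and host names are constructed.

```python
"""Build a login baseline from a quiet period, then flag logins in a
later period that fall outside it (a user logging in from a source host
never seen before, or at an hour the user has never used)."""
from collections import defaultdict

# Constructed sample logs: (timestamp, user, source_host, result)
BASELINE_LOGS = [
    ("2016-03-01T08:05", "alice", "ws-12", "ok"),
    ("2016-03-01T09:10", "bob", "ws-07", "ok"),
    ("2016-03-02T08:15", "alice", "ws-12", "ok"),
    ("2016-03-02T17:40", "bob", "ws-07", "ok"),
    ("2016-03-03T08:00", "alice", "ws-12", "ok"),
]

INCIDENT_LOGS = [
    ("2016-03-10T08:10", "alice", "ws-12", "ok"),    # matches baseline
    ("2016-03-10T02:30", "alice", "vpn-gw", "ok"),   # new source, odd hour
    ("2016-03-10T03:05", "bob", "vpn-gw", "fail"),   # failures are ignored here
    ("2016-03-10T03:06", "bob", "vpn-gw", "ok"),     # success right after a failure
]


def build_baseline(logs):
    """Record, per user, the source hosts and hours of successful logins."""
    sources = defaultdict(set)
    hours = defaultdict(set)
    for ts, user, src, result in logs:
        if result != "ok":
            continue
        sources[user].add(src)
        hours[user].add(int(ts[11:13]))   # hour field of the ISO timestamp
    return sources, hours


def find_anomalies(logs, baseline):
    """Return (timestamp, user, source, reasons) for successful logins
    that deviate from the baseline; unknown users trip both checks."""
    sources, hours = baseline
    findings = []
    for ts, user, src, result in logs:
        if result != "ok":
            continue
        reasons = []
        if src not in sources[user]:
            reasons.append("new source")
        if int(ts[11:13]) not in hours[user]:
            reasons.append("unusual hour")
        if reasons:
            findings.append((ts, user, src, ", ".join(reasons)))
    return findings
```

Real deployments would derive the baseline from weeks of retained logs rather than a handful of lines, which is exactly why the report stresses checking what is actually being logged and kept.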
This article was written by Sarah Harrison, Partner and Desiree Dyer, Solicitor.