John Pescatore - SANS Director of Emerging Security Trends
This week's Drilldown focuses on just one item (included below) from NewsBites Issue 50, which detailed sophisticated state-backed attacks against government and private industry in Australia.
The main takeaway: The Australian Signals Directorate (ASD), which is the equivalent of the U.S. National Security Agency, once again pointed out that well-known basic security hygiene (starting with installing existing patches) would have prevented these attacks from succeeding.
Around 2013, the ASD tested its top four recommended security controls (application whitelisting, application patching, OS patching and limiting administrative privileges). The ASD found that those four actions alone mitigated 85% of the advanced targeted attacks it was seeing in the real world.
In 2017, the ASD expanded the model to reflect changes in the threat landscape, in particular adding daily backups and multifactor authentication (MFA), to form the Essential Eight Maturity Model. It recently also added three maturity levels for each of the eight controls.
Organizations already using the CIS Critical Security Controls as a baseline won't see anything new in the Essential Eight. Neither framework really tells anyone experienced in cybersecurity anything they didn't already know. One of the biggest values of adopting one of these frameworks is using it to convince management to back the changes required to patch faster, test applications more, limit privileges, increase the strength of authentication, and so on, because security teams can rarely implement any of these by themselves. As organizations develop plans for returning to normal operations, adopting one of these frameworks (or getting support for using one already adopted more effectively) should be a key part of the recommendations made to management.
Prime Minister: Australia is Under State-Sponsored Cyberattack
(June 19, 2020)
At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country's public and private sectors are under cyberattack from a state-backed actor. The attacks have targeted organizations in a range of sectors, including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country that he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the "tactics, techniques and procedures used to target multiple Australian networks."
[Pescatore] Two telling quotes from the ASD alert: (1) "The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor," and (2) "ACSC Recommended Prioritised Mitigations ... Prompt patching of internet facing software, operating systems and devices. All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available." The attacks were sophisticated, but basic security hygiene (patching) would have disabled those attacks. The ASD has shown data on how the top four basic security hygiene controls alone mitigate 85% of sophisticated, targeted cyberattacks.
[Neely] While attribution is a nice-to-have, ensuring that sufficient security is in place for systems, as well as recovery from attacks, are critical activities. The ASD/ACSC advisory provides prioritized mitigations, starting with patching and implementing MFA, followed by the Essential Eight controls (www.cyber.gov.au/sites/default/files/2020-06/PROTECT - Essential Eight Maturity Model (June 2020).pdf). Those are common-sense changes that will dramatically reduce the attack surface.
Read more in:
The Sydney Morning Herald: Morrison reveals malicious 'state-based' cyber attack on governments, industry
SC Magazine: Australia says state-based actor is behind surge of sophisticated cyberattacks
The Register: Australian PM says nation under serious state-run 'cyber attack' - Microsoft, Citrix, Telerik UI bugs 'exploited'
Gov.au (ASD): Advisory 2020-008: Copy-Paste Compromises - tactics, techniques and procedures used to target multiple Australian networks (PDF)