In December 2018, the US Department of Justice charged two Chinese nationals over an extensive global hacking campaign. The defendants, members of the Chinese cyber espionage group APT10, allegedly accessed managed service providers (MSPs) and their customers in at least twelve countries. This is an example of a nation state seeking access to another government's systems and information by attacking the data supply chain rather than the target directly: by compromising an MSP's systems an adversary may be able to pivot into the primary target, and in many cases the MSP itself holds confidential customer information that already serves the adversary's goals.
This type of activity is not new. Back in March 2017, the Australian Cyber Security Centre (ACSC) learned of a compromise at a construction company that services the Australian government. The malware used in that attack was also attributed to APT10; you can read the investigation report here. APT10 has been active since at least 2006.
In light of the most recent attack, ACSC released guidance on 11 January 2019 calling for cyber vigilance:
“Following the global compromise of managed service providers or MSPs, the Australian Cyber Security Centre (ACSC) is calling on Australian businesses and individuals to be proactive in implementing better cyber security practices”.
The full communication is available here.
It was the tactics, techniques and procedures (TTPs) used in these attacks that identified the attacker as the Chinese espionage group APT10. As in many breaches, the adversary starts by sending well-crafted, highly specific spear phishing emails to the target, having first done relatively sophisticated research on the intended victim.
Using social media such as LinkedIn and Twitter, they are able to learn a great deal about a target before crafting an email. Most people on LinkedIn state where they work, which team they are in and what their role involves, and there is generally enough work history on display to make social engineering straightforward.
Once APT10 has gathered this information, it is not hard to write a convincing email. For example, if the target is a Windows system administrator, an email that claims to come from a vendor whose technology the administrator specialises in, carrying apparently serious information about a security vulnerability or an upcoming feature release, will likely be believed, especially if it is timely and looks genuine. APT10 also has the resources to make the lure as believable as possible, so the email lacks the grammar and spelling mistakes we have come to expect from phishing.
Figure 1 APT10’s targeting methodology (courtesy ACSC)
Once the victim opens the email attachment, the malware executes and installs a backdoor that APT10 can use at any time in the future. The spear phishing campaign was vast, spanning more than a dozen countries and targeting as many MSPs and government contractors as possible. Having gained access to an MSP, APT10 did not necessarily pivot to a government target immediately; rather, they established a beachhead in the MSP network and held it until the organisation had a specific target to aim for.
Figure 1 depicts the methodology APT10 uses to gain access to its intended target via the target's MSP (courtesy of ACSC).
Over the past decade, security firms have published a great deal of research on the nature of these advanced persistent threats. Mandiant (later acquired by FireEye) set the standard with its seminal 2013 report on APT1 (also known as Comment Crew), which it attributed to the People's Liberation Army (PLA) General Staff Department's 3rd Department, 2nd Bureau, commonly referred to by its Military Unit Cover Designator (MUCD) as Unit 61398. APT10 is another such intelligence-linked group: of the 17 groups listed on FireEye's website, nine are attributed to a Chinese origin.
Other nation states such as North Korea, Iran, Russia and Vietnam also feature on that list of active APTs, highlighting the need for organisations to instil a culture of security and take mitigative steps within their businesses to better protect themselves from this persistent threat of espionage.
As mentioned earlier in this post, ACSC has released a communication detailing recommendations on how MSPs and businesses should mitigate against APTs. It is very important that organisations develop comprehensive security programmes and mitigation strategies that improve their overall resilience to cyber-attacks.
To assist in developing such a programme, it helps to break it into manageable stages. We recommend the following steps as a good place to start:
Most mitigation strategies are procedural, but since most attacks target your information systems, you also need to examine how those systems are configured and build a picture, preferably in real time, of what is happening across your network.
ACSC's guidelines, known as the Essential Eight: Strategies to Mitigate Cyber Security Incidents, highlight eight key security controls that ACSC says can mitigate up to 85% of targeted attacks. Without doubt, any organisation implementing all eight of these controls will be better placed to defend against cyber-attacks from APT10 or any other group on the FireEye list. Yet the Essential Eight does not include logging and monitoring, which we believe should be part of everyone's cyber security programme, not least because it is how you measure whether the other controls are actually working.
Figure 2 The Necessary Nine – Essential Eight and Protective Monitoring
ACSC's investigation report into APT10's targeting of an Australian MSP lists "increased logging" as a primary mitigation strategy. The report says, "It is advised that logs be retained for as long as possible; based on the incident timeframe, a minimum of 18 months logging would assist with any future incident investigations."
By installing competent SIEM technology in your environment, the event logs from every system, network device and application can be sent to a central system and normalised into a common schema so that sense can be made of them. Logs are voluminous and largely consist of routine system data that investigators do not need, so a toolset that sifts out the relevant events and applies rules and correlation logic to highlight potential issues pays big dividends to your security posture.
To further assist both your organisation's risk owners and its operational security team, it is critical that they understand their exposure at any point in time. A Security Scorecard that monitors the efficacy of your security controls and delivers continuous, detailed reporting against the mitigation strategies allows risk owners to make quick, informed decisions based on the nature of the risk. It also lets security teams see when patching has not been applied or a backup has failed, enabling a rapid response.
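The pipeline described above, reduced to its essentials, as an added illustration (this is not Huntsman's product code and not from the ACSC report): raw lines in two constructed formats (a Sysmon-style process creation record and a syslog-style logon record) are normalised onto one schema, lines no rule needs are dropped, and three rules are evaluated over the result. The rules mirror the APT10 narrative: an Office application spawning a script host (the macro that installs the backdoor), a success after repeated failed logons, and a provider support account logging in outside its change window. The account name `msp-admin`, the 08:00-17:59 change window and the sample log lines are all assumptions made for the example.

```python
"""Minimal SIEM-style normalisation and rule evaluation over constructed log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Event:
    """Common schema that every raw source is mapped onto."""
    ts: datetime
    host: str
    kind: str            # "process" or "logon"
    user: str            # lower-cased, e.g. "corp\\jsmith"
    parent: str = ""     # basename of parent image, lower-cased (process events)
    image: str = ""      # basename of image, lower-cased (process events)
    src_ip: str = ""     # logon events
    outcome: str = ""    # "success" or "failure" (logon events)


# Two constructed raw formats. Real Sysmon/Windows/syslog layouts differ; the
# point is that each source gets its own parser feeding the same schema.
SYSMON_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ProcessCreate User=(?P<user>\S+) "
    r"ParentImage=(?P<parent>\S+) Image=(?P<image>\S+)$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Logon user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<outcome>\S+)$")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MSP_ACCOUNTS = {"msp-admin"}      # assumption: the provider's support accounts
CHANGE_WINDOW = range(8, 18)      # assumption: MSP may log in 08:00-17:59 local
GUESS_WINDOW = timedelta(minutes=10)
GUESS_THRESHOLD = 3


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalise(line: str) -> Optional[Event]:
    """Map one raw line onto Event, or return None for lines no rule needs."""
    m = SYSMON_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"], "process",
                     m["user"].lower(), parent=_basename(m["parent"]),
                     image=_basename(m["image"]))
    m = AUTH_RE.match(line)
    if m:
        return Event(datetime.fromisoformat(m["ts"]), m["host"], "logon",
                     m["user"].lower(), src_ip=m["src"], outcome=m["outcome"].lower())
    return None


def rule_office_spawns_script_host(ev: Event) -> bool:
    """Macro-borne first stage: Word/Excel/Outlook launching a script host."""
    return ev.kind == "process" and ev.parent in OFFICE_APPS and ev.image in SCRIPT_HOSTS


def rule_msp_logon_out_of_window(ev: Event) -> bool:
    """Provider account used outside the agreed change window."""
    account = ev.user.split("\\")[-1]
    return (ev.kind == "logon" and ev.outcome == "success"
            and account in MSP_ACCOUNTS and ev.ts.hour not in CHANGE_WINDOW)


def detect(lines: List[str]) -> List[str]:
    """Normalise, sort by time, and return one alert string per rule hit."""
    events = [ev for ev in map(normalise, lines) if ev is not None]
    events.sort(key=lambda e: e.ts)
    alerts: List[str] = []
    failures = defaultdict(list)   # (host, user) -> timestamps of recent failed logons
    for ev in events:
        if rule_office_spawns_script_host(ev):
            alerts.append(f"office-spawned-script-host {ev.host} {ev.user} {ev.parent}->{ev.image}")
        if rule_msp_logon_out_of_window(ev):
            alerts.append(f"msp-logon-out-of-window {ev.host} {ev.user} from {ev.src_ip} at {ev.ts.isoformat()}")
        if ev.kind == "logon":
            # Stateful rule: N failures then a success for the same account on the same host.
            key = (ev.host, ev.user)
            recent = [t for t in failures[key] if ev.ts - t <= GUESS_WINDOW]
            if ev.outcome == "failure":
                recent.append(ev.ts)
            elif len(recent) >= GUESS_THRESHOLD:
                alerts.append(f"password-guessing-then-success {ev.host} {ev.user} after {len(recent)} failures")
                recent = []
            failures[key] = recent
    return alerts


# Constructed sample input; hosts, users and addresses are fictitious.
SAMPLE_LOG = [
    r"2019-01-11T09:14:03 WKS-042 ProcessCreate User=CORP\jsmith ParentImage=C:\Office\WINWORD.EXE Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"2019-01-11T09:14:05 WKS-042 ProcessCreate User=CORP\jsmith ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe",
    r"2019-01-11T10:02:00 SRV-FILE01 Logon user=CORP\msp-admin src=203.0.113.7 result=success",
    r"2019-01-11T12:00:00 SRV-FILE01 Logon user=CORP\svc-backup src=198.51.100.9 result=failure",
    r"2019-01-11T12:01:00 SRV-FILE01 Logon user=CORP\svc-backup src=198.51.100.9 result=failure",
    r"2019-01-11T12:02:00 SRV-FILE01 Logon user=CORP\svc-backup src=198.51.100.9 result=failure",
    r"2019-01-11T12:03:00 SRV-FILE01 Logon user=CORP\svc-backup src=198.51.100.9 result=success",
    r"2019-01-11T23:41:10 SRV-FILE01 Logon user=CORP\msp-admin src=203.0.113.7 result=success",
    "2019-01-11T23:41:11 SRV-FILE01 kernel: routine noise that no rule needs",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it yields three alerts: the Word-to-PowerShell spawn on WKS-042, the `svc-backup` success after three failures, and the `msp-admin` logon at 23:41. The 10:02 `msp-admin` logon is inside the window and is silent, which is the point of the rule: MSP access itself is legitimate, so the detection has to key on context (time, source, target) rather than on the account alone. Retention matters for the same reason; the stateful rule here only looks back ten minutes, but an analyst reconstructing an APT10 dwell time needs the raw events kept for the 18 months ACSC recommends.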
Figure 3 Huntsman Security Scorecard – monitoring Security Control effectiveness
Ongoing maintenance of your security controls, and of the wider security culture of your organisation, requires a systematic compliance regime that continuously checks adherence to the controls and solutions you rely on. You should establish regular testing of your environment, such as the gateways to customer systems or your records management systems, to confirm you are meeting your own internal security objectives for protecting key information assets.
Having your security team manage compliance on an ongoing basis is the best way of maintaining a security baseline: you should not have to wait until the end of the year for your test team to tell you that all your servers are missing patches. Rather, the end-of-year test should be finding things you would not otherwise know about, such as a deep configuration issue on the network or a previously unknown vulnerability in your database server.
If you’d like to find out more on how to establish a protective monitoring regime and ongoing security compliance capability contact the Huntsman Security team.
APT Groups: Who's who of cyber threat actors, FireEye, https://www.fireeye.com/current-threats/apt-groups.html