Our cyber security products span from our next gen SIEM used in the most secure government and critical infrastructure environments, to automated cyber risk reporting applications for commercial and government organisations of all sizes.
In December 2018, the US Department of Justice charged Chinese nationals in an extensive global hacking campaign. The hackers, part of Chinese cyber espionage group APT10, allegedly accessed service providers in twelve countries. This is an example of Nation states seeking access to other government’s systems and information by attacking the data supply chain for security weaknesses; by compromising a managed service provider’s (MSP) systems an adversary may be able to pivot to the primary target, although often the MSP holds confidential information, in its own right, that could further the adversary’s goals.
This type of activity is not new; back in March 2017, the Australian Cyber Security Centre (ACSC) learned of a compromise in a construction company that services the Australian government. The malware used in that attack was also attributed to APT10; you can read the investigation report here. APT10 has been around since 2006.
In light of the most recent attack, ACSC released a guidance communication last week, on 11 January 2019, calling for cyber vigilance:
“Following the global compromise of managed service providers or MSPs, the Australian Cyber Security Centre (ACSC) is calling on Australian businesses and individuals to be proactive in implementing better cyber security practices”.
The full communication is available here.
It was the tactics, techniques and procedures (TTP) used in these APT attacks that identified the attacker as Chinese espionage group, APT10. Like many breaches, the adversary starts by sending well-crafted, very specific spear phishing emails to the target, having done relatively sophisticated research on the intended victim.
Using social media, such as LinkedIn and Twitter, they are able to find out a lot about their target before they craft an email. Most people who use LinkedIn say where they work, what team they work in, what their role involves and there is generally enough information about their work history to make social engineering straightforward.
Once APT10 has all this useful information, it’s not hard to create an email that sounds convincing. For example, if the target is a Windows system administrator, by claiming to come from an organisation whose technology the target is an expert in, with some serious information on a security vulnerability or something to do with an up and coming feature release, the administrator will likely believe it, especially if its timely and appears genuine. APT10 also has the resources to make sure this is as believable as possible, ensuring the email doesn’t have the usual grammar and spelling mistakes we’ve come to expect from phishing emails.
Figure 1 APT10’s targeting methodology (courtesy ACSC)
Once the victim has opened the email attachment, the malware executes and installs a back door for APT10 to use any time in the future. The spear phishing campaign was vast and spanned more than a dozen countries, with as many MSPs and government contractors as possible, being targeted. Once APT10 had accessed the MSP, they did not necessarily pivot to their government target immediately. Rather they’ll establish the beachhead in the MSP network until their organisation has a specific target to aim for.
Figure 1 depicts the methodology APT10 uses to gain access to its intended target via their MSP (courtesy of ACSC1).
Over the past decade, there has been a lot of research by security firms on the nature of these advanced persistent threats. FireEye (and previously Mandiant) started with their seminal paper on the activities of APT1 (Unit 61398, Comment Crew), believed to be China’s People’s Liberation Army (PLA) General Staff Department’s (GSD), commonly referred to by its Military Unit Cover Designator (MUCD) as Unit 61398. Yet another military intelligence APT, of the 17 groups listed on FireEye’s website, nine of them are specifically attributed to a Chinese origin.
Other nations states such as North Korea, Iran, Russia and Vietnam also feature on that list of active APTs, highlighting the need for organisations to instil a culture of security and take mitigative steps within their businesses to better protects them from this persistent threat of espionage.
As mentioned earlier in this blog post, ACSC has released a communication detailing recommendations on how MSPs and businesses should mitigate against APTs. It’s very important that organisations develop comprehensive security programmes and mitigation strategies that improve their overall resilience to cyber-attacks.
To assist in developing such a programme, it’s a good idea to break it up into manageable stages. We recommend the following steps as a good place to start:
Most mitigation strategies are processes or procedural, but given most attacks target your information systems, you do need to look at how your systems are configured and build a picture (preferably in real time) of what’s going on across your network.
ACSC’s guidelines known as Essential Eight: Strategies to Mitigate Cyber Security Incidents highlights eight key security controls that can be used to mitigate up to 85% of targeted attacks. Without doubt, any organisation implementing all eight of these controls will be better off and more able to defend against cyber-attacks from APT10 or any other attacker referenced on the FireEye website. Yet the Essential Eight does not include logging and monitoring, something we believe should be included in everyone’s cyber security programme to better measure the success of their mitigation controls.
Figure 2 The Necessary Nine – Essential Eight and Protective Monitoring
ACSC’s investigation report1 into APT10’s targeting of an Australian MSP sees “increased logging” as a primary mitigation strategy. The report says, “It is advised that logs be retained for as long as possible; based on the incident timeframe, a minimum of 18 months logging would assist with any future incident investigations.”
By installing competent SIEM technology into your environment, the event logs from every system, network device and application can be sent directly to a central system, and normalised so that sense can be made of it. Logs are often voluminous and contain irrelevant system data that cyber investigators don’t need, so having a toolset that sifts through it for relevant events and applies logic and rules to highlight potential issues pays big dividends to your security posture.
To further assist both your organisation’s risk owners and operational security team, it is critical that they understand their exposure at any one point in time. Having a Security Scorecard that monitors the efficacy of your security controls and delivers continuous detailed reporting against the mitigation strategies allows risk owners to make quick, informed decisions based on the nature of the risk. It also serves to let security teams see when patching hasn’t been applied or a problem has occurred with a backup, enabling a rapid response.
Figure 3 Huntsman Security Scorecard – monitoring Security Control effectiveness
Ongoing maintenance of your security controls and the overall security culture of your organisation requires a systematic compliance regime that continues to monitor compliance with the security controls and solutions you use. You should establish regular testing of your environment, such as your gateways to customer systems or your records management systems, to ensure you are meeting your own internal security objectives to protect your key information assets.
Having your security team manage compliance on an ongoing basis is the best way of maintaining a security baseline, as you don’t have to wait until the end of the year to find out from your test team that all your servers are missing patches. Rather, that end of year test should be finding things you would not typically know about, such as a deep configuration issues on the network, or finding a zero-day vulnerability in your database server.
If you’d like to find out more on how to establish a protective monitoring regime and ongoing security compliance capability contact the Huntsman Security team.
 APT Groups: Who’s who of cyber threat actors https://www.fireeye.com/current-threats/apt-groups.html
A recent KPMG Report suggests that protecting against and dealing with cyber risks will be the major challenge for senior executives in 2024. It is clear that despite high levels of security investment, organisations continue to suffer from cyber attacks.Read more
The Australian Signals Directorate’s (ASD) recent publication of their Cyber Threat Report 2022-2023 unearthed a range of areas for concern for government departments and critical infrastructure entities at local, State and Federal level.Read more
As cyber risks increase, organisations are encountering the longer life cycle of insurance renewals and the need to demonstrate better management of security controls and their effectiveness.Read more
Highlights and insights from the recent Managed Services Summit in London & the ISACA Central Chapter Conference on Digital Trust, in Birmingham, UK. With two recent conferences in the space of three days, some interesting challenges were very evident in the topics discussed. Being very different events, the challenges were quite different, but interestingly they […]Read more
In early August 2023, the latest joint advisory on persistent vulnerabilities was issued by the intelligence and security agencies of the “Five-eyes” community. These joint advisories are becoming more common. Perhaps recognising the growing importance of shared security information and the common nature of many of the threats faced – the weight they carry makes […]Read more
The quality of your risk assessment and the security information it provides is important; if you plan to use it to actively manage your operational and cyber resilience activities. Organisations are constantly exposed to a rapidly changing threat environment, so you really need a similarly rapid evidence-based feedback system that informs you of the ongoing […]Read more
The UK market has its own regulators, security standards and challenges. And while rulings from SEC in the US or the Australian Prudential Regulation Authority (APRA) in Australia don’t apply to UK companies, for the most part, the observations are undoubtedly relevant and the resulting advice instructive. It would be wrong to think UK financial […]Read more
<<< Part 2a: Australia’s Essential Eight: Beyond Endpoint Control <<< Part 2b: Activating UK NCSC & US NIST Guidelines: Beyond Endpoint Control Part 4: Systematic Measurement of Cyber Controls >>> As much as we invest into cyber security controls, external threats are inevitable. In a recent Notifiable Data Breaches Report from the Office of the […]Read more
Keen campers, scouts and even the Swiss Army know – that a good penknife is indispensable. This simple device has mitigated many a disaster at one point in time or another. Whether it’s to cut through a bit of string, tighten a screw or simply to solve the problem of no bottle opener in the […]Read more
Supply chain risk is an area of cyber security that demands the ongoing attention of every enterprise; because it can make the difference between being resilient or not. It’s no surprise that insurers warn that the vulnerability of supply chains is potentially a systemic risk that can quickly propagate across supply chain dominated industries. Organisations […]Read more
Read by directors, executives, and security professionals globally, operating in the most complex of security environments.