On Friday 19th June, the Australian Prime Minister gave a press conference outlining an intense and persistent cyber attack against Australian organisations, allegedly originating from an overseas adversary. The Prime Minister stated with confidence that a hostile nation-state was behind the campaign, but refrained from naming the culprit. Other news outlets, however, reported that unnamed senior government officials attributed the activity to China, although this remains unconfirmed by official sources.
Increased levels of cyber attacks are reportedly being experienced across Australian government and businesses, and the effectiveness of regular system patching and multi-factor authentication (MFA) were specifically highlighted as areas for improvement.
The Australian Cyber Security Centre (ACSC) released more detail in a 48-page advisory entitled “Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks.” This advisory details the tactics, techniques and procedures (TTPs) the ACSC identified during its investigation of this series of attacks. The TTPs are categorised using the MITRE ATT&CK® Framework, allowing security teams to immediately understand the nature of the attacks and the controls that may prevent further breaches.
ACSC strongly recommends implementing the ASD Essential Eight controls to help organisations prevent these sorts of attacks. In fact, they have found that applying all eight of these controls to a maturity level of three or more prevents as many as 85% of targeted attacks. There is no doubt that monitoring the implementation and ongoing effectiveness of each of these eight critical controls can improve an organisation’s security posture.
The Essential Eight is ACSC’s prioritised list of cyber mitigation strategies to help protect any organisation. Each of the eight controls can be tailored to meet specific organisational requirements, based on considerations such as the industry they are in, the risk profile and the most anticipated threat actors against whom they are defending.
The Essential Eight highlights implementing application control, ensuring applications are fully patched, configuring Microsoft Office macro settings and user application hardening as the most important of the eight controls, followed by restricting administrative privileges, patching operating systems, implementing MFA and comprehensive daily backups. You can find more in-depth technical insight into where these eight recommendations originated in the ASD ISM, the Australian Government’s Information Security Manual.
Of the Essential Eight controls, a few will make a massive difference against the current attacks targeting Australian organisations, since these attacks rely on two weaknesses in our security defences. Firstly, a significant number of attacks begin with successful phishing campaigns that entice users to give up credentials or install malware on their systems. You can all but remove account compromise from an organisation’s attack surface by implementing a trusted multi-factor authentication (MFA) solution, which requires additional authentication beyond usernames and passwords before a user is allowed to access systems.
Secondly, patching your operating systems and applications ensures they are protected from the latest vulnerabilities and exploits. This significantly improves the resilience of your enterprise against this common and highly successful attack vector.
MFA solutions provide a defensive barrier against account compromise by adding to the authentication chain something much harder to obtain than a username and password, such as biometrics (e.g. fingerprints) or tokens (RSA, Google Authenticator, etc.). Even if an attacker intercepts the username and password, the biometric factor makes the account almost impossible to hijack. In the same way, the attacker would need access to the token to authenticate, since it provides a one-time use code that is impossible to guess.
ACSC has developed a cyber maturity model to allow organisations to gauge the current effectiveness of their controls against the Essential Eight security target, with detailed descriptions of what each maturity level means against each control. Maturity levels are defined as:
For the best coverage, you should aim for maturity level three, since level three ensures the implementation fully protects the organisation in the context of its purpose. For example, at level three MFA protects all remote access users, authenticates all privileged users, and protects access to confidential or critical information stores.
It’s an inevitability of the modern business world that cyber attacks happen; securing your business against determined attackers is a complex and incredibly difficult challenge and a problem space that’s changing all the time.
ACSC has stated that, while investigating cyber incidents, it has found organisations have insufficient logs and records to give visibility of the activity occurring on their computer systems and networks. Deep insight into what is happening on each system is needed for practical incident response, since it shows what actually happened. It helps reduce the impact of the attack and the time to respond, and allows the organisation to determine how to prevent future attacks of this nature.
Every computer system and network device can log activity to a very detailed level. MFA solutions, for example, will show who logged on, when they logged on, and even what geographical location they are logging on from, so you can see how that is incredibly useful in an investigation. However, some systems may be configured to be less verbose, and in some cases logs may be overwritten within a matter of hours, depending on retention policies.
Security teams need a way to collect and analyse logs across the entire infrastructure, then collate that information into a useful report that prioritises their activities. A Security Information and Event Management (SIEM) system is the most effective way to meet this requirement as it can baseline normal behaviour and report at different management levels, such as technical security teams, operational managers and executives.
Huntsman Security supports the MITRE ATT&CK® Framework in its solutions; advisories such as last week’s one from ACSC are used by security operations teams to develop correlation rules against known attack types, tied to the context of the logs collected from each of the organisation’s specific systems.
The MITRE Corporation defines the ATT&CK® Matrix as:
“… a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations [to be] used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community.”
The value of the MITRE ATT&CK® matrix comes from the way it gives the security industry a normalised approach to defining attack tactics, techniques and procedures; meaning that when ACSC says:
Lateral Movement: T1028 – Windows Remote Management
The ACSC identified the actor utilising Windows Remote Management (WinRM) via PowerShell to move laterally through victim networks.
Security teams can then refer to the details in the ATT&CK® Matrix, as follows:
Windows Remote Management
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.
Cobalt Strike: Cobalt Strike can use WinRM to execute a payload on a remote host.
Threat Group-3390: Threat Group-3390 has used WinRM to enable remote execution.
Disable or Remove Feature or Program: Disable the WinRM service.
Network Segmentation: If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.
Privileged Account Management: If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.
Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.
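As an added example, not part of the ACSC advisory or the ATT&CK entry and not Huntsman's product logic, the following Python turns that detection guidance into two correlation rules run over constructed sample events: WinRM's service entering the running state on a host outside an assumed baseline, and processes created under the WinRM host process, followed down the parent chain so that a script's children are tied back to the WinRM session. Windows does run WinRM-invoked commands under wsmprovhost.exe, and event IDs 7036 (service state change) and 4688 (process creation) are the real Windows events, but the hostnames, users, PIDs, the MGMT01 baseline and the key=value layout are all assumed simplifications of what a SIEM would normalise.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs) in a simplified key=value form modelled on
# Windows System 7036 (service state change) and Security 4688 (process creation) events.
SAMPLE_LOGS = [
    r'2020-06-22T09:58:11Z host=MGMT01 event=7036 service="Windows Remote Management (WS-Management)" state=running',
    r'2020-06-22T10:15:03Z host=FS02 event=7036 service="Windows Remote Management (WS-Management)" state=running',
    r'2020-06-22T10:15:09Z host=FS02 event=4688 user=CORP\jsmith pid=4120 ppid=880 process=C:\Windows\System32\wsmprovhost.exe parent=C:\Windows\System32\svchost.exe',
    r'2020-06-22T10:15:12Z host=FS02 event=4688 user=CORP\jsmith pid=4188 ppid=4120 process=C:\Windows\System32\cmd.exe parent=C:\Windows\System32\wsmprovhost.exe',
    r'2020-06-22T10:15:14Z host=FS02 event=4688 user=CORP\jsmith pid=4202 ppid=4188 process=C:\Windows\System32\whoami.exe parent=C:\Windows\System32\cmd.exe',
    r'2020-06-22T10:20:00Z host=MGMT01 event=4688 user=CORP\svc-config pid=5120 ppid=5008 process=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\wsmprovhost.exe',
    r'2020-06-22T10:31:40Z host=WS17 event=4688 user=CORP\alee pid=3300 ppid=2100 process="C:\Program Files\App\app.exe" parent=C:\Windows\explorer.exe',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WINRM_SERVICE = "Windows Remote Management (WS-Management)"
WINRM_HOST_PROCESS = "wsmprovhost.exe"   # the process WinRM uses to run remote commands and scripts
BASELINE_WINRM_HOSTS = {"MGMT01"}         # assumed: hosts where WinRM administration is normal


def parse_event(line: str) -> dict:
    """Split '<timestamp> key=value key="quoted value" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted or bare
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_winrm_activity(lines, baseline_hosts=BASELINE_WINRM_HOSTS) -> list:
    """Two checks drawn from the ATT&CK detection guidance:
    1. WinRM service entering the running state on a host where it is not normally used.
    2. Processes created by the WinRM host process, followed down the parent chain so a
       script's child processes (e.g. whoami.exe under cmd.exe) are tied back to WinRM.
    """
    alerts = []
    lineage = defaultdict(dict)  # host -> {pid: depth below wsmprovhost.exe}
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        if ev.get("event") == "7036":
            if (ev.get("service") == WINRM_SERVICE and ev.get("state") == "running"
                    and host not in baseline_hosts):
                alerts.append({"rule": "winrm_service_started_off_baseline",
                               "host": host, "ts": ev["ts"]})
        elif ev.get("event") == "4688":
            proc, parent = basename(ev["process"]), basename(ev["parent"])
            pid, ppid = ev.get("pid"), ev.get("ppid")
            if proc == WINRM_HOST_PROCESS:
                lineage[host][pid] = 0      # root of a WinRM session; children inherit from here
                continue
            if ppid in lineage[host]:
                depth = lineage[host][ppid] + 1
            elif parent == WINRM_HOST_PROCESS:
                depth = 1                   # parent named, but its own creation event was not seen
            else:
                continue
            lineage[host][pid] = depth
            alerts.append({"rule": "process_spawned_by_winrm", "host": host, "ts": ev["ts"],
                           "user": ev.get("user"), "process": proc, "depth": depth,
                           "expected_host": host in baseline_hosts})
    return alerts


if __name__ == "__main__":
    for alert in detect_winrm_activity(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the service start on MGMT01 is silent because that host is in the baseline, while FS02 raises a service-start alert followed by cmd.exe and then whoami.exe at depths 1 and 2; the PowerShell launch on MGMT01 is still reported, flagged as occurring on an expected host so an analyst can triage it at lower priority rather than lose the correlation entirely.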
Protect your organisation from cyber attack. Huntsman Security has mapped its technology’s capabilities to the MITRE ATT&CK® Framework to assist security teams in transforming threat advisories into actionable intelligence.
Explore how Huntsman Security can assist your organisation in the implementation and performance measurement of the Essential Eight security controls and how it fulfils MITRE ATT&CK® mitigation strategies.