NewsBites Drilldown for the Week Ending 26 June 2020

by SANS Blog on June 29, 2020

John Pescatore
– SANS Director of Emerging Security Trends

This week’s Drilldown focuses on just one item (included below) from NewsBites Issue 50, which detailed sophisticated state-backed attacks against private industry in Australia.

The main takeaway: The Australian Signals Directorate (ASD), which is the equivalent of the U.S. National Security Agency, once again pointed out that well-known basic security hygiene (starting with installing existing patches) would have prevented these attacks from succeeding.

Sponsorships Available

Back in 2013 or so, the ASD tested its top four recommended security controls (application whitelisting, application patching, OS patching and limiting admin privileges). The ASD found that those four actions alone mitigated 85% of the advanced targeted attacks it was seeing in the real world.

In 2017, the ASD expanded the model to focus on changes in threats, and in particular adding data backup and multifactor authentication (MFA) to form the Essential Eight Maturity Model. It recently also added three maturity levels to each factor.

Organizations already using the CIS Critical Security Controls as a baseline won’t see anything new in the Essential Eight. Neither framework really tells anyone experienced in cybersecurity anything they didn’t already know. One of the biggest values of adopting one of these frameworks is using it to convince management to back the changes required to patch faster, test applications more, limit privileges, increase the strength of authentication, and so on, because security teams can rarely implement any of these by themselves. As part of developing plans for returning to normal operations, including the adoption and use (or getting support for more effective use) should be a key part of recommendations to management.

______________________________________________________________________________

Prime Minister: Australia is Under State-Sponsored Cyberattack

(June 19, 2020)

At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country’s public sector is under cyberattack from a state-backed actor. The attacks have targeted organizations in a range of sectors, including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country that he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the “tactics, techniques and procedures used to target multiple Australian networks.”

[Editor Comments][Pescatore] Two telling quotes from the ASD alert: (1) “The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor,” and (2) “ACSC Recommended Prioritised Mitigations … Prompt patching of internet facing software, operating systems and devices. All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available.” The attacks were sophisticated, but basic security hygiene (patching) would have disabled those attacks. The ASD has shown data on how the top four basic security hygiene controls alone mitigate 85% of sophisticated, targeted cyberattacks.

[Neely] While attribution is a nice to have, ensuring that sufficient security is in place for systems as well as recovery from attacks are critical activities. The ASD/ACSC advisory provides prioritized mitigations, starting with patching and implementing MFA, followed by the Essential Eight controls www.cyber.gov.au/sites/default/files/2020-06/PROTECT – Essential Eight Maturity Model (June 2020).pdf Those are common sense changes that will dramatically reduce the attack surface.