The Australian Cyber Security Centre (ACSC) 2017 Threat Report has just been released. The centre identified 47,000 cyber security incidents in 2016–17, a 15% increase on last year, and the report includes a breach of a defence contractor with links to national security projects.
Clive Lines, coordinator of the ACSC, reported that there were “two distinct trends when it comes to the level of sophistication employed by adversaries and cybercriminals”. On one end of the spectrum were increasingly sophisticated tactics employing new techniques and tools, in an attempt to infiltrate well-protected networks, particularly government networks. On the other end, networks are continuing to be compromised by crude techniques that use publicly known vulnerabilities, despite these being preventable with “established and relatively straightforward cyber security measures”.
Here are the key takeaways from the ACSC Threat Report 2017 for Australian organisations.
Increasing ease of entry into cybercrime
The past year has seen the growth of online communication networks, forums and so-called “darknet” marketplaces, where people are able to effectively purchase cybercrime as a service. This means that, despite having relatively low levels of technological know-how, people are more readily able to purchase services including malware deployment and development and cashout services, which allow people to transfer illicit funds overseas. This has effectively lowered the bar for entry into the world of cybercrime.
Cyber espionage on the rise
“Australia continues to be a target of persistent and sophisticated cyber espionage directed by foreign intelligence services – and will remain so for the foreseeable future,” says the report.
According to the ACSC, their knowledge of state-sponsored espionage has continued to grow, though they admit that the “true scale of cyber espionage activities against Australia may never be known”.
Cyber espionage not only targets government networks – it also targets private businesses involved in foreign investment, engaged in activities or industries of interest to foreign states, or whose networks are particularly vulnerable and can be used as infrastructure to attack other targets (even if their own networks hold no information of interest to foreign states).
Risk of cyber terrorism remains low
Despite what they might claim, terrorist groups lack the technical sophistication to conduct cyberattacks on Australian networks. While it’s possible they may develop this capability, this would involve a big change in recruitment and training efforts. In the meantime, they will continue to use more basic methods, such as defacing websites and hacking social media accounts.
Threats to government
While the ACSC has observed a reduction in major compromises of Australian Government networks, this does not necessarily represent a reduction in targeting. According to the report, “Foreign states continue to possess the greatest intent and capability to compromise Australian government networks.”
Threats to the private sector
The private sector continues to be targeted, with an 11% increase in targeting of sectors that have not traditionally been targeted, such as accommodation, hospitality and automotive, reflecting the increasing scope of cybercriminals. Cyber espionage remains a primary threat to the Australian private sector, with criminals particularly targeting intellectual property and other commercially sensitive information such as company negotiation strategies or business plans.
The private sector is particularly vulnerable to malicious emails and to targeted, socially engineered spearphishing, sometimes combined with phone calls, which has regularly been used to gain access to corporate networks.
Threats to financial institutions
Cybercriminals have yet to severely affect Australian financial institutions, as their relatively mature cyber security defences make them less attractive targets compared to more vulnerable targets in developing countries.
They should not be complacent, however, as criminal groups continue to conduct malicious activity, such as deploying malware on a network to steal online banking credentials or conducting large, multi-stage intrusions to facilitate larger scale theft.
Threats to managed service providers (MSPs)
MSPs have a broad range of customers, which can include government, military and business organisations, and they often have extensive access to those customers’ networks and data. They are, therefore, a highly attractive target for cybercriminals. In 2017, the compromise of the global networks of several MSPs was reported, and the ACSC reported that some of these compromises were used to subsequently compromise the MSPs’ customers.
Organisations need to be aware of the risks associated with outsourcing to service providers, as not knowing the risks makes it more difficult to manage them. The ACSC recommends building effective cyber security requirements into contracts for added protection.
Major challenges facing Australian organisations
Ransomware is one of the most prevalent cybercrime threats in Australia, and its virulence is only expected to increase, with the rise of ransomware-as-a-service (RaaS), a pseudo-franchise model that provides entry into the ransomware market via the darknet for anyone willing to pay, regardless of technical capability. This model means the vendor can reach a much larger victim base, without any extra effort on their part.
While ransomware sophistication continues to grow, as criminals make more use of advanced social engineering techniques and known Australian brands and government department identities, the most commonly reported ransomware delivery method remains large-scale untargeted phishing campaigns, whereby the victim downloads a malicious attachment on an email, as these campaigns are cheap and easy to run, and get results.
The second most common delivery method is through an exploit kit, which is a software toolkit that runs on a web service, and therefore doesn’t require a person to download a file – just visiting a website infected with malware while running vulnerable software is enough to become compromised.
Business email compromise (BEC)
According to the Australian Criminal Intelligence Commission (ACIC), BEC was responsible for losses of over $20 million, up from $8.6 million the previous year.
BEC typically involves social engineering, a psychological tactic whereby criminals use information gleaned from things like social media, websites and shareholder reports, as well as fraudulent documents and accounts, to manipulate someone into divulging information or performing an action. Most commonly, it involves someone impersonating a senior employee to change invoice details or generate a sense of urgency to bypass anti-fraud processes.
In one instance, a cybercriminal who used social engineering to pose as a CEO and COO of a company was able to obtain fraudulent payments of over US$500,000.
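The impersonation pattern described above (an executive’s name on a message sent from outside the organisation, often with a different reply address and urgent payment wording) can be screened for at the mail gateway. The following is an added example, not from the ACSC report; the domain, executive names and sample message are constructed.

```python
"""Flag inbound email showing the executive-impersonation BEC pattern.

Added example with constructed data: OWN_DOMAIN, EXECUTIVES and the
sample message are hypothetical, not taken from the report.
"""
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.com.au"                      # hypothetical organisation
EXECUTIVES = {"jane doe": "CEO", "john smith": "COO"}  # hypothetical directory
URGENCY_TERMS = ("urgent", "immediately", "today", "confidential",
                 "new bank details", "invoice")


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower() if reply_addr else sender_domain

    indicators = []
    # A senior staff member's display name arriving from an external domain.
    if name.strip().lower() in EXECUTIVES and sender_domain != OWN_DOMAIN:
        indicators.append("executive display name from external domain")
    # Replies silently redirected to a mailbox the attacker controls.
    if reply_domain != sender_domain:
        indicators.append("reply-to domain differs from sender domain")
    # Urgency and payment-change wording used to bypass anti-fraud checks.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        indicators.append("urgency/payment wording: " + ", ".join(hits))
    return indicators


# Constructed sample of the pattern: CEO's name, external sender, webmail reply-to.
SAMPLE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.private@webmail.test
To: accounts@example.com.au
Subject: Urgent - updated invoice details

Please process the attached invoice today with the new bank details. Keep this confidential.
"""

if __name__ == "__main__":
    for indicator in bec_indicators(SAMPLE):
        print("INDICATOR:", indicator)
```

A message carrying several indicators should be held for out-of-band verification with the supposed sender, which is the control that defeats the invoice-change scenario regardless of how convincing the email is.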
Distributed denial of service (DDoS)
DDoS activities will remain an “enduring threat”, says the ACSC, as state, criminal and issue-motivated groups continue to take advantage of weaknesses in internet-connected devices.
While a DDoS may not necessarily occur in Australia, it still has the potential to affect Australian systems through interdependencies. However, these interdependencies also hold the key to mitigating this threat, as it means DDoS activities can be disrupted at several points.
Internet of Things (IoT)
As home automation grows, so too does the number of internet-connected devices. These devices, however, are not always designed with security top of mind, and a lack of standardisation and the absence of any agreed security baseline mean there is the potential for significant security risk. This is particularly disturbing when you consider devices that can change the real-world environment, such as medical devices, cars and door locks.
The ACSC recommends implementing cyber security mitigation and incident management strategies, such as the ASD’s Essential Eight, which significantly reduce risk for almost all types of cyber incidents.
Performing routine system maintenance and relying on software and applications for network security is not sufficient; organisations must also have well-defined system processes, such as network segregation, administrative privilege restrictions and system logging. The report also states, “Investing in trained personnel will prove more beneficial than investing in software and applications that existing personnel may not be able to support.”
To learn more about how to protect your organisation, particularly when it comes to the Internet of Things, download our ebook Cautionary tales: cyber security and the Internet of Things. It explains the biggest challenges in cyber security over the next decade, identifies common cyber-attack sources and will help you prepare your organisation well enough to survive a cyber-attack. Download it today.