Cyber Security Picture 2013

Download CSOC Update, Cyber Security Picture 2013 (440K PDF), June 2014

Summary

  1. This report summarises cyber intrusion activity identified by or reported to the Cyber Security Operations Centre (CSOC) during 2013. It provides a broad overview of cyber threats to Australian government networks, as observed by the CSOC.
  2. The Strategies to Mitigate Targeted Cyber Intrusions remain your best defence against the cyber threat. Implementing the Top 4 strategies as a package is at the core of this protection, as they mitigate at least 85% of cyber intrusions responded to by the CSOC. The Top 4 strategies prevent execution of malicious software, and minimise software vulnerabilities and the ability of a cyber adversary to propagate across a network. The remaining 31 strategies form an excellent basis from which to assess further network security initiatives based on a risk assessment. Your risk assessment processes should take into account the specific risks faced by your agency, the information you are protecting, and your current network security posture.
  3. While socially-engineered emails remain the most prevalent threat to Australian government networks, the CSOC observed the emergence of several new techniques used in these emails during 2013, such as the use of cloud storage providers, Java files, and the repurposing of genuine emails. The increasing skill and resourcefulness of cyber adversaries highlights the importance of being continually vigilant and up-to-date in your network security. The Strategies to Mitigate Targeted Cyber Intrusions have been updated in 2014 to reflect the evolution of the threat environment.
  4. Although the initial cost of implementing the Strategies to Mitigate Targeted Cyber Intrusions can seem high for some agencies, they represent an important investment in your organisation, reducing long-term costs and risk. If you experience a network compromise, you will face not only the cost of implementing these strategies to prevent further compromise, but also the higher direct and indirect costs of remediating the compromise. These costs include, but are not limited to, investigating the compromise, tactical remediation, reputational damage, opportunity costs from the loss of information, and lost productivity. See ASD’s The Cost of Compromise publication for more information about the costs associated with compromise.

Key CSOC statistics for 2013 (figure): 940 incident responses, 49% of them to federal government agencies, and an increasing trend in malware. Contact ASD if you require assistance.

Something old, something new

The same spear-phishing threat…

  1. Targeted socially-engineered emails remain the most prevalent method used to target Australian government networks. Where an intrusion method was identified, these emails comprised 53% of cyber security incidents responded to by the CSOC in 2013. While the percentage decreased from 63% in 2012 and 77% in 2011, a corresponding increase in other techniques demonstrates the persistence and innovative methods of cyber adversaries to compromise Australian government information.

…but new techniques

  1. While targeted socially-engineered emails are a traditional threat vector, cyber adversaries have diversified aspects of their tradecraft in order to increase the likelihood of successful delivery and user interaction, such as through the use of:
    1. cloud storage providers, including Dropbox
    2. Java (JAR) files, and
    3. repurposing genuine emails.
  2. Dropbox is a free online file storage service which allows users to share files and collaborate with other users, accessing and synchronising all types of files across all the devices they use. An email with a legitimate-looking subject and a Dropbox link, rather than an attachment, is more likely to bypass email content filtering and gateway antivirus scanning. Files shared through Dropbox are downloaded over an encrypted channel, so unless a product that can inspect that channel (for example a TLS-inspecting web proxy) has been deployed, the effectiveness of traditional network monitoring at detecting the malware significantly decreases.
  3. The CSOC recommends that you carefully risk-assess your use of cloud storage services, review the mitigations these services have in place and assess their effectiveness, and implement appropriate strategies to mitigate the risks.
  4. In 2013, the CSOC noted that malicious Java archive (JAR, .jar) attachments accounted for 10% of the attachments used in socially-engineered emails sent to Australian government departments where an intrusion method was identified. A JAR file is a ZIP-based archive used to distribute software on the Java platform; if a user opens a malicious JAR attachment on a workstation with Java installed, the code it contains runs and may give a cyber adversary remote access to the victim network.
  5. Because Java code runs on any workstation with a Java runtime, regardless of its architecture, Java remains a preferred platform for business applications. Although each new version of Java is heavily scrutinised by the IT community for new security vulnerabilities, many Australian government agencies have poor patching practices, leaving them exposed to vulnerabilities that cyber adversaries exploit.
  6. The Strategies to Mitigate Targeted Cyber Intrusions have been updated in 2014 to reflect the emergence of Java as a threat to Australian government networks. In addition to implementing the Top 4 strategies to protect your network from your users’ browsing activities, the following strategies are also recommended to combat the Java threat:
    1. Strategy 5 – User application configuration hardening, disabling running of Internet-based Java code, untrusted Microsoft Office macros, and unneeded/undesired web browser and PDF viewer features.
    2. Strategy 7 – Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
    3. Strategy 17 – Email content filtering, allowing only whitelisted business-related attachment types. Preferably analyse/convert/sanitise hyperlinks, PDF and Microsoft Office attachments.
    4. Strategy 18 – Web content filtering of incoming and outgoing traffic, whitelisting allowed types of web content and using behavioural analysis, cloud-based reputation ratings, heuristics and signatures.
    5. Strategy 21 – Workstation and server configuration management based on a hardened Standard Operating Environment, disabling unneeded/undesired functionality e.g. IPv6, autorun and LanMan.
  7. In addition to these strategies, ASD also recommends that you consider the following technical controls for mitigating malicious Java code:
    1. Allowing Java applications to run only from trusted sources, such as the corporate intranet or Australian government (gov.au) internet domains.
    2. Configuring separate browsers for internal and external use, so that Java need only be enabled in the browser used for internal applications.
    3. Investigating the use of Oracle’s Deployment Rule Set, which ensures that less trusted applications run only on the latest version of Java while allowing legacy applications to run on other versions.
  8. Cyber adversaries are persistent and aggressive in their efforts to compromise Australian government networks, and constantly update their tradecraft to achieve success. In 2013, the CSOC also saw evidence of legitimate emails and attachments being repurposed: modified to include malicious code and then re-used to target Australian government users in socially-engineered emails.
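
As an added illustration of the two lures described above (cloud-storage links and JAR attachments disguised as business documents), the following Python script is example code written for this page; it is not ASD's or the CSOC's. It decides an attachment's real type from its content rather than its filename (a JAR is a ZIP archive with a manifest or .class entries, so the ZIP signature alone is not enough to tell it from a .docx), enforces a hypothetical attachment-type whitelist in the spirit of Strategy 17, and holds mail that links to cloud-storage hosts for review, since a gateway cannot scan a file that the user later fetches over an encrypted channel. The allowlists, host names, addresses and the sample message are constructed assumptions.

```python
"""Inbound mail triage for cloud-storage links and disguised JAR attachments.
Added example, not ASD's code; allowlists and the sample message are constructed."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Hypothetical business allowlist of attachment types (Strategy 17).
ALLOWED_TYPES = {"pdf", "docx", "xlsx"}
# Hypothetical watch-list of cloud-storage hosts whose links get a second look.
CLOUD_STORAGE_HOSTS = ("dropbox.com", "dropboxusercontent.com")

MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc/.xls container
    b"MZ": "exe",
}


def sniff_type(data: bytes) -> str:
    """Decide the real type from content; the filename extension is untrusted."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    if data[:2] == b"PK":
        # JAR, OOXML (docx/xlsx) and plain ZIP share the ZIP signature, so look inside.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        if "[Content_Types].xml" in names:
            if any(n.startswith("word/") for n in names):
                return "docx"
            if any(n.startswith("xl/") for n in names):
                return "xlsx"
        return "zip"
    return "unknown"


def _is_cloud_storage(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_STORAGE_HOSTS)


def triage_message(raw: bytes) -> dict:
    """Return per-attachment verdicts, flagged links and an overall action."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    result = {"attachments": [], "links": [], "action": "deliver"}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = sniff_type(part.get_payload(decode=True) or b"")
        if actual not in ALLOWED_TYPES:
            verdict = "block"      # not a whitelisted type, whatever it is called
        elif actual != claimed:
            verdict = "block"      # allowed type, but the filename lies about it
        else:
            verdict = "allow"
        result["attachments"].append(
            {"name": name, "claimed": claimed, "actual": actual, "verdict": verdict})
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        if _is_cloud_storage(url):
            result["links"].append(url)
    if any(a["verdict"] == "block" for a in result["attachments"]):
        result["action"] = "quarantine"
    elif result["links"]:
        result["action"] = "hold_for_review"   # content cannot be scanned at the gateway
    return result


def build_sample_message() -> bytes:
    """Constructed lure: a Dropbox link plus a JAR renamed to look like a PDF."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class magic, stub body
    msg = EmailMessage()
    msg["From"] = "finance@example.invalid"          # hypothetical sender
    msg["To"] = "user@agency.example.invalid"        # hypothetical recipient
    msg["Subject"] = "RE: Invoice 2013-114, please confirm"
    msg.set_content("Hi,\n\nSigned copy: https://www.dropbox.com/s/abc123/Invoice.pdf?dl=1\n")
    msg.add_attachment(jar.getvalue(), maintype="application", subtype="pdf",
                       filename="Invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n% constructed stub, not a real document\n",
                       maintype="application", subtype="pdf", filename="Quote.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for key, value in triage_message(build_sample_message()).items():
        print(key, value)
```

Run as a script, it quarantines the sample: Invoice.pdf is reported as a JAR and blocked, Quote.pdf is allowed, and the Dropbox link is listed for review. The same content-sniffing approach extends to any type on the allowlist; the point is that the verdict never depends on the extension the sender chose.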

Drive-by download and watering-hole techniques

  1. Open-source reporting has noted the growing popularity of watering-hole techniques in 2013. In a watering-hole attack, a cyber adversary compromises a legitimate website that the intended victims are known to visit and uses it to deliver malicious content; because it takes full advantage of a user’s trust in that website, the technique provides an effective method for exploitation.
  2. In 2013, the volume of drive-by download activity observed by the CSOC increased. However, the nature of this activity was incidental and opportunistic rather than deliberate targeting. It is very difficult to identify watering holes that have been specifically set up to target particular users, and consequently the CSOC has little evidence of premeditated targeting of Australian government victims using this technique.
  3. While user education is an important part of a defence-in-depth approach, it will not prevent a user from visiting a legitimate website that has been temporarily compromised to deliver malicious content as part of a watering-hole or drive-by download attack. Visiting such a website can compromise the user’s workstation without any obvious indication of compromise to the user.
  4. There are two aspects to mitigating this type of activity:
    1. Ensure that your own websites and web applications cannot be compromised and used as watering holes. ASD has released the guidance document Protecting Web Applications and Users, which can assist.
    2. In addition to implementing the Top 4 Strategies to Mitigate Targeted Cyber Intrusions to protect your networks from your users’ browsing activities, you should also deploy:
      1. Strategy 5 – User application configuration hardening, disabling running of Internet-based Java code, untrusted Microsoft Office macros, and unneeded/undesired web browser and PDF viewer features.
      2. Strategy 6 – Automated dynamic analysis of email and web content run in a sandbox to detect suspicious behaviour, including network traffic, new or modified files, or other configuration changes.
      3. Strategy 7 – Operating system generic exploit mitigation e.g. Data Execution Prevention (DEP), Address Space Layout Randomisation (ASLR) and Enhanced Mitigation Experience Toolkit (EMET).
      4. Strategy 17 – Email content filtering, allowing only whitelisted business-related attachment types. Preferably analyse/convert/sanitise hyperlinks, PDFs and Microsoft Office attachments.
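
The following Python script is an added example for the first mitigation above (keeping your own sites from becoming watering holes); it is not part of ASD's guidance. It is a check an agency could run over its published pages to spot the kind of content a compromise typically injects: script or frame sources outside an allowlist of origins, hidden iframes, and inline script built from eval/unescape-style obfuscation. The site host, the allowlist, both sample pages and the 203.0.113.7 address (from a documentation range) are constructed assumptions.

```python
"""Integrity check for pages you publish: flag content a watering-hole
compromise typically injects.  Added example, not from ASD's guidance;
the allowlist and both sample pages are constructed for this illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the site's own host and the third-party origins it legitimately loads from.
SITE_HOST = "www.agency.example"
ALLOWED_HOSTS = {"cdn.agency.example"}
# Inline-script fragments that are rarely legitimate on a static content site.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")


class InjectedContentScanner(HTMLParser):
    """Collects (tag, reason, detail) findings for suspicious script/frame use."""

    def __init__(self, site_host: str, allowed_hosts: set):
        super().__init__()
        self.allowed = set(allowed_hosts) | {site_host}
        self.findings = []
        self._in_script = False

    def _external(self, src: str) -> bool:
        # Relative URLs have no host and are same-origin by definition.
        host = (urlparse(src).hostname or "").lower()
        return bool(host) and host not in self.allowed

    @staticmethod
    def _hidden(attrs: dict) -> bool:
        style = attrs.get("style", "").replace(" ", "").lower()
        return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe", "object", "embed"):
            src = a.get("src") or a.get("data")
            if src and self._external(src):
                self.findings.append((tag, "external source", src))
            if tag == "iframe" and self._hidden(a):
                self.findings.append((tag, "hidden frame", src or "(inline)"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for obfuscation idioms.
        if self._in_script and any(m in data for m in OBFUSCATION_MARKERS):
            self.findings.append(("script", "obfuscated inline code", data.strip()[:40]))


def scan_page(html: str, site_host=SITE_HOST, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return the list of findings for one page; an empty list means nothing suspicious."""
    scanner = InjectedContentScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed baseline page: own scripts plus one approved CDN.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.agency.example/js/site.js"></script>
<script src="/js/app.js"></script>
</head><body><h1>Media releases</h1>
<iframe src="https://www.agency.example/embed/map" width="600" height="400"></iframe>
</body></html>"""

# Constructed: the same page after a hypothetical watering-hole compromise.
COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://203.0.113.7/counter.php" width="0" height="0" style="display: none"></iframe>
<script>eval(unescape("%76%61%72%20%78"));</script>
</body>""")

if __name__ == "__main__":
    print("clean:", scan_page(CLEAN_PAGE))
    for finding in scan_page(COMPROMISED_PAGE):
        print("suspect:", finding)
```

Run on the clean page it reports nothing; on the modified page it reports the external hidden frame twice (once per reason) and the obfuscated inline script. In practice the allowlist would be generated from a known-good crawl of the site and the scan scheduled against the live pages, so that a change introduced by an attacker rather than by your own deployment pipeline stands out.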

A final word

  1. Your network is not necessarily the only network that holds your agency’s information – do not forget about contractors and other service providers, who may be the weaker and therefore more attractive target for a cyber adversary that wants your information. Also consider that you likely hold the information of others, often with contractual provisions around confidentiality or secrecy. While your own information may potentially not be of interest to a cyber adversary, information you hold for third parties may be, and cyber adversaries often target the weakest link.

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian government systems.
  2. ASD’s Strategies to Mitigate Targeted Cyber Intrusions and its companion ASD products complement the advice in the ISM.

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.