Australia crumbles under Cyber Storm attack

Summary: The 55 Australian organisations that took part in Australia's cyberwar games, Cyber Storm II, suffered "death by a thousand cuts", according to the head of Australia's Cyber Storm II effort.


The 55 Australian organisations that took part in Australia's cyberwar games, Cyber Storm II, suffered "death by a thousand cuts", according to the head of Australia's Cyber Storm II effort.

Speaking at day three of the AusCERT 2008 security conference, Steven Stroud, head of Australia's Cyber Storm effort and director of e-security exercises at the Attorney General's Department, told delegates that the incident response teams of participating organisations often became short-sighted under the simulated attacks, leading to chains of command crumbling, careless mistakes, and the loss of vital information.

"A lot of organisations wanted to exercise senior incident response (IR) boards, and to do that they had to create a crisis on the shop floor. What they found out was that it was very hard to get people to escalate. The IR teams were putting out spot fires here and there and no one took a step back to see the whole house was on fire," he told delegates.

"They're only talking about what they know about. They're only talking about what they can deal with, or deal with shortly. They are not projecting out how bad can this be... That doesn't happen. Some of the feedback is that it's not because they're busy, but it was because of a mindset."

Incident response teams too often dealt with localised problems, but failed to see how to tackle the high-level issues.

"An example from the banking sector was a number of, let's say, theoretical customers [who] had their credentials compromised through Internet banking. So the response was to reset the credentials. However, no one dealt with the actual problem, which was that these people all had keyloggers, so resetting credentials was a waste of time," said Stroud.

Many organisations were also surprised by the level of pain caused by the attacks — despite being well aware of their impact.

"If you hit your hand with a hammer, it's going to hurt. In Cyber Storm, a lot of people hit their hand with a hammer and were surprised that it hurt," said Stroud.

Standard operating procedures, such as logging incidents and following a chain of command, crumbled as the intensity of attacks increased in certain exercises, resulting in the loss of vital information. Stroud said incident response teams need to take a "101" course in data forensics.

"They need to be able to handle information to sort out their troubles and know where [information] is."

An incident response manager from one Cyber Storm participant studied how these procedures stood up to different levels of intensity, said Stroud.

"These guys had quite robust, formal communications paths. The way they did things — they were generally pretty busy and it all worked really well. So they took the phone call, they logged it. They got an e-mail, they logged it, etc, etc. And as they got busier, the logs became, instead of on the keyboard, scraps of paper and then became shouts across the room. As they got less busy, they went back to formal, but as a result a lot of information got lost."


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

    Fortunately I live in Tasmania which, as far as I can see, is not yet crumbling. With such widespread drought up there I guess it's inevitable that large parts will crumble but to suggest that All of Australia is crumbling is as informative as revealing it's made of old loaves of bread.

    I was relieved, after reading the article, that the headline is unrelated to the content.

    On that, all I can say is that all that is needed is for humans to have the speed and processing capacity to match computers. Then there would not be a problem, would there?
  • Streamline the core incident data gathering

    In my experience, a lot of information gathering processes:

    - request more information than is necessary

    - do not automatically gather data to which they already have access, but rather rely upon its re-entry every time

    - have poorly designed workflow

    - do not adequately prevent erroneous data, thereby often corrupting subsequent data.

    With any of these in a critical process, scalability is compromised under stress, leading to it being bypassed because it takes too long or becomes inaccurate when entry errors are made.

    A lot may be because incident reporting is not seen as being a critical process, but something done as part of the 'paperwork', with only the occasional critical issues that require a rapid response.

    This attitude leads to:

    - most processes being chat-like, ponderous interactions

    - rapid response paths involving a lot of people to escalate through

    - a lack of the necessary, automated, realtime analysis to recognise higher-level patterns that may be occurring.

    This will not improve and be scalable unless ALL processes are:

    - as streamlined as possible

    - automatically get location, machine and other environment information

    - require the minimum of human entry

    - prevent erroneous data entry at each stage.