ACSC publishes first threat report, but... ho hum

The Australian Cyber Security Centre (ACSC) has released its first-ever unclassified cyber security threat report, but it's an opportunity missed. It's just another generic government cyber document.

Major General Stephen Day had warned us about yesterday's report, the "Australian Cyber Security Centre Threat Report 2015". I am disappointed to be telling you that he was right. Well, mostly right.

Day heads up the Cyber and Information Security side of the Australian Signals Directorate (ASD), and was the ACSC's first co-ordinator. Last month he told the Check Point Cyber Security Symposium in Sydney -- nearly a thousand infosec professionals plus a few media -- that the report would hold "few surprises" for us. Rather, it was intended to be a "comprehensive, authoritative document that you can use to speak to executives, to boards, to those who just don't get it -- yet."

Well, the report (PDF) has dropped, and indeed it contains few surprises. It tells the now-familiar story of serious and organised criminals, foreign state-sponsored actors, and other "cyber adversaries", all of whom are getting better at what they do.

"The cyber threat to Australian organisations is undeniable, unrelenting and continues to grow. If an organisation is connected to the internet, it is vulnerable. The incidents in the public eye are just the tip of the iceberg," begins the report's foreword.

"Cyber adversaries are aggressive and persistent in their efforts to compromise Australian networks and information. They are constantly improving their tradecraft in an attempt to defeat our network defences and exploit new technologies," it says later.

"Australia is an innovative country with a globally important resources sector. We are a regional leader with global interests and important partnerships. This makes Australia a target-rich environment for cyber adversaries."

All of which is true, of course, but all of which has been said so many times before.

The claim that all these cybers cost Australia AU$1 billion a year has also been said before -- because it's from Symantec's 2013 Norton Report. This fact is properly footnoted and sourced, but why we're seeing a two-year-old figure from a vendor -- hardly a disinterested source -- is an unsolved mystery.

There are a couple of useful charts, however.

Figure 1: Cyber security incident responses by ASD. Source: ACSC.

One shows the steady rise in the number of "cyber security incident responses" handled by the ASD, from 313 in 2011, to 1131 in 2014. But there's no analysis of whether that growth reflects a real increase in malicious activity, or merely an increase in the ASD's ability to detect and respond to incidents, thanks to increased budgets, increased awareness, and better processes. Nor is there any reflection on the fact that the rate of increase has been declining, from 119 percent between 2011 and 2012, to 20 percent between 2013 and 2014.

This chart also commits the sin of spin, by failing to start the vertical axis from zero.

The other chart shows how the attacks responded to by CERT Australia in 2014 were distributed across industry sectors -- with the energy sector in the lead, accounting for 29 percent of the total, compared with 20 percent in banking and finance, 12 percent in communications, and 10 percent each in defence and transport.

Figure 2: Incidents responded to by CERT Australia affecting systems of national interest and critical infrastructure in 2014. Source: ACSC.

That energy sector figure appeared to be related to one of the eight case studies in the report. These case studies could have been the report's highlight, but... well, here's that energy sector case study in its entirety.

Case study: Watering-hole

In October 2014, CERT Australia issued an advisory warning of watering-hole activity specifically targeting organisations in the energy sector. The advisory listed websites that had likely been compromised, and encouraged clients to report any suspicious activity. CERT Australia clients were able to use the information provided to successfully detect and block communications to watering-hole sites.

That's it.

So what did you learn from that?

Yeah, exactly.

Other case studies are a bit longer, but just as bland, and just as unspoiled by grubby, concrete details. Here's how the drama of fighting off the hacktivists is portrayed.

Case study: DDoS

A major Australian organisation was the victim of a sustained DDoS targeting its main website. An issue-motivated group purporting to oppose the work of this organisation claimed responsibility for the activity. The group had exploited poorly configured domain name system (DNS) infrastructure to conduct the activity.

CERT Australia provided advice to the organisation on how to protect itself from a DDoS activity, and analysed logs of the activity. As a result of the analysis, CERT Australia identified DNS servers utilised in the activity, and contacted the system owners to help them improve the configuration so that those systems would not be used in further DDoS activity.

Phphphphtttt..... zzzzzzzzzzz.

Oh sorry, where was I?

Yeah, hacktivists. Who were they? What did they want? Why were they attacking this organisation? How big was this DDoS attack? Where had the victim's IT teams failed? What damage did it do to the victim's bottom line? How long did all this take to fix? How did CERT Australia help? What lessons did we all learn?

"Cyber security is a quintessential team sport. If we are collectively to get ahead, we have to swap experiences and the lessons that we've learned," Day said last month.

"There is no doubt in my mind that we in government have to work much harder to declassify what we know, and to get it out there to the people who can actually use it."

Indeed. And in its report, the ACSC's natural reluctance to reveal any details that might help the bad guys, or embarrass the victim, has ended up draining the case studies of any emotional hook that might allow them to connect with the people who are presumably the target audience for this report -- the executives, boards, and those "who just don't get it -- yet".

Now, Australia's reputation for even more secrecy in national security matters than most other western nations has generally served us well. But if the steady stream of glossy, emotion-laden infosec threat reports from vendors hasn't won over the hearts and minds of corporate Australia to the cyber cause, then bland government-speak with an absence of concrete facts won't either. The kangaroo and emu on the front cover won't be any help, despite its supposed authority.

This report represented a wonderful opportunity for the spooks to open up a little, and tell us a few new cyber war stories. I'm disappointed. It's an opportunity lost.

The ACSC has a new coordinator. Clive Lines, a civilian, took over from Day last Monday, 20 July.

"Major General Day will retire later this year after over 30 years of distinguished service," a defence department spokesperson told me via email.

Will a civilian be better able to cut through defence reluctance to tell us stories? Or will it be harder for him?

Either way, at least this first ACSC threat report sets an initial benchmark.