ACSC Threat Report: The real messages

Total pwnage of the Bureau of Meteorology makes for some fine schadenfreude, but the Australian Cyber Security Centre's new threat report is really about separating hype from reality.
Written by Stilgherrian, Contributor

"Bureau of Meteorology [BoM] hacked by foreign spies in massive malware attack," reported ABC News. "Terrorists could launch a cyber attack within three years," reported the Sydney Morning Herald.

"Hacked by foreign spies" was the theme in most mainstream media coverage of the second unclassified threat report [PDF] from the Australian Cyber Security Centre (ACSC), which was released on Wednesday.

Those stories caught the media's attention. They certainly made for dramatic reading.

The Australian Signals Directorate (ASD) investigated the BoM hack. Not only did they find a remote access tool (RAT) "popular with state-sponsored cyber adversaries", they also found CryptoLocker ransomware and other cybercrime-oriented malware, and evidence of significant data exfiltration over an extended period.

"The presence of password dumping utilities and complete access by the adversary to domain controllers suggested all passwords on the Bureau's network were already compromised at the time of the investigation," the ACSC wrote.

Meanwhile the Minister Assisting the Prime Minister for Cyber Security, Dan Tehan, talked up the threat of cyberterrorism.

"Islamic State is using social media for propaganda and recruitment but its skills to launch a genuine cyber attack are rudimentary," Tehan wrote at The Australian.

"That won't always be the case and the ACSC estimates that within three years terrorists will have the ability to compromise a secure network with destructive effect."

But such overblown headlines -- and especially Tehan's cyberscary soundbite -- seem to miss the main thrust of the ACSC's report.

For a start, the ACSC warned against using the term "cyber attack" as a catch-all.

"The broad adoption of the term has seen it often used in a sensationalist way -- similar to 'cyber war', 'cyber terrorism', and 'cyber weapons' -- with the term 'attack' generating an emotive response and a disproportionate sense of threat," the ACSC wrote.

"If a nation says it has been subjected to an 'attack', this is weighted with tremendous significance. As such, the Australian government's definition of cyber attack can be at odds with what the information security community, the public, and the media envisage cyber attacks to be."

The recent Census debacle is an example.

The Australian Bureau of Statistics (ABS) and IBM "temporarily disabled access to the Census website after experiencing multiple DDoS incidents," the ACSC wrote.

"However, this incident was initially described in some media reporting as being the result of a 'foreign cyber attack' -- a description that led to a heightened sense of threat and risk, increased concerns from the public about the security of their personal information, and triggered media speculation about nation state motivations, tradecraft, and the possibility of further 'attacks'."

As for cyberterrorism, well, here's what the ACSC wrote in its entirety.

"Terrorist groups that seek to harm Western interests currently pose a low cyber threat. Apart from demonstrating a savvy understanding of social media and exploiting the internet for propaganda purposes, terrorist cyber capabilities generally remain rudimentary and show few signs of improving significantly in the near future. They will continue to focus on DDoS activities, hijacking social media accounts, defacing websites, the hack and release of personal information, and compromising poorly-secured internet-connected services. It is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years.

Cyberspace will continue to present a target rich environment. With intent and investment, terrorist groups could potentially develop more sophisticated cyber capabilities. However, at this point in time, terrorist groups are more likely to embarrass governments, impose financial costs, and achieve propaganda victories by compromising and affecting poorly secured networks."

Let me repeat. Tehan claimed "the ACSC estimates that within three years terrorists will have the ability to compromise a secure network". But the ACSC wrote that such an event was "unlikely ... for at least the next two to three years."

This writer wonders whether Tehan's misinterpretation was deliberate spin, or merely reflected an inability to read the actual words on the page.

The bulk of the ACSC report is a solid overview of the cyber-threat landscape. The section "Trends in targeting and exploitation techniques" is one of the most readable, sober, and spin-free summaries of the state of play I've seen, unlike many similar overviews produced by infosec vendors.

When the ACSC released its first unclassified threat report last year, I called it a lost opportunity. This year's report is vastly different.

While the case studies still can't name the target organisations, for obvious reasons, there's more concrete detail, and more information on what can be done to mitigate the threats.

Here's one case study, titled simply "Persistent":

"The ACSC undertook a major incident response, investigation, and remediation of a government network compromised by a foreign state. ASD identified that the adversary had gained initial access to the network using malicious Microsoft Office macros -- small programs executed by Microsoft Office applications to automate routine tasks. On advice from ASD, the government agency implemented technical controls to mitigate the threat of malicious Microsoft Office macros on the network.

Since that time, the same adversary has repeatedly attempted to regain access to the government network, incrementally evolving their tradecraft. The adversary displayed the ability to use knowledge from the previous intrusion to target specific users, vulnerabilities, and systems. For example, the adversary sent a spear phishing email to a staff member from the account of a legitimate user from another foreign organisation with which the staff member had prior communication. The adversary provided advice to the staff member on how to circumvent security controls to enable Microsoft Office macros. The adversary referred accurately to the department's ICT service desk by acronym and had hardcoded the user's username, the domain and the IP address of their computer in the malicious Microsoft Office document.

This activity confirmed that the foreign state has an ongoing intelligence requirement against the government department and has most likely not regained access since ASD's remediation work. The later spear phishing activity demonstrates knowledge of the network, including that Microsoft Office macros had been disabled following the previous compromise."

And perhaps most importantly, there's a two-page action plan called "Preparing for and responding to cyber security incidents".

The first ACSC threat report was a by-the-numbers document of little value. This second effort is the opposite. It is, dare I say it, a must-read.
