
Cyber threat indicators point to another tough year for security staff, especially in the Defence sector. China and the US account for more than half of all observed attack traffic, according to Akamai’s ‘State of the Internet’ report for the fourth quarter of 2014.

It reveals that China remains well ahead of the other countries/regions (41 per cent), originating more than three times the observed attack traffic from the US (13 per cent).

Distributed denial of service (DDoS) attacks are still increasing. Akamai customers reported 327 attacks during the fourth quarter of 2014, an increase of more than 20 per cent over the third quarter.

IBM’s most recent X-Force Threat Intelligence Quarterly reports a surge in the “designer vuln”: a critical vulnerability that proved lethal for targeted attacks, and one that comes with a branded logo, website and call name. Examples include Heartbleed, Shellshock, POODLE, Ghost and FREAK. Heartbleed is especially toxic: any attacker who exploited the bug before patching could spy on encrypted traffic between an affected host and a user, and secure data could be compromised without leaving any trace. Yet Australian companies are "by far the most behind" at remediating the Heartbleed OpenSSL flaw discovered a year ago, according to a global analysis by security and crypto firm Venafi released in April this year.

X-Force catalogued over 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014. This covered roughly 1,400 Android SSL and represents a 9.8 per cent increase over 2013. It is the highest single-year total in the 18-year history of X-Force.

In response, US President Barack Obama declared a “national emergency”, ironically on 1 April, imposing financial and travel restrictions on “suspected” individuals or entities that engage in significant malicious cyber-enabled activities.

A month before, the US Justice Department began ramping up its ability to track down suspected cyber-criminals through the establishment of a new agency, the Cyber Threat Intelligence Integration Center.

In short, the US has now thrown down a challenge to these attackers and their sponsors, backed up with strong retaliatory measures. What is Australia doing?

For Australian agencies and enterprises the official advice (and action) remains that of embracing the check-list approach issued by the Australian Signals Directorate in June last year. This involves implementing the Top 4 strategies together, as a package, as the core of this protection; they are said to mitigate at least 85 per cent of cyber intrusions.

Yet the security of an enterprise or agency does not depend only on the organisation itself, but also on the security of its IT supply chain and contractors. These represent potential weak points in the security of any organisation.

Third-party contractors and suppliers have been used to compromise larger organisations. Target’s breach began with a breach of a contractor providing heating, ventilation and air conditioning (HVAC) solutions. A 2011 hack on Lockheed Martin was blamed in part on information stolen in a hack on RSA that compromised SecurID tokens.

Email is still a favoured infection vector, with both malicious attachments and links to sites used to lure in users. These messages are made to appear to come from other organisations (preferably ones relevant to the target).

Furthermore, typical “sandbox” approaches to attachments, which check specific file types such as .SWF, .JAR and .PDF, can be sidestepped by including lines that check the running environment of the exploit, or parameter/function calls from HTML. The exploit code won’t run if the file is opened directly, or in an incorrect context.

Many enterprises and agencies need to accept the reality that breaches are inevitable and prepare proportionate responses. Moreover, alerts of those breaches need to be shared far more swiftly through automated tools incorporating Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII).

Another reality is that sometimes the attacks come from “good” guys as well as “bad”.

The breach of trust exposed by whistle-blower Snowden’s disclosures last year led John Stewart, security chief at telecoms and networking equipment provider Cisco, to announce that the company will ship boxes of equipment to empty houses in a bid to stop the NSA intercepting its routers and installing backdoors to spy on companies and agencies.

These would be shipped to fake identities at vacant addresses for its “most sensitive of customers”, reports The Register.

From what is known, Government progress (at least publicly) to meet these evolving threats in Australia appears more glacial.

Back in late November 2014, Prime Minister Tony Abbott announced a sweeping review of the risk of cyber attacks in the public and private sectors with a view to making online systems more resilient to attack. It would examine how government and industry could better work together to reduce the risk of cyber attacks and assess how the Government protects its networks and information.

It was to be overseen by a panel of experts including the chief executive of the Business Council of Australia, Jennifer Westacott; chief security and trust officer at Cisco Systems in the US, John Stewart; and Mike Burgess, chief information security officer at Telstra, with Dr Tobias Feakin, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute, assisting.

Due to report back by the end of May 2015, the panel will not deliver its full findings until the end of this year, according to Fairfax media. Apparently the panel only met for the first time in April, according to Cisco’s John Stewart.

Stewart is reported as stating the panel had spent five months working independently via an "email dialogue" on the key issues facing Australia's cyber security strategy.

The review is overseen by the Department of Prime Minister & Cabinet, and a PM&C spokesperson insists it will still “report to Government in mid-2015”. A new cyber security strategy with practical initiatives will be released after Government consideration of the Review.

Meanwhile the agency responsible for undertaking and managing national cyber threat issues, the Australian Cyber Security Centre (ACSC), was not included on this panel at all. Formally opened in November 2014, the ACSC is due to release its own “unclassified threat report” in mid-2015 as well.

In keeping with this progress has been the tentative adoption of the structured threat languages STIX and TAXII, which were developed to automate cyber attack notifications.

STIX and TAXII are sponsored by the US Department of Homeland Security, and most security software companies have agreed to incorporate them in their products this year.

Some senior technical adviser positions with CERT Australia require the successful applicant to be able to support indicator management and threat indicator sharing using STIX/TAXII.

However, the ACSC advises Australian Defence Magazine that it will only “explore” the use of STIX and TAXII reporting mechanisms with stakeholders during 2015.

This progress has been matched by the parlous state of cyber security expertise in Australia. Many of the best and brightest have been wooed overseas or into private industry.

Gregory Austin, visiting Professor at the Australian Centre for Cyber Security (UNSW), describes the Australian strategy as lacking a plan for globally competitive innovation in the digital economy. He likens it to building an ever-stronger wall while the building it protects gradually falls into disrepair.

“More importantly, the wall cannot even be secure if the home-grown talents do not match the rapidly evolving globally available digital technologies for attack,” he adds in his discussion paper for The Conversation (4 March 2015).

It is difficult to avoid the impression that our national cyber-security strategy is a maze: confused and uncertain, if not stagnant. This is unlikely to slow the velocity of mischief by cyber attackers.

Missing in action is a coherent plan that Defence and other enterprises can work with, contribute to and rally round.

This article first appeared in Australian Defence Magazine VOL.23 No.5, May 2015
