
June 22, 2020

On Friday 19th June, the Australian Prime Minister gave a press conference outlining an intense and persistent cyber attack against Australian organisations, allegedly originating from an overseas adversary. The Prime Minister confidently stated that a hostile nation-state was behind the campaign but refrained from naming the culprit. Other news outlets, however, suggested that unnamed senior government officials claimed the origin was China, but this remains unconfirmed by official sources.

Increased levels of cyber attack are reportedly being experienced across Australian government and businesses, and the effectiveness of regular system patching and multi-factor authentication (MFA) was specifically highlighted as an area for improvement.

The Australian Cyber Security Centre (ACSC) released more detail in a 48-page advisory entitled “Copy-Paste Compromises – tactics, techniques and procedures used to target multiple Australian networks.” This advisory details the tactics, techniques and procedures (TTPs) the ACSC identified during its investigation of this series of attacks. The advisory categorises these TTPs using the MITRE ATT&CK® Framework, allowing security teams to immediately understand the nature of the attacks and the controls that may prevent further breaches.

ACSC strongly recommends implementing the ASD Essential Eight controls to help organisations prevent these sorts of attacks. In fact, ACSC has found that applying all eight of these controls to a maturity level of three or more prevents as many as 85% of targeted attacks. There is no doubt that monitoring the implementation and ongoing effectiveness of each of these eight critical controls can be effective in improving an organisation’s security posture.

In parallel with the Essential Eight, the ACSC also recommends reviewing and implementing the ACSC guidance on Windows Event Logging and Forwarding and System Monitoring.

Using the Essential Eight

The Essential Eight is ACSC’s prioritised list of cyber mitigation strategies to help protect any organisation. Each of the eight controls can be tailored to meet specific organisational requirements, based on considerations such as the industry they are in, the risk profile and the most anticipated threat actors against whom they are defending.

Figure: eight strategies to mitigate 85% of targeted cyber attacks

The Essential Eight highlights implementing application control, ensuring applications are fully patched, configuring Microsoft Office macro settings and user application hardening as the most important of the eight controls, followed by restricting administrative privileges, patching operating systems, implementing MFA and comprehensive daily backups. You can find more in-depth technical insight into where these eight recommendations originated in the ASD ISM, the Australian Government’s Information Security Manual.

MFA

A few of the Essential Eight controls will make a massive difference against the current attacks targeting Australian organisations, since these attacks rely on two weaknesses in our security defences. Firstly, a significant number of attacks begin with successful phishing campaigns, enticing users to give up credentials or install malware on their systems. You can all but remove account compromise from an organisation’s attack surface by implementing a trusted multi-factor authentication (MFA) solution, which requires additional authentication beyond a username and password before the user is allowed to access systems.

MFA solutions provide a defensive barrier against account compromise by ensuring the authentication chain includes something much harder to obtain than a username and password, such as biometrics (e.g. fingerprints) and tokens (RSA, Google Authenticator, etc.). Even if the attacker intercepts the username and password, the biometric makes the account almost impossible to hijack. In the same way, the attacker needs access to the token to authenticate, since it provides a one-time code that is impossible to guess.

Patching

Patching your operating systems and applications ensures they are protected from the latest vulnerabilities and exploits. This significantly improves the resilience of your enterprise against these common and highly successful attack vectors.

Cyber security maturity model

ACSC has developed a cyber maturity model to allow organisations to gauge the current effectiveness of their controls against the Essential Eight security target, with detailed descriptions of what each maturity level means against each control. Maturity levels are defined as:

  1. Partly aligned with the intent of the mitigation strategy.
  2. Mostly aligned with the intent of the mitigation strategy.
  3. Fully aligned with the intent of the mitigation strategy.

For the best coverage, you should aim for maturity level three, since level three ensures the implementation fully protects the organisation in the context of its purpose. For example, at level three MFA protects all remote access users, authenticates all privileged users, and protects access to confidential or critical information stores.

Security Monitoring and the MITRE ATT&CK® Framework

It’s an inevitability of the modern business world that cyber attacks happen; securing your business against determined attackers is a complex and incredibly difficult challenge and a problem space that’s changing all the time.

ACSC has stated that, while investigating cyber incidents, it finds organisations have insufficient logs and records to give visibility of the activity occurring on their computer systems and networks. Deep insight into what is happening on each system is needed for practical incident response, since it reveals what actually happened. It helps reduce the impact of the attack and the time to respond, and allows the organisation to determine how to prevent future attacks of this nature.

SIEM solutions

Every computer system and network device can log activity at a very detailed level. MFA solutions, for example, will show who logged on, when they logged on, and even the geographical location they logged on from, which is incredibly useful in an investigation. However, some systems may be configured to be less verbose, and in some cases logs may be overwritten within a matter of hours, depending on retention policies.

Security teams need a way to collect and analyse logs across the entire infrastructure, then collate that information into a useful report that prioritises their activities. A Security Information and Event Management (SIEM) system is the most effective way to meet this requirement as it can baseline normal behaviour and report at different management levels, such as technical security teams, operational managers and executives.

Huntsman Security supports the MITRE ATT&CK® Framework in its solutions; advisories such as last week’s one from ACSC are used by security operations teams to develop correlation rules against known attack types, tied to the context of the logs collected from each of the organisation’s specific systems.

The MITRE Corporation defines the ATT&CK® Matrix as:

“… a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations [to be] used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cyber security product and service community.”

MITRE ATT&CK®: the details

The value of the MITRE ATT&CK® matrix comes from the way it gives the security industry a normalised approach to defining attack tactics, techniques and procedures; meaning that when ACSC says:

Lateral Movement: T1028 – Windows Remote Management

The ACSC identified the actor utilising Windows Remote Management (WinRM) via PowerShell to move laterally through victim networks.

Security teams can then refer to the details in the ATT&CK® Matrix, as follows:

Windows Remote Management

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.

Procedure Examples

Cobalt Strike: Cobalt Strike can use WinRM to execute a payload on a remote host.[4]

Threat Group-3390: Threat Group-3390 has used WinRM to enable remote execution.[5]

Mitigations

Disable or Remove Feature or Program: Disable the WinRM service.

Network Segmentation: If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.

Privileged Account Management: If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

Detection

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.
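As an added illustration of the correlation rules discussed in the SIEM section and the detection guidance above (example code, not Huntsman Security's or ACSC's own logic), the following Python encodes the two ideas from this section, an allowlist baseline for hosts expected to open WinRM sessions and process creation under the WinRM host process, and runs them over constructed Sysmon-style events. The management subnet, hostnames, command lines and event field names are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WINRM_PORTS = {5985, 5986}               # WinRM HTTP and HTTPS listener ports
WINRM_HOST_PROCESS = "wsmprovhost.exe"   # WSMan provider host that runs remote commands
# Assumed baseline: only this management subnet should initiate WinRM sessions
ALLOWED_WINRM_SOURCES = [ip_network("10.0.250.0/24")]

@dataclass
class Alert:
    rule: str
    host: str
    detail: str

def is_expected_source(src_ip: str) -> bool:
    """True if the client address is inside the WinRM allowlist."""
    return any(ip_address(src_ip) in net for net in ALLOWED_WINRM_SOURCES)

def evaluate(events):
    """Apply both rules to a stream of event dicts and return the alerts raised."""
    alerts = []
    for ev in events:
        # Sysmon event 3 on the server side: a connection to a WinRM listener port
        if ev["EventID"] == 3 and ev.get("DestinationPort") in WINRM_PORTS:
            if not is_expected_source(ev["SourceIp"]):
                alerts.append(Alert("winrm_from_unexpected_source", ev["Computer"],
                                    f"{ev['SourceIp']} -> {ev['DestinationIp']}:{ev['DestinationPort']}"))
        # Sysmon event 1: a process whose parent is the WinRM host process
        elif ev["EventID"] == 1 and ev.get("ParentImage", "").lower().endswith("\\" + WINRM_HOST_PROCESS):
            alerts.append(Alert("process_spawned_via_winrm", ev["Computer"],
                                f"{ev['Image']} {ev['CommandLine']}"))
    return alerts

# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "FILESRV01", "SourceIp": "10.0.250.10",
     "DestinationIp": "10.0.1.20", "DestinationPort": 5985},   # expected admin host
    {"EventID": 3, "Computer": "FILESRV01", "SourceIp": "10.0.7.33",
     "DestinationIp": "10.0.1.20", "DestinationPort": 5985},   # workstation subnet
    {"EventID": 1, "Computer": "FILESRV01",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service"},
    {"EventID": 1, "Computer": "FILESRV01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

Calling evaluate(SAMPLE_EVENTS) raises two alerts: the session from the workstation subnet and the PowerShell process spawned under wsmprovhost.exe, while the admin host's session and the ordinary notepad launch pass silently.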

Defend against cyber attack – find out more

Protect your organisation from cyber attack. Huntsman Security has mapped its technology’s capabilities to the MITRE ATT&CK® Framework to assist security teams in transforming threat advisories into actionable intelligence.

Explore how Huntsman Security can assist your organisation in the implementation and performance measurement of the Essential Eight security controls and how it fulfils MITRE ATT&CK® mitigation strategies.
