Comments on the ANU Incident Report

https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

A few people have asked my opinion on the ANU Incident Report. Given the extensive media coverage since its publication, I thought I’d pen some thoughts as I have a bit to say. I will emphasise that these are my opinions based purely on the information I have read online and in the report.

Firstly, I would like to commend ANU for publishing information on the breach. The industry as a whole is only going to improve if the lessons from such an incident are heeded at every level.

I was, however, disappointed by a number of statements, particularly this one:

“This report details the level of sophistication, the likes of which has shocked even the most experienced Australian security experts”

Overall, the information contained in the report, in my opinion, did not support such a statement or several of the other headlines in the media. Certainly, the attacks appeared to be competent to professional. However, apart from one technique which I will address shortly, I saw no techniques used that have not been routine hacking techniques over the last decade.

The reason I call this out is that this type of spin leaves an impression that these cyber-attacks are impossible to defend against. I’m certainly not saying that establishing a strong security posture is easy, it isn’t, particularly at scale and in 24x7 business-critical operations. But there is a lot that can and should be done.

I will say that it appeared that whoever the attackers were, they had to work at it. They were there for a while, being persistent to gain the necessary foothold and launch points. So, ANU must have had at least some half-decent defences in place.

I want to comment on that one exception I mentioned above. This statement:

“Based on available logs this email was only previewed but the malicious code contained in the email did not require the recipient to click on any link nor download and open an attachment. This “interaction-less” attack resulted in the senior staff member’s credentials being sent to several external web addresses.”

Wow! If this did occur, then wow. But I don’t believe it. I’m happy to have my opinion changed, but I’d need to see further evidence before I believe it actually occurred that way. Based on that statement alone, it doesn’t make sense to me. Unfortunately, the report did not contain any supporting information on the lower-level attack details or samples of the malware used. I will say that if I’m wrong, then this means the bar has been raised by an order of magnitude and the industry has some really big, new risks to start seriously managing.

The one most glaring omission from the lessons learned was the apparent lack of security visibility and monitoring. What was clear was that the attackers were in this network for an extended period of time, making a lot of noise, and it was not detected. While networks will get breached, what is vitally important these days is having sufficient security visibility and monitoring to detect anomalous or malicious activity. Likewise, a large amount of sensitive data walked out of a secured part of the network without detection! That, in my opinion, was the most significant failing on the part of ANU. Today, there are many tools which should have lit up like a Christmas tree on any of that type of activity. I would highlight to others the importance of security visibility and monitoring systems.
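The kind of monitoring the paragraph calls for, as an added example that is not from the report or this article: a volume-based detector run over constructed daily outbound flow summaries, flagging a host in a sensitive segment whose traffic to external addresses jumps far above its own historical baseline. Host names, segment labels and byte counts are all constructed.

```python
# Added example (not from the ANU report or the article): a minimal
# volume-based exfiltration detector over constructed flow summaries.
# Each record is (day, host, segment, bytes_out_external). The baseline is
# the per-host median of earlier days; a day whose external outbound volume
# exceeds max(factor * baseline, floor_bytes) is flagged.
from collections import defaultdict
from statistics import median

FLOWS = [  # constructed sample data: daily bytes sent to external addresses
    ("day1", "fileserver-01", "sensitive", 120_000_000),
    ("day2", "fileserver-01", "sensitive", 95_000_000),
    ("day3", "fileserver-01", "sensitive", 130_000_000),
    ("day4", "fileserver-01", "sensitive", 110_000_000),
    ("day5", "fileserver-01", "sensitive", 2_400_000_000),  # bulk copy out
    ("day1", "workstation-07", "general", 800_000_000),
    ("day2", "workstation-07", "general", 750_000_000),
    ("day3", "workstation-07", "general", 900_000_000),
    ("day4", "workstation-07", "general", 820_000_000),
    ("day5", "workstation-07", "general", 950_000_000),
]


def detect_exfiltration(flows, factor=5.0, floor_bytes=500_000_000,
                        watched_segments=("sensitive",), min_history=3):
    """Return (day, host, bytes, baseline) alerts for hosts in watched
    segments whose daily external volume far exceeds their own history.
    A host is only judged once it has min_history days of baseline."""
    history = defaultdict(list)
    alerts = []
    # Sorting by day keeps each host's records chronological (day1..day9).
    for day, host, segment, out_bytes in sorted(flows):
        if segment in watched_segments and len(history[host]) >= min_history:
            baseline = median(history[host])
            if out_bytes > max(factor * baseline, floor_bytes):
                alerts.append((day, host, out_bytes, baseline))
        history[host].append(out_bytes)
    return alerts


if __name__ == "__main__":
    for day, host, out_bytes, baseline in detect_exfiltration(FLOWS):
        print(f"{day}: {host} sent {out_bytes:,} bytes externally "
              f"(baseline {baseline:,.0f})")
```

Real deployments would build the baseline from flow or proxy logs per hour rather than per day and alert on new external destinations as well as volume, but the principle is the same: a sensitive segment sending twenty times its normal volume outward is exactly the signal the paragraph says should have lit up.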

It appears that whoever the attackers were, they had a specific target in mind. Canberra being the heart of Federal Government and Defence, I can only suspect the attack falls into a broader agenda, where the information gained may be used within other campaigns. From a risk management perspective, understanding the value of data is very important.

Personal cost and impact aside, since ANU have been to the trouble of preparing such a report, it would be very interesting to see a financial analysis of the attack. How much has the breach cost in terms of forensics and clean-up efforts? How much could have been saved if the investments they mention had been made earlier? Rightly or wrongly, much is driven by the dollars. So, understanding the financial impacts would be a very useful data point that could help others justify appropriate security investments.

More articles by Tony Kirkham