Is your organisation equipped to withstand, fight back against and look out for newly emerging cyber threats?
Australia, we have a problem.
According to the Australian Cyber Security Centre’s most recent Annual Threat Report, one cyber incident is reported in Australia every 7 minutes (up 12.5% YoY) with over 76,000 cybercrime reports during FY2022 (up 13%).
And at last the Federal Government is starting to get serious about it. The Australian Government is investing heavily in beefing up our cyber defences, including appointing a Coordinator for Cyber Security within the Department of Home Affairs, broadening critical infrastructure asset protections under new legislation, and honing the 2023-2030 Australian Cyber Security Strategy.
Why the stronger push now? Consistent ongoing messaging around cyber security, cyber maturity, and cyber safety to date, along with proactive organisations taking initial steps to improve their IT security protections – whilst welcome and essential – have not seemed to make a dent in the number and impact of cyber incidents and data breaches reported each quarter. If we’re talking and doing more about cyber security than ever before, how can it be that the incident numbers, impact and scope just seem to be escalating year-on-year?
The answer is surprisingly simple. Imagine you’re swimming in the surf but get tossed underwater by a wave. This has happened to you before, so you know what to do. You hold your breath, orientate yourself, get your footing on the sand and stand up quickly. No sooner have you wiped the white water off your face, however, than an even bigger wave is about to break right in front of you. But you’re not ready for it, you can’t do anything to stop it, and no one is there to help.
The worsening cyber incident and data breach statistics are clearly telling us that we’re getting knocked off our feet by bigger and bigger waves – and it’s getting harder and harder for us to withstand the onslaught.
There was no greater example of this than in September and October 2022 when over a three-week period the personal data of 9.8 million Optus customers and 9.7 million Medibank customers was stolen by cybercriminals […] It became clear during these incidents that the government was ill-equipped to respond, and did not have the appropriate frameworks and powers to enable an effective national response given the number of Australians whose personal information, including identity data, was compromised.
Source: 2023-2030 Australian Cyber Security Strategy Discussion Paper
Where does that leave Australian businesses and organisations? Yes, the Federal Government’s cyber initiatives are bolstering protection of our national critical assets – but what about your critical assets? Your data, your IP, your corporate brand, identity and financials, your people’s and clients’ identities, personal and sensitive information?
As the cyber threat landscape changes and morphs into something new yet again, here’s what you need to know anew about the who and what of the cyber threat landscape, as well as the how of cybercriminal activity right now. We’ve also provided you with a head start in the form of our 4×4 checklist to help you prepare to stand your ground against those big waves forming on the horizon.
Who is targeting Australians and what are they after?
We’ve been working for many years now to debunk the myth that cybercriminals only target the top end of town. In the same way that each and every one of us is a valid target in an attacker’s eyes, threat actors themselves also come in all shapes and sizes. And while some recent breaches have been traced back to an individual or a small group, increasingly damaging and costly incidents are now being attributed to cybercriminal organisations or cybercriminals working together in highly coordinated and collaborative ways.
Whether lone wolf or corporate mis-enterprise, the vast majority of cyber criminals are surprisingly “aligned on purpose” – their objectives centre around:
- Harvesting and monetising personal, sensitive or high-value data/secrets
- Furthering a socio-political agenda through what’s referred to as hacktivism
- Flexing their technical skill set to become a bigger player in the attack marketplace
Organised cybercrime groups often employ a corporate-like structure, complete with KPIs, supervisors, operational staff, recruiters, marketing and tech support – even call centres offering “customer support” to would-be hackers buying attack kits “off the shelf” on the dark web. These groups can be incredibly sophisticated and operate with the professionalism of a “legitimate” business – albeit maliciously.
Some of these groups even receive funding, intel, protection, and other resources from rogue nation states. Where geopolitical tensions shift, nation states have been seen to covertly engage cybercriminals to infiltrate the systems of other nations, including critical infrastructure, security, finance, supply chains, and health services, with the intention of stealing money or intellectual property, flexing their threat “reach”, or simply seeding fear and uncertainty more broadly. You can see evidence of this in recently issued ACSC threat alerts specifically calling out nation state-sponsored threats.
Increasingly though, global security experts are seeing a new breed of adversary emerge – the Active Adversary – the highly skilled lone wolf or pack of specialist threat actors that bring a new, more sophisticated, more collaborative approach to the table.
How is this new breed of cybercriminal working to evade detection?
Not only are cybercriminals more organised than they were, the ways they approach their targets, execute attacks, and evade detection have evolved rapidly too. The Active Adversary we are facing today profiles like this:
- They’re highly skilled: As cybercrime becomes more lucrative, many disenfranchised as well as highly talented security or technical resources are lured over to the dark side, where returns may far exceed average salaries in the countries where they’re based. These attackers know how to design, develop and deploy or repurpose legitimate tools to now serve malicious purposes, putting them way ahead of the game.
- They’re more targeted: From Facebook and LinkedIn profiles to glowing bios on company websites, there’s an unprecedented amount of personal data openly online these days, not to mention the endless data available for sale on the dark web. Rather than scattergunning a blanket phishing email, sophisticated attackers will now deep-dive on a specific target who has access to large amounts of sensitive information. They’ll then use publicly available information, perhaps even gaining access to systems and then sitting covertly monitoring and learning communication patterns and styles, to create an email that appears legitimate and builds trust with the victim, making them much more likely to click the phishing link. These Spear Phishing tactics are the leading factor driving growing Business Email Compromise statistics in Australia.
- They’re more patient: Without managed cyber threat detection and response tools enabled, the average time it takes to detect a data breach sits at around 207 days. Think about all that your business has achieved over the past seven months – now imagine what a cybercriminal organisation could learn or find in your environment over that time. Rather than a “smash and grab”, cybercriminals today play the long game to identify high-value targets, extract data and gradually gain more control over critical systems. This patience pays off, especially when this intel provides the attacker with what they need to access other connected systems or client organisations you provide services to, putting your organisation at the centre of a Supply Chain Attack.
- They’re responsive: Remember we talked about talent earlier? While some ransomware and phishing attacks are designed for the “mass market” of entry-level cybercriminals, a newer and far greater threat comes from those highly talented attackers working hands-on, reacting dynamically to attempts to discover or stop them. So as good as your systems and people are, they’re competing against real, flesh-and-blood Active Adversaries who are intent on winning the game of cat and mouse.
- They’re highly collaborative: Modern cybercrime groups often work together to maximise the impact of their attacks. The dark web and other encrypted communication channels have made it easy for cybercriminals to collaborate, sharing information, tools and connecting with other groups and individuals. For example, a group who specialises in stealing credentials may work with another group who are experts in using those credentials to launch attacks. This increasingly collaborative and agile behaviour has increased the specialisation and return on attack “projects”.
- They’re at the forefront: Over the last year alone, AI has developed at such a rapid rate that even the “Godfather of AI”, Geoffrey Hinton, resigned from Google due to concerns over the speed and lack of oversight. Hackers are already taking advantage of this powerful new technology, using machine learning and AI to streamline their attacks, to scan and process huge amounts of data to identify and target vulnerabilities, and even using voice deepfakes to imitate people and gain access to sensitive information.
What can businesses do now to stay ahead of this new breed of cybercriminal?
It might feel like a losing battle trying to stay ahead of threat actors, as sophisticated as these groups are. But help is at hand. Here is our 4×4 checklist of recommendations on how your organisation can work to fortify your baseline now and get ready to meet fire with fire.
Get your baseline fortified
- Strengthen access controls: Make sure that first line of defence is as robust as it can be. This means strong passphrase selection, good password management that avoids default saving in browsers, unique passwords that are not shared across systems, platforms or devices, and Multifactor Authentication enabled wherever possible and for ALL users. This is the baseline, so if you don’t have it right already, now is the time!
- Keep software & devices up to date: Software and device updates and patches contain critical security fixes to patch any weak points. With hackers constantly searching for these easy pathways in, make sure routine patching is in place, and that out-of-cycle patching is addressed early and often.
- Education is key: Robust cyber security training is integral to addressing the biggest risk factor – human error. By educating your people on common and emerging cyber threats, best practices and testing their ability to detect even complex phishing attacks, you can create a culture of collective responsibility for your cyber defence.
- Plan to fail: It’s not a matter of if, but when, and Australian regulations impose requirements on businesses to protect against and disclose data breaches that do occur. If you don’t have one already, you need a security incident/data breach response plan with clear contact points, accountabilities, escalation points, as well as reporting and recovery plans. Game it out first to stay in control.
Level up to meet fire with fire
- Revisit what “covered” means: Most organisations are surprised to find out that the IT security protections they have in place are only part of what they need to have in place to be “covered”. Review your IT Security provisions against a recognised framework, such as the NIST Framework, to understand where you need to complement IT security protections with identification, detection, response and recovery provisions.
- Get proactive and AI-enabled yourself: Talk to your Managed IT Services provider about levelling up to managed cyber threat detection and response options that leverage continuous 24/7 threat data collection, AI tools and machine-learning-driven intelligence to detect and respond to threats and breaches in minutes, not months.
- Plug the gaps you can’t see: It might surprise you to know that vulnerability scanning is not a default IT Support inclusion. This is because the scale of data required to quickly and accurately identify vulnerabilities across a bank of threat intelligence is beyond the scope of any human IT technician. Regular vulnerability scanning combines the findings of data-rich, machine learning-enabled scanning tools with human security-expert-led analysis and assessment.
- Stay informed and engaged: Security is never a set and forget proposition. You need to evolve your knowledge as well. Talk to Maxsum about the range of cyber security learning and networking initiatives we recommend for businesses, and as an ACSC Network Partner, Maxsum recommends you sign up your organisation today to start receiving threat alerts directly from the Australian Cyber Security Centre.
Reach out to talk about your Managed IT Support + Managed IT Security options under a next-level Managed IT Services engagement with Maxsum today. Give us a call on 1300 629 786 or send us a message to start a conversation.