Defence cannot ignore Australian government hack
Why the ASD breach should have defence companies standing to attention
In October it was made public that around 30GB of data was compromised in a hack on an Australian government contractor during 2016. The subject of the attack, the Australian Signals Directorate (ASD), has given it the codename "APT Alf" after the straight-talking aussie ‘bloke’ familiar to any Home and Away fans.
However, unlike the soap opera, the issues posed by this security breach are real. ASD lost documents on projects including the Joint Strike Fighter (JSF) program and the P-8 Poseidon “submarine killer” plane, as well as detailed designs of Australian Navy ships. Fortunately, the data that was stolen was commercial and not sensitive military information.
In that regard, those involved can breathe a huge sigh of relief although questions remain about how and why a company that specialises in security was so exposed. As it turns out, the hacker could probably have walked right in the front door because the ASD's investigation found that internet-facing services still had their default passwords, ‘admin::admin’ and ‘guest::guest’.
Not that hackers need a helping hand. The truth is that no organisation is impenetrable and the world we live in means hacks and cyber attacks are inevitable. Companies are acquiring huge volumes of valuable data that would-be perpetrators are finding increasingly intuitive ways to acquire.
The ‘major’ problems
This means defence organisations must be on guard at all times when it comes to protecting their data the way they are programme to protect their country. Above all else, this means being able to see and hear who is digitally coming in and out of the company at all times. Comparing it to the physical world, it’s like the security alarm vs the security camera. Most buildings have the alarm, but when it goes off, far too often an alarm get ignored. When a major breach does occur it's like fumbling around in the dark if you don't have a video tape to review how the burglar got in and what they took. How much quicker would the investigation be if you could review the video of what they walked out with in their hands?
In fact, this particular instance is a great example of how complicated and involved investigations become when analysts don't have access to packet level data - namely, the stored raw data that can be reviewed when a security breach occurs that will inform all the necessary information around what happened.
Organisations must look to ensure they can collect and store this information. Raw network data is indispensable in the case of a breach because it provides definitive evidence of what took place. It can be analysed to discover every aspect of a breach, giving companies the insight to see where in the network the breach originally occurred, exactly what data was taken, and how it was extricated. Perhaps more importantly, it will identify the chink in the security armour which can be fixed to prevent a similar breach from happening again.
Aside from preventing the preventable, it’s also key to identifying and minimising loss should a breach occur. Companies actively monitor their networks use tools such as Intrusion Detection (IDS), Behavioural Anomaly Detection, and Artificial Intelligence (AI) to analyse traffic on the network and raise alerts when potentially malicious activity is detected.
But when it comes to investigating the alerts that are raised such as this one, these analytics tools don’t provide the level of detail needed to determine definitively what took place. They’ll tell you something happened, but you need to investigate the event much more deeply to understand what that event was and whether it’s serious or not. In the event of a breach, knowing for certain what happened, how it happened and what the impact is, and doing that quickly, is critical.
‘The need for speed’
In the case of the ASD, the speed of the response time to this breach was far too slow, which meant that the investigation took a lot of effort, but was also not fully conclusive.
The hack began in July last year, but ASD was not alerted until November. This three-four month gap ultimately meant that reviewing and analysing the data to react accordingly took too long. Had network history been readily available ASD would have been able to investigate much quicker and head the attack off sooner, perhaps even before the attacker got their hands on any information. Speeding up investigations with network history also enables many more critical alerts to be examined thereby improving general security posture - not just the one being dealt with at a particular point in time.
The Future of Assessment
Being prepared to respond to a breach is becoming increasingly critical to all businesses. 2017 has been a year of major breaches, and the media attention they have attracted has caused many companies to start to think about whether they could respond to a breach adequately. ASD is just another name to add to the long list and it certainly won’t be the last.
However, companies can learn from ASD. By having greater visibility into what is happening, and what has already happened, on their networks dealing with a breach can become a much quicker and simpler process. The fact is that the evidence organisations need to quickly understand a breach and communicate accurately about it, is at their fingertips.
Cary Wright is VP Product Management at Endace where he leads development of network forensics products used by Gov, Telco and large enterprise to respond quickly and accurately after a breach.