Cyber crime is now more profitable than the global drug trade and some security experts believe the profit-to-effort ratio is 20:1. Cyber criminals are sharing increasingly sophisticated attack information, tools and techniques with fellow hackers around the world. Against this backdrop, how can Australian organisations keep pace and ensure the security of their assets if they don’t collaborate and share threat information, tools and techniques with one another too?
Cyber crime has been around for virtually as long as the Internet, but our exposure to it has significantly increased in recent years as we’ve shifted to an interconnected cyber-ecosystem. Big organisations are connected to little ones, international to local, organisations to individuals and individuals to other individuals. These interconnectivities are growing every day, making it easier for attacks to spread.
With cyber crime evolving into an increasingly profitable business, the barrier to entry has also been lowered dramatically, which is driving proliferation. In the early days, cyber criminals owned their own servers and built malware from scratch, which was both time-consuming and expensive. Now virtually anyone with basic computer literacy skills can get in on the game, with threats increasingly easy to access and easy to use. Exploits, ransomware, botnets and the like can be bought or rented, and these days even technical support is available to hackers.
In April this year, the hacking group dubbed Shadow Brokers aided this proliferation by giving hackers around the world a leg up with the release of a set of highly effective weaponised software exploits. Many of the exploits target older, little-used or out-of-date systems, so hackers using them bank on individuals and organisations being lax when it comes to patching software and updating systems. This has unfortunately proven to be a good gamble, given the effectiveness of the WannaCry and NotPetya cybercrime campaigns, which propagated through networks using one of these exploits, known as EternalBlue.
WannaCry and NotPetya highlight the slow pace at which public and private entities are addressing standard IT hygiene practices, such as patching software and applications for known vulnerabilities and training employees to be aware of phishing and other malicious incursions. This is no surprise given the constantly changing threat landscape and the low level of threat sharing in Australia. Organisations can’t patch up if they’re not aware of vulnerabilities in the first place. For example, the original patch for EternalBlue was distributed to the public on March 14, 2017, a month before the WannaCry attack, and yet there would still be machines out there that are unpatched.
Sharing of threat intelligence raises awareness and sounds the alarm about new attacks and data breaches as they happen. It also provides the security community with the necessary breadth of data to understand trends, new infections, how botnets are communicating, whether directed targeting is occurring, and even if different attackers are collaborating. Despite this, threat sharing is not the norm.
PwC's Global State of Information Security Survey released earlier this year shows Australian organisations are not only below average when it comes to threat sharing, they are also finding collaboration with others less effective than a year ago. Only 34 per cent of responding organisations are reporting improvements in their threat intelligence and awareness, compared to 42 per cent one year ago.
There’s a critical need to improve our threat sharing capabilities across the public, private and academic sectors in Australia. The Government is trying to lead by example with the disclosure last year about the Bureau of Meteorology (BOM) being hacked, and this year’s disclosure that a defence contractor had been breached. We’re also making ground in developing a framework for threat sharing. The Joint Cyber Security Centres led by the Attorney-General’s Department, those that have opened and those that will open in the new year, are a big step in the right direction. By physically co-locating, participants will be in a better position to collaborate.
The conversation is now rightly moving to the type of IT platform needed to support threat sharing, and most importantly, the sort of sharing that would be effective. This is the crux of effective threat sharing, as bombarding organisations with lots of data, sometimes just raw, unevaluated data, will just put an extra burden on cyber security teams.
Protecting businesses from cyber attacks is an ongoing challenge for all of us and we are doomed to failure if we each try to go it alone. As the famous military strategist and philosopher Sun Tzu said: “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” In our increasingly interconnected cyber-ecosystem, securing our assets means working together to know ourselves and our enemies.
Read CEDA's research report, Australia's place in the world.