The Prime Minister today publicly highlighted the increasing cyber security threats posed by state-sponsored actors to Australian businesses and organisations. Alongside this announcement, the Australian Cyber Security Centre (ACSC) has released a report, Advisory 2020-008: Copy-Paste Compromises, which details the tactics, techniques and procedures (TTPs) commonly used in these attacks.

The ACSC report is extremely detailed and essential reading for anyone on the frontlines of cybersecurity, and we recommend taking a look at it yourselves. We also know that organisations are looking for immediate actions they can take in response to these threats, so we’ve been through it and have some steps you can take now to improve your cyber security posture and make it harder for attackers to breach the perimeter.

 

1. Audit your public exposure

You can't protect what you don't know you have, and too often legacy or unused services are left exposed to the internet. Perform a full audit of all internet-facing systems and applications to ensure you know what attackers can see when attempting to target your network. If you don't know where to start, The Missing Link can provide assistance with External Vulnerability Assessments and Penetration Testing.

 

2. Update your software

According to the ACSC, one of the most common ways attackers gain entry to Australian networks is by targeting unpatched applications such as Citrix, SharePoint and IIS. Even being just a few weeks behind in the patch cycle can mean the difference between an attacker gaining a foothold in your organisation and giving up to go after an easier target. For the internet-facing applications and systems identified in Step 1, ensuring that security patches and updates are installed within 48 hours of release is essential to preventing attackers from gaining easy access. If you are looking for more information, The Missing Link has an article just on patching available here.

 

3. Require 2-factor authentication

When attackers can't gain access through software vulnerabilities, they go after people. As described in Advisory 2020-008: Copy-Paste Compromises, phishing is an extremely common technique used to gain access to Australian organisations and networks. One of the most common phishing attacks involves sending an email containing a link to a fake login page, which will steal the credentials of anyone who uses it. Requiring 2-factor authentication, especially on domain accounts such as those used for Office365, makes it significantly more difficult for attackers to use stolen credentials. This gives your users and security teams time to respond and prevent an all-too-common mistake from becoming a breach. To learn more, read our blog about 'MFA: How it works & why you need it'.

 

4. Disable Microsoft Office macros

Another type of phishing attack involves attackers sending a document containing a malicious macro as an email attachment. Victims are deceived into opening the document and running the macro under the guise of a survey or urgent notice, which then runs code giving the attacker access to the user’s computer. Disabling macros by default can prevent this type of attack from occurring and stop attackers from obtaining easy access to your users' systems.
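
One way to check, and optionally apply, this setting on a Windows workstation, as an added example that is not taken from the ACSC advisory or written by The Missing Link. It assumes Office 2016/2019/365 (registry version key 16.0) and covers only Word, Excel and PowerPoint; the script's parameter and variable names are illustrative.

```powershell
# Added example: audit (and with -Enforce, set) the per-user Office macro policy.
# Assumption: Office registry version key 16.0; extend $Apps for other applications.
param([switch]$Enforce)

$Apps = 'Word', 'Excel', 'PowerPoint'
$Base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
$Wanted = @{
    VBAWarnings                       = 4
    blockcontentexecutionfrominternet = 1   # block macros in files from the internet
}

$results = foreach ($app in $Apps) {
    $key = Join-Path $Base "$app\Security"
    foreach ($name in $Wanted.Keys) {
        # A missing key or value yields $null, which is reported as 'not set'.
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($Enforce -and $current -ne $Wanted[$name]) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $Wanted[$name] `
                -PropertyType DWord -Force | Out-Null
            $current = $Wanted[$name]
        }
        [pscustomobject]@{
            App       = $app
            Setting   = $name
            Current   = if ($null -eq $current) { 'not set' } else { $current }
            Wanted    = $Wanted[$name]
            Compliant = ($current -eq $Wanted[$name])
        }
    }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or compliance tool flag the host.
if ($results.Compliant -contains $false) { exit 1 }
```

Across a domain, these values are normally deployed through Group Policy rather than per machine; the script is suited to spot checks and to confirming that the policy has actually reached a given user profile.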

 

This list is by no means complete, but it provides actionable, concrete steps your organisation can take today to prevent the kind of cyber-attacks described in Advisory 2020-008: Copy-Paste Compromises.

An effective, holistic cyber security strategy takes time and expertise to create. The Missing Link is a huge proponent of the Australian Signals Directorate’s “Essential Eight” framework, which includes the steps listed above, and we have proven experience in designing, securing and testing IT systems and services. If you would like more information on how to implement these mitigations, design or update your cyber security strategy, or conduct a cyber security assessment, please get in touch.

 


 

Author

Leo Adrien

Security Consultant