Terminating hackers on the Department of Chickens

David Lewis, the Technical Director of Cyber Security Analysis and Operations, Australian Signals Directorate, had perhaps the most "interesting" presentation title of the Oceania CACS conference.

He chose the "Department of Chickens" so no actual government departments would feel they were being outed in his presentation, which covered a "war story" regarding an actual cyberattack against a government agency.

Lewis says ASD finds out about incidents when their clients self-report, when a partner organisation reports, or when they find something through a proactive operation - particularly when reported incidents aren't coming in.

Understanding an incident, says Lewis, starts with understanding the sensitivity of the victim or the affected systems. They then examine the impact and "success" of the malicious action. Finally, they try to identify the actor conducting the activity. Armed with this triage information, they develop and communicate an initial response. In some cases, that communication will come from the ASD, via the ACSC, to victims of a breach before the victim knows they have been attacked.

Lewis says reconnaissance is a much longer process than many organisations realise. In Lewis' fictitious, but fact-based, department, the ASD knew of a brute-force attack well before the victim reported it, and knew the source servers of the attack and what was going on.

From a mitigation point of view, Lewis says victims should do reconnaissance, restrict access to key systems, and minimise exposure to the Internet.

The attackers in Lewis' case study used three different attack vectors. All were email based but used different payloads: macros, executable files and HTML applications. And rather than using zero-day exploits, they used older, but unpatched, vulnerabilities.

From a mitigation point of view, he says patching, application whitelisting and putting controls around macro execution are important strategies.

Once the threat actor was inside the system, they used scripted reconnaissance tools, even employing commercial penetration testing tools. At some point, the actors also had access to some user credentials so they attempted to use these on a web-mail server. Interestingly, while there were account lockouts on internal systems, the web-mail server did not have that control.

The aim for the hacker was to gain local administrator access on one system, using a known and patched vulnerability (CVE-2014-1812). From there, it was a short step to domain administrator access. That occurred when a system installed by a third party still had a default password that had been missed in a configuration review.

At this point, the hackers behaved like typical administrators to avoid detection. They moved laterally through systems, depositing highly specific malware for specific targets that avoided the end-point protection used by the department. This included the ability to create their own second factor in organisations that use two-factor authentication.

One of the detection and mitigation processes Lewis recommends is logging and reviewing all admin account usage and the use of administrative tools. But, at this point, detecting the bad guys is very difficult.

The threat actors also tried to exploit the department's trust relationship with other departments by sending email with more malware from within the attacked department.

Lewis, on several occasions, noted the importance of identifying anomalous behaviour - something that is very difficult.
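Two of the review checks Lewis' account points at (failed logons against a web-mail server that has no lockout, and admin accounts turning up on hosts they do not normally use) can be run over logon records. This is an added example with constructed sample events, not code from the presentation or the ASD; the host baseline and the failure threshold are assumptions.

```python
from collections import Counter

# Constructed sample events (not from the presentation):
# (timestamp, service, user, source_ip_or_host, outcome)
EVENTS = [
    ("2016-03-01T09:%02d:00" % m, "webmail", "j.smith", "203.0.113.5", "fail")
    for m in range(6)
] + [
    ("2016-03-01T09:06:00", "webmail", "j.smith", "203.0.113.5", "success"),
    ("2016-03-01T09:10:00", "webmail", "a.brown", "198.51.100.7", "fail"),
    ("2016-03-01T09:11:00", "webmail", "a.brown", "198.51.100.7", "fail"),
    ("2016-03-01T10:00:00", "logon", "adm.jones", "WS-ADMIN01", "success"),
    ("2016-03-01T23:40:00", "logon", "adm.jones", "FILESRV02", "success"),
    ("2016-03-02T02:15:00", "logon", "svc_backup", "SRV-BACKUP01", "success"),
    ("2016-03-02T02:20:00", "logon", "svc_backup", "WS-USER17", "success"),
    ("2016-03-02T08:00:00", "logon", "j.smith", "WS-USER17", "success"),
]

# Assumed: which accounts are administrative, and the hosts each one
# is expected to log on to (a baseline built from earlier, clean logs).
ADMIN_ACCOUNTS = {"adm.jones", "svc_backup"}
BASELINE_HOSTS = {"adm.jones": {"WS-ADMIN01"}, "svc_backup": {"SRV-BACKUP01"}}


def failed_webmail_logons(events, threshold=5):
    """Count failed web-mail logons per (user, source IP) and return the
    pairs at or above the threshold. With no lockout on the server this
    is the only place a brute-force run becomes visible."""
    counts = Counter(
        (user, src) for _, svc, user, src, out in events
        if svc == "webmail" and out == "fail"
    )
    return {k: v for k, v in counts.items() if v >= threshold}


def admin_logons_off_baseline(events, admins, baseline):
    """Return (timestamp, user, host) for every successful logon by an
    admin account to a host outside that account's baseline. An intruder
    'behaving like an administrator' still has to touch new hosts."""
    return [
        (ts, user, host) for ts, svc, user, host, out in events
        if svc == "logon" and out == "success" and user in admins
        and host not in baseline.get(user, set())
    ]


def review(events=EVENTS):
    """Run both checks and return their findings for an analyst to triage."""
    return {
        "webmail_bruteforce": failed_webmail_logons(events),
        "admin_off_baseline": admin_logons_off_baseline(events, ADMIN_ACCOUNTS, BASELINE_HOSTS),
    }
```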

The investigation and remediation process, says Lewis, may take as long as a year. They review logs and carry out intrusion forensics using a number of different tools.

Not surprisingly, Lewis says the best plan for dealing with intrusions is to avoid them completely. Prevention is the best cure, he says.
