AusCERT
Year in Review

2021

Foreword

Dr David Stockdale - Director, AusCERT

Each year when I sit down to write this foreword, I reflect on the year that has gone…the time that we have had, and how effectively we have used it! In 2020, I talked about the level of cyber activity and the organised nature of the adversary, and at the time of writing had little understanding of the impact of COVID-19 and the impending pandemic. In 2021 we knew of that impact, both on our personal well-being as well as to the increased cyber threat. Now, in 2022, just when we think everyone is starting to come to terms with COVID-19 and life is returning to some normality, we face a new and, to some extent, obscured threat that drives new cyber activity. Whilst the Ukrainian conflict may seem to be a distant war that does not affect Australia, it is potentially the soft-start of a cyber-based conflict that may increase over time, and trickle on for months or years, especially as governments realise the potential to control events via economic leverage. This puts many of our organisations at increased risk as we see a converging of cyber-crime and state-based cyber activity!

Whilst AusCERT still deals with many incidents around malicious email, malware, and other routine issues, 2021 was another year of big events. The gravity of events such as the Exchange server vulnerabilities at the beginning of the year through to the year ending with the Log4Shell issues that still have many organisations vulnerable leads me to believe the issues are only going to get more frequent with higher levels of impact.

Setting aside the major vulnerabilities occurring in 2021, AusCERT continued to see the majority of activity in the Fraud: Phishing category followed by Malicious Code: Malware, with many requests for information coming from members. Over the year we issued an increased number of AusCERT Security Bulletins and, as we further tuned the services, we saw a significant rise in activity where we proactively notified members about their increased exposure to risk.

To deal with the increasing threats against a more uncertain world picture, never has there been a more important time to have your people aware of what is happening and trained for when an event occurs. No longer is it just the cyber team that needs to be aware, but all of the workforce, both technical and non-technical. No longer is it acceptable to believe the technology will keep us safe, and no longer is it worth having processes that are not tested and practiced. The theme of the AusCERT2022 conference was “Rethink, Reskill, Reboot” and I believe the old mantra of “People, Processes & Technology” needs to come of age and be replaced with “People, People, People, Processes & Technology”. It is time to rethink how our organisations are tackling the cyber threat, reskill ALL the workforce, and reboot to a new level of awareness and protection.

Membership Matters

As of March 2022, AusCERT is made up of 656 member organisations comprising several tiers of membership levels (small to enterprise).

Members are grouped into defined Australian and New Zealand Standard Industrial Classification (ANZSIC) categories. The three industries most represented among our members are listed below, with the remaining members grouped under all other industries:

- Education & Training 115 members
- Financial & Insurance Services 87 members
- Health Care & Social Assistance 86 members
- All other industries 357 members

In 2021, AusCERT continued its growth over the last few years by welcoming 72 new member organisations, while retaining 96% of members from 2020.

Incident Management

AusCERT invests in the skillsets of its Cyber Security Analysts to provide members with a trusted, expert partner for a range of services. The membership fee is a small fraction of the cost of building such advanced capabilities in house, and the services are designed to work alongside commercial IT providers.

Our data processing systems have been engineered to search for indicators of compromise and vulnerability, providing thousands of timely notifications and remediation advice each week across our member base. For incidents requiring the additional expertise and individual attention of a skilled cyber security analyst, AusCERT is available 24/7.

We provide analysis of malware including ransomware, general advice on cyber security topics, and take action against threats such as phishing. During 2021 AusCERT serviced 2,823 individual tickets for member requests, an average of approximately 11 tickets per business day.

The accompanying diagram (not reproduced here) shows the statistics of incidents that required handling during the 2021 calendar year.

Security Bulletins

AusCERT distributes security advisories and bulletins to its members by email and publishes a portion of them to its public website.

Bulletins are published in a standardised format with a consistent approach to classifications of vulnerabilities, impacts and affected operating systems.

In 2021, 4,564 External Security Bulletins (ESBs) and 279 AusCERT Security Bulletins (ASBs) were published.

The ESBs are made publicly available immediately; however, the ASBs are available only to members for a period of one month, after which they become available for public consumption.

In recent times, AusCERT has made a conscious move to make ASBs publicly available (apart from a minor few that remain exclusively restricted to members), especially when the data is critical to Australia and not found elsewhere, as part of our team's greater-good philosophy.

Member Security Incident Notifications (MSINs)

AusCERT members benefit from AusCERT's extensive overseas and local threat intelligence feeds, which cover incidents that have been detected by other parties but concern the members.

There are several categories of incidents, with many more types of indicators added in 2021, as listed below:

- Availability
- Information Gathering
- Intrusion Attempts
- Intrusions
- Malicious Code
- Other
- Vulnerable

This service has been running for members for several years, and 3,238,762 pieces of information were sent out to members in 2021.

These notifications are a mix of Indicators of Vulnerabilities (IoV) and Indicators of Compromise (IoC).

Achievements and Milestones

"SOARing with Cyber"

In 2021, the conference was delivered in a hybrid format for the very first time and focussed on the theme of "SOARing with Cyber" - Security Orchestration, Automation, and Response.

In total, the conference saw over 800 registrations (480 in-person and 347 virtual attendees) and featured:

- 3 keynotes
- over 70 speakers
- 30+ sponsors

You can relive, or experience for the first time, the range of engaging and informative presentations, the speed debate and other highlights from AusCERT2021 on our YouTube channel: Watch Now.

"Share Today, Save Tomorrow"

In planning for more than a year, AusCERT's very own podcast series became a reality in mid-2021.

Featuring fantastic guest speakers, including attendees at AusCERT2021, and with ongoing support from Anthony and Kathryn at Media-Wize, a range of topics were discussed aimed at engaging our members to empower their people, capabilities, and capacities.

We encourage and welcome ideas for future episodes from our members and look forward to providing more content to listen to.

In the meantime, you can browse our library on SoundCloud, Spotify, Apple Podcasts and Google Podcasts.

Happy listening!

Closing Remarks

Over the past few years, plenty of world-impacting events have moved cyber security discussions even further into boardrooms and even general water-cooler talk. Although the events themselves are quite serious in some cases, I’m optimistic that the world’s increased cybersecurity awareness will help reduce the frequency and severity of incidents.

I’ll admit that part of my optimism may be my internal coping mechanism; let's acknowledge that this industry can lead to burnout and that we all should do our part to save ourselves and others from that fate. However, I can see tangible strategies forming in many areas which I believe will positively contribute to this. For example, our training programs offered to members teach concepts such as baseline cybersecurity skills for IT professionals, cyber risk management, and how to write your incident response plan. Just ten to fifteen years ago, these were the skillsets of only a select few, in a select few industries.

Managed cybersecurity services have become big business in recent years and threat intelligence is now seen by senior management of all industries as a necessity, although I’m not convinced our industry has it right. Here’s the thing: it’s not purely a technical matter, but we (the cyber security industry) are often geared up and hard-wired that way.

Sure, you can hook into AusCERT’s MISP (Malware Information Sharing Platform) or our legacy Malicious URL Feed and retrieve a stream of tactical indicators of compromise, manually or machine-to-machine, depending upon your capability. This is an effective way to defend yourself from what’s happening right now. However, traditional risk management tells us we should “identify threats”, which means you need to look beyond what’s happening now and effectively predict the future. Technology can only help with that to a small extent; humans must do the rest.

If you look at our Security Bulletins (the “ASBs” rather than the more voluminous vendor vulnerability notification “ESBs”) you’ll find examples of AusCERT’s Analysts helping you do just that, and it’s an area we’re actively working on improving for you. If you haven’t the time to do anything else, at least read those ASBs – if you’ve set up a mail filter to send everything from us to the “AusCERT” folder, consider alerting yourself to those ASBs in some way. We’ll SMS you the critical ones, of course.

This is where the non-technical aspects of cyber security come into play. You might need to consider a particular threat, assess your risk appetite and adjust your response which might be completely non-technical, such as addressing stakeholder awareness of a new type of cybercrime.

We know this is a challenging evolution for many of our members and we hope to make this as easy as possible for you. We want to share our intel and know-how through training, our annual Conference, our Member Slack channel, and all our services including good old-fashioned 24x7 IR. The world may have changed, but our core values and reason for existence remain the same: not-for-profit cybersecurity services complementing existing industry and government offerings.

Speaking of world changes, the work-from-home and online shift has made “catching up to have a rant about cybersecurity” more challenging. Don’t forget to reach out to us, your team members and colleagues to keep those lines of communication open. “Are you ok?” and “hey, what’s your biggest cybersecurity threat, how can we help each other?” are great ways to open a conversation!

We wish you all the best for a productive and successful year ahead.

Mike Holm – Senior Manager