In May, the Australian Cyber Security Centre (ACSC), Australia’s national-level cybersecurity authority, released its 2019-2020 cyber attacker tradecraft trends report, an artifact that exposes the tactics, techniques and procedures (TTPs) observed in use against Australian networks. This report is especially interesting for several reasons.
First, it shows how Australia has embraced MITRE ATT&CK as its de facto framework for expressing known adversary behavior. This is clearly a sign of things to come for other nations that have developed cybersecurity programs. If only the United States could hurry up, settle the NCTCF vs. ATT&CK conundrum, and do more of this via US-CERT and CISA (whose advisories largely focus on early-kill-chain, software-vulnerability-based bulletins).
Second, and likely as a direct consequence of what ATT&CK enables in disclosure, the government can release reports such as these to drive defensive behavior across its communities without disclosing the sensitive, national-level defensive apparatus used to learn which TTPs attackers are using. The need to protect the methods behind a national security defensive program has historically conflicted with the benefits of releasing the information gained from it. For example, the sensitive IOCs collected by the DHS US-CERT Einstein program had to be held at the Top Secret level, under a shroud of secrecy, and were operationalized only through DHS Enhanced Cybersecurity Services (ECS). This is a truly complex, expensive, and suboptimal way to share threat information. ATT&CK affords an open-source, common body of knowledge that is invaluable to a defender, is not sourced from classified intelligence, and can describe attacker methods at a level of abstraction that protects collection sources from attribution. TTPs are simply more valuable than raw indicators.
Third, if these are the top attacks against Australia (at least those that are publicly disclosable), there is a high likelihood that they are the top attacks against many others. Attackers are known for reusing TTPs because reuse lowers the cost of executing their operations. Said differently, attackers are lazy and will use the lowest common effective denominator of attack. These are the most observed TTPs, basically because they still work.
One of the best ways to take advantage of these kinds of reports is to test them yourself. Modern breach and attack simulation platforms like AttackIQ allow you to emulate these attacker behaviors across the full spectrum of the attacker kill chain. These are the attack techniques you are most likely to experience, and you can use them to extrapolate the most important security capabilities for your organization’s defenses. Don’t just assume your security works because you passed a regulator-required passive audit last year; exercise your controls just as the attacker would and answer the “am I covered?” question with objective authority.
AttackIQ has already created a template that, with the push of a button, can emulate 61 of the TTPs annotated in the ACSC report. Use this out-of-the-box functionality to assess where you stand today.