As cybercrime evolves, organisational resilience demands a mindset shift
29 Jun 2023|

Facing the threat of state-sponsored cyberattack groups, the financial motivations of organised cybercrime gangs and the reckless ambitions of loosely knit hacktivist collectives, Australian organisations are fighting a cybersecurity battle on multiple fronts.

While an attacker’s goals can be amorphous and hard to define, the tools, tactics and procedures deployed against private and public organisations are constantly evolving.

Nowhere is this more apparent than in malicious emails. A tell-tale giveaway used to be poorly written and grammatically incorrect correspondence urging the user to click a link or open an attachment. With the advent and large-scale adoption of generative artificial intelligence platforms such as ChatGPT and Bard, the malicious is getting harder to distinguish from the mundane.

As AI-enhanced attackers continue to target Australian organisations, is it possible to be completely secure?

No, it’s not.

Short of taking your operations entirely offline, no silver bullet, no enchanted widget, no magic bean will stop all cyberattacks.

Although it’s impossible to completely inoculate your organisation from cyberattacks, it’s entirely possible to limit the impact of the inevitable breach.

With attackers honing their craft to inflict maximum damage, businesses need to build resilience to ensure that an attack is a relatively minor inconvenience rather than a catastrophic incident.

It’s clear the stakes are high. A recent ransomware attack took an Australian financial services firm offline for five weeks. The cost of this downtime and remediation has been forecast to reach $95 million to $105 million.

While threats range from compromising business email and man-in-the-middle interventions to distributed denial-of-service (DDoS) attacks and zero-day exploits, attackers appear to favour ransomware—the Swiss army knife of attacks. Not only can denying an organisation its data further political, financial or activist aims, but ransomware-as-a-service operations significantly lower the barriers to entry for cybercriminals.

In its purest form, a ransomware attack seeks to make critical data unavailable to the victim. This is traditionally achieved by encrypting the data and demanding a ransom be paid to receive a decryption key. Unfortunately, even paying the demand is no guarantee. Recent Rubik research found that only 14% of Australian organisations that paid the ransom were able to recover all their data.

Governments and law enforcement agencies around the world are increasingly urging organisations not to pay ransom, and organisations have improved their use of backup data to recover business operations.

But attackers have adapted. We’ve seen an evolution in how they try to force their victims to negotiate. They first seek to destroy or corrupt backup data before the ransom demand is made.

Of the Australian organisations that experienced a cyberattack last year, 98% saw the malicious actors attempt to compromise their backup data. In 87% of cases, they were at least partially successful.

This tactic is designed to hamper recovery efforts, since up-to-date backup data enables a victim to rapidly restart operations from the latest ‘save point’ prior to the infection.

Data backups are so fundamental to cyber resilience that it’s the only measure in the Australian Signals Directorate’s essential eight to address recovery. While the other seven measures are all important, they relate to prevention before the fact, rather than recovery after an attack.

At maturity level one, the essential eight guidance recommends:

  • performing regular backups of important data, software and configuration settings with a frequency and retention timeframe in accordance with business continuity requirements
  • retaining backups of important data, software and configuration settings in a secure and resilient manner
  • preventing unprivileged accounts from modifying and deleting backups.

Organisations subject to the Security of Critical Infrastructure Act that use the essential eight model as the framework for their critical-infrastructure risk-management program must meet these minimum requirements. Realistically, they should exceed them and aim for maturity level three, which calls for immutable backups that cannot be deleted, modified or accessed, even by users with privileged accounts.

These measures help to ensure that if a ransomware attack denies an organisation access to its data, shutting down its operations, it can recover rapidly by restoring from backups.

With resilient copies of critical data, services can be restored within a matter of hours rather than organisations facing the prospect of days, weeks or even months offline.

As cyber resilience increases, attackers have adopted different strategies—attacking backups, and data exfiltration.

Rather than encrypt data, malicious actors seek to steal high-value material like financial details, medical records, personally identifiable information and other sensitive information.

A ransom is then demanded on the threat of that data being published or sold to other attackers. This has played out recently with high-profile attacks against major organisations, including a law firm that reportedly had 4 terabytes of data stolen. Just under half of the data was reportedly published on the dark web in a bid to force the victim to negotiate.

These devastating attacks succeed for two reasons.

First, one of the greatest challenges organisations face today is data sprawl. Employees can work from anywhere and more applications and digital platforms to help them do so are implemented every day.

As workers disperse and platforms proliferate, sensitive data is scattered and duplicated across an immense digital footprint. How can you protect sensitive data if you don’t know what or where it is?

Second, too much faith has been placed in organisations’ ability to keep attackers out. A ‘digital fortress’ mentality has been pursued in an attempt to thwart 100% of cyberattacks and the convincing marketing of cybersecurity vendors has lulled many into a false sense of security.

That 100% safety target cannot be achieved.

If organisations shift their focus away from risk minimisation and heavy investment in trying to stop every attack and towards cyber resilience to limit the impact of an inevitable breach, these intrusions will continue but their impact can be much less severe than has been witnessed in recent years.

The most sensitive data is typically highly formatted. Passports, drivers’ licences, credit card numbers and the like all follow conventions. AI and machine-learning models can be trained to scour an organisation’s digital footprint, locating all sensitive data so that appropriate protection and access protocols are in place before a breach occurs.

With such a strategy in place, if exfiltration occurs the data taken can be minimised to what you might find in the Yellow Pages rather than banking details, medical history and personal identifiable information.

As cyberattackers hone their tradecraft, Australian organisations need a shift in mindset. It is indeed true that it’s a matter of when not if a cyberattack will occur. Once that has been accepted, the way sensitive data is protected changes drastically. With investments in cyber resilience and armed with a well-defined and well-rehearsed recovery strategy, the impact of a ransom attack can be reduced from catastrophic to merely inconvenient.