- Posted January 14, 2022
Speech to 18th International Conference on Privacy, Security and Trust (PST): 2021 Cyber security trends and response by GCSB Director-General Andrew Hampton
13 December, 2021
Good morning, and thank you for the opportunity to be part of today’s workshop session.
A special hello and thank you to Hilary from Kordia and Frans from Aura, it is always great to be able to join colleagues from the industry for conversations like this.
I will start off by providing a bit of context around the Bureau and our role, before talking a bit more about our cyber security focus and the cyber threatscape as we see it through our lens of building resilience and supporting incident response for New Zealand’s significant organisations. As one commentator put it recently, the Bureau and our National Cyber Security Centre focus mostly on cyber security at “the bigger end of town” rather than on the threats targeting small to medium enterprises and individuals. CERT NZ and Netsafe work more in that area.
The increasingly complex and inter-connected nature of supply chains means size does not always determine who is a nationally significant organisation. Sometimes the compromise of a relatively small but important organisation can have national impacts.
Two particular features of the current threatscape, both here and globally, are the rise of ransomware and supply chain attacks, each of which I will cover in a little more detail. I’ll then touch on new malware detection and disruption capability, Malware Free Networks, which we are offering in partnership with private sector providers.
I will finish off by touching briefly on the work we do to help organisations of national significance build resilience, before taking a few questions.
Let’s start by looking at the role of the Government Communications Security Bureau.
GCSB is a signals intelligence (or SIGINT) agency.
We are mandated under the Intelligence and Security Act, 2017 to “protect New Zealand as a free, open and democratic society”.
We have two principal roles: collecting primarily foreign intelligence by electronic means, in accordance with Government priorities, and, through the National Cyber Security Centre (NCSC), providing cyber security services to New Zealand organisations of national significance.
The focus of this session is mainly about our cyber security role, but the fact that we are also an intelligence agency is important, as it gives us access to technical capabilities, legal authorities and international cyber threat intelligence not available to other cyber security service providers.
Given the focus of this event on privacy, I feel it is also important to provide some background to our authorising environment and oversight structures.
We are a public service agency with a difference.
Just like every other public agency we are accountable to the Government of New Zealand and required to act in accordance with the Government’s security and intelligence priorities and New Zealand’s international human rights obligations.
But we are an agency with a difference – we have intrusive powers and much of what we do needs to be done in secret.
The Intelligence and Security Act 2017 provides a strong authorising framework to ensure our intelligence activities are not only legal, but also necessary and proportionate. Any intelligence warrant for the purpose of collecting intelligence against a New Zealander needs to be issued by both our Minister and the Commissioner for Security Warrants – a former High Court Judge.
Independent oversight is provided by the Inspector-General of Intelligence and Security, who has strong investigative powers and can access all of our files and records. The intelligence and security agencies also report to Parliament’s Intelligence and Security Committee. This is done at both an unclassified and classified level to give the Committee greater oversight.
Internally we promote a culture of strong legal compliance and we have strong systems to ensure we are meeting our compliance obligations.
For public service agencies in general, public trust and confidence is important – for us it is essential. One way we build public trust and confidence is by being as open as we can about the nature of the threats New Zealand faces, our role in responding to those threats, and how we are held accountable to the people of New Zealand.
This is one of the reasons engagements such as this workshop are really important for us. Now let’s move on to the primary focus of today – cyber security.
The Bureau’s cyber security mission is primarily delivered through our National Cyber Security Centre, or NCSC.
The NCSC works closely with hundreds of nationally significant organisations to understand their cyber resilience and vulnerability to attack, providing advice, support and cyber threat alerts to help organisations lift their overall cyber security resilience.
We also contribute to New Zealand’s overall security resilience through the security policy leadership function the Director-General of the GCSB plays as the Government Chief Information Security Officer (or GCISO). Supported by an information security policy team based in the NCSC, the GCISO provides system-level information security policy, strategic advice and support across government agencies. This includes establishing the New Zealand government information security standards and guidance as set out in the New Zealand Information Security Manual (NZISM).
Through the GCISO function we support the Government’s digital transformation programme. Most recently in this area we have worked with major cloud service providers to develop templates for the implementation of their cloud products. These templates help increase the baseline security of those products by building core New Zealand Government information security standards into their basic implementation.
We also contribute more broadly to national security through our regulatory roles.
In the telecommunications sector we engage with network operators to identify security risk in network changes they propose under the Telecommunications Interception Capability and Security Act 2013 (or TICSA). Under the Outer Space and High-altitude Activities Act 2017 we, along with the NZSIS, conduct risk assessments relating to New Zealand’s burgeoning space industry. Also with the NZSIS, we now have a role in scrutinising certain foreign investment proposals from a national security perspective. The regulatory function is, in fact, a growing part of our business.
Then we have our cyber defence capabilities that are made available to organisations of national significance. We developed and implemented a range of malware detection and disruption capabilities as part of our CORTEX initiative several years ago. These capabilities, which operate alongside services provided by commercial vendors, enable us to bring insights from our international relationships to help protect New Zealand’s important networks and organisations. We have also recently publicly launched a new capability called Malware Free Networks. I will talk in more detail on that a little later.
Finally, we provide an incident response capability through the NCSC to assist organisations to respond to potentially high-impact cyber security incidents. Our incident responders help organisations evict malicious cyber actors from their networks, restore service and recover from malicious events. Our response capability – which is intended to supplement the support you can access from commercial providers – can include on-site incident response, forensic analysis, threat intelligence including information sourced from our international relationships, and even communications advice and guidance.
So what does that look like in terms of delivery? Here is a snapshot of some of the numbers from our recently released annual cyber threat report.
In the 2020/21 year the NCSC and GCSB helped increase Aotearoa New Zealand’s collective cyber resilience through 1872 customer engagements and by facilitating 22 sector-based Security Information Exchanges. We published 23 reports and advisories for general customers and delivered 94 incident reports to customers.
During the year we also:
- Received 141 notifications of network change proposals under the Telecommunications (Interception Capability and Security) Act 2013 (TICSA),
- Conducted 29 assessments of regulated space activities under the Outer Space and High-altitude Activities Act 2017 (OSHAA), and
- Conducted 69 assessments under the Overseas Investment (Urgent Measures) Amendment Act 2020 (OIAA).
Our annual cyber threat report highlighted some concerning trends and provides useful insights into the cyber threats impacting organisations in New Zealand and globally.
Our report shows that in spite of all of our efforts, and the efforts of private sector specialists, the range and impact of malicious cyber activity continues to grow.
We recorded 404 incidents in 2020-2021, up from 352 in 2019-20. Of these incidents 28% indicate links to suspected state sponsored actors. GCSB, on behalf of the New Zealand government, has previously attributed malicious cyber activities to actors linked to China, North Korea and Russia. Another 27% of incidents were likely criminal and financially motivated. This is something I will return to in more detail later.
Both of these aspects are reflected in our assessment of the value of harm prevented through the operation of our CORTEX cyber defence capabilities.
Using an independently developed and validated calculator we assess the value of harm prevented to New Zealand organisations of national significance in the 2020-2021 year to be around $119 million. This is a significant increase on the figures for the previous few years and contributes to a total of $284 million since 2016.
The report also noted that even in the limited-scale mode our new Malware Free Networks capability was operating in, it was achieving real impact, disrupting more than 2000 threats in the reporting period. (Since then that number has increased significantly as we have been able to scale the service to more partners – again, I will cover that in more detail later.)
The report also provides commentary on the national and international cyber threat trends observed by our cyber threat analysts. These include changes in the way in which malicious actors operate, what we call their Tactics, Techniques and Procedures (TTPs).
We are seeing an increase in the speed and scale of scanning and mass exploitation of recently disclosed vulnerabilities. Malicious actors are quickly taking advantage of newly discovered vulnerabilities by targeting every device and organisation that is potentially vulnerable to exploitation. They do this to establish a foothold into networks, and then selectively pick their targets for further compromise. A recent example of this was the targeting of Microsoft Exchange vulnerabilities, which was publicly attributed by the New Zealand Government and international partners to the Chinese state.
Malicious actors are also shifting to establishing more strategic access, for example through the compromise of critical supply chains. A recent example of this was the SolarWinds Orion attack, which involved compromising a legitimate security update prior to it being distributed by the software provider. This malicious activity, which had widespread impact particularly in the United States, was publicly attributed by the New Zealand Government and international partners to the Russian state.
We are seeing greater use of malware “as a service” models that reduce technical barriers to entry. They enable increasingly complex and impactful campaigns to be carried out by malicious actors with a much lower technical skill base.
Another trend that is becoming more pronounced is the blurring of the lines between state sponsored and criminally motivated actors. For example, we now see criminal actors using capabilities that a few years ago were mainly in the hands of sophisticated state actors. Similarly some criminal groups appear to be provided “safe havens” to operate from without sanction in their resident countries.
All this contributes to making the global cyber threat picture more complex, and attribution more difficult.
There are two significant cyber threat trends that I will spend a bit more time on. They are the significant change in the nature of ransomware attacks, both in their complexity and frequency, and the increasing indirect targeting of organisations via supply chains as the means to achieve compromise.
Ransomware attacks
The use of ransomware, typically by financially motivated criminal actors, has gained prominence both here and internationally due to multiple high profile incidents.
For example, in just one month, May of this year, we saw:
- 07 May Colonial Pipeline – USA
- 14 May Health Service – Ireland
- 19 May Waikato DHB – New Zealand
- 30 May JBS meat processing company – Australia.
All of these ransomware attacks had significant impacts.
Reporting suggests that from mid-2019, malicious actors have been shifting their ransomware targeting strategy. The volume of broad-based campaigns indiscriminately encrypting the computers of individuals has declined. They have been replaced by “big-game hunting” – in which malicious actors focus on high-profile organisations, who are potentially more vulnerable to extortion because of the criticality of their services and therefore potentially more willing and able to pay significant ransoms.
Malicious actors are putting considerable effort into researching the sensitivity of the data, operating environments, and financial information of their victims. This knowledge helps them apply pressure on victims to pay ransom demands.
Malicious actors’ tactics have evolved further with hybrid or “double extortion” attacks. Actors exfiltrate sensitive data before encrypting IT systems and threaten to publish that data (and in some cases do) to increase pressure on victims to pay the ransom. Organisations holding particularly sensitive personal or commercial information are especially at risk.
Another hybrid extortion tactic is to also use distributed denial of service (DDoS) attacks to increase pressure on victims to pay a ransom. Some malicious activity may not even involve encryption; the actors may just focus on simple data-theft extortion. Some cyber criminals judge that victims will pay more to avoid their sensitive data being leaked than they would to avoid disruption from encryption of their IT systems.
One of the drivers of the growth in ransomware attacks is the relative ease with which technically savvy cyber criminals, with access to the necessary funds (most likely in a cryptocurrency), can purchase “ransomware as a service” tools off the “dark web”. Ransomware as a service enables a cyber criminal or other malicious actor to purchase a ransomware kit and tools to manage it, with some even offering a service desk function, much like your organisations’ own IT support.
Another driver of ransomware is the availability of anonymous payment systems such as Bitcoin and the range of other cryptocurrencies. They make it extremely difficult even for international law enforcement agencies to “follow the money” to track down the people behind these attacks. In situations where ransoms are demanded, the GCSB advises against making payments: paying the ransom does not guarantee that data will not be exploited in the future, and in fact it could just encourage the attackers to come back again.
Because phishing attacks and exploitation of unpatched vulnerabilities are key vectors of attack for ransomware actors, basic cyber security hygiene, such as regular patching, system segmentation and frequent offline backups of key systems and data, is an organisation’s first line of defence. Also, make sure you have robust contingency plans in place to enable you to continue to deliver your most important services in the event you are compromised. Unfortunately, according to the Chief Executive Officer of our NCSC’s equivalent agency in the UK, most organisations she works with report being underprepared for the scale of the impact these attacks create.
Supply Chain attacks
Another change in the way malicious actors are compromising organisations is through what we term “supply chain” attacks. These days it is not sufficient to just ensure the cyber security resilience of your own organisation; you also need to consider how secure your suppliers are. And you need to reflect that consideration in your supplier contract and reporting arrangements.
Outsourcing of technology services has been an increasing trend in recent years. When implemented effectively it can increase efficiencies and enable greater security, but it can also expose you to increased risk. However, organisations need to keep in mind that while you can outsource the service, you are not outsourcing the risk. In fact you may just be increasing your potential attack surface by providing another vector for malicious actors to compromise an aspect of your operation.
When the NCSC surveyed around 250 significant organisations about a range of cyber security resilience measures we found that, while 72 percent of organisations surveyed used some type of managed service provider, more than a third of those had no method in place to assess whether the agreed level of IT security was being delivered. Organisations need to ensure they have provisions in place to assess, manage and report on how IT security risk is being addressed by suppliers.
A recent development in supplier attacks has been compromising software updates as a means of establishing a presence in customer systems. One of the top controls recommended to help increase cyber security resilience, both in CERT NZ’s Critical Controls 2021 and in the Essential Eight published by the ASD (the GCSB’s Australian equivalent agency), is patching: applying the latest security updates to your systems in much the same way as you do for your personal devices. However, the high-profile SolarWinds Orion attack illustrates that even when you are applying the appropriate controls, you can still be vulnerable through your supply chain.
That is why it is even more critical to ensure organisations are well prepared to respond to an attack when it happens.
Part of our response to this constantly evolving range of threats has been to find ways to increase the span of organisations who can receive our services. We recognised that the key to scaling our cyber defence capabilities to help defend a broader range of New Zealand organisations was to work in partnerships with private sector network operators and security services providers.
We developed the Malware Free Networks service – publicly launched earlier this month – to help us achieve this.
MFN is a threat detection and disruption service curated from a range of sources available to the NCSC.
These include the NCSC’s international cyber security partners, and information drawn from the NCSC’s cyber defence capabilities.
It provides near real-time threat intelligence reflecting current malicious activity targeting New Zealand organisations.
MFN helps organisations defend their networks against a broad range of high-impact malicious activity and generally reflects signs of activity from advanced threat actors.
It has been engineered to enable it to be integrated with other systems and platforms provided by ISPs and cyber security service providers.
For most customers, the MFN service will be available through their network operator or primary cyber security service provider. The NCSC is working with these organisations to enable the MFN service to be accessible within the IT security market to new customers.
Some providers will provide feedback (telemetry) back to the NCSC to help increase MFN’s value and effectiveness. This feedback will improve the NCSC’s knowledge of threats targeting New Zealand organisations and help to lift New Zealand’s overall cyber security resilience.
MFN is additional to other cyber security products and services, including the existing threat detection and disruption services provided by the NCSC to New Zealand’s nationally significant organisations. MFN is currently available through nine private sector partners – either Internet Service Providers (ISPs) or cyber security service providers. Our current MFN partners are: Cassini, CRNZ, Datacom, Defend, InPhySec, Kordia, Spark, SSS, and Vodafone. We are also in discussion with a number of other providers so you can expect to see the range of partners grow in the New Year.
Even though we have only had a limited deployment of MFN since September last year as we have grown the number of partners offering the service, we see real promise in what is being achieved – both from the perspective of the increasing number of disruptions and the speed at which we are able to get indicators deployed.
Some of the key figures today provide a bit of a snapshot in time.
MFN now has more than 40,000 IOCs and the pace at which they are being added is increasing.
We have already had more than 12,000 disruptions and we anticipate this increasing exponentially as partner capabilities come on stream and scale to their customers.
We have put a huge effort into the engineering and technology challenges behind taking indicators identified as being relevant to the New Zealand threatscape and making them available through MFN as quickly and as seamlessly as possible.
The process is now largely automated, with critical checks built in to reduce the risk of false positives. We now have near real-time deployment of indicators (generally less than 10 minutes between IOC confirmation and availability to the MFN service), with a real effort to ensure the IOCs reflect current threats facing New Zealand systems.
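As an added illustration of the kind of pre-deployment checks an automated indicator pipeline needs before pushing IOCs to blocking partners, the following is a constructed example, not the NCSC’s or MFN’s actual code; the allowlist, the 30-day age limit, the non-routable ranges and the sample feed are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed policy values (hypothetical, not MFN's real configuration).
ALLOWLIST_DOMAINS = {"example.com"}          # never block these or their subdomains
MAX_AGE = timedelta(days=30)                 # an IOC older than this is treated as stale
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10")]
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def classify(raw):
    """Normalise one indicator: returns ('ip', str), ('domain', str) or (None, None)."""
    value = raw.strip()
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    host = value.lower().rstrip(".")         # case-fold and drop any trailing dot
    return ("domain", host) if DOMAIN_RE.match(host) else (None, None)

def check_indicator(ioc, now):
    """Pre-deployment checks; returns (accepted, reason, dedupe_key)."""
    kind, value = classify(ioc["value"])
    if kind is None:
        return False, "malformed", None
    key = (kind, value)
    if kind == "ip" and any(ipaddress.ip_address(value) in n for n in NON_ROUTABLE):
        return False, "non-routable address", key   # would block nothing, or block LAN traffic
    if kind == "domain" and any(value == d or value.endswith("." + d) for d in ALLOWLIST_DOMAINS):
        return False, "allowlisted domain", key      # classic false-positive source
    if now - datetime.fromisoformat(ioc["confirmed"]) > MAX_AGE:
        return False, "stale", key                   # no longer reflects current threats
    return True, "ok", key

def build_deployment(feed, now):
    """Dedupe and filter a raw feed; returns (deployable IOCs, rejection counts by reason)."""
    deployable, rejections, seen = [], {}, set()
    for ioc in feed:
        accepted, reason, key = check_indicator(ioc, now)
        if accepted and key in seen:
            accepted, reason = False, "duplicate"
        if accepted:
            seen.add(key)
            deployable.append({"type": key[0], "value": key[1], "confirmed": ioc["confirmed"]})
        else:
            rejections[reason] = rejections.get(reason, 0) + 1
    return deployable, rejections

# Constructed sample feed; 203.0.113.0/24 is a documentation range, not a real malicious host.
SAMPLE_NOW = datetime(2021, 12, 13, 9, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    {"value": "203.0.113.45", "confirmed": "2021-12-13T08:00:00+00:00"},         # accepted
    {"value": "203.0.113.45", "confirmed": "2021-12-13T08:05:00+00:00"},         # duplicate
    {"value": "10.1.2.3", "confirmed": "2021-12-13T08:00:00+00:00"},             # RFC 1918
    {"value": "cdn.example.com", "confirmed": "2021-12-13T08:00:00+00:00"},      # allowlisted
    {"value": "stale.example.net", "confirmed": "2021-10-01T00:00:00+00:00"},    # stale
    {"value": "MALWARE.Example.NET.", "confirmed": "2021-12-12T23:00:00+00:00"}, # normalised, accepted
    {"value": "not a domain!", "confirmed": "2021-12-13T08:00:00+00:00"},        # malformed
]

def run_sample():
    return build_deployment(SAMPLE_FEED, SAMPLE_NOW)

if __name__ == "__main__":
    deployable, rejections = run_sample()
    for ioc in deployable:
        print("DEPLOY", ioc["type"], ioc["value"])
    print("rejected:", rejections)
```

The rejection counts are what a pipeline operator would watch: a sudden rise in “allowlisted domain” or “stale” rejections signals a problem with an upstream source before it reaches any partner’s blocking list.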
MFN is intended to provide an additional layer of protection, over and above other commercial services and in conjunction with good practice and governance. If you are interested in finding out more about whether your organisation could benefit from the MFN service, talk to your current cyber security service provider or one of the partners I mentioned earlier.
Another part of our approach to building resilience is through engagements like this and the production of cyber security guidance products. These products, which draw from research conducted by the NCSC of 250 nationally significant organisations, reflect the key focus areas for building cyber security resilience identified in the research. Those areas were: cyber security governance, incident management and preparedness, supply chain security, and investment.
These products are intended to support discussion and dialogue between cyber security practitioners and their executive and governance suites to help identify ways they can work together to increase an organisation’s resilience. The first three of these resources are already available on the NCSC website and the fourth, our investment guidance, will be published in the New Year.
These are not technical documents and I encourage you to check them out via https://www.ncsc.govt.nz/guidance
That is the end of my presentation. Thank you for your attention; I am very happy to take questions.