The changing landscape of cyber threats and organisational responses

A briefing by Andrew Hampton, Director-General of the Government Communications Security Bureau (GCSB) to business leaders

August 2021

Introduction

Thank you for the opportunity to talk with you today and share a view of the evolving cyber threat landscape and discuss elements of the response to it. I will cover off both what the GCSB is doing in our cyber resilience work and provide suggestions for what you as leaders should be doing in your organisations.

By way of context, GCSB has two principal roles, gathering primarily foreign intelligence in accordance with Government priorities and, through the National Cyber Security Centre (NCSC), provision of cyber security services to New Zealand organisations of national significance. I will talk today mainly about our cyber security role, but the fact that we are also an intelligence agency is important, as it gives us access to technical capabilities, legal authorities and international cyber threat intelligence not available to other cyber security service providers.

Before I get on with my presentation though, I do want to note events unfolding in Afghanistan given one of the Bureau’s key intelligence functions is to provide support to New Zealand’s military operations overseas. Over the years the GCSB has deployed a number of staff to Afghanistan as part of New Zealand’s effort there and so our thoughts are very much with the people of Afghanistan. Over the past week we have also been preparing to support any New Zealand operations to evacuate New Zealand citizens, permanent residents and visa holders from Kabul.

Now back to my presentation – I will begin by outlining some of the cyber threat numbers that NCSC reports on an annual basis and also provide an update to them given there have been some important developments since our last annual cyber threat report was released. This will include ransomware and supply chain attacks.

Against that background I will talk about what the GCSB and the NCSC are doing to help organisations be more resilient and be more prepared for the kinds of threats we are seeing. Here I will outline what we are doing to expand the reach of our cyber defence capabilities to more sectors and organisations.

I will conclude by talking about some specific actions that you as leaders can take to engage with your organisation, not just with your IT and security teams, but with your organisation more broadly to ensure you are more resilient and better prepared to respond effectively should you be impacted by a cyber security event.

Threatscape

So let’s start with the threatscape. There is no doubt that cyber security is particularly topical at the moment. You just need to look at media headlines, both here and internationally, to see that there is an increase in the number, sophistication and impact of malicious cyber attacks.

In December the NCSC released its annual cyber threat report, which provides an overview of the incidents we recorded in the 2019-20 year. Overall, the report reflected a small increase in the number of incidents recorded by the NCSC.

There were 352 incidents in 2019-20, up from 339 in 2018-19. Keep in mind that our focus is on incidents affecting New Zealand’s nationally significant organisations, and on incidents likely to have a national impact, which means these numbers represent just a small proportion of the total incidents affecting New Zealand.

Incidents that can be linked to state-sponsored actors fell slightly as a proportion of the total, to 30 percent from 38 percent.

A change we remarked on at the time was an increase in the proportion of these incidents being detected at the post-compromise phase. This is the point where malicious actors have had an opportunity to establish persistence on a network and to potentially extract information or cause other harm.

Recent cyber threat trends

While we provided some commentary on the trends we were seeing in the report, since its release some of those trends have become even more pronounced.

The way in which malicious actors operate, what we call the Tactics, Techniques and Procedures (TTPs) are changing:

  • We are seeing an increase in the speed and scale of scanning and mass exploitation of recently disclosed vulnerabilities. Malicious actors are quickly taking advantage of newly discovered vulnerabilities by targeting every device and organisation that is potentially vulnerable to exploitation. They do this to establish a foothold in networks, and then selectively pick their targets for further compromise. A recent example of this was the targeting of Microsoft Exchange vulnerabilities, which was publicly attributed by the New Zealand Government and international partners to the Chinese state.
  • Malicious actors are also shifting to establishing more strategic access, for example through the compromise of critical supply chains. A recent example of this was the SolarWinds Orion attack, which involved compromising a legitimate security update prior to it being distributed by the software provider. This malicious activity, which had widespread impact particularly in the United States, was publicly attributed by the New Zealand Government and international partners to the Russian state.
  • We are seeing greater use of malware ‘as a service’ models that reduce technical barriers to entry. They enable increasingly complex and impactful campaigns to be carried out by malicious actors with a much lower technical skill base.

Another trend that is becoming more pronounced is the blurring of the lines between state-sponsored and criminally motivated actors. For example, we now see criminal actors using capabilities that a few years ago were mainly in the hands of sophisticated state actors. Similarly, some criminal groups appear to be provided ‘safe havens’ to operate from without sanction in their resident countries.

All this contributes to making the global cyber threat picture more complex, and attribution more difficult. I’ll return to the question of attribution shortly.

There are two significant cyber threat trends that I will spend a bit more time on, as I think they are particularly relevant for this audience. They are the significant change in the nature of ransomware attacks, both in their complexity and frequency, and the increasing indirect targeting of organisations via supply chains as the means to achieve compromise.

Ransomware attacks

The use of ransomware, typically by financially motivated criminal actors, has recently gained prominence both here and internationally due to multiple high profile incidents.

In just one month, May of this year, we saw:

  • 07 May Colonial Pipeline – USA
  • 14 May Health Service – Ireland
  • 19 May Waikato DHB – New Zealand
  • 30 May JBS meat processing company – Australia.

All of these ransomware attacks had significant impacts.

Reporting suggests that from mid-2019, malicious actors have been shifting their ransomware targeting strategy. The volume of broad-based campaigns indiscriminately encrypting the computers of individuals has declined. These have been replaced by ‘big-game hunting’, in which malicious actors focus on high-profile organisations, which are potentially more vulnerable to extortion because of the criticality of their services and therefore potentially more willing and able to pay significant ransoms.

Malicious actors are putting considerable effort into researching the sensitivity of the data, operating environments, and financial information of their victims. This knowledge helps leverage pressure on victims to pay ransom demands.

Malicious actors’ tactics have evolved further with hybrid or ‘double extortion’ attacks. Actors exfiltrate sensitive data before encrypting IT systems and threaten to publish that data (and in some cases do publish it) to increase pressure on victims to pay the ransom. Organisations holding particularly sensitive personal or commercial information are especially at risk.

Another hybrid extortion tactic is to also use distributed denial of service (DDoS) attacks to increase pressure on victims to pay a ransom.

Some malicious activity may not even involve encryption; the actors may just focus on simple data-theft extortion. Some cyber criminals judge that victims will pay more to avoid their sensitive data being leaked than they would to avoid disruption from encryption of their IT systems.

One of the drivers of the growth in ransomware attacks is the relative ease with which technically savvy cyber criminals with access to the necessary funds, most likely in a crypto currency, can purchase ‘ransomware as a service’ tools off the dark web. Ransomware as a service enables a cyber criminal or other malicious actor to purchase a ransomware kit and tools to manage it, with some even offering a service desk function, much like your organisation’s own IT support.

Another driver of ransomware is availability of anonymous payment systems such as Bitcoin and the range of other crypto currencies. They make it extremely difficult even for international law enforcement agencies to ‘follow the money’ to track down the people behind these attacks.

In situations where ransoms are demanded, the GCSB advises against making payments. Paying the ransom does not guarantee that data will not be exploited in the future; in fact it could just encourage the attackers to come back again.

Because phishing attacks and exploitation of unpatched vulnerabilities are key vectors of attack for ransomware actors, basic cyber security hygiene such as regular patching, system segmentation and frequent offline backups of key systems and data is an organisation’s first line of defence. Also, make sure you have robust contingency plans in place to enable you to continue to deliver your most important services in the event you are compromised. More on this soon.

Unfortunately, according to the Chief Executive Officer of our NCSC’s equivalent agency in the UK, most organisations she works with report being underprepared for the scale of the impact these attacks create.

Supply chain attacks

Another change in the way malicious actors are compromising organisations is through what we term ‘supply chain’ attacks. These days it is not sufficient to just ensure the cyber security resilience of your own organisation; you also need to consider how secure your suppliers are. And you need to reflect that consideration in your supplier contracts and reporting arrangements.

Outsourcing of technology services has been an increasing trend in recent years. When implemented effectively it can increase efficiencies and enable greater security, but it can also expose you to increased risk. You need to keep in mind that while you can outsource the service, you are not outsourcing the risk. In fact, you may just be increasing your potential attack surface by providing another vector for malicious actors to compromise an aspect of your operation.

When the NCSC surveyed around 250 significant organisations about a range of cyber security resilience measures we found that, while 72 percent of organisations surveyed used some type of managed service provider, more than a third of those had no method in place to assess whether the agreed level of IT security was being delivered. You need to ensure you have provisions in place to assess, manage and report on how IT security risk is being addressed by your suppliers.

A recent development in supplier attacks has been compromising software updates as a means of establishing a presence in customer systems. Patching – applying the latest security updates to your systems in much the same way as you do for your personal devices – is among the top controls recommended in CERT NZ’s Critical Controls 2021 and in the Essential Eight published by the ASD, the GCSB’s Australian equivalent agency. However, the high profile SolarWinds Orion attack illustrates that even when you are applying the appropriate controls, you can still be vulnerable through your supply chain.

That is why it is even more critical to ensure your organisation is well prepared to respond to an attack when it happens. I will come back a little later to some of the steps you can take to help increase your resilience to attacks and be better prepared to respond when an incident occurs. But before I do that, let us quickly look at some of the instances where this type of malicious activity has been publicly called out.

Calling out bad behaviour

As part of New Zealand’s commitment to upholding the rules-based international order, the Government will, from time to time, publicly call out actors responsible for particular malicious cyber events where it is seen as in New Zealand’s interest to do so. The decision to publicly attribute malicious cyber activity is made by the New Zealand Government, based on its own assessment and independent of New Zealand’s international partners.

The GCSB’s primary role in this process is conducting a technical attribution of the malicious cyber activity to ensure an independent, sovereign technical assessment is made. This technical assessment feeds into the consideration of a range of other factors including the scale of the activity and the activity’s impact on New Zealand.

Often it is me, as Director-General of the GCSB, who is the Government spokesperson for such attributions. But on several occasions recently it has been our Minister, the Honourable Andrew Little, who has spoken. This is in part because of the impact the event being called out has had in New Zealand, and may also reflect the level at which our international partners’ statements have been made.

On behalf of the New Zealand Government, I have publicly attributed five cyber campaigns, which were designed to generate revenue, disrupt businesses, undermine democracy, or steal intellectual property:

  • The WANNACRY campaign was attributed to North Korea. This was a significant international ransomware campaign, which exploited a known vulnerability for which patches had been released.
  • The NOTPETYA attack was attributed to Russian state actors. While NotPetya masqueraded as a criminal ransomware campaign, its real purpose was to damage and disrupt systems. Its primary targets were Ukrainian financial, energy and government sectors however its indiscriminate design caused it to spread around the world affecting these sectors world-wide.
  • A collection of other campaigns have been attributed to Russian Military Intelligence (GRU). The attributed activity included targeting overseas political institutions, business, media and sporting organisations.
  • The CLOUDHOPPER global campaign of cyber-enabled commercial intellectual property theft was attributed to the Chinese Ministry of State Security (MSS). This long-running campaign targeted the intellectual property and commercial data of a number of global managed service providers, some operating in New Zealand.
  • A series of malicious cyber-attacks against Georgia. These attacks by Russian state actors impacted over 2000 Georgian websites and the Georgian national television station.

New Zealand also added its voice to international condemnation of malicious cyber activity targeting COVID-19 research and various nation states’ responses to the COVID-19 pandemic. Towards the end of last year I also spoke out in response to a cyber security advisory issued by the United Kingdom, United States and Canada regarding state-sponsored malicious cyber activity targeting organisations involved in COVID-19 vaccine development.

More recently, in April, the Minister Responsible for the GCSB, Andrew Little, called out Russian state actors for their exploitation of the SolarWinds Orion platform. And subsequently, last month, he added New Zealand’s voice to the condemnation of Chinese state-sponsored malicious cyber activity over a number of years relating to the work of a cyber threat group known as APT 40, and for the exploitation of Microsoft Exchange vulnerabilities.

We are aware of other countries which are involved in state-sponsored cyber attacks both internationally and on New Zealand networks. The examples I have referenced are the ones which have gone through New Zealand’s public attribution process.

Public attribution can be accompanied by private diplomatic engagement, and in some instances, the laying of criminal charges by partner countries against the threat actors identified as being responsible.

Our Cyber Security Focus

While there is clearly a lot of malicious activity out there that could potentially impact your organisation there is also a lot you can do, with the support of your security service providers and government agencies such as the NCSC and CERT NZ, to bolster your resilience to these evolving threats.

The NCSC works closely with hundreds of nationally significant organisations to understand their cyber resilience and vulnerability to attack, providing advice, support and cyber threat alerts to help organisations lift their overall cyber security resilience.

In the 12 months to 30 June 2020, the NCSC recorded 1,770 engagements with customers across public and private sector organisations. The NCSC published 24 reports for general customers identifying specific vulnerabilities, providing mitigation advice and reinforcing cyber security best practice to raise cyber resilience.

In the same period the NCSC facilitated 20 security information exchanges where participants share information in a confidential and trusted environment on cyber security challenges and opportunities across all sectors.

We also contribute to New Zealand’s overall security resilience through the security policy leadership function that my role as Director-General of the GCSB carries as the Government Chief Information Security Officer (GCISO). Supported by an information security policy team based in the NCSC, the GCISO provides system-level information security policy, strategic advice and support across government agencies. This includes establishing the New Zealand government information security standards and guidance as set out in the New Zealand Information Security Manual (NZISM).

Through the GCISO function we support the Government’s digital transformation programme. Most recently in this area we have worked with major cloud service providers to develop templates for the implementation of their cloud products. These templates help increase the base line security of those products by building core New Zealand Government information security standards into their basic implementation.

We also contribute more broadly to national security through our regulatory roles. In the telecommunications sector we engage with network operators to identify security risk in network changes they propose under the Telecommunications Interception Capability and Security Act (or TICSA). Under the Outer Space and High-altitude Activities Act we, along with the New Zealand Security Intelligence Service (NZSIS), conduct risk assessments relating to New Zealand’s burgeoning space industry. Also with the NZSIS, we now have a role in scrutinising certain foreign investment proposals from a national security perspective. The regulatory function is, in fact, a growing part of our business.

Then we have our cyber defence capabilities. We developed and implemented a range of malware detection and disruption capabilities as part of our CORTEX initiative several years ago. In a typical month we detect 12 cyber intrusions affecting one or more organisations of national significance through our CORTEX capabilities. While we are only able to directly protect a limited range of organisations of national significance via those capabilities, we are achieving real, measurable effect.

Using an independently developed and validated calculator we assess the value of harm prevented to New Zealand organisations of national significance in the 2019-2020 year to be around $70 million. This is a significant increase on the figures for the previous few years where the value has been approximately $30 million annually. Our cyber defence capabilities have now helped reduce harm to New Zealand's organisations of national significance by more than $170 million since we started making an assessment of that benefit in 2016.

We are also working on scaling the defensive benefits of these capabilities through an initiative called Malware Free Networks, or MFN. More on that in a moment.

Finally, we provide an incident response capability through the NCSC to assist organisations in responding to potentially high impact cyber security incidents. This response capability, which is intended to supplement the support you can access from commercial providers, can include on-site incident response, forensic analysis, threat intelligence including information sourced from our international relationships, and even communications advice and guidance.

Malware Free Networks

As I just noted, we recognise that we are always going to be limited in the reach we can achieve through the malware detection and disruption capabilities developed under the CORTEX initiative. That is why we have developed the Malware Free Networks (MFN) initiative.

MFN is a malware detection and disruption service that enables us to significantly scale our cyber defence effort across a much larger range of New Zealand organisations.

The MFN threat intelligence feed contains indicators of malicious activity generated from a range of sources including the operation of our CORTEX capabilities and specialist information from domestic and international partnerships.

It provides a unique threat intelligence feed, tailored to the New Zealand threat environment, enabling an additional layer of security to complement existing security services and settings. It also complements existing threat detection and disruption services provided by the NCSC to consenting organisations.

MFN can be provided to organisations either via a managed service provider, or through their internet service provider.

The service has been live since June this year and the NCSC is working with network operators and commercial security service providers to enable the MFN service to be offered to their existing customers, and to be accessible within the IT security market to new customers.

Cyber Security Guidance

Talking to groups like you provides really valuable opportunities for us to reinforce the importance of an organisation-wide focus on cyber security resilience. These sessions also let us talk about the tools and resources we can provide to help you understand the dialogue you need to have with your technical providers and more broadly across your business.

This brings me to the guidance that the NCSC has produced and published over the past couple of years, which is designed to address the gap between cyber security professionals’ understanding of and approach to resilience, and the understanding at the executive and board room table. There is a range of guidance available on the NCSC website, including material on cyber security governance, but I particularly want to talk about two of those areas. The first is to return to supply chain security; the second is incident management, or ‘preparedness’.

Supply chain

We’ve created a guidance document to help organisations begin the process of managing supply chain cyber risk, which as I indicated earlier is one of the fast emerging cyber threat areas.

To keep things simple, we’ve divided the guidance into three phases (Identify, Assess and Manage), but it’s important to note that managing risk should be an ongoing process, and not one with a specific end point.

In the Identify phase, organisations should take stock of the range of suppliers and other supply chain entities touching every part of their business. They should build a picture of the security measures in place with their suppliers, and ensure their internal supplier management processes are defined and understood, with cyber security teams well-integrated. A key factor here, reflected in the survey I mentioned earlier, is making sure you have clearly established your expectations with suppliers regarding the cyber security measures they put in place to protect any of their systems which interface with yours. This should include reporting and auditing requirements to ensure the agreed security measures are being delivered.

Also in this phase is the process of identifying which of the organisation’s key assets and services are most vulnerable to threats in the supply chain and ensuring you have additional resilience built in.

In the Assess phase, the gathered information can be used to determine which supply chain entities are most critical to the organisation. This can help with allocating cyber security resources to the right areas, and assist with business continuity planning if important suppliers are disrupted. In this phase, specific risks in the supply chain are analysed and understood. When organisations have built a picture of their key assets and services, the threats they face, and the impact that supplier relationships can have on threat levels, it is possible to determine the controls needed to identify, protect against, detect, respond to, and recover from these threats.

Finally, the Manage phase involves maintaining a dedicated and ongoing programme of supply chain cyber risk monitoring. This includes assessing and revalidating the cyber security performance of suppliers on a regular basis. This programme should be integrated with wider organisational risk management processes. Organisations should begin to embed a culture of cyber risk awareness, so that cyber security is viewed as a business-wide responsibility and not one managed in isolation by a single team.

Incident Management

The NCSC’s incident management resource sets out five key steps organisations can take to ensure they are better prepared to identify, respond to and recover from a cyber-security incident. They are:

  • Define Roles and Responsibilities
  • Identify Assets and Threats
  • Have a Plan
  • Logging, Alerting and Incident Automation, and
  • Maintain Awareness, Report Progress and Continually Improve.

Define Roles and Responsibilities

During an incident, an organisation must know who needs to be involved, what their responsibilities are, and at what point in the process they should assist. Staff members should understand which actions they are authorised to perform and when to escalate an issue.

Identify Assets and Threats

Every organisation must understand its assets and the potential threats these face.

Assets - the services and information your business relies on - will be more vulnerable to some threats than others.

Threats - defining threat scenarios, and doing so in a consistent way, is fundamental to cyber resilience.

Identifying threats and assets gives scope to your incident management programme.

Have a Plan

At the core of effective incident management is a well-established and tested plan. This plan describes the actions required when something does go wrong, and details the resources needed to resolve the incident. Creating a plan should be the primary focus for improving incident management.

Consider your critical processes and systems and have a plan for how you would continue to deliver your products and services if they were not available. Think about how important internet connectivity and website availability are to your key functions and how you could continue to deliver them if you had reduced capacity.

Logging, Alerting and Incident Automation

Rapid detection and response relies on having the right data. An architecture and capability to manage logs, events, alerts, and incidents should be defined. Identifying sources of data and determining their value ahead of an incident will expedite the processes of detection, containment, and remediation.
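The step above is the one where a small worked example makes the idea concrete: decide ahead of time which log source you will read, what a detection looks like in that data, and what action an alert should trigger. The following Python is an added example, not NCSC or GCSB material and not from any NCSC product; it runs over constructed web-server access log lines (the addresses, paths and timestamps are made up) and implements one simple rule for the kind of rapid scanning of many paths described earlier in the threatscape section, then turns the alert into a proposed, time-limited containment rule. The log layout, rule names and the containment record format are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in a common Apache/Nginx layout
# (without referrer/user-agent fields). Addresses and paths are made up.
SAMPLE_ACCESS_LOG = """\
198.51.100.4 - - [12/Aug/2021:09:13:58 +1200] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [12/Aug/2021:09:14:01 +1200] "GET /admin HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2021:09:14:02 +1200] "GET /setup HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2021:09:14:02 +1200] "GET /.env HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2021:09:14:03 +1200] "GET /backup.zip HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2021:09:14:05 +1200] "GET /console HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2021:09:14:09 +1200] "GET /phpinfo.php HTTP/1.1" 404 162
203.0.113.9 - - [12/Aug/2021:09:20:00 +1200] "GET /old-page HTTP/1.1" 404 162
203.0.113.9 - - [12/Aug/2021:09:20:30 +1200] "GET /missing.png HTTP/1.1" 404 162
198.51.100.4 - - [12/Aug/2021:09:21:10 +1200] "POST /api/v1/orders HTTP/1.1" 201 88
this line is deliberately malformed so the parser's handling of bad input is exercised
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \d+$'
)


def parse_access_log(text):
    """Parse log lines into event dicts. Returns (events, malformed_count).

    Unparseable lines are counted rather than silently dropped: a jump in
    malformed lines is itself a sign that a log source needs attention.
    """
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            malformed += 1
            continue
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events, malformed


def detect_scan_bursts(events, window_seconds=60, min_distinct_404=5):
    """Flag a source IP that requests many distinct non-existent paths in a short window.

    For each IP, slide a window over its 404 responses and record the largest
    number of distinct paths seen inside any one window; one alert per IP.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev["status"] == 404:
            by_ip[ev["ip"]].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        best = None  # (distinct_count, first_seen, last_seen)
        for i, end in enumerate(evs):
            in_window = [e for e in evs[: i + 1] if end["time"] - e["time"] <= window]
            distinct = {e["path"] for e in in_window}
            if best is None or len(distinct) > best[0]:
                best = (len(distinct), in_window[0]["time"], end["time"])
        if best and best[0] >= min_distinct_404:
            alerts.append({
                "rule": "web-path-scan-burst",   # constructed rule name
                "severity": "medium",
                "source_ip": ip,
                "first_seen": best[1].isoformat(),
                "last_seen": best[2].isoformat(),
                "distinct_404_paths": best[0],
            })
    return alerts


def propose_containment(alerts, block_minutes=60):
    """Turn medium/high alerts into time-limited deny rules for an operator or
    an automated enforcement point to apply. Constructed record format."""
    return [
        {"action": "deny", "src": a["source_ip"], "ttl_minutes": block_minutes,
         "reason": a["rule"]}
        for a in alerts if a["severity"] in ("medium", "high")
    ]


def run_pipeline(log_text):
    """Log source -> events -> alerts, including a log-health alert for bad lines."""
    events, malformed = parse_access_log(log_text)
    alerts = detect_scan_bursts(events)
    if malformed:
        alerts.append({"rule": "log-source-malformed-lines", "severity": "low",
                       "source_ip": None, "count": malformed})
    return alerts


if __name__ == "__main__":
    found = run_pipeline(SAMPLE_ACCESS_LOG)
    for alert in found:
        print("ALERT", alert)
    for rule in propose_containment(found):
        print("CONTAIN", rule)
```

The point of the structure is the order of decisions, which mirrors the step above: the log format and its parser are fixed before any incident, the rule encodes what "suspicious" means in that data with a threshold an analyst can tune, and the containment output is a record a person reviews or an enforcement point applies with a time limit, so an over-eager rule cannot block a legitimate source indefinitely.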

Maintain Awareness, Report Progress and Continually Improve

All organisations should maintain an ongoing programme of work to develop and improve incident management. Through a committed and continual process, even organisations with limited resources can steadily improve their capacities and cyber security resilience.

Incident Response Communications

I want to finish by touching on another aspect of incident response that we have seen become increasingly important over the past 18 months. That is incident response communications. These days part of our incident response support can involve working closely with affected organisations around communications management. Communications is increasingly a key consideration in any incident response, particularly the approach taken to inform stakeholders and customers about possible impacts.

But a caution here - be aware that the malicious actors behind some incidents could be following and exploiting what is reported publicly. The actor behind the campaign that impacted the New Zealand Stock Exchange (NZX) and other New Zealand organisations at this time last year (August) was monitoring media reporting and using it as an indicator of how successful they were in having an impact on organisations’ systems. They were also referring to media reporting as a way of establishing their credibility, and malicious actors may change their behaviour based on reporting. We have also seen parallels of this in other, more recent incidents we have provided support to.

Thank you for taking the time to listen to this cyber security update. I appreciate I have covered quite a range of material, and I am very happy to take some questions.

-END-