David Braue
Editor at Large

As Australia counts cost of Kaseya attack, should industry be doing more?

News Analysis
Jul 07, 2021 | 7 mins

Supply-chain commonalities mean industry verticals should formalise their security collaboration, such as by adopting the US’s ISAC model.

[Image: Jigsaw puzzle pieces coming together. Credit: Metamorworks / Getty Images]

As Australia’s business community continues to assess the damage from the major Kaseya ransomware attack, some in the security community are pushing for stronger industry collaboration that would speed response to such attacks with stronger threat intelligence and tailor-made incident-response advice.

The attack—apparently instigated by Russia’s REvil gang and exploiting the company’s cloud-based VSA remote monitoring and management software tool—emerged over the US Fourth of July holiday weekend, rapidly planting ransomware into the company’s software supply chain worldwide.

By implanting ransomware in more than 30 of Kaseya’s managed service provider (MSP) customers, the malicious code propagated down its supply chain to their customers — ultimately affecting more than 1,000 companies in 17 countries.

A worrying shift in attack profile

The attack was a worrying escalation in ransomware tactics because it coupled supply-chain techniques with the “incentives and devastating impacts of ransomware,” said Casey Ellis, founder of Australian cybersecurity provider Bugcrowd and a 20-year security-industry veteran.

“Only eight months after SolarWinds—a relatively nondestructive nation-state supply chain attack—it looks as though cybercriminals, or smaller financially motivated nation-states, are deploying these techniques,” Ellis said. “This means they have the resources to create or procure the necessary tooling, possibly out of the proceeds of other ransomware operations.”

The Kaseya attack “also raises the [question] of whether you’d prefer to get hacked by Russia or the REvil gang. Nation state attacks have national security and economic implications, while cybercriminals tend to be more destructive and impactful to the affected business themselves,” Ellis said.

Although it wasn’t the first time VSA had been attacked, REvil’s latest attack vector is novel. Adam Gordon, ANZ country manager at threat-detection vendor Varonis, has warned that it is likely to become more common as cybercriminals exploit the ‘blast radius’ created when the average employee account is given access to millions of sensitive company documents, all of which can be stolen if just one employee laptop is compromised.

“This attack hits home that no company is too small to fly under the radar forever,” Gordon said, noting that small businesses in particular “stood no chance” in blocking or fighting the Kaseya compromise. “Small businesses typically can’t afford all the tools, consultants, and in-house experts they need,” Gordon noted, “making them easy targets.”

Australia put on high alert, with greater coordination across the government

Because it was planted upstream of so many companies, the attack spread quickly through a range of industry sectors—many MSPs specialise in serving companies in specific verticals—putting Australia’s cybersecurity authorities on high alert.

The Australian Computer Emergency Response Team (AusCERT) offered its own update on the attack, publishing a security bulletin informing its network of the attack. Similarly, the early involvement of the Australian Cyber Security Centre (ACSC) led to a formal update in which the organisation noted that it was monitoring the situation and “working with victims to assist and to better understand the extent of impact”.

The organisations’ increasingly proactive response has been credited with helping many Australian government bodies head off potential vulnerabilities, with a recent Australian Signals Directorate (ASD) report noting that Commonwealth entities “continued to improve their cybersecurity in 2020” despite a “deteriorating threat environment”.

Cyber Hygiene Improvement Programs (CHIPs), which proactively protect Commonwealth government domains, had helped agencies improve Essential Eight compliance as well as detecting and averting compromise through emerging threat vectors—boosting coverage by 320% during the year—while a Protective Domain Name System (PDNS) pilot program had blocked over 150,000 threat events.

Ongoing collaboration between the ACSC, ASD, Attorney-General’s Department, and Department of Home Affairs is increasing government attentiveness to cybersecurity issues, providing agencies with a strong backstop as they fight the growing scourge of ransomware and other malware.

Businesses need to collaborate too for common cybersecurity

Yet for all their engagement with Australia’s business community, the organisations’ broad remit means their ability to proactively engage with specific businesses is constrained—particularly given their necessary focus on supporting Commonwealth government bodies with proactive programs like CHIPs.

Other government bodies, such as AustCyber, have promoted industry development through local capabilities such as its growing network of Cyber Security Innovation Nodes—which expanded into Brisbane earlier this year as the latest facility to engage with Australia’s community of cybersecurity innovators.

Such limitations have led some in the security community to propose Australian industries follow overseas models by formalising a range of industry-focused cybersecurity threat-intelligence centres—known as information sharing and analysis centres (ISACs)—capable of better supporting interrelated communities of interest during major cybersecurity events.

Introduced in the US a decade ago, the ISAC concept “was designed to speak to people in an industry sector and become its trusted avenue for discussion and information sharing,” cybersecurity academic and Sycon Security Consultants managing director Scott Ainslie noted during an Australian cyber conference earlier this year.

“They do that through threat alerts, aggregation, briefings, conducting exercises,” he said, noting that the ISACs’ “all-hazards approach” had made them quite popular as a way of focusing cybersecurity collaboration within industry verticals where MSP-like service organisations are increasingly focusing on enabling industry sectors. “Members can submit information about what they’re seeing in cyber threats, looking at the way threats are constructed.”

After the Obama administration expanded the scope of ISACs to include more than just critical infrastructure sectors, there are currently more than 25 ISACs in the US—covering industries such as retail and hospitality, healthcare, electricity, information technology, election infrastructure, research and education networks, and even the space sector.

The approach has been validated and embraced overseas through efforts such as India’s high-level ISAC and the European Energy ISAC. “Industries recognise that they need to be talking to other parts of the industry to collaborate and protect themselves collectively,” Ainslie said.

In Australia, a similar approach was adopted in 2003 with the establishment of a Trusted Information Sharing Network (TISN) focused on critical infrastructure—which, Ainslie said, “is not a bad model and works quite well” but “is looking just a tad dusty at the moment. … we’re moving quickly, and it hasn’t changed.”

Even as Australia’s Department of Home Affairs positions itself as the sector-specific agency of record by declaring 11 industries as being of critical national importance, the ISAC model has been tentatively embraced by other sectors, with initiatives such as the university-focused CAUDIT ISAC taking shape in recent years.

However, as increasingly targeted cybersecurity threats continue to leverage the interconnectedness of industry supply chains, Ainslie said, Australian industry sectors needed to look past government mandates to more proactively engage with each other for a strong, common cybersecurity defence.

Doing so would help Australian industry bypass the gatekeepers in Canberra—who, Ainslie said, often introduce “vexatious” delays in reporting and formal advisories due to the sheer weight of the bureaucracy that runs them.

That response “is constrained over on the hill, where there are some people who might not quite understand how cyber operates,” Ainslie said, flagging similar complications in the interface between state and federal cyber policymakers—and a government that “is not demonstrating respect for those people who are running our economy. This is a problem. But collaboration and respect of all parties in a negotiation, by all parties, will ease application and transition,” he said. “We have to use less stick, and more carrot, when we start to talk about a public-private partnership. The key to this is collaboration—but we currently don’t have a model that meets what we need as fit-for-purpose.”