Clobbering Collaboration

Virginia Calegare
Published in Hive Intelligence
Oct 16, 2017

Today I would like to share with you something that has been intriguing me considerably: the repercussions of the ASD talk at the ASIA National Conference 2017. I want to talk about how people tend to get things wrong and just can’t appreciate a novel collaborative initiative.

I was looking forward to attending the conference, and when the day finally came, people came together under a flag of collaboration. What a great theme: Collaboration! I said to myself, “It is a great call for change in a market where competition still dictates the game rules.” I wasn’t alone in this spirit; everybody seemed to be prizing the idea of collaboration in InfoSec, including the private sector, the government and, most unusual of all, the Intelligence Community, which was also willing to share the lessons they have learned.

The ASD talk was appealing, so I hurried to make sure I would get a seat. A few minutes before the talk started, one of my work colleagues said in a not very hopeful tone: “I hope they actually share something we can make use of, or learn from.”

His poor expectations were very understandable, since it’s common knowledge that secrecy plays an important role in the intelligence community, and that legislation prevents them from talking to non-cleared people, and that the intelligence community has a history of not sharing information even between themselves; the “need to know” has always suppressed the “need to share.”

What pleasantly surprised me, however, was the fact that ASD was collaborating for real; for once they were actually sharing. The presented case study, which at the beginning looked a little fictional to me, was highly redacted, sanitized, and arranged to look funny and, I would risk saying, ready to be safely disclosed to the conference delegates present.

The presentation showed how seriously ASD takes the matter of information security. They are finally opening up and sharing something to guarantee that we can get a more secure cyberspace, or at least a more secure business space. It reminded me of the 2017 AUSTRAC Fintel Alliance initiative, where the Australian intelligence community is pioneering a partnership with the financial sector to fight cyber money laundering. Openness might become a trend. But instead of appreciating their candour, some people left the event intent on blaming and shaming the ASD for adopting the underlying theme of the entire conference.

Another wrong impression some writers have presented is that ASD was blaming the hacked company for the breach. The presenter actually made very good points and argued that we should pay attention to the basics, as cybercriminals are exploiting well-known simple vulnerabilities, and they don’t need sophisticated state-sponsored tools for that. His message was: Don’t blame your IT team! Senior management is mostly responsible for a strong InfoSec culture in organizations. But no one is to be blamed at all, he remarked; the focus should be on responding adequately to incidents, reporting, and working on mitigation, denying the attacker the chance to regain access to the systems in the future through the same vulnerabilities.

ASD’s purpose was clearly to educate those who are willing to learn. He shared some tips on threats, tools, actors, the importance of protecting evidence and other forensic details.

He also explained that for breaches which include defense-related data, ASD and CERT-AU will get involved, and how one should proceed in these cases: never delete malware and other attack traces from the system. However, the breach in question involved only commercially sensitive data.

He was not pointing the finger at the hacked organization in the case study, nor calling them stupid, as some articles about the ASD talk suggested. We are all susceptible to hacks like this; there is no such thing as being 100% secure.

My understanding is that he was trying to open everyone’s eyes, so we don’t fall for similar threats, which, according to him, have victimised hundreds of companies in Australia.

At a certain point in the presentation, he mentioned social engineering and, trying to entertain the public with a funny version of the facts, he cited the difficulties of being a “secret service special agent” who cannot have his credentials confirmed by the agency, which obliged him to employ social engineering techniques on the target company’s employees to get access to the facilities, and eventually walk out carrying all the data he wanted. This was nothing but a joke, not a claim of additional security malpractice by the hacked company.

But let’s get back to the point. I have a question for those that have read this far: Do you think the ASD will feel encouraged, or easily get the needed authorizations to share more information with us, given that the prevailing reaction seems to be either blaming and shaming ASD itself for sharing, or blaming the target organisation for allowing the breach to happen?
