Mark Anderson, National Security Officer, Microsoft Australia and New Zealand
In a world where there are 4,000 password attacks per second, nearly quadruple the rate of two years ago, defenders continue to battle ever-evolving cybersecurity threats. We have also observed the first examples of malicious activity exploring the use of large language models (LLMs) and generative AI to research and plan cyberattacks. This puts us at a pivotal moment when every Australian has a role to play in protecting our country from cyber threats.
Promoting a nation's state of cyber resilience requires skills, technology, infrastructure, and a cyber-smart culture. But most importantly, it requires an extraordinary level of collaboration. Deep and lasting partnerships across the public and private sectors are essential to ensuring a more secure future for Australians.
Threat actors are collaborating at an unprecedented level
One of the major changes we've seen among cyber attackers over the past few years is the rise of cybercrime-as-a-service and unprecedented levels of collaboration. Increasingly, adversaries without specific capabilities are collaborating with adversaries with such skills, enabling them to scale their operations and destructive impact in ways never seen before.
Government, industry, and other ecosystem partners must work together more effectively than threat actors to have a chance of outperforming them. It's often said that cybersecurity is an asymmetrical battle. While attackers only need to get it right once, we defenders need to get it right every time.
The Australian Signals Directorate (ASD) plays a key leadership role in this respect in Australia. ASD's Australian Cyber Security Centre (ACSC) monitors and analyses cyber security threats around the clock, drawing on a variety of regional and global sources, including governments, businesses, Computer Emergency Response Teams (CERTs) and threat intelligence partners, and shares the resulting intelligence through the Cyber Threat Intelligence Sharing Program (CTIS).
Simple threat intelligence sharing
CTIS enables Australian businesses, government agencies and critical infrastructure organisations to proactively send and receive real-time information, insights and technology to ASD and to each other to combat cyber threats in Australia's ecosystem. Every month, an average of 129,000 unique indicators of compromise are shared with partners through CTIS. Since its launch in 2022, the CTIS platform has grown significantly. By July 2023, the CTIS platform had successfully shared 50,216 pieces of cyber threat intelligence and had grown its partner base almost seven times over. But there is more we can do to strengthen this important program.
Today, as part of the Microsoft-Australian Signals Directorate Cyber Shield (MACS) initiative, we are announcing jointly developed features to help Microsoft Sentinel customers easily integrate into their CTIS programs. Sentinel is a cloud-native SIEM (Security Information and Event Management) that allows customers to benefit from Microsoft's global threat analysis of over 78 trillion signals daily.
This is the first collaboration in the world to use Sentinel for the exchange of threat intelligence between the public and private sectors. It is a free-to-download feature that allows Microsoft customers who are (or will become) CTIS partners, including some of Australia's largest government and commercial organisations, to contribute and consume threat intelligence at machine speed.
Disrupting threat actors
There are numerous examples of collaborative efforts across government, industry, and borders to proactively disrupt and dismantle threat actors, demonstrating the value of iterative efforts and ongoing partnerships. One example is our work with the Australian government to provide evidence supporting the identification of threat actors involved in the 2022 Medibank attack.
ASD's CTIS program also provides examples of high impact. In one case, a partner reported a Microsoft Office 365 phishing domain to ASD. ASD analysed the activity and identified an additional 129 related malicious domains. Analysts immediately disseminated the indicators to all registered ASD partners so they could block or monitor the attack. ASD also issued a domain takedown request through the Australian Protective Domain Name Service (AUPDNS) to block the phishing activity from Australian government agency IP ranges.
Another example involves ransomware, the most destructive cybercrime threat we face today. Within CTIS, multiple partners reported sightings of, and monitored, malicious activity by the Black Basta ransomware group. By sharing this with partners on the CTIS platform, ASD was able to provide detailed information about the group's operations and tailored mitigation advice in near real time. This enabled our partners to quickly respond to and protect against Black Basta's ongoing and persistent ransomware threat.
The CTIS program has quickly proven its value in protecting the nation from cyber threats, and will be further enriched with the addition of new contributing organizations.
We are proud to continue to evolve our partnership with ASD and to work more deeply with Sentinel customers through CTIS. Enabling our customers to contribute to and use this real-time, Australia-specific intelligence is extremely powerful. Lessons are learned every time cybercrime infrastructure is disrupted, showing that rapid coordination among defenders can have a broader impact and protect more people and organisations.
If you are an Australian Sentinel customer and are not already a member of ASD's Cyber Security Partnership Program, please visit www.cyber.gov.au to become an ASD Partner. Once you are a partner, you can register there to join CTIS.