Blogs - 5 Nov 2020

AusCERT case study: an insight into our Incident Management service

November 2020 

Featuring Sean McIntyre, AusCERT Senior Info Security Analyst

You recently assisted a client who came to us via Chris Gatford, a long-time AusCERT supporter and contributor to our annual conference. Can you tell us a little bit more about the incident and which service category or categories it fell under?

Sure thing!

A few weeks ago AusCERT was called upon to assist Chris with a cyber security incident he was dealing with on behalf of a client. We won’t be able to disclose too many specific details out of respect for the client, but basically the incident involved a new threat actor that has popped up – Egregor (we recently shared an article about this on our ADIR) – a Sekhmet ransomware spin-off, also linked to the Maze threat actor group.

We started off without knowing too much information on this particular ransomware or its threat vectors, but with some research and a thorough scan of our various OSINT resources, I was able to find samples of the malware and some IOCs, which proved useful in assisting this client.

Another channel we tapped into was our connection with the various CERTs around the world. In particular, the APAC region – thanks to our international liaison expert, Geoff Thonon, who is also our Operations Manager here at AusCERT. 

Quite a few Egregor malicious URLs were discovered over this period of investigation, and Chris had also provided a few more to be taken down. These requests were sent off to a number of hosting and domain providers as per our routine Phishing Take-Down service procedure. And last but not least, we added these URLs to our Malicious URL Feed and the IOCs to our MISP instance as a way of sharing the details with (i.e. protecting) our members.

I would say that this particular request falls under our Incident Management (although on the “lighter” side of a scale), Phishing Take-Down and Malicious URL Feed service categories. 

Between receiving this request and to the time that the incident was resolved, can you outline the time it took our incident response team to resolve the issue? What do you think sets AusCERT apart from a service delivery point of view?

From AusCERT’s perspective, we always initiate action on any request that comes through as soon as possible and definitely within a 24-hour period. In this instance, our expertise was sought after in regards to this new ransomware/threat actor. We were able to provide Chris with some of this threat intelligence and information over a couple business days of research work.

Take-down requests for the initial URLs that were provided to us by Chris were submitted instantaneously, with follow-ups done whenever additional URLs were submitted on behalf of his client.

Even though these take-down requests were actioned promptly on our end, it’s important to note that we were reliant on the hosting providers to action them. Thankfully, most of the URLs seemed to stop functioning/existing within 1 business day or so after the request(s) was/were submitted. 

I think what sets AusCERT apart is our reach and connection with the CERT community, and also the fact that our member incident hotline is open 24/7. There’s a saying here at AusCERT, “We exist for the greater good” – and we really try and showcase this with our members.

Sean, what do you think are the 3 key takeaways from this incident? What can members or clients do to avoid something similar happening to them in the future?

  1. Review your operating system (OS) compliance. It is super important to make sure unmaintained OSs such as Windows XP are taken off the network where possible. If an outdated OS is supplied by a vendor on a core system/endpoint – please work with them to upgrade all products. This is a super simple yet most effective way to avoid such incidents from happening within your SME.

  2. Ingest IOCs of known malware into firewalls/SIEM. These can be found via various OSINT sources or via a trusted partner such as AusCERT. If you’re a member, utilise our 24/7 Incident Hotline or email us at auscert@auscert.org.au.

  3. Where possible, implement the “Essential 8” as outlined by the ACSC. This protocol provides a baseline for cyber security incident mitigation. Implementing these strategies as a minimum makes it much harder for adversaries to compromise systems.
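The second takeaway above, ingesting IOCs into a firewall or SIEM, is easy to state but the matching details matter: indicators need normalising (case, whitespace), domain indicators should also catch subdomains, and a proxy log has hostnames and URLs but never file hashes. The script below is an added example, not AusCERT's code or a MISP export; the feed shape imitates the type/value attribute list a MISP event exports, and every indicator, hostname and log line in it is constructed for the example (none is a real Egregor indicator).

```python
"""Match a small MISP-style IOC feed against proxy log lines.

Added example, not AusCERT's code. The feed, hosts and log lines are
all constructed for illustration and are not real indicators.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed feed in a MISP-like shape: an Event with type/value Attributes.
IOC_FEED_JSON = json.dumps({
    "Event": {
        "info": "constructed example feed",
        "Attribute": [
            {"type": "domain", "value": "Bad-Example.test"},          # mixed case on purpose
            {"type": "url", "value": "http://dropper.example.test/payload.bin"},
            {"type": "sha256", "value": "A" * 64},                    # placeholder hash
            {"type": "ip-dst", "value": "203.0.113.7"},               # TEST-NET-3 address
        ],
    }
})

# Constructed proxy log: client, method, target, HTTP status.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example.test/index.html 200
10.0.0.9 GET http://bad-example.test/login 302
10.0.0.9 GET http://dropper.example.test/payload.bin 200
10.0.0.12 CONNECT 203.0.113.7:443 200
10.0.0.12 GET http://cdn.bad-example.test/a.js 200
10.0.0.12 GET http://cdn.dropper.example.test/a.js 200
"""

SUPPORTED_TYPES = ("domain", "url", "sha256", "ip-dst")


def load_iocs(feed_json):
    """Return normalised (stripped, lower-cased) indicator sets keyed by type."""
    iocs = {t: set() for t in SUPPORTED_TYPES}
    for attr in json.loads(feed_json)["Event"]["Attribute"]:
        if attr["type"] in iocs:
            iocs[attr["type"]].add(attr["value"].strip().lower())
    return iocs


def host_matches(host, domains):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def hash_is_known(sha256_hex, iocs):
    """Hash lookup for file-scanning tools; normalises case before comparing."""
    return sha256_hex.strip().lower() in iocs["sha256"]


LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def scan_log(log_text, iocs):
    """Return (client, host, [matched indicator types]) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed format
        client, method, target, _status = m.groups()
        if method == "CONNECT":
            host, url = target.rsplit(":", 1)[0], None  # host:port, no URL
        else:
            host, url = urlsplit(target).hostname or "", target.lower()
        reasons = []
        if url and url in iocs["url"]:
            reasons.append("url")
        if host_matches(host, iocs["domain"]):
            reasons.append("domain")
        if host in iocs["ip-dst"]:
            reasons.append("ip-dst")
        if reasons:
            hits.append((client, host, reasons))
    return hits


if __name__ == "__main__":
    feed = load_iocs(IOC_FEED_JSON)
    for client, host, reasons in scan_log(SAMPLE_LOG, feed):
        print(f"{client} -> {host}: matched {', '.join(reasons)}")
```

Run as-is it reports four of the six constructed lines: the exact domain, the exact URL, the CONNECT to the IP indicator, and the subdomain of the domain indicator; the sixth line shares a parent domain with the URL indicator but no domain indicator was published for it, so it is correctly left alone. In a real deployment the feed would come from a MISP API pull or the AusCERT Malicious URL Feed rather than an inline constant, and the hits would be raised as SIEM alerts.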