Some of these criminal actors, for example, they go about their business in a way that is like a fingerprint. When you can look at and see all this data you can start to identify criminal fingerprints, the sort of things that they start to position to do on networks before they initiate an actual ransomware note or the final part of these attacks.”
Sharing with businesses, in one instance, allowed the ASD to warn more than 150 organisations that were about to become ransomware victims.
“For ASD, that’s a dream come true,” Ms Noble said.
In another case, an Australian organisation sharing information with ASD’s CTIS – where data is anonymised – reported a number of Microsoft Office 365 phishing domains, which are fake sites and emails used to trick people into handing over personal or confidential information.
“We had a look at that input and were able to identify a further 129 malicious domains. That enables us to push that out [to say]: ‘look out everyone, there are 129 malicious domains you might not have detected, block, block, block’,” Ms Noble said.
“Then the company chooses whether they want to block, so they have complete control of what they choose to do on their network.”
ASD’s partnership with Microsoft gives it an even greater view of potential threats by plugging its CTIS system into Microsoft’s Sentinel, which analyses 65 trillion signals of global threat intelligence daily. Microsoft’s customers in Australia can choose what information they share with Sentinel and ASD, and that information is anonymised, easing concerns about sharing information with rival companies.
Mobilising an ‘army of customers’
“It’s a force multiplier of what benefits people were already getting from CTIS by big companies and ASD already sharing everything bad we can see coming at us that’s bad in cyberspace. With the scale that Microsoft has, this really put the whole thing on steroids,” Ms Noble said.
Microsoft Australia national security officer Mark Anderson said Sentinel customers can join the CTIS platform after the US tech giant and ASD engineers worked together to make the system as easy as plug and play.
“For us, this is about how we mobilise that army of customers we have across Australia to say look ‘you want to be a part of this, you want to be a part of the collective defence, we’ve now got a way for you to do it that minimises the amount of work that you’re required to do’,” Mr Anderson said.
Mr Anderson said even though Microsoft analyses those 65 trillion signals per day, it’s still not everything that is out there that could cause harm.
“Through something like CTIS, for example, you have an Australian bank that signed up to it, and they happen to be the first initial target of either a nation state or a cybercriminal gang, and they spot that, and they see that they can – through this connector – highlight it, and Sentinel will automatically pick it up, and send it to CTIS, and then CTIS will at machine speed push that back out to the whole economy,” Mr Anderson said.
“The whole economy would then get flagged in their system if that threat was present there. The more people that participate, the stronger it becomes and the faster we get to respond to threats.”