ASD urges early incident intel sharing following LockBit takedown lessons

Infamous ransomware gang LockBit was seized in February in a coordinated takedown called Operation Cronos, led by the UK’s National Crime Agency alongside the FBI and global law enforcement, including the Australian Federal Police (AFP).

At the time of the takedown, international agencies celebrated the global collaboration, with the AFP saying that dealing with cyber crime requires a united global response.

“Cyber crime is not restricted by borders, and tackling this crime type requires a united, global response from law enforcement,” Assistant Commissioner Scott Lee said in a statement.

“This latest takedown is yet another example of the powerful outcomes that can be achieved through a united law enforcement front.

“This investigation has not only taken down the world’s most prolific ransomware group but also damaged the group’s reputation and credibility beyond repair.

Speaking at Senate estimates alongside the national cyber security coordinator this week, Home Affairs’ cyber and infrastructure security group deputy secretary Hamish Hansford said that there was much to be learnt from the LockBit takedown, particularly the value of earlier intelligence sharing, adding that the operation was used as a case study demonstrating the efficacy of IR intel sharing at a counter-ransomware initiative (CRI) meeting just weeks ago.

“One of the key lessons [from Operation Cronos] that was shared by the UK was around the fact that if IR firms and people had reported much earlier, there might have been an earlier interdiction of that particular group,” Hansford said, as seen by ITNews.

“Certainly, that’s an example that we’ve all been seized to come back to our own countries and say, ‘Early reporting is gold’.

VIEW ALL

“It’s absolutely essential in understanding what criminals and other actors are doing and how we can get on top of things much earlier in a way that other jurisdictions are thinking of.”

Hansford said Australia is looking to establish a “limited-use obligation”, which would encourage hacked parties to share findings with the Australian Signals Directorate (ASD) and the National Cyber Security Coordinator.

The limited use obligation, which was outlined in the 2023–2030 Australian Cyber Security Strategy, would limit the way the ASD uses information shared in incident disclosure, only being able to use information provided by entities outside of cyber security purposes. It also assures entities how much information revealed in an incident can be used.

This, in turn, encourages organisations to report incidents, knowing that the information collected is purely for mitigating cyber incidents. Hansford said that at this stage, affected entities are only reporting what is mandatory, which is harmful for incident response and future mitigation.

Public concerns regarding notifying government entities have been a barrier, according to national cyber security coordinator Lieutenant General Michelle McGuinness.

“I’ve certainly spoken to some entities who still ask the question, ‘Well, why would I talk to government, and what could you do for us?” LTGEN McGuinness said, as seen by ITNews.

“The limited-use legislation will provide greater clarity on and trust on how myself and ASD will use that information, which in the first instance we often talk about an emergency response or the fire brigade – we’re here to put out the fire, contain the damage.

“The immediate actions and focus are on reducing the harm and minimising the consequences and containing it from both an operational and technical perspective and then from a consequence management perspective.

“We know that time is of the essence in both the consequence management and on the technical remediation or identification of what the threat is to ensure that it’s not sector-wide, it’s not a vulnerability that impacts many, that it’s being contained, and the consequences are identified rapidly, and we put immediate measures in place to minimise harm.”

Hansford added that the limited-use obligation was to ensure affected entities that anything they report through it wont be used to catch them out, but to better incident response and collaboration with international agencies.

“It is an attempt to say, actually collaboration with intelligence, with early information, things that won’t be used by a regulator for an investigation, that’s separate to all of this work, and what we’re trying here is effectively something that countries are grappling with around the world,” he said.

“So, we’re trying to legislate – assuming the Parliament considers the legislation – a limited-use requirement to deal with that really early engagement to try and build a much more resilient country and get onto things much quicker.”

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.