
Microsoft and ASD Join Forces: Uniting Sentinel and CTIS for Enhanced Cyber Resilience

By Mark Anderson, National Security Officer, Microsoft Australia and New Zealand

In a world where there are 4,000 password attacks per second – an almost four-fold increase in two years – defenders continue to fight a battle against relentless and constantly evolving cybersecurity threats. We’ve also observed the first examples of bad actors exploring the use of large language models (LLMs) and generative AI to research and plan cyber-attacks. This puts us at a pivotal moment where every single Australian has a role to play in protecting our nation against cyber threats.

Advancing the state of the nation’s cyber resilience requires skills, technology, infrastructure, and a cyber-smart culture. But most importantly, it requires extraordinary levels of collaboration. Deep and enduring partnerships across public and private spheres are essential to ensure a safer future for Australians.

Threat actors are collaborating at unprecedented levels

One of the major shifts we’ve seen among cyber threat actors over the past few years is the rise of cybercrime-as-a-service and the unprecedented levels of cooperation. Increasingly, we’re seeing instances where threat actors that lack a specific capability are teaming up with those that have such skills, enabling them to scale their operations and destructive impact in ways we haven’t seen before.

Governments, industry, and other ecosystem partners need to work together more effectively than threat actors to stand a chance of outperforming them. We often talk about cyber security being an asymmetric battle – threat actors only need to get it right once, while we as defenders need to get it right every time.

The Australian Signals Directorate (ASD) plays a critical leading role in this in Australia. ASD’s Australian Cyber Security Centre (ACSC) monitors cyber security threats 24 hours a day, seven days a week from a range of local and global sources, including government, business, Computer Emergency Response Teams (CERTs), and bi-directional threat intelligence partners through its Cyber Threat Intelligence Sharing program (CTIS).

Simplified threat intelligence sharing

Pictured L-R: Mark Anderson, National Security Officer, Microsoft A/NZ and Rachel Noble PSM, Director-General of the Australian Signals Directorate

CTIS enables Australian businesses, government agencies and critical infrastructure organisations to proactively exchange real-time information, insights and techniques with ASD and with each other to combat cyber threats in Australia’s ecosystem. Each month, an average of 129,000 unique indicators of compromise are shared through CTIS with its partners. Since it launched in 2022, the CTIS platform has grown significantly. By July 2023, the CTIS platform had successfully shared 50,216 pieces of cyber threat intelligence and the number of partners had increased almost seven-fold. But there is more we can do to bolster this critical program.

Today, as part of the Microsoft-Australian Signals Directorate Cyber Shield (MACS) initiative, we are announcing a jointly engineered capability for Microsoft Sentinel customers to more easily integrate into the CTIS program. Sentinel is a cloud-native SIEM (Security Information and Event Management) where customers benefit from Microsoft’s global threat analysis of more than 78 trillion signals every day.

This is the first time globally that such a collaboration has been created with Sentinel to enable public-private exchange of threat intelligence. It is a free capability to download, and will enable Microsoft customers who are (or become) partners of CTIS – which include some of the largest government and commercial organisations in Australia – to contribute and consume threat intelligence at machine speed.

When it takes just 72 minutes for a threat actor to access an organisation’s private data after a phishing link is clicked, it’s clear that every minute counts.

Dismantling threat actors

There are many examples of where coordinated collaboration across government, industry and borders has actively disrupted and dismantled threat actors, demonstrating the value of iterative efforts and ongoing partnerships. Our work with the Australian Government in providing evidence to support the identification of the threat actor involved in the Medibank attack in 2022 is one example.

ASD’s CTIS program has also seen great examples of impact. In one instance, a partner reported a Microsoft Office 365 phishing domain to ASD, which analysed the activity and identified a further 129 related malicious domains. The analyst immediately disseminated details of the compromise to all registered ASD partners so they could block or monitor the attack. ASD also issued a domain takedown request to the Australian Protective Domain Name Service (AUPDNS), which removed the phishing activity from the Australian IP range for government entities.

Another example is around ransomware, which remains the most destructive cybercrime threat we face today. Within CTIS, multiple contacts reported sightings and monitored malicious activity by the Black Basta Ransomware Group. Sharing this with partners on the CTIS platform, ASD were able to offer detailed information on the group’s operations and tailored mitigation advice, in near real time. This enabled partners to quickly deter and protect against the persistent and ongoing ransomware threat of the Black Basta group.

The CTIS program has quickly proved its value in helping protect the nation from cyber threats, and it will become even richer as new contributing organisations onboard.

Rachel Noble PSM, Director-General of the Australian Signals Directorate, said of the collaboration:

“Cyber security is a team sport, and the collective efforts of both the public and private sectors are vital to defend our nation. We value working alongside organisations like Microsoft to make it easier for their local customers to become bilateral threat-sharing partners in CTIS. We are actively engaging with industry stakeholders to emulate approaches like this. By fostering such partnerships, we can more quickly identify threats, combat threat actors and make a lasting impact on Australia’s state of security.”

We are proud to continue to evolve our partnership with the ASD, and to collaborate more deeply with Sentinel customers through CTIS. To give our customers the ability to contribute and consume this real-time Australian-specific intelligence is incredibly powerful. Each disruption of cybercrime infrastructure brings forward lessons learned, and we have seen that faster collaboration between defenders drives a much broader impact, protecting more people and organisations.

If you’re a Sentinel customer in Australia and not yet a member of ASD’s Cyber Security Partnership Program, visit www.cyber.gov.au to become an ASD partner. From there you can subscribe to join CTIS.