Security overseers at last year’s Commonwealth Games on the Gold Coast blocked 40,000 command-and-control connection attempts and identified 39,000 distinct pieces of malware in the fortnight the Games ran.
The numbers were revealed by Glenn Maiden, a national security officer at Cisco A/NZ, on the sidelines of the annual Cisco Live! event in Melbourne last week.
Maiden - whose background spans cyber security roles at Defence, Lockheed Martin and the ATO - said Cisco had assumed a security role at the Games through its supply of network infrastructure in partnership with Optus.
It also wound up having a say on cybersecurity by involving Doug Dexter, a Cisco advisor who worked on network security at the Rio Olympics and other major events, in the Games preparations.
With almost a year passed since the Games ended, Cisco revealed some of the numbers it saw on its network setup for the event.
“We served up just under 400 million DNS requests over the two week period, but of that 400 [million], there were about 176,000 pieces of malware that we blocked,” Maiden said.
“If you imagine you've been hit by Wannacry or some ransomware, it'll reach out to its command and control server and try and get a key so it can encrypt all your traffic. So we blocked that, which could [otherwise] have caused availability issues.
“We blocked 40,000 of those command and control connections coming out. We [also] identified 39,000 distinct pieces of malware. It was the Wild West.”
Maiden said that most of the problems were caused by unmanaged devices connecting to the Games network, but said some infected machines were used by news crews covering the event.
“It could have been a malware-infected user and in many cases it was; it could have been a news crew that are connecting their news network to a system which had malware on it, and that was the case a couple of times as well,” he said.
“Just a whole bunch of unmanaged devices that we had zero control over apart from stopping it at that network layer.”
Maiden said that Cisco saw just about every imaginable security problem in the fortnight of the Games.
“We saw everything,” he said.
“We saw malware, we saw spam relays, we saw botnets, we saw phishing attacks, we saw ransomware attacks.”
Cisco relied on three of its own security tools - Umbrella, Stealthwatch and Threat Grid - to keep tabs on the Games network infrastructure.
It’s worth noting the Games employed Symantec officially as its security information and event management (SIEM) provider; Maiden said Cisco “didn't have a formal security role” to play at the event, but wound up playing one anyway.
Maiden said Cisco’s tools caught threats that he believed would otherwise have gone undetected.
“With Stealthwatch, we were seeing [traffic] flows go to known bad sites,” he said.
“One good example was we saw a time request go to a time server so a computer could get its time - very, very normal, apart from the fact that this was a multi-megabyte connection.
“All the rest of the security systems would have just said, ‘Well, this is just normal, the computer just wants to know the time’.”
Watching flows became important because, in Maiden’s words, “one of the big eye openers for us was that almost 50 percent of the traffic that we saw on the network was encrypted.”
“So a lot of that traffic wasn't very visible to a lot of the security analysts,” he said.
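The point Maiden is making is that flow telemetry (NetFlow/IPFIX-style records of who talked to whom, on which port, with how many packets and bytes) still works when the payload is encrypted or looks mundane: a "time request" carrying megabytes is wrong on volume alone, whatever it contains. The following is an added example, written for this page and not Cisco's or Stealthwatch's code, of that check run over a few constructed flow records. The record format, the byte thresholds and the known-bad address list are all assumptions of the example; the IP addresses are RFC 5737 documentation ranges.

```python
from dataclasses import dataclass

NTP_PORT = 123
# Thresholds are this example's own assumptions, not vendor values.
# An NTP datagram is 48 bytes (up to ~76 with authentication/extension
# fields); with IP and UDP headers a flow record shows roughly 76-100
# bytes per packet. Anything well beyond that is not time sync.
MAX_NTP_BYTES_PER_PACKET = 128
# A client polls a server a few times an hour, so one flow stays tiny.
MAX_NTP_FLOW_BYTES = 10_000


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: src,dst,proto,dst_port,packets,bytes."""
    src, dst, proto, port, pkts, nbytes = (f.strip() for f in line.split(","))
    return Flow(src, dst, proto.lower(), int(port), int(pkts), int(nbytes))


def flag_flow(flow: Flow, known_bad: frozenset = frozenset()) -> list:
    """Return the reasons a flow deserves analyst attention (empty if none).

    Two independent checks: destination reputation (the "flows to known bad
    sites" case) and volume that contradicts the protocol the port implies
    (the multi-megabyte "time request"). Neither needs the payload.
    """
    reasons = []
    if flow.dst in known_bad:
        reasons.append("destination on known-bad list")
    if flow.proto == "udp" and flow.dst_port == NTP_PORT:
        if flow.nbytes > MAX_NTP_FLOW_BYTES:
            reasons.append(f"{flow.nbytes} bytes to UDP/123; NTP flows are tiny")
        per_packet = flow.nbytes / flow.packets if flow.packets else 0
        if per_packet > MAX_NTP_BYTES_PER_PACKET:
            reasons.append(f"{per_packet:.0f} bytes/packet exceeds an NTP datagram")
    return reasons


def find_anomalies(lines, known_bad=frozenset()):
    """Run flag_flow over raw records; return (flow, reasons) for each hit."""
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and the header comment
        flow = parse_flow(line)
        reasons = flag_flow(flow, known_bad)
        if reasons:
            hits.append((flow, reasons))
    return hits


# Constructed sample records (not real Games data), RFC 5737 addresses.
SAMPLE_LINES = [
    "# src,dst,proto,dst_port,packets,bytes",
    "10.20.1.15,203.0.113.10,udp,123,4,304",          # normal: 4 x 76-byte NTP packets
    "10.20.1.77,198.51.100.23,udp,123,3200,4200000",  # 4.2 MB "time request": tunnel/exfil
    "10.20.1.30,192.0.2.44,tcp,443,120,96000",        # ordinary-looking TLS to a known-bad host
]
KNOWN_BAD = frozenset({"192.0.2.44"})  # assumed reputation feed, constructed

if __name__ == "__main__":
    for flow, reasons in find_anomalies(SAMPLE_LINES, KNOWN_BAD):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}/{flow.proto}")
        for reason in reasons:
            print("   ", reason)
```

The first record passes both checks, the second is flagged twice (total bytes and bytes per packet) without looking at a single payload byte, and the third is flagged purely on destination reputation even though its TLS traffic would be opaque to an inspection-based tool. Real flow exporters add timing and TCP-flag fields; the same logic extends to them.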
Maiden said Cisco’s tools were also used to identify network users who visited terrorism and hate speech sites.
“I'd come in early in the morning - we were doing 12 hour shifts, and if there was nothing happening - and there was some quiet periods - I started digging around the network,” he said.
“Umbrella's got an add-on called Umbrella Investigate. So I started looking at what some people were doing and almost took a bit of an anti-fraud or enforcement type of perspective.
“I could tell if people were going, for example, to terrorism websites or hate sites. So that was really valuable for some of the law enforcement professionals up there [at the event].”
Maiden said that infosec professionals overseeing the event used a collaboration tool - though not Cisco WebEx - to stay connected to each other.
“That did highlight the importance of a good collaboration system,” he said.
“If there was an issue that was being worked on by one or more security analysts, we were aware of it. That was really, really successful.”
He also said that all parties involved in cyber security for the event came together well to deliver.
“We had our partner Optus in the Security Operations Center, Gold Coast Council, CERT Australia, and other vendors - it was really an amalgamation of a whole bunch of security professionals,” Maiden said.
“There was no animosity, there were absolutely no agendas. We were all there just to do the right thing.”
Correction: Symantec were the official SIEM provider to the Games, not Enosys as previously stated. Enosys provided SIEM and security services for Gold Coast City Council's separate network run during the Games.