In an era of unprecedented uncertainty, with so many devices scattered throughout enterprise networks, it’s challenging for security professionals to keep pace with demands.

Recent incidents and the large-scale disruptions and cost of ransomware operations illustrate the growing impact of cyber threat activity on enterprise risk across all industry segments. This risk is increasingly difficult to control and mitigate across both IT and OT environments.

While virtualization in the cloud and the advance of internet-connected devices ease the burden on industrial systems, these technologies are also introducing new vulnerabilities and risks. In particular, edge devices such as Internet of Things (IoT) objects, switches and routers control data flowing in and out of the organization. Bordering IT and OT environments, they are critical to OT security, and breaches can provide direct access into OT environments, completely bypassing IT networks.

Security leaders must demonstrate to the C-suite and the board that they understand the importance of both the continuity of operations and working in partnership with the whole business to effectively manage risk.

Key trends

Accenture Cyber Threat Intelligence’s analysis of the first half of 2021 identified four trends that are affecting the IT and OT landscape:

Ransomware actors test new extortion methods

Ransomware actors are expanding data leak extortion and devising new methods to pressure victims. Response options are becoming more complicated.

View All
  • Targets are shifting: The first months of 2021 targeted critical infrastructure and upstream providers, such as data-rich insurance companies.
  • Tactics are toughening: Ransomware negotiator Coveware reported multiple cases in late 2020 where data was destroyed rather than just encrypted, preventing data retrieval even after ransom payment.
  • Extortion is becoming personal: New exposure tactics, pioneered in 2020, have gathered speed, compounding data-leak extortion damage, adding reputation damage to victim liability lists.
  • Tactics, Techniques and Procedures (TTPs) are more advanced: Accenture Cyber Threat Intelligence identified notable defense evasion tactics with Hades ransomware operators using tooling and hands-on-keyboard actions to disable endpoint defenses.

Organizations should focus on preparation, prevention and pre-encryption defenses.

Cobalt Strike is on the rise

The current high-profile success of Cobalt Strike abuse means the tool’s popularity is growing—a trend that will almost certainly continue through 2021.

View All
  • Cobalt Strike is proliferating: Recent Cobalt Strike versions are increasingly accessible and more customizable than previous versions.
  • Attack tools are evolving: Threat actors are evolving their own custom loaders to deliver Cobalt Strike.
  • Malware is merging: For the first time, Accenture Cyber Threat Intelligence has identified overlaps between the infrastructure of the information-stealing malware EvilGrab and Cobalt Strike Beacon in early 2021.

Organizations need to adopt new defensive tools that can counter this growing threat to penetration testing in critical production environments.

Commodity malware can invade OT from IT space

High-volume crimeware is a danger at the endpoint, enabling further intrusions within a victim network that can threaten both IT and OT systems.

View All
  • First-stage commodity malware enables the deployment of further malware at the endpoint.
  • Threat actors’ use of follow-on commodity malware or tools, such as pirated and abused Cobalt Strike instances, increases the risk of infections spreading throughout the organization’s infrastructure and even to OT assets.
  • Active malware campaigns observed include Qakbot and IcedID, DoppelDridex and Hancitor.

Organizations need to consider prevention, rather than response, as the most effective defense against commodity malware threats.

Dark Web actors challenge IT and OT networks

Threat actors meet in forums to increase their pressure tactics, learn how to bypass security protections and find new ways to monetize malware logs.

View All
  • CLOP and Hades ransomware actors are changing the game: Public reporting in early 2021 tied CLOP ransomware actors to a series of global data breaches exploiting a recently discovered vulnerability in the widely used Accellion File Transfer Appliance (FTA). Hades ransomware actors also gained traction in early 2021 and demonstrated their ability to bypass Endpoint Detection and Response tools and reach edge devices.
  • Information is easy to buy and even easier to use: Accenture Cyber Threat Intelligence observed a slight but noticeable increase in threat actors selling malware logs, which constitute data derived from information stealer malware.

Organizations need to share information among defenders to understand, prevent, identify and respond to threat activity.

About the Authors

Joshua Ray

Managing Director – Accenture Security


Howard Marshall

Managing Director – Accenture Security


Valentino De Sousa

Senior Principal – Security Innovation


Christopher Foster

Senior Principal – Security Innovation


Jayson Jean

Senior Manager – Accenture Security

MORE ON THIS TOPIC

Ransomware response and recovery
The importance of cloud security

Subscription Center
Stay in the know with our newsletter Stay in the know with our newsletter