In an era of unprecedented uncertainty, with so many devices scattered throughout enterprise networks, it’s challenging for security professionals to keep pace with demands.
Recent incidents and the large-scale disruptions and cost of ransomware operations illustrate the growing impact of cyber threat activity on enterprise risk across all industry segments. This risk is increasingly difficult to control and mitigate across both IT and OT environments.
While virtualization in the cloud and the advance of internet-connected devices ease the burden on industrial systems, these technologies are also introducing new vulnerabilities and risks. In particular, edge devices such as Internet of Things (IoT) objects, switches and routers control data flowing in and out of the organization. Bordering IT and OT environments, they are critical to OT security, and breaches can provide direct access into OT environments, completely bypassing IT networks.
Security leaders must demonstrate to the C-suite and the board that they understand the importance of both the continuity of operations and working in partnership with the whole business to effectively manage risk.
Accenture Cyber Threat Intelligence’s analysis of the first half of 2021 identified four trends that are affecting the IT and OT landscape:
- Targets are shifting: In the first months of 2021, attacks targeted critical infrastructure and upstream providers, such as data-rich insurance companies.
- Tactics are toughening: Ransomware negotiator Coveware reported multiple cases in late 2020 where data was destroyed rather than just encrypted, preventing data retrieval even after ransom payment.
- Extortion is becoming personal: New exposure tactics, pioneered in 2020, have gathered speed, compounding the damage of data-leak extortion by adding reputational harm to the liabilities victims face.
- Tactics, Techniques and Procedures (TTPs) are more advanced: Accenture Cyber Threat Intelligence identified notable defense evasion tactics with Hades ransomware operators using tooling and hands-on-keyboard actions to disable endpoint defenses.
Organizations should focus on preparation, prevention and pre-encryption defenses.
- Cobalt Strike is proliferating: Recent Cobalt Strike versions are increasingly accessible and more customizable than previous versions.
- Attack tools are evolving: Threat actors are evolving their own custom loaders to deliver Cobalt Strike.
- Malware is merging: For the first time, Accenture Cyber Threat Intelligence has identified overlaps between the infrastructure of the information-stealing malware EvilGrab and Cobalt Strike Beacon in early 2021.
Organizations need to adopt new defensive tools that can counter the growing threat posed by abused penetration-testing tooling such as Cobalt Strike in critical production environments.
- First-stage commodity malware enables the deployment of further malware at the endpoint.
- Threat actors’ use of follow-on commodity malware or tools, such as pirated and abused Cobalt Strike instances, increases the risk of infections spreading throughout the organization’s infrastructure and even to OT assets.
- Active malware campaigns observed include Qakbot and IcedID, DoppelDridex and Hancitor.
Organizations need to consider prevention, rather than response, as the most effective defense against commodity malware threats.
- CLOP and Hades ransomware actors are changing the game: Public reporting in early 2021 tied CLOP ransomware actors to a series of global data breaches exploiting a recently discovered vulnerability in the widely used Accellion File Transfer Appliance (FTA). Hades ransomware actors also gained traction in early 2021 and demonstrated their ability to bypass Endpoint Detection and Response tools and reach edge devices.
- Information is easy to buy and even easier to use: Accenture Cyber Threat Intelligence observed a slight but noticeable increase in threat actors selling malware logs, the data harvested by information-stealer malware.
Organizations need to share information among defenders to understand, prevent, identify and respond to threat activity.