Looking back to see the future: CIFR DeLorean—2021 edition
February 10, 2021
Last year, we made some bold predictions in our CIFR DeLorean 2020 edition.
Well, it’s that time of year again—with 2020 behind us, we’d like to analyze the past year’s incident response and intrusion data collected by our Cyber Investigations and Forensic Response (CIFR) team and look forward to predict trends for 2021. We’ll also jump back to see how we did with our 2020 predictions. Spoiler alert: A global pandemic took us for a spin, but we still managed to get a lot of things right.
But before we engage our flux capacitor, we’ve had some debates over the years on the “superior” time travel mechanism—which one are you riding into 2021 and beyond?
It’s once again time to go back to see the future in our CIFR DeLorean. Jump in and buckle up!
We thought 2019’s disruptive technology agenda and the booming acquisitions market was driving a rate and scale of change we had never seen before across almost every industry. Well, it turns out 2020 was about to up the ante—thanks to a global pandemic that changed the world we once knew. However, despite some unprecedented events… when looking back at 2020, we can’t help but say… whoa!
We didn’t get it all right with our 2020 predictions, and some were all but guaranteed and easy to see—Ransomware! Fraud! BEC! Oh my!
Looking back, here are the top three (3) predictions we are most proud of from our 2020 edition, with some publicly disclosed events from the year to take you back:
The CIFR team responded to a variety of incidents across our G2000 clients and industry verticals. While we observed threat actors taking advantage of changes resulting from a global pandemic, one underlying theme persisted: Cybercrime affiliate networks are the new hotness!
CIFR saw a significant uptick in incident volume in 2020, especially in the second half of the year. From an industry perspective, we saw the Financial Services industry (26%) slightly overtake Health & Public Service (25%) as the top impacted industry in 2020 as measured by volume of incidents. Of note, CIFR observed a 50% year over year (YoY) increase in Business Email Compromise (BEC) events, a 160% YoY increase in Ransomware events, and an almost 200% YoY increase in Third Party and Supply Chain intrusions. In addition, more than 60% of CIFR’s engagements involved one or more cloud platforms, either as the means of intrusion or as a monetization opportunity.
As the largest incident type by volume for CIFR in 2020, let’s dig into the year’s ransomware intrusions with some 2020 front line observations:
“New Kid on the Block”: Mount Locker Ransomware—first observed by CIFR in August 2020. The use of Mount Locker was of particular interest because it was the first time CIFR had seen two (2) variants used in the same attack: a Maze variant for targeting individual hosts, while Mount Locker was used to encrypt network-attached storage (NAS) filesystems.
The evolution of cybercrime affiliate networks and Ransomware as a Service (RaaS) models has created an ecosystem that helps scale and streamline operations while accelerating time to payment—the figure below provides a simplified illustration in the context of a Ransomware attack.
Prediction 1: More ransomware, with 2021 innovation:
We expect an increase in ransomware targeting critical business applications in an attempt to cripple revenue generating operations, specifically with increased impact across the following:
Prediction 2: Increase in OT/ICS impact:
We expect a continued increase in OT/ICS incidents during 2021 with two (2) primary drivers:
Prediction 3: Less Windows, more Linux and Cloud:
Threat actors will gravitate toward Linux and cloud workloads for higher-efficacy evasion and persistence operations.
Prediction 4: “Webshells Everywhere”
Prediction 5: “All your Bots are Belong to us”
Our macro-level trends are relatively consistent with prior years, with some amplification thanks to a global pandemic and recent supply chain events. Our clients dramatically increased their shift to the cloud, and we highlighted some remarkable trends from CIFR incident response data. This is a new normal: enterprises looking to be cyber-resilient, in the face of the predicted landscape and our expectations for 2021, should have a good handle on the following:
Congratulations, you made it to the end of the blog, and for that you get some bonus content!
CIFR observed the following MITRE ATT&CK Tactics and Techniques most frequently throughout 2020. In terms of prioritization, consider these 98 (52%) ATT&CK techniques to guide your collection management framework, and environmental and threat detection analytics roadmap. For additional content, see our recent blogs Win the Hearts of Incident Responders with Windows Logging and Active Defense-Sweep the Leg!
If you have an incident or need additional information on ways to detect and respond to cyberthreats, contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.firstname.lastname@example.org.
Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademark.
Copyright © 2021 Accenture. All rights reserved.