Last year, we made some bold predictions in our CIFR DeLorean 2020 edition.

Well, it’s that time of year again—with 2020 behind us, we’d like to analyze the past year’s incident response and intrusion data collected by our Cyber Investigations and Forensic Response (CIFR) team and look forward to predict trends for 2021. We’ll also jump back to see how we did with our 2020 predictions. Spoiler alert: A global pandemic took us for a spin, but we still managed to get a lot of things right.

But before we engage our flux capacitor, we’ve had some debates over the years on the “superior” time travel mechanism—which one are you riding into 2021 and beyond?

  • DeLorean… or team Tardis?
  • Hot tub or the phone booth?
  • What about the Time Jumper (if you know, you know)?

It’s once again time to go back to see the future in our CIFR DeLorean. Jump in and buckle up!

2020 year in review: “All your data are belong to us”

We thought 2019’s disruptive technology agenda and the booming acquisitions market were driving a rate and scale of change we had never seen before across almost every industry. Well, it turns out 2020 was about to up the ante, thanks to a global pandemic that changed the world we once knew. However, despite some unprecedented events… when looking back at 2020, we can’t help but say… whoa!

How did we do in 2020?

We didn’t get all of our 2020 predictions right, and some were all but guaranteed and easy to see: Ransomware! Fraud! BEC! Oh my!

Looking back, here are the top three (3) predictions we are most proud of from our 2020 edition, with some publicly disclosed events from the year to take you back:

  1. “M&A and Supply chain weaknesses will continue to provide attackers with an easy foothold into enterprise networks”
  2. “Attack on domain registrars. But who will save the Internet?!”
  3. “Proliferation of new technology will continue to drive the evolution of DDoS attacks with a 2020 twist”

CIFR Incident Response—2020 “by the numbers”

The CIFR team responded to a variety of incidents across our G2000 clients and industry verticals. While we observed threat actors taking advantage of changes resulting from a global pandemic, one underlying theme persisted: Cybercrime affiliate networks are the new hotness!

Exhibit 1: CIFR Incident Response in review. Copyright © 2021 Accenture. All rights reserved.

2020 highlights

CIFR saw a significant uptick in incident volume in 2020, especially in the second half of the year. From an industry perspective, we saw Financial Services (26%) slightly overtake Health & Public Service (25%) as the top impacted industry in 2020, as measured by volume of incidents. Of note, CIFR observed a 50% year-over-year (YoY) increase in Business Email Compromise (BEC) events, a 160% YoY increase in ransomware events, and an almost 200% YoY increase in third-party and supply chain intrusions. In addition, more than 60% of CIFR’s engagements involved one or more cloud platforms, either as the means of intrusion or as a monetization opportunity.

As the largest incident type by volume for CIFR in 2020, ransomware deserves a closer look. Some 2020 front-line observations:

  • Top five (5) ransomware variants observed by CIFR (representing >65% of total volume):

    Rank  Variant              Share of ransomware volume
    1     Maze                 18%
    2     Sodinokibi (REvil)   16%
    3     Netwalker            14%
    4     Ryuk                 12%
    5     Doppelpaymer          7%

Exhibit 2: CIFR Incident Response in review. Copyright © 2021 Accenture. All rights reserved.

“New Kid on the Block”: Mount Locker ransomware, first observed by CIFR in August 2020. Mount Locker was of particular interest because it was the first time CIFR had seen two (2) variants used in the same attack: a Maze variant was used to target individual hosts, while Mount Locker was used to encrypt network-attached storage filesystems.

Exhibit 3: CIFR Incident Response in review. Copyright © 2021 Accenture. All rights reserved.

  • Breakout times observed, from initial access to domain compromise, ranged from a few hours to approximately 10 days, with tooling such as BloodHound and its SharpHound collector, and vulnerabilities such as Zerologon (CVE-2020-1472), acting as accelerators.
  • Observed Operational Technology / Industrial Control System (OT/ICS) impact in approximately one-third (33%) of ransomware intrusions.
    • OT impact observed included both network- or system-level impact (e.g., malware on HMIs or OPC servers/clients) and operational impact, such as shutting down operations due to safety concerns.
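Both accelerators named above leave a footprint in the Windows Security log, and the breakout window is short enough that the detection has to be cheap. The script below is an added example for this post, not CIFR’s tooling: it runs two heuristics over constructed sample events (not real telemetry). The first keys on the shape public Zerologon detection rules use, Event ID 4742 (computer account changed) with an ANONYMOUS LOGON subject and a machine-account target. The second looks for the fan-out of SharpHound session and local-group collection, one account producing network logons (4624, type 3) to many distinct hosts in a short window. The field names mirror Security log EventData, and the 20-host / 5-minute thresholds are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Keys mirror the EventData
# fields of the Windows Security log so the logic transfers to real exports.
EVENTS = [
    # A DC machine-account password change with an anonymous subject: the
    # shape public Zerologon detection rules key on.
    {"ts": "2020-09-14T08:00:01", "EventID": 4742, "Computer": "DC01.corp.local",
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    # Routine: a workstation account changed by an admin service account.
    {"ts": "2020-09-14T08:00:03", "EventID": 4742, "Computer": "DC01.corp.local",
     "SubjectUserName": "svc-sccm", "TargetUserName": "WS0042$"},
]
# One user opening network logons to 25 workstations in 25 seconds, the
# fan-out pattern of SharpHound session / local-group collection.
EVENTS += [
    {"ts": f"2020-09-14T08:05:{i:02d}", "EventID": 4624, "LogonType": 3,
     "Computer": f"WS{i:04d}.corp.local", "TargetUserName": "jdoe",
     "IpAddress": "10.1.1.50"}
    for i in range(25)
]
# A scanner account touching 25 servers ten minutes apart: same host
# count, but never inside one window, so it must not alert.
EVENTS += [
    {"ts": f"2020-09-14T{9 + i // 6:02d}:{(i % 6) * 10:02d}:00", "EventID": 4624,
     "LogonType": 3, "Computer": f"SRV{i:03d}.corp.local",
     "TargetUserName": "svc-scan", "IpAddress": "10.1.1.9"}
    for i in range(25)
]


def detect_zerologon_style(events):
    """Event 4742 (computer account changed) where the subject is
    ANONYMOUS LOGON and the target is a machine account. Zerologon resets a
    DC's machine-account password over Netlogon from an unauthenticated
    context, which lands in the Security log in this shape."""
    return [
        (e["ts"], e["Computer"], e["TargetUserName"])
        for e in events
        if e.get("EventID") == 4742
        and e.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
        and e.get("TargetUserName", "").endswith("$")
    ]


def detect_logon_fanout(events, min_hosts=20, window=timedelta(minutes=5)):
    """Flag any account with network logons (4624, type 3) to at least
    min_hosts distinct hosts inside a sliding time window. Thresholds are
    assumptions; tune them and allow-list known scanners for your estate."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") == 3:
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["ts"]), e["Computer"]))
    alerts = {}
    for user, rows in by_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {host for _, host in rows[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[user] = max(alerts.get(user, 0), len(hosts))
    return alerts


if __name__ == "__main__":
    for hit in detect_zerologon_style(EVENTS):
        print("Zerologon-style 4742:", hit)
    for user, n in detect_logon_fanout(EVENTS).items():
        print(f"Logon fan-out: {user} reached {n} hosts within 5 minutes")
```

On the sample data the first heuristic fires once (DC01$ changed by ANONYMOUS LOGON) and the second fires only for jdoe; svc-scan touches just as many hosts but never more than one per window. Treat the 4742 match as high fidelity but confirm it against the domain controller’s Netlogon events (IDs 5827 through 5831 on patched DCs) before declaring a compromise, and expect the fan-out rule to need an allow-list for vulnerability scanners and inventory agents.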

The evolution of cybercrime affiliate networks and Ransomware as a Service (RaaS) models has created an ecosystem that scales and streamlines operations while accelerating time to payment. Exhibit 4 provides a simplified illustration in the context of a ransomware attack.

Exhibit 4: CIFR Incident Response in review. Copyright © 2021 Accenture. All rights reserved.

Predicting 2021: “If My Calculations Are Correct…”

Prediction 1: More ransomware, with 2021 innovation:

We expect an increase in ransomware targeting critical business applications in an attempt to cripple revenue-generating operations, with increased impact across the following:

  • Cloud environments, including containers and orchestration platforms
  • Virtualization management infrastructure and the Linux-based systems that support DevSecOps pipelines (e.g., ransom the hypervisor)
  • Average dwell time, which will continue to decrease with the uptake of Ransomware as a Service (RaaS): faster attack execution means faster time to payment, at scale.

Prediction 2: Increase in OT/ICS impact:

We expect a continued increase in OT/ICS incidents during 2021 with two (2) primary drivers:

  • Ransomware: As stated above, approximately one-third of the ransomware investigations CIFR responded to in 2020 had an OT/ICS impact, and we expect that share to increase in 2021. While ICS-aware ransomware variants are already in circulation, we expect traditional ransomware to remain the primary driver; adversary intent does not necessarily equal impact, and an IT-focused intrusion can still halt operations.
  • Supply Chain: The SolarWinds supply chain compromise had downstream impact on OT networks across our clients. Beyond OEM vendor relationships, this event should be a wake-up call for third-party risk and asset visibility on the operations side of the house.

Prediction 3: Less Windows, more Linux and Cloud:

Threat actors will gravitate toward Linux and cloud workloads for higher-efficacy evasion and persistence operations.

  • We foresee more situationally aware threat actors moving off Windows endpoints to Linux systems, and away from endpoints altogether where possible. Linux production systems are often less controlled, protected and understood than a typical enterprise Windows domain, which makes them an easy defense evasion option for attackers.
  • Threat actors will continue to move their infrastructure and tools into legitimate cloud platforms to blend in, and as a result detection and prevention will become more difficult. Third-party cloud applications and OAuth tokens are a toxic combination.
  • With the rapid Journey to Cloud (J2C) during the year, we have seen a significant uptick in cloud adoption, with downstream implications in the form of cloud intrusions. Most commonly observed by CIFR in 2020: web shells, coinminers, and unauthorized access via stolen keys or misconfigured cloud resources.

Prediction 4: “Webshells Everywhere”

  • The CIFR team noted an uptick in the use of web shells across a number of engagements in 2020. We expect this trend to continue into 2021, as web shells are notoriously difficult to detect: they hide in the signal-to-noise ratio of a moderately busy web server, and they are often tiny (24 bytes!!!). Web shells were observed on Linux and Windows systems in nearly equal measure.
  • Web shells are most often deployed via default credentials, exploitation of a known vulnerability in the application or server, or a server misconfiguration.
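Because a one-line shell offers almost nothing for a content signature to match, the practical hunt pairs two signals: integrity drift against a manifest captured at deploy time, and a small set of content heuristics scored only on files that drifted. The script below is an added example for this post, not CIFR’s tooling; it builds a constructed PHP web root in a temporary directory, baselines it, then tampers with it in the two ways described above (a dropped one-liner and a legitimate file with an appended backdoor). The regexes and the 200-byte “one-liner” cut-off are assumptions, not a vendor rule set.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Content heuristics (assumed, not exhaustive). Each is noisy on its own;
# they are only scored on files that fail the integrity check.
SUSPICIOUS = [
    (re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
     "exec-primitive"),
    (re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\b|Request\.(Form|QueryString|Item)", re.I),
     "request-input"),
    (re.compile(rb"base64_decode|gzinflate|gzuncompress|str_rot13", re.I),
     "obfuscation"),
]


def sha256_manifest(root):
    """Relative path -> SHA-256 for every file under root. Capture this at
    deploy time (from CI, not from the possibly compromised host)."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def content_tags(data):
    """Tag a file body; input reaching an exec primitive in a tiny file is
    the classic one-liner shape the post calls out."""
    tags = [tag for rx, tag in SUSPICIOUS if rx.search(data)]
    if "exec-primitive" in tags and "request-input" in tags:
        tags.append("one-liner-shape" if len(data) < 200 else "input-reaches-exec")
    return tags


def hunt(root, baseline):
    """Report only files that are new or changed relative to the baseline,
    with their content tags. Unchanged files are skipped even when noisy."""
    root = Path(root)
    findings = {}
    for rel, digest in sha256_manifest(root).items():
        if baseline.get(rel) == digest:
            continue  # integrity intact: the manifest is the noise filter
        status = "new" if rel not in baseline else "changed"
        findings[rel] = (status, content_tags((root / rel).read_bytes()))
    return findings


def build_sample_webroot():
    """Constructed fixture: a tiny PHP site baselined at deploy time, then
    tampered with. Returns (root, baseline_manifest)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "admin").mkdir()
    (root / "uploads").mkdir()
    (root / "index.php").write_bytes(
        b"<?php\n"
        b"// Constructed sample application entry point.\n"
        b"// It renders the home page and nothing else; no user input is\n"
        b"// passed to any execution primitive in the deployed version.\n"
        b"require 'lib/app.php';\n"
        b"echo render_home();\n")
    # Legitimate code that trips two content rules (input + base64) but has
    # no exec primitive and, more importantly, matches the baseline.
    (root / "admin" / "import.php").write_bytes(
        b"<?php\n$blob = base64_decode($_POST['payload']);\nsave_import($blob);\n")
    baseline = sha256_manifest(root)
    # Post-compromise: a dropped one-liner and a backdoor appended to a real file.
    (root / "uploads" / ".cache.php").write_bytes(b"<?php @eval($_POST['c']);")
    with (root / "index.php").open("ab") as fh:
        fh.write(b"<?php if (isset($_GET['k'])) { system($_GET['k']); } ?>\n")
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_webroot()
    for rel, (status, tags) in sorted(hunt(root, baseline).items()):
        print(f"{status:8} {rel:22} {', '.join(tags) or '-'}")
```

Against the fixture, hunt() reports uploads/.cache.php as new with the one-liner shape and index.php as changed with input reaching an exec primitive, while admin/import.php is never reported despite matching two content rules. On a real server the same split applies: run it with a manifest from your deployment pipeline, and read the drifted-but-untagged files too, since a shell written in a language the regexes do not cover still shows up as unexplained drift.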

Prediction 5: “All your Bots are Belong to us”

  • Are your privileged Robotic Process Automation (RPA) service accounts securely managed and their APIs hardened? CIFR observed multiple instances of RPA bot accounts being leveraged in account takeover (ATO) and ransomware events in 2020. We expect this to become more prominent in 2021 as RPA adoption continues to expand and the opportunity presents itself to situationally aware threat actors.

So now what? 2021 Edition

Our macro-level trends are relatively consistent with prior years, with some amplification thanks to a global pandemic and recent supply chain events. Our clients dramatically increased their shift to the cloud, and we highlighted some pretty remarkable trends from CIFR incident response data. This is a new normal—enterprises looking to be cyber-resilient, in the face of the predicted landscape and our expectations for 2021, should have a good handle on the following:

  1. The beautiful basics
    Underlying security posture and cyber hygiene practices will define who thwarts the ransomware affiliate networks… and who has an unexpected digital transformation to steward.

  2. Secure the cloud
    As organizations have benefited from the pivot to cloud services, threat actors have honed their skills at both targeting cloud services and using them to their own benefit. While this may seem obvious, cloud initiatives need to include a foundational understanding of the shared responsibility model, plus consistent implementation and proactive oversight of the security controls and configurations applied to those services. For more information, see our latest Secure Cloud Research Report.

  3. M&A and third-party risk: focus on supply chain and third-party data.
    While the SolarWinds hack and surrounding events highlighted the supply chain in alarming fashion, there is also a quieter threat building: threat actors trading in stolen information to make fraud more effective, the Vendor Email Compromise (VEC) trend. Resilient enterprises should build security into the M&A transaction lifecycle, from due diligence, IT inventory and compromise assessments through capability rationalization and secure IT integration plans. Additionally, business owners should ensure that all third-party and supply chain contracts appropriately address security responsibilities.

BONUS CONTENT: MITRE ATT&CK and Detection Analytics

Congratulations, you made it to the end of the blog and for that you get some bonus content!

CIFR observed the following MITRE ATT&CK Tactics and Techniques most frequently throughout 2020. In terms of prioritization, consider these 98 (52%) ATT&CK techniques to guide your collection management framework, and environmental and threat detection analytics roadmap. For additional content, see our recent blogs Win the Hearts of Incident Responders with Windows Logging and Active Defense-Sweep the Leg!

Exhibit 5: CIFR Incident Response in review. Copyright © 2021 Accenture. All rights reserved.

If you have an incident or need additional information on ways to detect and respond to cyberthreats, contact a member of our CIFR team 24/7/365 by phone 888-RISK-411 or email CIFR.hotline@accenture.com.

 


Accenture Security helps organizations build resilience from the inside out, so they can confidently focus on innovation and growth. Leveraging its global network of cybersecurity labs, deep industry understanding across client value chains and services that span the security lifecycle, Accenture helps organizations protect their valuable assets, end-to-end. With services that include strategy and risk management, cyber defense, digital identity, application security and managed security, Accenture enables businesses around the world to defend against known sophisticated threats, and the unknown. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademark.

Copyright © 2021 Accenture. All rights reserved.

 

Jeff Beley

Security Innovation Principal


Heather Larrieu

Security Delivery Manager


Ryan Leininger

Senior Manager – Accenture Security
