In a previous blog, we stepped into a real-life scenario to show how our Cyber Investigation and Forensics Response (CIFR) threat hunting operations can disrupt advanced adversaries. Now, with 2019 behind us, we’d like to analyze the year’s incident response data while also looking forward to predict trends for 2020. So jump in and buckle up. It’s time to go back to see the future in our CIFR DeLorean™.
2019 in review: What's old is new, what's new is old
Thanks to the disruptive nature of technology innovation and a booming mergers and acquisitions market, the world seems to be experiencing change at a faster pace and scale. Yet when looking back at 2019, we can’t help but feel a bit stuck in the past. In fact, for CIFR, the headline for 2019 might read ‘Déjà Vu.’
Our team responded to a variety of incidents across our G2000 clients and industry verticals. While we observed steady innovation by threat actors throughout the year, one underlying theme persisted: Follow the data (ahem, money).
Similar to 2018, CIFR saw ransomware, business email compromise (BEC), account takeover (ATO), and advanced persistent threat (APT) events dominate the incidents we responded to in 2019. While the types of attacks remained relatively consistent from a macro perspective year over year (YoY), we saw a significant increase (almost 60 percent YoY) in threat actors targeting the health and public sector, including state and local governments as well as HIPAA-covered entities. This accounted for approximately 34 percent of our volume by industry in 2019.
Predicting 2020: Our CIFR DeLorean gives us '20/20' vision
Prediction 1: More of the same (sigh)
We’ll likely see more ransomware, more BEC, more ATO, and more data privacy implications. CIFR saw an approximately 25 percent increase in ransomware investigations from 2018 to 2019. In 2019, almost 60 percent of our investigations involved client cloud platforms such as Azure/O365 and AWS. Unfortunately, unless there is a major shift in the industry, we don’t see these numbers improving in the near-term as the adoption of cloud continues to increase.
Another contributing factor: steady innovation. Cybercriminals continued to find new ways to expose organizations that had not properly invested in cybersecurity and resilience, and this innovation drove an increased likelihood of ransom payment, possibly with assistance from cyber insurance policies. Until external factors change — for example, potential regulation — we expect this trend to continue into 2020 and possibly beyond.
Prediction 2: Increased insider threat and cyber fraud
Almost 20 percent of the incidents we responded to were related to insider threats. The reasons? It’s difficult to say for sure, but in 2019, Accenture saw a concerted effort by clients to invest in insider threat programs, which we believe increased detection efficacy. We expect that trend to carry over into 2020, driven upward by regulatory pressure in highly regulated industries such as banking. Another factor is an increased focus on protecting company and customer data due to recent insider threat industry events and related losses.
Part of this is driven by technology investments in solutions such as user and entity behavior analytics, which can improve detection of insider threats. We believe that as organizations improve their insider threat programs, the efficacy of those programs should also improve and thus, lead to increased detection and response.
In addition to insider threats, almost 15 percent of our IR engagements involved some form of fraud, including wire payments. In our experience, most organizations struggle with this concept and with the fact that fraud risk has evolved to include cyber as a major component. Unfortunately, large corporations often lack the agility from a governance perspective to bring fraud and cyber together in a meaningful way. This raises numerous questions for companies, including:
- Where do your cyber controls start and fraud controls begin? Are those controls integrated?
- Can you detect fraud propagated via technology and business process control subversion?
- Can you correlate or link the two?
- If you have a domain compromise or ATO scenario, would your fraud controls and passive monitoring perform?
- Can you make attackers ‘stick out’ if they’re using legitimate credentials to bypass controls and action on objectives?
- How can your tech stack or platform(s) be manipulated or abused for profit? How do you model those scenarios to stay ahead of the threat?
Prediction 3: 2020, a year of disruption
Jumping back into our CIFR DeLorean for a glimpse into the future, we believe a number of factors will play a role in the types of incidents we see in 2020. This could be especially true in the latter half of the year because of geopolitical influence and possible amplification of events due to global economic uncertainty.
In addition to a focus on world events, we also predict disruption coming in other forms, mostly reminding us of days past. We see the ‘year of disruption’ propagating via the following ‘old is new, and new is old’ trends:
- Destructive malware and wiper attacks will return to the headlines (tensions in the Middle East).
- Back to the 90s! ‘King of the Hill’ will return to its glory days.
- Attacks on domain registrars will continue. But who will save the internet?
- Denial of service (DDoS) will still be a thing, with the proliferation of new technology driving the evolution of DDoS attacks with a 2020 twist. Remember that IPv6 thing everyone used to talk about?
- Information operations: New methods will emerge for weaponizing data to attack consumers.
- M&A and supply chain weaknesses will continue to provide attackers with an easy foothold into enterprise networks.
Cue the eye roll. So now what?
Believe it or not, there are things to look forward to in 2020. We truly believe the industry is better off today than it was last year. We’ve seen steady improvement in our clients’ detection and response as well as some astonishing innovation, primarily driven by smart, targeted investments that are reducing unnecessary complexities. As we like to say: “Keep it simple and focus on the beautiful basics.”
Every organization is different, but based on trends we see via analysis of IR data from the last three years, three macro-level items stick out to us that organizations of all shapes and sizes should consider:
- The beautiful basics. Time and again, we see the same types of attacks, which are all preventable with a little more focus on three fundamentals: hygiene, governance and capabilities (people/process/technology).
- Secure the cloud. Attackers are good at following the data ($$$). Most attacks we see are due to a lack of fundamental control (i.e., #1 above). For example, deploying multifactor authentication for all cloud services and disabling legacy services that threat actors can manipulate to bypass controls are significant steps in the right direction. These two factors — or lack thereof — contributed to the majority of cloud intrusions we responded to in 2019.
- M&A and third-party risk. 2019 was a big year for M&A activity, which means a hot year for cyber-attacks. Many of the incidents we encountered involved an acquisition or a third party as a means of intrusion (e.g., MSPs). Proactive cyber due diligence of acquisitions (pre- and post-merger) and risky third parties — for example, via our Cyber Resilience Diagnostic (CRD) service — is imperative for M&A targets.
Predicting the future is hard, but we have faith in our DeLorean. Now, let’s see where 2020 takes us.
Have an incident or need additional information? Contact a member of our CIFR team 24/7/365 by phone at 888-RISK-411 or via email at CIFR.firstname.lastname@example.org.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks