Swimming in the cyber seas places business owners in all manner of danger but if they know the facts, they can better mitigate cyber-shark attacks. So, let’s talk sharks.

According to the Shark Research Institute, there are more than 400 varieties of sharks, each differing in size, shape, color, and temperament. The whale shark, for instance, can grow to a massive 21 meters long, but swims slowly and peacefully about, filling its massive maw with plankton. By contrast, the cookiecutter shark, at a mere 50 centimeters, is relatively tiny, but voracious. And of course, there is the great white. Considered a “super predator,” the great white shark can reach up to eight meters in length and tends to explore the world around it . . . with its teeth.

While each species has its peculiarities, swimmers will do better to know why sharks attack in general—and less so why a shark may be interested in a specific swimmer. See, sharks rarely, if ever, differentiate at the individual level. Rather, sharks attack:

  1. When they are hungry and distressed. Researchers have proven sharks are not robotic killing machines; they only attack to feed or in self-defense. Technically speaking, the exploratory biting done by some sharks is not so much an attack as a palatability test—in short, a learning experience.
  2. When they detect vulnerable victims. Sharks have incredible sensory capabilities. According to Shark Trust, in addition to having super-sized versions of the normal five senses, sharks can sense pressure changes and electrical currents.
  3. When they find palatable items. According to Sharks-World, sharks eat what they need to eat. While the shark may prefer some types of prey, they will eat what is available. Sometimes, they eat things they can swallow, but not digest—most likely by accident and out of innate curiosity to try new things.

While knowing the species of a shark, its preferred meal, and how it attacks is interesting, it’s far more important that a swimmer know how not to look, act, or smell like prey to avoid an attack. In other words, become unpalatable and hard to swallow.

Ransomware is today’s great white cyber-shark

At Accenture, we’ve seen the rise in ransomware attacks across the board. Initially, threat actors were targeting certain industries—in clusters and with specific ransomware variants—somewhat like a shark might home in on a specific ocean beach. But after exploring both the industry and ransomware variants in the attacks in search of similarities or causality, we concluded that neither told the full story.

Although informative, focusing on an actor, technology, or malware was not enough to be broadly helpful. We found that the malware used was merely the manifestation of the intrusion and the victim industry or attacking threat group was only relevant to the specific instance at hand. In the end, no industry is immune to attack from an ever-increasing list of malicious actors and thus, more information is needed to devise security plans or postures that keep us safe in the water.

Lately, we’ve seen three strong currents impacting our reefs:

  1. Most attacks are not unique. The use of 0-day exploits is rare and reserved for when the easy prey is gone or if there is a specific purpose behind the attack. While 0-days do happen and new exploits are developed daily, 0-days are rare in the context of the number of attacks.
  2. Most attacks target an identified weakness, not a company. The uptick we’ve seen in particular industries is the result of weaknesses such as technical gaps, persistent lack of sufficient patching, and the identification and broad sharing of security controls across malicious actor networks, like blood in the water.
  3. Notable attack trends are feeding frenzies. Once a vulnerability scent is released, it notifies other lurking sharks of a type of victim available for attack. All manner of attackers rush in to take advantage before the gap is closed, resulting in a frenzy of data and access to victim environments becoming available on the deep, dark web.

To stay afloat, information security leaders should understand current conditions and threats, specifically how trends are relevant to their environment. For example, Accenture has observed this common attack scheme:

<<< Start >>>

Copyright © 2020 Accenture. All rights reserved.

<<< End >>>

Factors to consider with ransomware attacks

Threat actors often:

  • Compromise environments using password-spray attacks, exploiting weak credentials of third-party service providers via an exposed RDP server without multifactor authentication (MFA).
  • Search for, scan, and exploit operational technology (OT) companies, initiating compromises from both the IT and OT environments.
  • Use UAC bypass or Mimikatz to escalate privileges of compromised credentials.
  • Use DCSync to facilitate Active Directory (AD) account compromise and ransomware deployment.
  • Exfiltrate data using file transfer protocol (FTP) before ransomware detonation.
  • Detonate ransomware on thousands of endpoints via remote scheduled tasks using credentials captured with DCSync.
  • Detonate ransomware after objectives are met, collateral opportunities are mined, or upon detection.

Once an attack has occurred:

  • OT companies can suffer immediate, significant, and dangerous impacts when plants experience total, uncontrolled shutdowns from ransomware attacks.
  • Meaningful recovery can be difficult; more so when threat actors have encrypted backups. 
  • Some ransomware decryption keys are flawed when decrypting files larger than 50 MB. In these circumstances, victims not only pay the ransom but also lose their data.
Knowing is good, but taking action is better

You can begin to evaluate how vulnerable your environment may be to today’s cyber-sharks by asking questions. What are your environmental details? How are you understanding and addressing the current school of weaknesses?

  • Strong passwords?
  • Third-party standards?
  • Adequate credential management?
  • Functional MFA?
  • Understanding of your attack surface?
  • Proper segmentation?
  • Modern privilege management?
  • Secure backups?
  • Useful recovery plans?
  • C-level and business stakeholder buy-in?

One of the keys to defusing ransomware-attack risk is closing gaps as you identify them and having an agile, defense cycle. Step one: Avoid attack by not appearing as bait and being unpalatable! Step two: If attacked, respond quickly and keep swimming.

For further information, please contact the Cyber Investigation and Forensics Response (CIFR) team at CIFR.hotline@accenture.com.

 

Accenture Security

Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence.  Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security

Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.

Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks

Eric Welling

Security Delivery Senior Manager


Jeff Beley

Security Innovation Principal

Subscribe to Accenture's Cyber Defense Blog Subscribe to Accenture's Cyber Defense Blog