Virtualisation in the cloud and the advancement of Internet-connected devices have made running industrial systems much more manageable, writes Clive Brindley, Security Lead for Accenture in Africa. However, these technologies are also introducing operational environments to new vulnerabilities and risks.
The global ransomware crisis has entered a new phase, as threat actors adopt more potent pressure tactics and target new victims – especially in manufacturing and critical infrastructure. Ransomware impact is more widespread, and attacks often expose weaknesses in a company’s security posture.
Accenture’s Cyber Threat Intelligence (CTI) report for 2021 reveals that software supply chain security and third-party compromise vectors are in the crosshairs of attackers. Ransomware deployment is faster and more diverse, making pre-infection defence extremely difficult.
To overcome these challenges, we need to be well-informed of the security trends and know how to tackle them and adapt to changing conditions. In this article, I discuss the four security trends affecting the IT and OT landscape as identified in this year’s Accenture CTI report.
Four key security trends for 2021
1. Ransomware actors test new extortion methods
Ransomware actors are devising new methods to pressure victims by targeting operational resilience – which the disruptive forces of the pandemic have already tested. Typical targets remain small manufacturers, critical infrastructure, and upstream providers, including data-rich insurance companies. Attackers disrupt production in organisations that cannot afford downtime so that victims feel the pressure and pay ransoms. They generally promise to decrypt their victims’ systems and destroy stolen data after receiving payment, but these promises are unreliable. Ransomware negotiator Coveware reported multiple cases in late 2020 where data was destroyed rather than just encrypted, preventing data retrieval even after ransom payment and adding reputational damage to victims’ liabilities.
To help tackle the impact of ransomware, organisations should focus on preparation, prevention, and pre-encryption defence. Segregation and zero-trust measures can also limit threat actor movements if breaches occur. It is also important to collaborate with industry partners, consortiums and law enforcement for greater threat awareness. Lastly, apply an appropriate risk mitigation strategy that includes data protection controls implementation.
2. Cobalt Strike is on the rise
Although in use for more than a decade, the number of Cobalt Strike-enabled attacks reportedly increased by 163% between 2019 and 2020. Cobalt Strike is a commercial penetration testing framework widely adopted by security researchers and ethical security testing professionals. Pirated copies of Cobalt Strike have emerged as a superior commodity alternative to malware for numerous reasons. In addition to being increasingly accessible, recent Cobalt Strike versions are more customisable than previous versions. Threat actors exploit Cobalt Strike’s Malleable command-and-control (C2) features to change the default settings of the framework’s Beacon backdoor and defeat detection.
Organisations need to adopt new defensive tools that can counter this growing threat. It starts with network analysis: monitor for Beacon watermarks found in Cobalt Strike samples to find and understand emerging Cobalt Strike campaigns and better defend against trending TTPs. Secondly, get familiar with Cobalt Strike activity and learn how past experiences can help tackle the threat. Lastly, strengthen your defence posture by employing new defence tools to keep pace with evolving challenges.
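The network analysis recommended above can be illustrated with a small detector run over proxy logs. The following Python script is an added example, not code from the article or from Accenture: it scans a constructed, made-up proxy log for two signals that defenders commonly use to surface Beacon activity. The first is requests to a handful of URIs assumed here to be the well-known defaults of Cobalt Strike’s stock HTTP profile (operators often change these with Malleable C2, so a hit is a lead, not a verdict); the second is near-constant spacing between requests from one client to one server, which a sleeping Beacon with small jitter produces and human browsing does not. The log format, thresholds and IP addresses are all assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: a few of the well-known URIs from Cobalt Strike's stock HTTP
# profile. Real campaigns customise them with Malleable C2, so treat a match
# as a lead for analysts rather than proof of compromise.
DEFAULT_BEACON_URIS = {
    "/dpixel", "/__utm.gif", "/pixel.gif", "/fwlink", "/updates.rss",
    "/submit.php",
}

# Constructed proxy log format (not any real product's format):
# <ISO8601 timestamp> <client ip> <method> <url> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)(?P<path>/[^?]*)?")


def parse_line(line):
    """Parse one constructed proxy log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": u["host"],
        "path": u["path"] or "/",
        "method": m["method"],
    }


def default_uri_hits(events):
    """Return the events whose request path is one of the stock Beacon URIs."""
    return [e for e in events if e["path"] in DEFAULT_BEACON_URIS]


def find_periodic_pairs(events, min_requests=4, max_cv=0.25):
    """Flag (src, dst) pairs whose request spacing is near-constant.

    The coefficient of variation (stdev / mean of inter-arrival seconds) is
    low for a beacon with a fixed sleep and small jitter, and high for human
    browsing. min_requests and max_cv are assumed thresholds to tune locally.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            flagged[pair] = {"requests": len(stamps),
                             "mean_s": round(mean, 1), "cv": round(cv, 3)}
    return flagged


# Constructed sample: 10.1.2.3 checks in to 203.0.113.5 roughly every 60 s on
# a stock URI; 10.1.2.4 browses an intranet site at irregular intervals.
SAMPLE_LOG = """\
2021-03-02T10:00:00Z 10.1.2.3 GET http://203.0.113.5/dpixel 200
2021-03-02T10:00:58Z 10.1.2.3 GET http://203.0.113.5/dpixel 200
2021-03-02T10:02:01Z 10.1.2.3 GET http://203.0.113.5/dpixel 200
2021-03-02T10:03:00Z 10.1.2.3 POST http://203.0.113.5/submit.php?id=123 200
2021-03-02T10:03:59Z 10.1.2.3 GET http://203.0.113.5/dpixel 200
2021-03-02T10:00:05Z 10.1.2.4 GET https://intranet.example/home 200
2021-03-02T10:00:07Z 10.1.2.4 GET https://intranet.example/css/site.css 200
2021-03-02T10:07:40Z 10.1.2.4 GET https://intranet.example/news 200
2021-03-02T10:31:12Z 10.1.2.4 GET https://intranet.example/home 200
"""


def analyse(log_text):
    """Run both detections over a log and return their findings."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {"uri_hits": default_uri_hits(events),
            "periodic": find_periodic_pairs(events)}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for e in report["uri_hits"]:
        print(f"stock Beacon URI: {e['src']} -> {e['dst']}{e['path']}")
    for (src, dst), stats in report["periodic"].items():
        print(f"periodic traffic: {src} -> {dst} {stats}")
```

Neither signal is conclusive on its own: a customised profile defeats the URI check, and some legitimate software polls on a fixed timer. Corroborating a periodic pair with a stock URI, an unusual destination or a Beacon watermark recovered from a sample is what turns a lead into a case worth escalating.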
3. Commodity malware can invade OT from IT space
QakBot, IcedID, DoppelDridex, and Hancitor are examples of commodity malware (or “high-volume crimeware”) threats active in February and March 2021. Accenture’s CTI team has seldom, if ever, seen threat actors sell these malware types on the Dark Web, because the relevant threat actors hold onto the malware closely, which reduces opportunities to identify spam campaigns early. Organisations need to consider prevention, rather than response, as the most effective defence against commodity malware threats. First-stage commodity malware is a significant threat because it enables the deployment of further malware at the endpoint, such as pirated and abused Cobalt Strike instances. This increases the risk of an infection spreading throughout an organisation’s infrastructure and even to OT assets.
To help tackle the impact of commodity malware in OT environments, patch endpoint systems, firewall potential infection vectors, update anti-virus software, keep offline or air-gapped backups and use application whitelists. Be sure to conduct regular phishing awareness programs for all staff, segment Active Directory domains by function or criticality and maintain a principle of least privilege for each user group and account. Lastly, remove or disable commonly abused and non-essential services, if appropriate.
4. Dark Web actors challenge IT and OT networks
As threat actors congregate in Dark Web forums to share and trade tools, TTPs and victim data, they increase their pressure tactics, learn how to bypass security protections, and find new ways to monetise malware logs. Organisations need to share information among defenders to understand, prevent, identify and respond to threat activity. The danger is that a threat actor can use malware logs to masquerade as a legitimate network user and avoid detection, gaining initial access to a victim system with valid credentials.
To help tackle the impact of the Dark Web, seek early warning of potential unauthorised access through responsible Dark Web monitoring, whether directly or through a cyber threat intelligence provider. Share information to identify threat signatures and attribution, to plan and execute defence and response, and to prepare network defence and business operations for future threat activity. Anticipate and develop contingency plans for potential theft of administrator credentials, bypass of Endpoint Detection and Response (EDR) systems and physical shutdowns (whether preventive or reactive), so that network and business operations are prepared for a future ransomware or similar event.
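Because credentials harvested from malware logs are valid, the login itself succeeds and signature-based controls see nothing wrong; what changes is the context the credential is used from. The Python script below is an added example, not code from the article or from Accenture, showing two baseline rules a SOC can apply to authentication logs to surface that kind of misuse: a successful login from a country-and-device combination the account has never used, and two successful logins for one account from different countries within a window too short for travel. The log format, the baseline cut-off, the two-hour window, the user names and the country codes are all constructed assumptions; real deployments would draw the baseline from an identity provider and tune the window to the business.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed authentication log format (not any real product's format):
# <ISO8601 timestamp> <user> <SUCCESS|FAILURE> <geo country code> <device id>


def parse_auth_line(line):
    """Parse one constructed auth log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] not in ("SUCCESS", "FAILURE"):
        return None
    ts, user, result, country, device = parts
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ok": result == "SUCCESS",
            "country": country, "device": device}


def build_baseline(events, cutoff):
    """Learn each user's known (country, device) pairs from successes before cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            baseline[e["user"]].add((e["country"], e["device"]))
    return baseline


def detect_credential_misuse(events, baseline, cutoff, admin_users,
                             travel_window=timedelta(hours=2)):
    """Return alerts for successful logins after cutoff that look like stolen-credential use.

    Rules (assumed thresholds, tune per environment):
      new_context       - success from a country+device pair absent from the baseline
      impossible_travel - two successes for one user from different countries
                          closer together than travel_window
    Alerts carry an 'admin' flag so privileged accounts are triaged first.
    """
    alerts = []
    last_ok = {}  # user -> most recent successful login seen after cutoff
    for e in sorted(events, key=lambda x: x["ts"]):
        if not e["ok"] or e["ts"] < cutoff:
            continue
        common = {"user": e["user"], "ts": e["ts"], "country": e["country"],
                  "device": e["device"], "admin": e["user"] in admin_users}
        if (e["country"], e["device"]) not in baseline.get(e["user"], set()):
            alerts.append({"rule": "new_context", **common})
        prev = last_ok.get(e["user"])
        if (prev and prev["country"] != e["country"]
                and e["ts"] - prev["ts"] <= travel_window):
            alerts.append({"rule": "impossible_travel",
                           "previous_country": prev["country"], **common})
        last_ok[e["user"]] = e
    return alerts


# Constructed sample. Two days of normal activity establish the baseline; on
# day three both a user account and an admin account succeed from a new
# country on a device never seen before, the pattern a replayed stealer log
# would produce. A failed login is included to show it is ignored.
SAMPLE_AUTH_LOG = """\
2021-03-01T08:00:00Z alice SUCCESS ZA laptop-01
2021-03-01T17:30:00Z alice SUCCESS ZA laptop-01
2021-03-02T08:05:00Z alice SUCCESS ZA laptop-01
2021-03-01T09:00:00Z svc-admin SUCCESS ZA jump-01
2021-03-02T09:00:00Z svc-admin SUCCESS ZA jump-01
2021-03-03T08:01:00Z alice SUCCESS ZA laptop-01
2021-03-03T08:45:00Z alice SUCCESS US unknown-7f3a
2021-03-03T23:10:00Z svc-admin SUCCESS US unknown-7f3a
2021-03-03T23:11:00Z bob FAILURE ZA laptop-02
"""
CUTOFF = datetime(2021, 3, 3, tzinfo=timezone.utc)
ADMIN_USERS = {"svc-admin"}


def run_detection(log_text=SAMPLE_AUTH_LOG, cutoff=CUTOFF, admin_users=ADMIN_USERS):
    """Parse the log, learn the baseline and return the resulting alerts."""
    events = [e for e in (parse_auth_line(l) for l in log_text.splitlines()) if e]
    baseline = build_baseline(events, cutoff)
    return detect_credential_misuse(events, baseline, cutoff, admin_users)


if __name__ == "__main__":
    for a in run_detection():
        tag = " [ADMIN]" if a["admin"] else ""
        print(f"{a['ts'].isoformat()} {a['rule']}: {a['user']} from "
              f"{a['country']} on {a['device']}{tag}")
```

The baseline window is the weak point of this approach: if the attacker already held the credential when the baseline was learned, their context becomes “normal”. Learning the baseline from a period the team has reviewed, and re-learning it after any credential reset, keeps the rules honest.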
On the Edge of security
Edge devices such as Internet of Things (IoT) objects, switches and routers operate at the boundary of a network to control data flowing in and out of the organisation. Therefore, a breach of an edge device can mean direct access into OT environments, completely bypassing IT networks. However, low rates of network monitoring make it difficult for OT incident responders to identify attack vectors and causes of intrusion, and leave them unable to advise on how to secure OT systems. Securing edge devices has therefore become as crucial as securing the ICS themselves.
Here are some familiar security capabilities organisations can use to increase their edge device security:
• OT Security Operations Center (SOC): Unlike a traditional SOC that focuses primarily on IT assets, an OT SOC monitors security events in both the IT and OT environments to gain visibility of threats and risks.
• OT Incident Response (IR): OT IR is essential in uncovering how threat actors access OT environments via edge devices if a breach occurs. Insight into how threat actors access edge devices and traverse into an OT environment enables an entity to secure its IT and OT boundaries.
• Cyber Threat Intelligence (CTI): Traditional cyber threat intelligence provides information on threat actors targeting IT or OT but often only addresses edge device security during the deployment of highly specialised systems.
Cyber threat intelligence offers improved visibility into overall network threats and informs decision-makers how to prioritise security around potential targets and threats. As edge device vulnerabilities and targeting are on the rise, organisations must start changing their security cultures from being reactive to adopting a proactive approach to security “on the edge”.