
Virtualisation, connected devices bring new risks

By Staff Writer, ITWeb
Johannesburg, 11 Nov 2021
Clive Brindley, Accenture.

While virtualisation and the advancement of connected devices have made running industrial systems far more manageable, they are exposing operational environments to new vulnerabilities and risks.

So says Clive Brindley, security lead for Accenture in Africa.

According to him, the ransomware crisis has entered a new phase, as bad actors adopt “potent and pressure tactics” targeting new victims, particularly in manufacturing and critical infrastructure.

Ransomware actors are also testing new extortion methods, he says. They are devising new methods to pressure victims by targeting operational resilience, which the disruptive forces of the pandemic have already tested.

Evolving ransomware

Small manufacturers remain typical targets, and criminals are also going after critical infrastructure and upstream providers, including data-rich insurance companies, says Brindley.

“They disrupt production in organisations that cannot afford downtime, so that they feel the pressure and pay ransoms. They generally promise to decrypt their victims’ systems and destroy stolen data after receiving ransoms, but these promises are unreliable.”

He says ransomware negotiator Coveware reported a slew of cases late last year in which data was destroyed instead of encrypted, and could not be retrieved even if the ransom was paid.

To combat this scourge, Brindley advises organisations to focus on preparation, prevention and pre-encryption defence.

“Segregation and zero-trust measures can also limit threat actor movements if breaches occur. It is also important to collaborate with industry partners, consortiums and law enforcement for greater threat awareness. Lastly, apply an appropriate risk mitigation strategy that includes the implementation of data protection controls.”

Cobalt Strike is on the rise

Brindley says the number of Cobalt Strike-enabled attacks reportedly increased by 163% between 2019 and 2020. Cobalt Strike is a commercial penetration testing framework widely adopted by security researchers and ethical security testers.


Pirated Cobalt Strike is being used as an alternative to malware because it is increasingly accessible, and recent versions of the tool are even more customisable. He says attackers are exploiting Cobalt Strike’s malleable command-and-control features to change the default settings of the framework’s Beacon backdoor in order to avoid detection.

Businesses need to adopt defensive tools that can counter this growing threat, and should familiarise themselves with Cobalt Strike activity so they can learn from past incidents how to tackle it. Lastly, they should strengthen their defence posture by employing new defence tools to keep pace with evolving challenges.

Commodity malware

Brindley says QakBot, IcedID, DoppelDridex, and Hancitor are examples of commodity malware (or 'high-volume crimeware') threats that were active in February and March of this year.

He says Accenture CTI’s team has seldom, if ever, seen bad actors sell these malware types on the dark Web, because their authors hold onto the malware closely, which limits opportunities to identify spam campaigns early.

Companies should focus on prevention instead of response, he says. First-stage commodity malware enables the deployment of additional malware at the endpoint, which increases the risk of an infection spreading throughout an organisation’s infrastructure and even to operational technology (OT) assets.

To fight this scourge, Brindley says companies should patch endpoint systems, firewall potential infection vectors, update anti-virus software, keep offline or air-gapped backups and use application whitelists. He also urges companies to conduct regular phishing awareness programmes for all staff, segment Active Directory domains by function or criticality, and enforce the principle of least privilege. Finally, they should remove or disable commonly abused and non-essential services.

The threat of the dark Web

Brindley says that as malefactors get together in dark Web forums to share tricks, trade tools, TTPs and victim data, so should organisations share information among defenders to understand, prevent, identify and respond to threat activity.

To help tackle the impact of the dark Web, organisations should seek early warning of potential unauthorised access through responsible dark Web monitoring, whether directly or through a cyber threat intelligence provider. They should share information to identify threat signatures and attribution, plan and execute defence and response, and prepare network defence and business operations for future threat activity.

On the Edge

Edge devices operate at the boundary of a network to control data flowing in and out of the business, and breaching them could give cyber crooks direct access into OT environments, completely bypassing IT networks. This means securing edge devices must be a priority, says Brindley.

At the same time, low rates of network monitoring make it difficult for OT incident responders to identify attack vectors and the causes of intrusions, and leave them unable to advise on how to secure OT systems.

To boost edge device security, companies should have an OT security operations centre (SOC), which, unlike a traditional SOC that focuses primarily on IT assets, monitors security events in both IT and OT environments.

In addition, OT incident response is vital in uncovering how threat actors access OT environments via edge devices if a breach occurs. Insight into how threat actors access edge devices and traverse into an OT environment enables an entity to secure its IT and OT boundaries, he says.

Finally, cyber threat intelligence is needed, he says. Traditional cyber threat intelligence provides information on bad actors targeting IT or OT but often only addresses edge device security during the deployment of highly specialised systems.

“As edge device vulnerabilities and targeting are on the rise, organisations must start changing their security cultures from being reactive to adopting a proactive approach to security on the edge,” Brindley concludes.