How CPA Firms Can Help Protect Their Clients from Ransomware

January 12, 2022

Cybersecurity is a growing practice area for CPA firms, and at Summit 2021 in San Diego in November, Allinial Global featured a member-hosted session focused on ransomware. During the session Joseph Sarkisian and Michael Kanarellis from member firm Wolf & Company, P.C. shared their firm’s experience in growing cybersecurity risk management from a regional to a national practice.

How Ransomware Happens

Growing a cybersecurity practice requires a strong understanding of current threats and how they affect clients. As Sarkisian shared in the session, there is a general pattern of activity that hackers follow with a ransomware attack.

  1. Initial access. About 90% of the time, initial access is gained through one of three weaknesses: a phishing campaign, weak passwords, or Office 365 misconfigurations. Pandemic- and remote-work-themed emails have been used to harvest user credentials through phishing.
  2. Execution. The attacker's tooling runs on the compromised device, operating with the privileges of the compromised user(s) to discover what those accounts can reach.
  3. Credential access. Additional credentials are harvested from the compromised host, giving the attacker a foothold deeper in the network.
  4. Lateral movement. Using those credentials, the attacker moves through the network to locate “the goods,” the systems and data the organization cannot operate without.
  5. Payload. The ransomware encrypts the key files and a ransom is demanded.

Ransomware is also hitting a broader range of targets. “There really isn’t a vertical that attackers aren’t going after,” said Kanarellis. Attackers are going after volume, and e-crime has become a business venture in and of itself. According to the 2021 CrowdStrike Services Cyber Front Lines Report, 63% of incidents involved financially motivated threat actors, and antivirus detection failed to identify the threat in 40% of cases.

How CPA Firms Can Help Clients

CPA firms with strong cybersecurity teams can help their clients discover and manage these cybersecurity risks. The support that firms offer clients can range from simple risk assessments to full ethical hacking engagements.

Some examples of advanced ethical hacking services include:

  • Application penetration testing. This goes beyond an unauthenticated brute-force attack: the tester is given valid user credentials and looks for weaknesses that are only reachable once a user is logged in.
  • Ransomware simulation. This involves deploying a controlled ransomware sample within the client's network to see whether its defenses detect the lateral movement, and whether they can detect and stop the rapid encryption activity that is the hallmark of ransomware.
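What "detecting the rapid encryption activity" looks like in practice is a burst heuristic: one process rewriting many distinct files with high-entropy (ciphertext-like) content inside a short window. The following is an added example of such a detector, written for this page and not code from Wolf & Company or from the session; the file-write events, host names, process names and paths are constructed inline, and the thresholds (10-second window, 20 files, entropy 7.0 bits/byte) are assumptions a team would tune against its own telemetry.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class WriteEvent:
    """One file-write observation, as an EDR or file-system monitor might emit it."""
    ts: float        # seconds since epoch
    host: str
    process: str
    path: str
    sample: bytes    # leading bytes of the content that was written


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plaintext documents sit well below 8; ciphertext approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_encryption_bursts(events, window_s=10.0, min_files=20, entropy_threshold=7.0):
    """Flag (host, process) pairs that write ciphertext-like content to at least
    `min_files` distinct paths within any `window_s`-second window.
    Returns one alert per offending (host, process)."""
    recent = defaultdict(deque)   # (host, process) -> deque of (ts, path) high-entropy writes
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.sample) < entropy_threshold:
            continue                      # ordinary document save, ignore
        key = (ev.host, ev.process)
        q = recent[key]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window_s:
            q.popleft()                   # slide the window forward
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev.host,
                "process": ev.process,
                "window_start": q[0][0],
                "window_end": ev.ts,
                "files": len(distinct),
            })
    return alerts


# Constructed sample content (assumption: the monitor captures the first ~1 KB of each write).
PLAINTEXT = b"Quarterly client summary: revenue, expenses, notes.\n" * 8
CIPHERTEXT_LIKE = bytes(range(256)) * 4   # every byte value equally likely -> entropy 8.0


def build_sample_events():
    """Constructed telemetry: a benign user saving documents, then a ransomware-like burst."""
    events = []
    # Benign: one user saving three documents over a minute.
    for i in range(3):
        events.append(WriteEvent(1000.0 + 20 * i, "WS-017", "WINWORD.EXE",
                                 f"C:\\Users\\jdoe\\Documents\\memo{i}.docx", PLAINTEXT))
    # Ransomware-like: one process rewriting 30 share files with ciphertext in six seconds.
    for i in range(30):
        events.append(WriteEvent(2000.0 + 0.2 * i, "FS-01", "update.exe",
                                 f"\\\\FS-01\\finance\\ledger{i}.xlsx.locked", CIPHERTEXT_LIKE))
    return events


if __name__ == "__main__":
    for alert in detect_encryption_bursts(build_sample_events()):
        print(alert)
```

The benign saves never count because their entropy is far below the threshold, so the alert fires only when `update.exe` reaches its twentieth distinct file. The caveat a defender should keep in mind is that entropy alone is noisy: compressed archives, images, and already-encrypted files also score near 8, which is why the heuristic pairs entropy with the per-process file count and the time window rather than alerting on a single high-entropy write.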

Wolf & Company created an advanced security assessment to offer its clients. Their advanced security assessment includes:

  • Threat modeling. Identifying what a realistic attack against the client looks like.
  • Defining objectives. Specifying the goal of the assessment.
  • Mapping tactics, techniques, and procedures (TTPs). Using the MITRE ATT&CK framework to select real-world techniques and build a playbook based on the threat model and objectives defined previously.
  • Executing the playbook. Emulating the chosen TTPs.

To ensure the effectiveness of advanced security services, CPA firms need to employ cybersecurity professionals. Kanarellis shared that Wolf & Company originally utilized IT auditors to staff cybersecurity services. They found that while auditors were good at risk assessment, they weren’t always creative enough to hack into systems. So Wolf & Company changed its staffing strategy to include more advanced credentials dedicated to cybersecurity. For example, Sarkisian holds the Offensive Security Certified Professional (OSCP) credential, which is an ethical hacking certification that requires hacking a number of boxes within a 24-hour period. He shared that this credential actually has a fairly high failure rate compared to other credentials, indicating someone who has both theoretical and practical expertise.

Cyber Services Can Be Lucrative for CPA Firms 
