Trustwave Blog

Colonial Pipeline Attack Spotlights the Importance of Ransomware Preparedness | Trustwave

Written by | May 11, 2021

We’re sure you’ve seen the news on the latest ransomware attack on Colonial Pipeline.

Colonial Pipeline moves about 45 percent of the U.S. East Coast’s fuel and is one of the largest pipeline operators in the nation – transporting over 100 million gallons of fuel daily across routes spanning from Texas to New York.

In one of the most high-profile attacks on critical infrastructure in recent years, operations at the company were shut down on May 7 after a hacker group, now identified as DarkSide by the FBI, launched a ransomware attack against the organization in an attempt to extort millions of dollars.

Colonial Pipeline said that they “proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of [their] IT systems."

Bloomberg has reported that over 100GB in corporate data was stolen in just two hours.

As a result of the incident, the White House has issued an emergency declaration, allowing regulations to be lifted on select U.S. drivers, allowing them to drive between fuel distributors and local gas stations on more overtime hours and less sleep than federal restrictions normally allow. 

It's clear that the real-world effects of ransomware – on not only business – but on safety and lives – are very real.

This incident and the recent mass surge in ransomware – a 62 percent increase in ransomware globally and a 158 percent spike in North America over the past year – highlights the critical need for ransomware preparedness.

How to Be Prepared for Ransomware

Ransomware requires a robust layered security approach. The concept behind a layered security strategy is “Defense in Depth”, which aims to have fallback protections if a particular control fails. Defenses must address People, Process and Technology in order to be effective. Below is a quick high-level overview to help you prepare for this new surge of ransomware attacks.

People

Ransomware often requires human action to be successful, which makes people the critical part of a ransomware attack. It has been found that many ransomware attacks use phishing techniques combined with exploit kits. As a significant number of attacks use this method, it is critical for organizations of all sizes to educate their employees on cybersecurity hygiene, particularly how to recognize and avoid suspicious links and attachments. Doing so has been shown to help reduce the number of successful attacks.

1. Security Awareness Training

Targeted security awareness training is something that all employees can benefit from. It is the best way to build cybersecurity awareness in the organization and help employees understand the threats faced and the security policies of the organization and why they exist. The training should be carried out on an ongoing basis, informing employees on the latest security trends and how to respond in the case of ransomware attacks. Highlighting the following two key messages will help protect them and the organization against ransomware:

  • Don’t click on any attachments or links in emails that appear suspicious, you weren’t expecting, or otherwise reply.
  • Report potential phishing attacks to the Information Security team for support.

Process

Technology alone cannot form a security defense strategy. Supporting processes are the key to optimizing the benefits of the technologies in place.

1. Security Policies

How employees practice security will directly impact the effectiveness of security controls in the organization. Security policies and standards provide a roadmap and a guideline to employees describing how to interact in day-to-day business operations securely. The policies will include a detailed guide on the use of various types of email, web, collaboration technologies, social media, and other tools that have been deployed, including guidance on the use of personal devices.

Policies can be useful in defining and limiting the tools that are used to access sensitive data. These limitations can be helpful in reducing the number of ingress points for ransomware, other forms of malware, phishing attempts, and other content that could pose a security risk to the organization.

2. Logging and Monitoring

Ransomware may hide in networks undiscovered for days, months, and years. It may even contaminate backup data, tempting organizations to pay the ransom to retrieve the data. A logging and monitoring process in place that analyses the logs regularly and uses well-defined methodologies to uncover anomalies can help identify any unusual activities in the network and detect potential attacks as early as possible.

  • Logs that are collected in logging servers and related software must be continuously analyzed and reviewed for anomalous or suspicious activities
  • A definition of the events to be logged must be prepared and then communicated.
  • Logs must be securely retained in a centralized location.

3. Patching and Vulnerability Management

Cybercriminals look for any known weakness in systems or software and exploit them as a way starting point to deliver malicious code. For example, the WannaCry ransomware targeted unpatched PCs exploiting the “EternalBlue” vulnerability one month after it was leaked. Patching systems, applications and devices promptly is an essential part of an effective approach to cybersecurity. It ensures that known problems and vulnerabilities that could be exploited by cyber attackers and which may impact the availability, integrity, and confidentiality of our information assets are remediated promptly.

4. Data Backup Process

A useful method for recovering from a ransomware attack, as well as from other types of malware infections, is to restore from a known, good backup taken as close as possible to the point before the infection occurred. Using a recent backup, an endpoint can be reimaged and its data restored to a known, good state with as little data loss as possible. While this strategy will likely result in some level of data loss because there will normally be a gap between the most recent backup and the time of reimaging, recent backups will minimize data loss if no other remedy can be found.

5. Incident Response Process

Having an incident response process in place can provide the organization with a clear and guided process to be followed when a cyber-attack occurs. In the case of a ransomware attack, isolating the infected device should be the first step to contain the damage. Backup is the “go-to” solution to remediate and recover. If possible, ransom should never be paid because you would not get your full set of data back in most cases.

Technology

Ransomware often infects computers via malicious emails and pop-up windows that encourage the users to click or download “authentic” applications. Specifically, targeting the following technologies in the organization will assist in protecting against ransomware:

1. Email Security

As the primary delivery vector, email security should be the first and foremost thing to be considered in terms of protecting the organization from ransomware. Email security solutions such as Trustwave MailMarshal, provide a layered approach to email security against phishing, ransomware, and other email-based threats. These technologies often perform deep analysis of inbound email traffic in real time to detect and block malicious content, while scrutinizing outbound email traffic to safeguard sensitive data and information. In addition, establishing the following principles within the organization will help:

  • Limit the use of company emails or email addresses for personal purposes.
  • Be cautious of email asking you to open files, click links, or otherwise release information.
  • Do not use company email for any business activities unrelated to the job role.
  • Regularly change email passwords

2. Endpoint Security and Testing

Proactive security testing on endpoints can help the organization understand where risks and vulnerabilities reside, enabling it to better prevent, detect and respond to security incidents and continuously improve overall security posture. Even though phishing is the major attack vector in ransomware, a comprehensive testing program can address attacks from multiple sources. Testing can confirm the following capabilities exist at the endpoint:

  • Ability to detect and prevent malware, encryptors, and the execution of malicious code, documents, and files.
  • Ability to filter content, preventing users from going to known malicious websites or plugging in uncontrolled devices (such as USB drives) to the endpoints. Ability to prevent the exploitation of known and unknown vulnerabilities in applications, operating systems on the endpoints.

Forensic-state analysis can help the organization determine the current standing of the endpoints. This approach can in identify ongoing and past intrusions and enable the organization respond effectively to future incidents.

3. Network Security

Ransomware attacks usually involve three steps:

  1. Infection
  2. Data encryption
  3. Establishment of Command-and-Control (C&C) communication.

Establishing C&C communication is a critical step for cybercriminals to either transmit the stolen/encrypted data or prepare for later attacks within the victim’s network. An intrusion Detection/Prevention System (IDPS) can identify abnormalities of network flow, alert the security personnel, and block the ransomware attacks, backed by integrated threat intelligence.

Another aspect of network security is appropriate network segmentation. Ransomware aims to spread and to infect as many machines as possible. Network segmentation can greatly limit the spread and contain the damage if a ransomware attack does happen.

4. Identity and Access Management

Robust identity systems can restrict access to vital systems and data to a limited and known number of users and systems. Restricting access reduces the risk by ensuring that those with access to the most sensitive systems and data can receive targeted and continual training covering all aspects of security risks the organization is subject to.

Are you currently affected by ransomware? Contact us now and learn how we can help.