As we approach the one-year anniversary of the Colonial Pipeline ransomware attack, it is an excellent time to reflect upon what took place and how that incident can serve as a teaching point for any organization interested in preventing a ransomware attack.
First, here is a quick refresher on what transpired.
Detailing the Colonial Pipeline Attack
On May 6, 2021, an affiliate group associated with the REvil and Darkside ransomware-as-a-service gangs attacked Colonial Pipeline Co., forcing the company to halt operations, effectively blocking the flow of fuel, gasoline and other petroleum products throughout large portions of the eastern U.S. for several days. The attacker used an exposed password from an unused VPN account that did not require multifactor authentication.
Once inside the network, the attacker's first move was to steal 100GB of data, including the PII of some employees, and then infect the Colonial Pipeline IT network with ransomware. The gang demanded and was paid a $4.4 million ransom, although a portion of this was recouped with the help of the FBI.
The attack also grabbed headlines nationwide and spurred the federal government to take action.
President Biden and Congress React
These measures included having President Joe Biden raise the issue of ransomware with Russian President Vladimir Putin during a summit in June 2021. In addition, in the weeks following the attack, Congress passed two bills, the Pipeline Security Act and the CISA Cyber Exercise Act. The former helps protect the nation's critical infrastructure, and the latter gives CISA the power to evaluate the National Cyber Incident Response Plan and related plans and strategies.
Strengthening the Public-Private Partnership
The attack also highlighted the need to reinforce the still-nascent partnerships that security firms and government agencies are building.
Not only should agencies be leveraging the latest endpoint detection and response technologies, but they should also be seeking support from high-level security experts who have intimate knowledge of how attackers bypass perimeter defenses and move through networks undetected — and how to stop them.
Finally, the attack on the fuel supplier brought into focus the need to better secure the nation's critical infrastructure, operational technology (OT) and the general need for ransomware preparedness by all organizations. Additionally, it again showed that any organization that ignores basic cybersecurity principles leaves itself open to attack.
What the Colonial Pipeline Attack Taught Us
The most important takeaway from the event was that the company failed to maintain good cybersecurity hygiene. The most glaring oversight was that it was unaware of an open VPN account which let the threat actors in the back door.
To ensure this mistake is not repeated, here are a few essential anti-ransomware tips:
- Logging and Monitoring – An organization must have a logging and monitoring process in place that analyses the logs regularly and uses well-defined methodologies to uncover anomalies can help identify any unusual activities in the network and detect potential attacks as early as possible.
- Email Security – Limit the use of company emails or email addresses for personal purposes, be cautious of emails asking you to open files, click links, or otherwise release information, do not use company email for any business activities unrelated to the job role and most importantly regularly change email passwords.
- Patching and Vulnerability Management - Cybercriminals look for any known weakness in systems or software and exploit them as a way starting point to deliver malicious code. Therefore, patching systems, applications, and devices promptly is an essential part of an effective approach to cybersecurity. It ensures that known problems and vulnerabilities that could be exploited by cyber attackers and which may impact the availability, integrity, and confidentiality of our information assets are remediated promptly.
- Data Backup Process - A useful method for recovering from a ransomware attack and other types of malware infections is to restore from a known, good backup taken as close as possible to the point before the infection occurred.
- Incident Response Process - Having an incident response process in place can provide an organization with a clear and guided process to be followed when a cyberattack occurs. In the case of a ransomware attack, isolating the infected device should be the first step to contain the damage. If possible, the victim should never pay the ransom demand because there is no reason to believe the attacker will release the encrypted data. Also, the possibility remains that the attacker will come back and ask for another payment.
How Trustwave Can Help
Organizations that lack the in-house ability to handle these tasks required to maintain security should consider partnering with a company with such expertise. A Managed Security Service (MSS) provider like Trustwave with our Managed Detection and Response (MDR) solution may provide the answer.
While technologies like extended detection and response (XDR) and security information and event management (SIEM) can correlate data from various sources and help detect threats and facilitate investigations, they miss some of the proactive security elements needed to stay secure in today's advanced threat landscape.
Without the right expertise, organizations won't get the value out of these technologies that they desire. Likewise, a traditionally managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for their customers.