Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Trustwave Blog

One Year Later: What We Have Learned from the Colonial Pipeline Attack

As we approach the one-year anniversary of the Colonial Pipeline ransomware attack, it is an excellent time to reflect upon what took place and how that incident can serve as a teaching point for any organization interested in preventing a ransomware attack.

First, here is a quick refresher on what transpired.

Detailing the Colonial Pipeline Attack

On May 6, 2021, an affiliate group associated with the REvil and Darkside ransomware-as-a-service gangs attacked Colonial Pipeline Co., forcing the company to halt operations, effectively blocking the flow of fuel, gasoline and other petroleum products throughout large portions of the eastern U.S. for several days. The attacker used an exposed password from an unused VPN account that did not require multifactor authentication. 

Once inside the network, the attacker's first move was to steal 100GB of data, including the PII of some employees, and then infect the Colonial Pipeline IT network with ransomware. The gang demanded and was paid a $4.4 million ransom, although a portion of this was recouped with the help of the FBI.

The attack also grabbed headlines nationwide and spurred the federal government to take action. 

President Biden and Congress React

These measures included having President Joe Biden raise the issue of ransomware with Russian President Vladimir Putin during a summit in June 2021. In addition, in the weeks following the attack, Congress passed two bills, the Pipeline Security Act and the CISA Cyber Exercise Act. The former helps protect the nation's critical infrastructure, and the latter gives CISA the power to evaluate the National Cyber Incident Response Plan and related plans and strategies.

Strengthening the Public-Private Partnership

The attack also highlighted the need to reinforce the still-nascent partnerships that security firms and government agencies are building. 

Not only should agencies be leveraging the latest endpoint detection and response technologies, but they should also be seeking support from high-level security experts who have intimate knowledge of how attackers bypass perimeter defenses and move through networks undetected — and how to stop them. 

Finally, the attack on the fuel supplier brought into focus the need to better secure the nation's critical infrastructure, operational technology (OT) and the general need for ransomware preparedness by all organizations. Additionally, it again showed that any organization that ignores basic cybersecurity principles leaves itself open to attack.

What the Colonial Pipeline Attack Taught Us

The most important takeaway from the event was that the company failed to maintain good cybersecurity hygiene. The most glaring oversight was that it was unaware of an open VPN account which let the threat actors in the back door.

To ensure this mistake is not repeated, here are a few essential anti-ransomware tips:

  • Logging and Monitoring – An organization must have a logging and monitoring process in place that analyses the logs regularly and uses well-defined methodologies to uncover anomalies can help identify any unusual activities in the network and detect potential attacks as early as possible.
  • Email Security – Limit the use of company emails or email addresses for personal purposes, be cautious of emails asking you to open files, click links, or otherwise release information, do not use company email for any business activities unrelated to the job role and most importantly regularly change email passwords.
  • Patching and Vulnerability Management - Cybercriminals look for any known weakness in systems or software and exploit them as a way starting point to deliver malicious code. Therefore, patching systems, applications, and devices promptly is an essential part of an effective approach to cybersecurity. It ensures that known problems and vulnerabilities that could be exploited by cyber attackers and which may impact the availability, integrity, and confidentiality of our information assets are remediated promptly.
  • Data Backup Process - A useful method for recovering from a ransomware attack and other types of malware infections is to restore from a known, good backup taken as close as possible to the point before the infection occurred.
  • Incident Response Process - Having an incident response process in place can provide an organization with a clear and guided process to be followed when a cyberattack occurs. In the case of a ransomware attack, isolating the infected device should be the first step to contain the damage. If possible, the victim should never pay the ransom demand because there is no reason to believe the attacker will release the encrypted data. Also, the possibility remains that the attacker will come back and ask for another payment.

6 Tips for Supply Chain Risk Management in 2022

How Trustwave Can Help

Organizations that lack the in-house ability to handle these tasks required to maintain security should consider partnering with a company with such expertise. A Managed Security Service (MSS) provider like Trustwave with our Managed Detection and Response (MDR) solution may provide the answer. 

While technologies like extended detection and response (XDR) and security information and event management (SIEM) can correlate data from various sources and help detect threats and facilitate investigations, they miss some of the proactive security elements needed to stay secure in today's advanced threat landscape.  

Without the right expertise, organizations won't get the value out of these technologies that they desire. Likewise, a traditionally managed security service provider (MSSP) that focuses on monitoring logs and alerts is missing a large part of the picture and can generate many false positives and low-value work for their customers.

Latest Trustwave Blogs

Unlocking Cyber Resilience: UK’s NCSC Drafts Code of Practice to Elevate Cybersecurity Governance in UK Businesses

In late January, the UK’s National Cyber Security Centre (NCSC) issued the draft of its Code of Practice on Cybersecurity Governance. The document's goal is to raise the profile of cyber issues with...

Read More

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More