What IT security teams can learn from the Colonial Pipeline ransomware attack

In May, news broke of a DarkSide ransomware attack on Colonial Pipeline, a major US fuel pipeline that supplies about 45% of the East Coast’s diesel, gasoline, and jet fuel. In response to the attack, the company shut down its pipeline for several days, causing massive disruption in America.

Colonial Pipeline CEO Joseph Blount’s testimony at a House Homeland Security Committee hearing on June 9-10 includes several interesting revelations about the attack, offering important advice to those who may one day find themselves in a similar situation.

The need to prioritize security

While the testimony did not specifically address the lack of dedicated cybersecurity leadership within the company, this is an area that cannot be overlooked, especially in a company as large and important as Colonial Pipeline.

A Chief Information Security Officer (CISO) is a critical role, responsible for ensuring the company has a comprehensive security program, a strategic view of cybersecurity, and a seat at the table in company decision-making.

Colonial Pipeline’s testimony revealed that about $200 million had been invested in IT over the past five years, but it was unclear how much of that was allocated to cybersecurity. Being able to set cybersecurity priorities for the organization, having the budget to implement them, and the authority to enforce those priorities are key elements of securing an organization.

Companies should at least invest in and commit to having a cybersecurity program and an incident response plan in place. These should encompass everything from implementing the right tools, to creating a culture of security, to knowing what steps to take if something goes wrong.

Defaults Matter

During testimony, it was confirmed that the initial entry point into the Colonial Pipeline network was a single stolen password.

In this case, as in many others, remote services were to blame. Specifically, the attackers used the stolen password to access a VPN service that did not have multi-factor authentication (MFA) enabled. It appears Colonial Pipeline thought this VPN profile was no longer in use. This is where a strong security culture can help.

Making employees aware of how they use their credentials can mitigate the effects of third-party security breaches. While you’re at it, you can help them out by providing a password manager that can be used for both their work and personal accounts.

It’s also useful to set a policy that MFA is “enabled” by default and can only be disabled by a documented exception. Although the lack of MFA on this VPN could simply be due to misconfiguration, it is still a missed security opportunity.
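As an added illustration of the "MFA enabled by default, disabled only by documented exception" policy described above (example code written for this page, not Colonial Pipeline's or Sophos's tooling), here is a small audit over an inventory of remote-access profiles. The profile records, field names, the 90-day staleness threshold and the `SEC-1234` exception ticket are constructed assumptions; the audit reports profiles that lack MFA without a documented exception, and profiles that are unused or stale, since a forgotten profile is exactly the kind of entry point the article describes.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional


@dataclass
class VpnProfile:
    # Constructed record shape for this example (assumption, not a real VPN API).
    name: str
    mfa_enabled: bool
    last_login: Optional[date]        # None = no login found in the logs
    exception_ticket: Optional[str]   # documented, approved MFA exception, if any
    enabled: bool = True


# Constructed sample inventory: the "before" state an audit would see.
SAMPLE_PROFILES = [
    VpnProfile("vpn-ops-01", True, date(2021, 4, 28), None),
    VpnProfile("vpn-legacy-07", False, date(2020, 11, 2), None),      # stale, no MFA, no exception
    VpnProfile("vpn-vendor-03", False, date(2021, 4, 30), "SEC-1234"),  # exception on file (assumed id)
    VpnProfile("vpn-unused-09", False, None, None),                   # never used, no MFA
]


def audit_profiles(profiles, today, stale_after=timedelta(days=90)):
    """Return (profile name, issue) pairs for profiles violating the policy.

    Policy assumed for the example:
      * MFA must be enabled unless a documented exception ticket exists.
      * A profile unused for `stale_after` (or never used) is reported as
        stale so it can be disabled instead of lingering as an entry point.
    Disabled profiles are skipped: they are no longer an exposure.
    """
    findings = []
    for p in profiles:
        if not p.enabled:
            continue
        if not p.mfa_enabled and p.exception_ticket is None:
            findings.append((p.name, "mfa-disabled-no-exception"))
        if p.last_login is None or today - p.last_login > stale_after:
            findings.append((p.name, "stale-profile"))
    return findings


def harden(profiles, today, stale_after=timedelta(days=90)):
    """Produce the default-secure "after" state from the audit findings.

    Enables MFA wherever no exception is documented and disables stale
    profiles. Returns new objects so the input can be kept for comparison.
    """
    flagged = {}
    for name, issue in audit_profiles(profiles, today, stale_after):
        flagged.setdefault(name, set()).add(issue)
    hardened = []
    for p in profiles:
        issues = flagged.get(p.name, set())
        hardened.append(replace(
            p,
            mfa_enabled=p.mfa_enabled or "mfa-disabled-no-exception" in issues,
            enabled=p.enabled and "stale-profile" not in issues,
        ))
    return hardened


if __name__ == "__main__":
    review_date = date(2021, 5, 7)  # constructed audit date for the sample data
    for name, issue in audit_profiles(SAMPLE_PROFILES, review_date):
        print(f"{name}: {issue}")
    for p in harden(SAMPLE_PROFILES, review_date):
        print(f"{p.name}: mfa={p.mfa_enabled} enabled={p.enabled}")
```

The point of separating `audit_profiles` from `harden` is that the audit can run continuously (for instance on each inventory export) and produce findings for review, while the hardening step is the documented, reviewable change that closes them; a profile with an exception ticket is deliberately left alone so that the exception remains visible rather than silently overridden.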

Prevention is ideal but detection is a must

According to investigators, the earliest indicator that the attackers were in the network was April 29, 2021. This means the attackers were in the Colonial Pipeline network for at least eight days prior to the May 7, 2021 ransomware attack. The ransomware is often the first sign that alerts victims that an attack has taken place.

This is by design. Many current ransomware operators prefer to operate in stealth until it is time to release their final payload. They break into your network, establish persistence, elevate privileges, exfiltrate your data, and only then deploy the ransomware. This can take hours, days, or months to unfold. In fact, according to Sophos’s Active Adversary Playbook 2021, the average dwell time is 11 days, with some companies having attackers in their network for six months or more.

The fact that Colonial Pipeline did not have the visibility necessary to understand how deeply it had been penetrated is unfortunately a common problem for many companies.

Cybersecurity programs are essential, but so are the tools to enable them. Endpoint Detection and Response (EDR) tools are invaluable, not only for preventing attacks, but also for enabling your organization to hunt down latent threats.

Remember that just because your security software has detected and blocked a threat doesn’t mean the job is done. There could be a bigger problem hidden in your network.

Plan in case of failure

As a major critical infrastructure company, Colonial Pipeline is no stranger to emergency response plans. There is no doubt that it has comprehensive plans for physical failures of all kinds, from pipeline ruptures to physical security intrusions. However, the company’s position appeared less solid when it was asked about cybersecurity incident response plans.

Organizations of all sizes need to perform some sort of external assessment of their security controls. Among the risks of relying solely on internal audits is myopia about your abilities and your tolerance for compromise, because “it’s the way it’s always been.”

Following your assessments, you will need to develop plans to a) improve the areas where you are weakest, b) prepare a plan in case something goes wrong, and c) test your defenses against the improvements and the response plan.

Sharing is caring

Another interesting question that was raised during the hearings is whether Colonial Pipeline participates in an Information Sharing and Analysis Center (ISAC). The company said yes.

ISACs are made up of companies operating in the same industry that support each other by sharing important and relevant threat information. Although ISACs tend to focus primarily on critical infrastructure, that doesn’t mean you can’t participate in (or create your own) equivalent group. The goal is to increase resilience against attacks by providing better protection through collective information sharing.

Businesses can also take advantage of guidance published by government agencies that have developed guidelines based on years of protecting highly sensitive information, such as CISA, NCSC, and ASD.

The bottom line is that our best chance of defeating cybercriminals is through an informed and collective effort.

It rarely pays to pay the ransom

Whether or not to pay the ransom is a complicated question to answer.

Colonial Pipeline said it paid the ransom to help the company recover as quickly as possible. Unfortunately, many companies find themselves in this scenario, and the decision to pay or not to pay is often dictated by many factors, such as the lack of backups, the time and cost of recovery, or the wish to prevent exfiltrated data from being exposed publicly.

As the cost of ransomware continues to rise year over year, it is increasingly important to have a disaster recovery plan in place.

According to Sophos’s 2021 State of Ransomware Report, only 8% of organizations managed to recover all of their data, and 29% recovered less than half of it. Additionally, you still need to do the remediation work to address the damage and disruption caused by the attack and ensure it doesn’t happen again.

The decision to pay or not is at the discretion of the victim, but prevention and preparation can make this decision much clearer.

A path to enhanced security

It shouldn’t take an attack for your organization to establish a stronger security posture. Take the time now to assess your position on the security maturity spectrum and take immediate action to improve where you can. At an organizational level, it is important to ensure that everyone within the organization understands their role in maintaining security, while providing the security team itself with the authority and budget appropriate to achieve its objectives.

Beyond that, using a “secure by default” mode in all deployments and operations, as well as ensuring full visibility so that problems can be identified quickly, should help increase resilience to attacks. And while it will hopefully never happen, planning for such a situation in advance can help to both shorten the recovery time and reduce recovery costs in the event of such an attack.

John Shier, Senior Security Advisor, Sophos
