Expert Advice On Colonial Pipeline Ransomware Attack Anniversary

By ISBuzz Team, Writer, Information Security Buzz | May 06, 2022 12:24 pm PST

This week is the anniversary of the Colonial Pipeline attack, which saw one of the biggest pipelines in the US temporarily shut down following a ransomware attack by DarkSide, a ransomware-as-a-service group that is believed to be linked to Russia. Not only did the attack affect millions, it also heralded a new era of cybercrime. In a world where critical infrastructure relies on an ever-increasing amount of technology, it has created real momentum as the cybersecurity sector looks to make software supply chain security a top priority.

Alon Schwartz, Security Researcher
May 6, 2022 8:24 pm

Rather than dissipating, it’s clear that the threat to Critical National Infrastructure (CNI) post the Colonial Pipeline attack has never been greater. Ransomware has become the weapon of choice for financially and politically motivated threat actors. It ticks all the boxes, providing them with the means to solicit funds, carry out denial of service, espionage and sabotage, and to achieve notoriety. CNI such as power grid and telecoms companies have been targeted in the Ukraine conflict, for example, predominantly with Wiper ransomware.

Colonial Pipeline paid but then partially recovered the ransom through the FBI. Indications are that over half of businesses pay the ransom, fuelling further growth, because of their desperation to resume BAU. The rise of ransomware will be inexorable while these ransoms continue to be paid.

Lessons learned from the Colonial Pipeline attack include the need for proper monitoring of IT & OT infrastructure, without which the organisation is rendered blind. Visibility is a game changer, especially in the preliminary stage, and can be the difference between mitigating or falling victim to an attack. SIEM detection rules can alert the team to suspicious behaviour, while those deploying UEBA or NTA (Network Traffic Analysis) can benefit from machine learning and AI to pick up on sophisticated attack patterns such as lateral movement or data extraction.

Saket Modi, CEO
May 6, 2022 8:16 pm

In today’s hyper-connected digital world, cybersecurity is the number one worry for Boards, business and security leaders globally. Throughout the last 3-5 years, we have seen both sophisticated and relatively basic cyberattacks bring large global businesses to their knees. Colonial Pipeline, the largest fuel pipeline in the U.S., had to shut operations due to a cyberattack, and its tremors were felt across the US and other global economies.

Over the last year, through investigations and testimonies, we have more information on the root causes of the attack. The attack occurred due to the absence of multifactor authentication on a VPN (virtual private network). An employee’s password, used on a different digital platform, was available on the dark web, and the attackers used the password to enter protected network systems. This highlights the importance of why one should not repeat passwords across platforms, and of using multifactor authentication.

The role of a CISO and the security team is becoming complex as the digital attack surface continues to grow. Ensuring cyber hygiene is followed across the attack surface continuously, preparing a business continuity plan, and managing and understanding the cyber hygiene of employees cannot be performed through a siloed, reactive and product-driven approach alone. This is where Cyber Risk Quantification and Management (CRQM) can be a game changer. It helps the CISO and their team get a single view of their attack surface across the organization, quantify cyber risk posture and take proactive steps to mitigate the biggest threats in real time. Such platforms are a great tool to accurately represent and communicate cyber risk to the Board, which is witnessing significant global regulatory traction.

In the modern digital-first era, security & business leaders need to take a proactive approach to managing cyber risks and need solutions that aggregate cybersecurity signals across people, process, technology and third parties to provide easily digestible information. This enables quicker and more accurate decision-making, efficient communication of cyber risk and better justification of the ROI of cybersecurity initiatives, and creates a culture of cyber resilience.

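Alon Schwartz's point about SIEM detection rules and Saket Modi's account of the root cause (a VPN login with a reused, years-old password and no second factor) both come down to signals a log pipeline can surface. The following is an added example, not code from the article or from any of the commenters' companies: a small Python rule set run over constructed VPN gateway log lines. The key=value log format, the gateway and user names, the account directory and the thresholds are all assumptions made for the illustration; a real deployment would read the same fields from the VPN appliance and the identity provider.

```python
"""SIEM-style detection rules over VPN authentication logs.

Added example (not from the article). The log format, gateway names,
user names, account directory and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log lines (key=value format assumed for the example).
SAMPLE_LOG = """\
2022-04-29T05:12:03Z vpn-gw01 auth user=alice src=198.51.100.7 result=success mfa=totp
2022-04-29T05:40:11Z vpn-gw01 auth user=bob src=203.0.113.45 result=failure mfa=none
2022-04-29T05:40:19Z vpn-gw01 auth user=bob src=203.0.113.45 result=failure mfa=none
2022-04-29T05:40:27Z vpn-gw01 auth user=bob src=203.0.113.45 result=failure mfa=none
2022-04-29T05:40:35Z vpn-gw01 auth user=bob src=203.0.113.45 result=success mfa=none
2022-04-29T06:02:50Z vpn-gw01 auth user=carol src=198.51.100.9 result=success mfa=none
"""

# Constructed account directory: when each password was last set.
# In practice this comes from the identity provider or directory service.
ACCOUNTS = {
    "alice": {"password_set": "2022-03-01"},
    "bob":   {"password_set": "2019-06-15"},
    "carol": {"password_set": "2022-01-10"},
}

STALE_PASSWORD_DAYS = 365            # assumed threshold for a "stale" credential
FAILURE_WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 3


def parse_line(line):
    """Parse one key=value log line into a dict; return None for lines that are not auth events."""
    parts = line.split()
    if len(parts) < 3 or parts[2] != "auth":
        return None
    event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "gateway": parts[1]}
    for kv in parts[3:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect(log_text, accounts):
    """Apply three rules in event order; return a list of (rule, user, timestamp) alerts."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failed attempts since last success
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev.get("result") == "failure":
            failures[user].append(ts)
            continue
        # Rule 1: a successful VPN login that presented no second factor.
        if ev.get("mfa", "none") == "none":
            alerts.append(("vpn_login_without_mfa", user, ts))
        # Rule 2: a successful login on a password older than the stale threshold.
        acct = accounts.get(user)
        if acct:
            set_on = datetime.strptime(acct["password_set"], "%Y-%m-%d").date()
            if (ts.date() - set_on).days > STALE_PASSWORD_DAYS:
                alerts.append(("stale_password_login", user, ts))
        # Rule 3: a burst of failures followed by a success (guessing or credential stuffing).
        recent = [t for t in failures[user] if ts - t <= FAILURE_WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append(("failures_then_success", user, ts))
        failures[user].clear()
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG, ACCOUNTS):
        print(f"{ts.isoformat()} {rule:<24} user={user}")
```

On the constructed sample, `bob` trips all three rules on his 05:40:35 login and `carol` trips only the no-MFA rule; `alice` produces nothing. Each rule is independent, so the same event can raise several alerts, which is what you want when triaging: a login that is both factor-less and on a stale password is a stronger signal than either alone.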
Mark Harman, Senior Security Systems Engineer
May 6, 2022 8:05 pm

It was a year ago that a single-factor VPN credential that may have been years old was the weak point in the Colonial Pipeline cyber attack and was exploited to great effect.

Cybercriminals will generally look for anything of value, especially the ‘unguarded’, and exploit the opportunity. It is unsurprisingly very similar to how criminals operate in the physical world. Awareness of cybersecurity has grown since this event, but a major problem is that people and organizations in the cybersecurity business understand this risk and most others do not. That is until they have an experience like the one at Colonial Pipeline. The tuition is high when learning through an experience such as this. Much of the population of the East Coast in the US is now aware of the chaos, expense, and hassle that a cybersecurity failure may cause, but it is likely that many have not changed their behaviours.

It is on the cybersecurity community and technologists to teach, explain and converse with those not ‘in-the-know’ about cybersecurity and help those who need it understand the risks.

Kurt Glazemakers
May 6, 2022 7:50 pm

The Colonial Pipeline attack was a wake-up call to organisations and individuals around the world, highlighting the risks posed by threat actors and the importance for businesses across all sectors to secure their networks. The attack also proved to be a catalyst in changing the attitudes of international governments towards security.

Since the attack, there have been numerous advisories and memos stressing the importance of securing our critical infrastructure. President Biden, for example, released an executive order about the need for critical infrastructure organisations to improve their cybersecurity policies and pointed out Zero Trust as the solution. The US government then took this one step further with the Pentagon launching a Zero Trust office and releasing a memo on how organisations can implement Zero Trust policies.

To many security experts, the Colonial Pipeline attack was seen as the final nail in the coffin for legacy VPNs. However, we are still finding that they are being used within organisations. It is particularly concerning when companies adopt VPNs without multi-factor authentication, which can allow threat actors to use stolen credentials to access the network. It is also problematic when organizations use a VPN without segmenting the network; when an attacker finds a way in, they can easily move laterally across the network. This is exactly what happened with the Colonial Pipeline incident, where old legacy VPN software without multi-factor authentication was abused.

Organisations must take immediate action to ensure legacy software is updated and that internal networks cannot be accessed using outdated credentials. Once these steps are taken, organisations can then start moving toward a comprehensive Zero Trust framework, which will authenticate users and devices based on unified policies, only grant access to the resources a user is authorized to see, and segment the network to prevent lateral movement in case of a breach.

Since the Colonial Pipeline incident, we have come a long way in recognising the importance of Zero Trust which works on the principle of ‘least privilege’ by assuming that all connections can be compromised. By implementing Zero Trust, organisations will be able to profile any device trying to connect to the network, use multi-factor authentication to ensure credentials are not compromised, segment networks creating isolated perimeters, and only provide access to what a user or a system needs to do their job.

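Kurt Glazemakers describes the Zero Trust model in terms of four checks made on every connection: profile the device, verify a second factor, segment the network, and grant only what the role needs. The block below is an added example, not code from the article or from any Zero Trust product, showing what such a per-request policy decision looks like when written down. The resource catalogue, device inventory, role names and request shape are all constructed for the illustration; in a real deployment the device posture would come from an EDR or MDM feed and the roles from the identity provider.

```python
"""Zero Trust-style access decision: default deny, every signal checked per request.

Added example (not from the article or any vendor). The resource catalogue,
device inventory, roles and request fields are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed resource catalogue: each resource sits in one network segment and
# lists the roles allowed to reach it, so access is scoped to the job (least privilege).
RESOURCES = {
    "hr-portal":       {"segment": "corp-apps", "roles": {"hr", "admin"}},
    "billing-db":      {"segment": "finance",   "roles": {"finance"}},
    "scada-historian": {"segment": "ot-dmz",    "roles": {"ot-engineer"}},
}

# Constructed device inventory as an EDR/MDM feed would report it.
DEVICES = {
    "laptop-17":  {"managed": True,  "disk_encrypted": True, "edr_healthy": True},
    "laptop-42":  {"managed": True,  "disk_encrypted": True, "edr_healthy": False},
    "byod-phone": {"managed": False, "disk_encrypted": True, "edr_healthy": False},
}


@dataclass
class Request:
    user: str
    roles: set
    device_id: str
    mfa_verified: bool
    resource: str


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(req):
    """Evaluate one access request. Every check must pass; any failure denies."""
    res = RESOURCES.get(req.resource)
    if res is None:
        return Decision(False, ["unknown resource"])   # default deny
    reasons = []
    # Identity: the credential alone is never enough; a second factor is required.
    if not req.mfa_verified:
        reasons.append("mfa not verified")
    # Device: unknown or unhealthy endpoints are refused regardless of who is logged in.
    dev = DEVICES.get(req.device_id)
    if dev is None:
        reasons.append("unknown device")
    else:
        if not dev["managed"]:
            reasons.append("device not managed")
        if not dev["disk_encrypted"]:
            reasons.append("disk not encrypted")
        if not dev["edr_healthy"]:
            reasons.append("edr unhealthy")
    # Authorization and segmentation: only roles listed on the resource may cross into its segment.
    if not (req.roles & res["roles"]):
        reasons.append(f"no role grants {req.resource} in segment {res['segment']}")
    return Decision(not reasons, reasons)


def reachable(roles):
    """Resources a set of roles may be granted at all: the whole visible surface for that user."""
    return {name for name, res in RESOURCES.items() if roles & res["roles"]}


if __name__ == "__main__":
    for req in (
        Request("alice", {"finance"}, "laptop-17", True, "billing-db"),
        Request("alice", {"finance"}, "laptop-42", True, "billing-db"),
        Request("alice", {"finance"}, "laptop-17", True, "scada-historian"),
    ):
        d = evaluate(req)
        print(f"{req.user} -> {req.resource}: {'ALLOW' if d.allow else 'DENY ' + str(d.reasons)}")
```

The point the model makes concrete is that a valid password on a VPN does not by itself open anything: the same finance user is allowed to the billing database from a healthy managed laptop, refused from the laptop whose EDR agent is down, and never offered the OT historian at all because no role she holds is listed on it. `reachable` shows the second half of least privilege, that the user's visible surface is the resource list for her roles and nothing else, which is what blocks lateral movement once a credential is stolen.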
Gary De Mercurio, VP, Global SpiderLabs Practice Lead
May 6, 2022 7:48 pm

There’s been a perception change at the organization leadership level that hackers will use technologies for unintended, malicious purposes — and that hacks happen to everyone, even giants. The only way to truly mitigate the risk is to do the cyber fundamentals really well. Even then, expect attackers to get in if you’re a high-value target – and be prepared to respond to the worst-case scenario. We should also no longer be remotely surprised if a worst-case security scenario has real-world consequences (gas shortages, supply chain strain, critical care unavailable, water shortage, etc.).
