Expert Advice On Colonial Pipeline Ransomware Attack Anniversary

This week is the anniversary of the Colonial Pipeline attack, which saw one of the largest fuel pipelines in the US temporarily shut down following a ransomware attack by DarkSide, a ransomware-as-a-service group believed to be linked to Russia. Not only did the attack affect millions of people, it also heralded a new era of cybercrime. In a world where critical infrastructure relies on an ever-increasing amount of technology, it has created real momentum as the cybersecurity sector looks to make software supply chain security a top priority.

Expert Comments

May 06, 2022
Mark Harman
Senior Security Systems Engineer
Versa Networks


It was a year ago that a single-factor VPN credential, which may have been years old, was the weak point in the Colonial Pipeline cyber attack and was exploited to great effect.
 
Cybercriminals will generally look for anything of value, especially the ‘unguarded’, and exploit the opportunity. It is unsurprisingly very similar to how criminals operate in the physical world. Awareness of cybersecurity has grown since this event, but a major problem is that people and organizations in the cybersecurity business understand this risk and most others do not. That is, until they have an experience like the one at Colonial Pipeline. The tuition is high when learning through an experience such as this. Much of the population of the East Coast in the US is now aware of the chaos, expense, and hassle that a cybersecurity failure may cause, but it is likely that many have not changed their behaviours.
 
It is on the cybersecurity community and technologists to teach, explain and converse with those not ‘in-the-know’ about cybersecurity and help those who need it understand the risks.

May 06, 2022
Alon Schwartz
Security Researcher
Logpoint Global Services


Rather than dissipating, it’s clear that the threat to Critical National Infrastructure (CNI) post the Colonial Pipeline attack has never been greater. Ransomware has become the weapon of choice for financially and politically motivated threat actors. It ticks all the boxes, providing them with the means to solicit funds, carry out denial of service, espionage and sabotage, and to achieve notoriety. CNI such as power grid and telecoms companies have been targeted in the Ukraine conflict, for example, predominantly with Wiper ransomware.

Colonial Pipeline paid but then partially recovered the ransom through the FBI. Indications are that over half of businesses pay the ransom, fuelling further growth, because of their desperation to resume BAU. The rise of ransomware will be inexorable while these ransoms continue to be paid.

Lessons learned from the Colonial Pipeline attack include the need for proper monitoring of IT & OT infrastructure, without which the organisation is rendered blind. Visibility is a game changer, especially in the preliminary stage, and can be the difference between mitigating or falling victim to an attack. SIEM detection rules can alert the team to suspicious behaviour, while those deploying UEBA or NTA (Network Traffic Analysis) can benefit from machine learning and AI to pick up on sophisticated attack patterns such as lateral movement or data extraction.

May 06, 2022
Saket Modi
CEO
Safe Security


In today’s hyper-connected digital world, cybersecurity is the number one worry for Boards, business and security leaders globally. Throughout the last 3-5 years, we have seen both sophisticated and relatively basic cyberattacks bring large global businesses to their knees. Colonial Pipeline, the largest fuel pipeline in the U.S., had to shut operations due to a cyberattack, and its tremors were felt across the US and other global economies.

Over the last year, through investigations and testimonies, we have more information on the root causes of the attack. The attack occurred due to the absence of multifactor authentication on a VPN (virtual private network). An employee's password, used on a different digital platform, was available on the dark web, and the attackers used the password to enter protected network systems. This highlights the importance of why one should not repeat passwords across platforms, and of using multifactor authentication.

The role of a CISO and the security team is becoming complex as the digital attack surface continues to grow. Ensuring cyber hygiene is followed across the attack surface continuously, preparing a business continuity plan, and managing and understanding the cyber hygiene of employees cannot be performed through a siloed, reactive and product-driven approach alone. This is where Cyber Risk Quantification and Management (CRQM) can be a game changer. It helps the CISO and their team get a single view of their attack surface across the organization, quantify cyber risk posture and take proactive steps to mitigate the biggest threats in real time. Such platforms are a great tool to accurately represent and communicate cyber risk to the Board, which is witnessing significant global regulatory traction.

In the modern digital-first era, security & business leaders need to take a proactive approach to managing cyber risks and need solutions that aggregate cybersecurity signals across people, process, technology and third parties to provide easily digestible information.  This enables quicker and more accurate decision-making, efficient communication of cyber risk and better justification of the ROI of cybersecurity initiatives, and creates a culture of cyber resilience.
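The two points made above, single-factor VPN access that a leaked, reused password can unlock (Saket Modi) and SIEM rules that surface lateral movement once an intruder is inside (Alon Schwartz), can both be expressed as simple detection logic. The block below is an added example written for this page; it is not code from Logpoint, Safe Security or any vendor. The log events are constructed, the field names (`mfa`, `logon_type`, `src_host`, `dst_host`) are an assumed normalised schema, and the thresholds are illustrative.

```python
"""Toy SIEM rules over constructed VPN and Windows logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication events (not real telemetry). An assumed
# normalised schema: a successful login with mfa=False is a single-factor login.
VPN_EVENTS = [
    {"ts": "2021-04-29T08:02:11", "user": "jsmith", "src_ip": "203.0.113.7",
     "mfa": True, "result": "success"},
    {"ts": "2021-04-29T08:05:40", "user": "legacy.vpn", "src_ip": "198.51.100.23",
     "mfa": False, "result": "success"},
    {"ts": "2021-04-29T08:09:03", "user": "legacy.vpn", "src_ip": "198.51.100.23",
     "mfa": False, "result": "failure"},
]

# Constructed Windows Security events. 4624 = successful logon; logon type 3 is
# a network logon (SMB, WinRM), 10 is RemoteInteractive (RDP), 2 is a local
# console logon and is not evidence of lateral movement.
WIN_EVENTS = [
    {"ts": "2021-04-29T09:00:00", "event_id": 4624, "logon_type": 2,
     "account": "legacy.vpn", "src_host": "WS-VPN-01", "dst_host": "WS-VPN-01"},
    {"ts": "2021-04-29T09:00:05", "event_id": 4624, "logon_type": 3,
     "account": "legacy.vpn", "src_host": "WS-VPN-01", "dst_host": "FS01"},
    {"ts": "2021-04-29T09:00:30", "event_id": 4624, "logon_type": 3,
     "account": "jsmith", "src_host": "WS-042", "dst_host": "FS01"},
    {"ts": "2021-04-29T09:01:10", "event_id": 4624, "logon_type": 3,
     "account": "legacy.vpn", "src_host": "WS-VPN-01", "dst_host": "DC01"},
    {"ts": "2021-04-29T09:02:30", "event_id": 4624, "logon_type": 10,
     "account": "legacy.vpn", "src_host": "WS-VPN-01", "dst_host": "HMI-JUMP"},
    {"ts": "2021-04-29T09:04:12", "event_id": 4624, "logon_type": 3,
     "account": "legacy.vpn", "src_host": "WS-VPN-01", "dst_host": "SCADA-HIST"},
    {"ts": "2021-04-29T09:06:48", "event_id": 4624, "logon_type": 3,
     "account": "legacy.vpn", "src_host": "WS-VPN-01", "dst_host": "BACKUP01"},
    {"ts": "2021-04-29T09:30:00", "event_id": 4624, "logon_type": 3,
     "account": "jsmith", "src_host": "WS-042", "dst_host": "FS01"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def single_factor_vpn_logins(events):
    """Rule 1: every (user, source IP) that got onto the VPN with one factor."""
    return sorted({(e["user"], e["src_ip"]) for e in events
                   if e["result"] == "success" and not e["mfa"]})


def lateral_movement(events, window=timedelta(minutes=10), threshold=4):
    """Rule 2: one account from one source host reaching >= threshold distinct
    hosts over the network inside a sliding time window.

    Returns {(account, src_host): [distinct destination hosts]} for the largest
    window that crossed the threshold.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] in (3, 10):
            by_src[(e["account"], e["src_host"])].append((_ts(e["ts"]), e["dst_host"]))

    alerts = {}
    for key, hits in by_src.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:      # slide the window forward
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > len(alerts.get(key, ())):
                alerts[key] = sorted(distinct)
    return alerts


def run_rules():
    return {"single_factor_vpn": single_factor_vpn_logins(VPN_EVENTS),
            "lateral_movement": lateral_movement(WIN_EVENTS)}


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule, "->", hits)
```

The first rule is the cheap one: if the VPN concentrator's logs cannot tell you which sessions were established with a single factor, that is itself the finding. The second rule deliberately keys on the source host rather than the destination, because a stolen credential used from one foothold fans out to many targets while a legitimate user on the same account rarely does within ten minutes; tune the window and threshold against a baseline of your own logon volume before alerting on it.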

May 06, 2022
Kurt Glazemakers
CTO
Appgate


The Colonial Pipeline attack was a wake-up call to organisations and individuals around the world, highlighting the risks posed by threat actors and the importance for businesses across all sectors to secure their networks. The attack also proved to be a catalyst in changing the attitudes of international governments towards security.

Since the attack, there have been numerous advisories and memos stressing the importance of securing our critical infrastructure. President Biden, for example, released an executive order about the need for critical infrastructure organisations to improve their cybersecurity policies and pointed out Zero Trust as the solution. The US government then took this one step further with the Pentagon launching a Zero Trust office and releasing a memo on how organisations can implement Zero Trust policies.

To many security experts, the Colonial Pipeline attack was seen as the final nail in the coffin for legacy VPNs. However, we are still finding that they are being used within organisations. It is particularly concerning when companies adopt VPNs without multi-factor authentication, which can allow threat actors to use stolen credentials to access the network. It is also problematic when organizations use a VPN without segmenting the network; when an attacker finds a way in, they can easily move laterally across the network. This is exactly what happened with the Colonial Pipeline incident, where old legacy VPN software without multi-factor authentication was abused.

Organisations must take immediate action to ensure legacy software is updated and that internal networks cannot be accessed using outdated credentials. Once these steps are taken, organisations can then start moving toward a comprehensive Zero Trust framework, which will authenticate users and devices based on unified policies, only grant access to the resources a user is authorized to see, and segment the network to prevent lateral movement in case of a breach.

Since the Colonial Pipeline incident, we have come a long way in recognising the importance of Zero Trust which works on the principle of ‘least privilege’ by assuming that all connections can be compromised. By implementing Zero Trust, organisations will be able to profile any device trying to connect to the network, use multi-factor authentication to ensure credentials are not compromised, segment networks creating isolated perimeters, and only provide access to what a user or a system needs to do their job.
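The contrast Kurt Glazemakers draws, a flat VPN that a password alone unlocks versus per-resource policy with MFA, device posture and least privilege, can be made concrete by computing the blast radius of one stolen credential under each model. The block below is an added example written for this page, not Appgate's product logic or any real policy engine. The resources, segments, roles and policy table are constructed; the request fields are assumptions.

```python
"""Flat-VPN access versus per-resource Zero Trust policy: blast radius of one credential."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles asserted by the identity provider
    credential_valid: bool      # first factor (password) checked out
    mfa_verified: bool          # second factor completed for this session
    device_compliant: bool      # managed device that passed a posture check
    resource: str               # service being requested


# Constructed internal resources, tagged with the segment they live in.
RESOURCES = {
    "erp.corp.example": "corp",
    "fileshare.corp.example": "corp",
    "hist.ot.example": "ot",
    "hmi-jump.ot.example": "ot",
}


def flat_vpn_decide(req):
    """Weak pattern: once the password passes, the client is on the network and
    every resource is routable. MFA, device and role play no part."""
    if req.credential_valid:
        return "allow", sorted(RESOURCES)
    return "deny", []


# Constructed per-resource policy: which roles may reach which resource.
# Anything not listed is denied, so the OT segment is invisible to corp roles.
POLICY = {
    "erp.corp.example": {"roles": {"finance", "it-admin"}},
    "fileshare.corp.example": {"roles": {"staff", "contractor", "it-admin"}},
    "hist.ot.example": {"roles": {"ot-engineer"}},
    "hmi-jump.ot.example": {"roles": {"ot-engineer"}},
}


def zero_trust_decide(req, policy=POLICY):
    """Every request is evaluated on its own: identity, second factor, device
    posture and authorisation for this one resource. Default deny."""
    rule = policy.get(req.resource)
    if rule is None:
        return "deny", "no policy for resource (default deny)"
    if not req.credential_valid:
        return "deny", "first factor failed"
    if not req.mfa_verified:
        return "deny", "second factor required"
    if not req.device_compliant:
        return "deny", "device posture check failed"
    if not (req.roles & rule["roles"]):
        return "deny", "role not authorised for resource"
    return "allow", req.resource


def blast_radius(req, model):
    """Resources one session can reach under the given model."""
    if model == "flat_vpn":
        return flat_vpn_decide(req)[1]
    return [res for res in RESOURCES
            if zero_trust_decide(replace(req, resource=res))[0] == "allow"]


# Scenario: a contractor's password leaked and reused from an unmanaged machine.
STOLEN = AccessRequest("legacy.vpn", frozenset({"contractor"}),
                       credential_valid=True, mfa_verified=False,
                       device_compliant=False, resource="hist.ot.example")

if __name__ == "__main__":
    print("flat VPN  :", blast_radius(STOLEN, "flat_vpn"))
    print("zero trust:", blast_radius(STOLEN, "zero_trust"), zero_trust_decide(STOLEN))
```

Under the flat model the stolen password reaches all four hosts, OT included; under the per-resource policy it reaches nothing, and even the same contractor with a completed second factor on a compliant device reaches only the file share. Real deployments replace the dictionary with an identity provider and a policy service, but the shape of the decision, default deny with each check able to fail independently, is the point.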

May 06, 2022
Gary De Mercurio
VP, Global SpiderLabs Practice Lead
Trustwave SpiderLabs


There's been a perception change at the organization leadership level that hackers will use technologies for unintended, malicious purposes -- and that hacks happen to everyone, even giants. The only way to truly mitigate the risk is to do the cyber fundamentals really well. Even then, expect attackers to get in if you're a high-value target - and be prepared to respond to the worst-case scenario. We should also no longer be remotely surprised if a worst-case security scenario has real-world consequences (gas shortages, supply chain strain, critical care unavailable, water shortage, etc.).

May 06, 2022
Jen Ellis
Vice President of Community and Public Affairs
Rapid7


The Colonial Pipeline attack was significant in that it put cybercrime front and centre of the evening news, and we saw President Biden not only talking about the subject, but also raising it directly as a priority with Russia's President Putin. In the weeks that followed the attack, we saw the G7 talk about ransomware at their annual summit and make commitments to work together to tackle the issue. The US government has since taken a number of steps to advance public-private collaboration to disrupt attacks in the wild, improve its response to attacks, aid companies in preparing for attacks, and introduce sanctions against specific ransomware groups and cryptocurrency exchanges. It has also introduced new requirements for incident reporting and for cyber hygiene for pipeline operators. While the level of focus from the government is positive, commentators point out that some of these measures were long overdue, will take far too long to come into effect, or have not been applied broadly enough. In other words, there is still more to be done, and governments and the private sector must continue to collaborate to develop measures that deter and disrupt ransomware.

This is borne out by the volume of attacks reported, which was higher in 2021 than in the year prior, and 2022 looks set to continue that upward trend. This could be because reporting of incidents is on the rise, rather than the number of attacks themselves increasing, but either way, we are certainly not seeing any indications of a decline in ransomware activity. In fact, many predict that we will see cybercrime rates rise due to the current economic and political climate. A great deal of ransomware activity has long originated from former Soviet Union nations, and the current Russia/Ukraine conflict is likely to exacerbate this as sanctions, withdrawal of Western businesses, and the other economic effects of continuing warfare force people to seek new opportunities to make a living.

May 06, 2022
Sitaram Iyer
Global Security Architect
Jetstack


In many ways, Colonial Pipeline gave the US government the nudge it needed to start taking cybersecurity in critical infrastructure seriously. The hack was so severe that it was deemed a national security threat, forcing President Biden to declare a national state of emergency. Significant steps were taken by the Biden administration in the wake of the Colonial Pipeline hack, most notably, the introduction of a Software Bill of Materials – SBOMs – to declare the provenance of software, describing where all the different elements have come from.

While SBOMs are a useful step in the right direction, they are not a complete solution to software supply chain security. Research shows that 92% of applications contain open source components – it makes the world go round. Yet simply listing these components in an SBOM will not necessarily mean that all of the other components of the software supply chain can be trusted. Even if every company were producing an SBOM for every piece of software they build today, there are many other pieces of the software development and build processes that need to be secured.

In an ideal world, companies would be deploying zero-trust policies and auditing the third-party software they use. They would also be looking at the composition of the software they are using and evaluating provenance, how the software is built and deployed. This is an enormously complex set of challenges for every company.
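Sitaram Iyer's point that an SBOM lists components without by itself establishing trust can be seen by actually consuming one: the same document that names the packages also shows which entries carry no integrity hash, no package URL or no pinned version, and which match a known advisory. The block below is an added example written for this page, not Jetstack code. The SBOM uses CycloneDX 1.4 JSON field names (`bomFormat`, `specVersion`, `components`, `purl`, `hashes`), but the package names, versions, hash values and the advisory feed are constructed for the example.

```python
"""Audit a CycloneDX-style SBOM for provenance gaps and known-affected components."""
import json

# Constructed SBOM. Field names follow CycloneDX 1.4; the contents are made up.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "requests-lite", "version": "2.3.0",
     "purl": "pkg:pypi/requests-lite@2.3.0",
     "hashes": [{"alg": "SHA-256",
                 "content": "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"}]},
    {"type": "library", "name": "yaml-parse", "version": "1.9.2",
     "purl": "pkg:pypi/yaml-parse@1.9.2"},
    {"type": "library", "name": "internal-utils", "version": "latest"}
  ]
}
'''

# Constructed advisory feed keyed by version-less purl: versions below
# fixed_in are affected. The advisory id is a placeholder, not a real CVE.
ADVISORIES = {
    "pkg:pypi/yaml-parse": {"id": "EXAMPLE-2022-0001", "fixed_in": "1.10.0"},
}


def _vtuple(version):
    """Dotted version to a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def purl_base(purl):
    """Strip the @version and any ?qualifiers so the purl keys the advisory feed."""
    return purl.split("@", 1)[0].split("?", 1)[0]


def audit_sbom(sbom_text, advisories=ADVISORIES):
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")

    findings = {"missing_purl": [], "missing_hashes": [], "unpinned": [], "vulnerable": []}
    for comp in sbom.get("components", []):
        version = comp.get("version", "")
        label = f'{comp["name"]}@{version or "?"}'
        purl = comp.get("purl")

        # Provenance gaps: without a purl the component cannot be matched to an
        # ecosystem, without a hash the artifact cannot be verified, and an
        # unpinned version means the SBOM does not say what was actually built.
        if not purl:
            findings["missing_purl"].append(label)
        if not comp.get("hashes"):
            findings["missing_hashes"].append(label)
        if not version or not version[0].isdigit():
            findings["unpinned"].append(label)

        # Known-affected check against the advisory feed.
        if purl:
            adv = advisories.get(purl_base(purl))
            if adv and _vtuple(version) < _vtuple(adv["fixed_in"]):
                findings["vulnerable"].append((label, adv["id"]))
    return findings


if __name__ == "__main__":
    for kind, items in audit_sbom(SBOM_JSON).items():
        print(f"{kind}: {items}")
```

Only the first component in the constructed SBOM is both identifiable and verifiable; the second is identifiable but unverifiable and matches an advisory, and the third cannot be matched to anything at all. That is the gap the comment describes: the inventory is necessary, but the hashes, provenance and build attestation behind each entry are what let you trust it.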
