As we approach the one-year anniversary of the Colonial Pipeline ransomware attack, it is an excellent time to reflect upon what took place and how that incident can serve as a teaching point for any organization interested in preventing a ransomware attack.
First, here is a quick refresher on what transpired.
On May 6, 2021, an affiliate of the DarkSide ransomware-as-a-service operation (which has also been linked to REvil) attacked Colonial Pipeline Co., forcing the company to halt operations and effectively cutting off the flow of gasoline, diesel, jet fuel and other petroleum products to large portions of the eastern U.S. for several days. As DataBreachToday reported, the attacker got in with the password of a legacy VPN account that was no longer in use but had never been disabled, and that did not require multifactor authentication; the password had been exposed in an earlier credential leak.
Once inside the network, the attacker's first move was to steal roughly 100 GB of data, including the PII of some employees, and then to deploy ransomware on Colonial Pipeline's IT network, TechTarget reported. The gang demanded, and Colonial paid, a ransom of about $4.4 million (75 bitcoin); the FBI later recovered 63.7 of those bitcoin, so a portion of the payment was recouped.
The attack also grabbed headlines nationwide and spurred the federal government to take action.
There's been a perception change at the organization leadership level that hackers will use technologies for unintended, malicious purposes, and that hacks happen to everyone, even giants. The only way to truly mitigate the risk is to do the cyber fundamentals really well. Even then, expect attackers to get in if you're a high-value target, and be prepared to respond to the worst-case scenario. We should also no longer be remotely surprised when a worst-case security scenario has real-world consequences (gas shortages, supply chain strain, critical care unavailable, water shortages, etc.).
The government's response included President Joe Biden raising the issue of ransomware with Russian President Vladimir Putin at their summit in June 2021. In addition, in July 2021 the House of Representatives passed two bills, the Pipeline Security Act and the CISA Cyber Exercise Act. The former is aimed at protecting the nation's pipeline infrastructure, and the latter directs CISA to run exercises that test the National Cyber Incident Response Plan and related plans and strategies.
The attack also highlighted the need to reinforce the still-nascent partnerships that security firms and government agencies are building.
Not only should agencies be using the latest endpoint detection and response technologies, they should also be seeking support from experienced security practitioners who know how attackers bypass perimeter defenses and move through networks undetected, and how to stop them.
Finally, the attack on the fuel supplier brought into focus the need to better secure the nation's critical infrastructure and operational technology, and the need for ransomware preparedness in every organization. It also showed, once again, that any organization that ignores basic cybersecurity principles leaves itself open to attack.
The most important takeaway from the event is that the company failed to maintain basic cybersecurity hygiene. The most glaring oversight was a legacy VPN account that was no longer in use but was still enabled, was not protected by multifactor authentication, and was apparently not being tracked by the company; that single account was the threat actor's back door.
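The Colonial Pipeline entry point was a combination of three conditions that are each easy to audit for: an account that can reach the VPN, no MFA on it, and no legitimate use of it for a long time. The script below is an added example (not Trustwave's code, and not based on any real Colonial Pipeline data) that runs that audit over a constructed directory export and a few constructed VPN gateway log lines. The `key=value` log format, the account attribute names, and the 90-day dormancy threshold are assumptions chosen for the example; adapt them to whatever your gateway and directory actually emit.

```python
"""Audit VPN-enabled accounts for the Colonial-style gap: dormant, no MFA, untracked.

Added example; the data below is constructed and the log format is assumed.
"""
from datetime import datetime, timedelta, timezone

# Constructed directory export (hypothetical): which accounts may use the VPN
# and whether MFA is enforced for them.
ACCOUNTS = {
    "jdoe":     {"vpn_enabled": True,  "mfa": True},
    "legacy01": {"vpn_enabled": True,  "mfa": False},  # enabled, never used, no MFA
    "svc-bak":  {"vpn_enabled": True,  "mfa": False},  # used long ago, no MFA
    "mlee":     {"vpn_enabled": False, "mfa": True},   # cannot reach the VPN at all
}

# Constructed VPN gateway auth log, one event per line, assumed key=value format.
VPN_LOG = """\
2022-04-01T08:12:03Z vpn-gw1 auth=ok user=jdoe src=198.51.100.20 mfa=yes
2022-04-27T17:40:11Z vpn-gw1 auth=ok user=jdoe src=198.51.100.21 mfa=yes
2021-11-03T02:15:44Z vpn-gw1 auth=ok user=svc-bak src=203.0.113.9 mfa=no
2022-04-30T23:59:01Z vpn-gw1 auth=fail user=legacy01 src=203.0.113.77 mfa=no
"""

NOW = datetime(2022, 5, 1, tzinfo=timezone.utc)   # fixed "now" so results are reproducible
DORMANT_AFTER = timedelta(days=90)                 # assumed policy threshold


def parse_vpn_log(text):
    """Yield (timestamp, fields) for each log line; skips lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        yield ts, fields


def audit(accounts, log_text, now, dormant_after):
    """Return {user: [issue, ...]} for every VPN-enabled account with a finding.

    Issues raised:
      no-mfa      account can reach the VPN without a second factor
      never-used  enabled but has no successful login in the log at all
      dormant     last successful login is older than dormant_after
      failed-login-after-last-success
                  someone tried this account more recently than its owner did,
                  which is exactly what a leaked password being tested looks like
    """
    last_ok, last_fail = {}, {}
    for ts, f in parse_vpn_log(log_text):
        user = f.get("user")
        if user is None:
            continue
        bucket = last_ok if f.get("auth") == "ok" else last_fail
        bucket[user] = max(ts, bucket.get(user, ts))

    findings = {}
    for user, attrs in accounts.items():
        if not attrs["vpn_enabled"]:
            continue  # disabled accounts are the goal state, not a finding
        issues = []
        if not attrs["mfa"]:
            issues.append("no-mfa")
        last = last_ok.get(user)
        if last is None:
            issues.append("never-used")
        elif now - last > dormant_after:
            issues.append("dormant")
        if user in last_fail and (last is None or last_fail[user] > last):
            issues.append("failed-login-after-last-success")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(ACCOUNTS, VPN_LOG, NOW, DORMANT_AFTER).items():
        print(f"{user}: {', '.join(issues)}")
```

Run against a real export, every account in the output is a candidate for immediate disabling (never-used, dormant) or for MFA enforcement; the failed-login flag on a dormant account is worth an incident ticket on its own, because a legitimate owner does not typically try a password on an account they stopped using months ago.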
To ensure this mistake is not repeated, here are a few essential anti-ransomware tips:
How Trustwave Can Help
Organizations that lack the in-house ability to handle the tasks required to maintain security should consider partnering with a company that has that expertise. A Managed Security Service (MSS) provider like Trustwave, with our Managed Detection and Response (MDR) solution, may provide the answer.
While technologies like extended detection and response (XDR) and security information and event management (SIEM) can correlate data from many sources, help detect threats and support investigations, they miss some of the proactive security elements needed to stay secure against today's threats.
Without the right expertise, organizations won't get the value they expect from these technologies. Likewise, a traditional managed security service provider (MSSP) that focuses on monitoring logs and alerts misses a large part of the picture and can generate many false positives and low-value work for its customers.