What companies can learn from the Colonial Pipeline ransomware attack

July 26, 2021

It's been a few months now. What lessons have we learned since?

A ransomware attack led to the shutdown of the top fuel pipeline in the US this spring. Threat actors accessed the Colonial Pipeline network using a compromised VPN password. The company paid nearly $4.5 million in ransom because its leaders were unsure how badly the cyberattack had breached its systems, and how long it would take to bring the pipeline back. However, federal authorities said that they recovered more than $2 million of it in early June.

You might think that a breach of this magnitude would be easy to detect. But, in fact, Colonial Pipeline was unaware that it had been breached until the company got DarkSide's ransom demand. Leaders at Colonial Pipeline, whose pipeline delivers nearly half of the transport fuels for the Atlantic Coast, were also put in the difficult position of having to decide whether to pay the ransom.

Other questions companies typically face with a breach of this nature include:

  • What else did the threat actors do during their time inside the company’s network?
  • Did the threat actors install a backdoor or other malware during the attack?
  • Did they figure out how to remotely control key portions of the company’s infrastructure with the ultimate goal of disrupting operations?
  • Do we know the means of initial access so that we can lock the threat actor out of the network in the future?

Clearly, in the case of the Colonial Pipeline ransomware attack, the company assumed a worst-case scenario and shut down its pipeline to purge its systems.

Understand that monitoring is key for detection and response

Colonial Pipeline is not unique in being the target of threat actors. Every business is at risk.

Traditionally, businesses try to protect themselves from attacks by using point solutions around the IT perimeter. But focusing solely on creating an impenetrable perimeter may leave enterprises unable to identify a breach before it creates catastrophic damage. That’s why a Managed Detection and Response (MDR) capability is absolutely vital in today’s IT environment.

The reality is that the best way to minimize risk is to assume you are in a constant state of breach. The only way to verify whether you are breached is to perform continuous monitoring of potential attack surfaces, looking for threats that have bypassed existing security controls. Threat monitoring and detection should serve as a feedback loop to the preventive controls, so that you are continually strengthening your security posture.

Use automation and predefined playbooks to move fast

While early detection is vital, it's meaningless if you can't move quickly to contain threats. To prepare for the inevitable, create an incident-response plan and embrace automation. Use security orchestration, automation and response (SOAR) to support this approach. SOAR orchestrates containment across multiple IT systems, which is important because it can be challenging to move fast when you have many locations, multiple departments, thousands or tens of thousands of users, and a variety of IT endpoints and systems.

If you and your partners can detect cyberthreats early enough, you can contain breaches. Early containment can minimize the impact of breaches—or even entirely prevent damage.

Implement employee-security awareness training and reporting practices

A VPN was the entry point for DarkSide in the Colonial Pipeline attack. But how threat actors gain a foothold in a network is not always known. Phishing is one means by which it occurs. The FBI IC3 Internet Crime Report indicates that phishing was among the biggest crimes reported to the FBI in 2020, along with non-payment scams and extortion.

Make employees aware of the phishing threat with regular security-awareness training. Establish a process of reporting suspected phishing emails to internal IT teams to minimize risk.

Address IT complexity by partnering with experts

IT environments and cyberthreats are increasingly complex, which makes it difficult to minimize your overall risk with do-it-yourself cybersecurity. Engage with a managed service provider specializing in cybersecurity, one that has the intelligent automation and experts on board to provide effective MDR services that deliver outcomes, not alerts.

Rely on your expert MDR provider to monitor your IT environment for threats. Work with your MDR service provider to establish an incident-response plan. In this way, your MDR service provider can move fast to both identify and contain threats as they arise, and you can focus on your core business.

Dave Martin is vice president, extended detection and response, at Open Systems.