In May, news broke of a DarkSide ransomware attack on Colonial Pipeline, a major U.S. fuel pipeline that supplies roughly 45 percent of the East Coast’s diesel, gasoline and jet fuel. In response to the attack, the company shut down its pipeline for several days, causing mass disruption in America.
Colonial Pipeline CEO Joseph Blount’s testimony at a House Homeland Security Committee hearing on June 9 and 10 includes several interesting revelations about the attack, offering important guidance for those that might someday find themselves in a similar situation.
The need to prioritize security
While the testimony did not expressly address the lack of dedicated cybersecurity leadership at the company, this is one area that cannot be overlooked, especially in a company as large and important as Colonial Pipeline.
A chief information security officer (CISO) is a critical role, responsible for ensuring that companies have a comprehensive security program, a strategic vision for cybersecurity, and a seat at the business’s decision-making table.
Colonial Pipeline’s testimony revealed that around $200 million had been invested in IT in the last five years, but it was unclear how much of that had been allocated to cybersecurity. Being able to set cybersecurity priorities for the organization, having a sufficient budget to implement them and the necessary authority to enforce those priorities are a key part of securing an organization.
Companies need to at least invest in, and commit to, having a cybersecurity program and an incident response plan in place. These should encompass everything from implementing the right tools and creating a security culture, to knowing the steps to follow in the event something goes wrong.
Defaults matter
During the testimony, it was confirmed that the initial entry point into the Colonial Pipeline network was a single stolen password.
In this instance, as in many others, remote services were to blame. Specifically, the attackers used the stolen password to gain access to a VPN service that did not have multi-factor authentication (MFA) enabled. It appears Colonial Pipeline believed this VPN profile was not in use. This is where a robust security culture can help.
Having employees who are mindful of how they use their credentials can mitigate the effects of third-party security failures. While you’re at it, you can help them out by providing them with a password manager that can be used for both their work and personal accounts.
It is also worth setting a policy that MFA is ‘on’ by default and can only be disabled by a documented exception. While the lack of MFA on this VPN may simply be down to a misconfiguration, it remains a missed security opportunity.
Prevention is ideal but detection is a must
According to the investigators, the earliest indicator that the attackers were in the network was April 29, 2021. This means the attackers were in the Colonial Pipeline network for at least eight days prior to the ransomware attack on May 7, 2021. Ransomware is often the first sign that alerts victims to the fact that an attack has occurred.
This is by design. Many of today’s ransomware operators prefer to operate in complete stealth until it’s time to release their final payload. They’ve breached your network, established persistence, elevated privilege, exfiltrated your data, and only then do they deploy the ransomware. This can take hours, days, or months to unfold. In fact, according to Sophos’ Active Adversary Playbook 2021, the average dwell time is 11 days, with some companies having attackers in their network for six months or more.
The fact that Colonial Pipeline didn’t have the visibility it needed to understand how badly it had been penetrated is, unfortunately, a common problem for many companies.
Cybersecurity programs are essential, but so are tools to enable them. Endpoint Detection and Response (EDR) tools are invaluable, not only for preventing attacks, but also for enabling your organization to hunt for latent threats.
Remember, just because your security software detected and blocked a threat, that doesn’t mean the job is done. There might be a bigger problem lurking undiscovered in your network.
Plan on failure
Being a large, critical infrastructure company, Colonial Pipeline is no stranger to emergency response plans. There’s little doubt it has comprehensive plans for physical failures of all kinds, from pipeline ruptures to physical security intrusions. However, the company’s position seems less robust when asked about response plans for cybersecurity incidents.
Organizations of all sizes should perform some sort of external assessment of their security controls. Among the risks of relying solely on internal audits is myopia about your capabilities and tolerance for compromise because “that’s just how it’s always been.”
Following your evaluations, you will need to work up plans to a) improve the areas where you are weakest, b) prepare a plan for when things will go wrong, and c) test your defenses against the improvements and response plan.
Sharing is caring
Another interesting question that came up during the hearings is whether Colonial Pipeline participates in an Information Sharing and Analysis Center (ISAC). The company said it does.
ISACs are composed of companies operating in the same sector that support each other by sharing important and relevant threat information. While ISACs tend to be mainly focused on critical infrastructure, it doesn’t mean you cannot participate in (or start your own) equivalent group. The goal is to increase resilience against attack, by providing better protection through a collective sharing of information.
Companies can also leverage advice published by government agencies that have developed guidance based on years of protecting highly sensitive information, like CISA, NCSC and ASD.
The bottom line is that our best prospect at defeating cybercriminals is through an informed and collective effort.
It rarely pays to pay the ransom
Whether or not to pay the ransom is a complicated question to answer.
Colonial Pipeline said it paid the ransom to help the business recover as fast as possible. Unfortunately, many companies find themselves in this scenario and the decision to pay or not to pay is often dictated by many factors, such as not having backups, time and cost of recovery, or to avoid exfiltrated data being publicly exposed.
As the cost of ransomware continues to escalate year over year, it’s increasingly important to have an incident recovery plan in place.
According to Sophos’ 2021 State of Ransomware report, only 8 percent of companies managed to recover all their data, and 29 percent recovered less than half. What’s more, you still have to do the remediation work to address the damage and disruption caused by the attack and ensure this doesn’t happen again.
The decision to pay or not is at the victim’s discretion, but prevention and preparedness can make that decision much clearer.
A path to stronger security
It shouldn’t take an attack for your organization to establish a stronger security posture. Take the time now to assess your position on the security maturity spectrum and act immediately to improve where you can. At an overarching level it is important to ensure everybody within the organization understands their role in maintaining security, while also providing the security team itself with the appropriate authority and budget to achieve its goals.
Beyond this though, employing a “secure by default mode” across all deployments and operations, as well as ensuring full visibility in order to be able to identify problems early, should help to increase resilience to attack. And while it of course hopefully never happens, planning in advance for such a situation can help to both shorten the time and lower the costs of recovery in the event of such an attack.
John Shier, senior security advisor, Sophos