It’s now been a full year since the Colonial Pipeline experienced a cyberattack, which was followed by a deluge of official responses from government agencies, including tough new cybersecurity requirements for pipeline companies, one of which was from the TSA. According to many officials, we were only witnessing the first steps in a multi-pronged effort to avoid a repeat of the devastating Colonial Pipeline ransomware attack from happening again.
We need to reflect on such anniversaries, if only to help prevent repeating history. Taking into consideration the impact of such a breach and the directives that resulted from this attack, let’s dive into some lessons learned and what organizations should focus on next as the threat surface only expands.
All companies are vulnerable
Among further reflection of the Colonial Pipeline cyberattack, we learned that all companies are vulnerable to the ransomware threat. Many ransomware groups work in the affiliate model and have a set of rules around who affiliates can and cannot target. DarkSide, responsible for the Colonial Pipeline attack, had such a set of rules, but a rogue affiliate still hit the Colonial Pipeline anyway.
Since then, other groups like Hive have regularly targeted hospitals and other organizations that were historically avoided by ransomware operators. In fact, since the wake of DarkSide and the Colonial Pipeline attack, we have seen many more ransomware operators emerge, including BlackMatter, NightSky, LokiLocker, and BlackCat. As long as attackers can reap ROI on relatively easy-to-hit targets that are willing to pay, we’ll still have to face continued threats from ransomware.
Cyber criminals have learned that hitting high-value targets gets them high-profile attention. In the Colonial Pipeline case, the U.S. Justice Department seized $2.3 million worth of cryptocurrency from the group and offered up a $10 million reward for information. In Russia, the FSB arrested some of the individuals responsible for the attack. DarkSide itself shut down operations shortly after. In other words, cyber criminals learned more about the line they should walk to continue to make money while avoiding the scrutiny of authorities.
Backups are crucial
Unfortunately, we also learned that paying the ransom does not guarantee a positive outcome. In the case of the attack on the Colonial Pipeline, there was so much encrypted data that the recovery process was painfully slow. Rather than use the decryptor, much of the recovery was performed from backups. It’s important to invest in backups for this reason, especially making sure that the company can quickly and easily recover critical systems from backups and that the backups are not tainted or destroyed by attackers.
A good backup strategy can help expedite recovery not only from ransomware, but from all types of data loss events. At an organizational level, we can invest in cybersecurity and backups, as many companies do today. But at the government and law-enforcement level, we need international cooperation to disrupt other ransomware operators to increase their cost of doing business, as we saw in the case of DarkSide.
Focus on the future
It’s encouraging to see how the Biden administration elevated cybersecurity to a national priority as evidenced by the executive orders and additional directives announced within the past 12 months. The federal government has a responsibility to keep its data and systems, and by extension, the country and its citizens safe and secure — and government entities need to stay aware of the issues to defend against them.
The rapid digital transformation organizations continue to experience has resulted in more data than ever being shared, stored, and interacted with — so updated policies around how we communicate vulnerabilities and keep data safe, particularly for federally-sensitive data, are warranted and essential moving forward. With that said, companies need to make data central to the strategy for protecting core digital assets. Ultimately, any proposal on a national stage also has to be measurable and manageable by companies.
It’s unfortunate that it took an event like the Colonial Pipeline to give security the attention it requires. Companies should always make security a priority, and the conversation shouldn’t end with pipeline infrastructure. The security industry as a whole needs to further establish a precedent for other critical infrastructure and critical services, not just a year later, but continuously in the years ahead.
Ray Canzanese, director, Netskope Threat Labs