Ransomware, Threat Intelligence

What IT security teams can learn from the Colonial Pipeline ransomware attack

Joseph Blount, Jr., president and CEO of Colonial Pipeline, testifies before the Senate Homeland Security and Governmental Affairs Committee on June 8, 2021. Today’s columnist, John Shier of Sophos, offers eight tips for security teams in the wake of the Colonial Pipeline case and other such attacks. (Photo by Andrew Caballero-Reynolds-Pool/Getty I...

News broke in early May of a DarkSide ransomware attack on Colonial Pipeline, a major U.S. fuel pipeline that supplies roughly 45% of the East Coast’s diesel, gasoline and jet fuel. In response to the attack, the company shut down its pipeline for several days.

Colonial Pipeline CEO Joseph Blount was invited to testify at a House Homeland Security Committee hearing a month later. The combined four-hour long official Senate and House testimony includes several interesting details about the attack, as well as some important guidance for other companies that might someday find themselves in a similar situation.

Here’s a look at some of the important security lessons highlighted by this attack that defenders can take away:

  • Prioritize security.

While the testimony did not expressly address the lack of dedicated cybersecurity leadership at the company, we cannot overlook this area, especially in a company as large and important as Colonial Pipeline. The company’s testimony to the Senate disclosed that around $200 million had been invested in IT in the last five years, but it was not clear how much of that had been allocated to cybersecurity.

Being able to set cybersecurity priorities for the organization, having sufficient budget to implement them and the necessary authority to enforce those priorities are a key part of securing an organization. That means companies need to at least invest in, and commit to, having a cybersecurity program and an incident response plan in place. These should encompass everything from implementing the right tools and creating a security culture, to knowing the steps to follow in the event something goes wrong.

  • Educate the staff – and use password managers.

During the testimony, it was confirmed that the initial entry point into the Colonial Pipeline network was a single stolen password. In this instance, remote services were to blame. Specifically, the attackers used the stolen password to gain access to a VPN service that did not have multi-factor authentication (MFA) enabled. It appears that Colonial Pipeline believed this VPN profile was not in use. We’ve also seen this situation before.

Here’s where a robust security culture can help. Having employees who are mindful of how they use their credentials can mitigate the effects of third-party security failures. Companies can help the team out by providing them with a password manager they can use for both their work and personal accounts. CISOs or equivalent security leadership can set policies that enable the organization to do the right thing by default.

  • Focus on detection, not just prevention.

According to the investigators, the earliest indicator that the attackers were in the network was April 29, 2021. This means the attackers were in the Colonial Pipeline network for at least eight days prior to the ransomware attack on May 7.

Ransomware is often the first sign that alerts victims to the fact that an attack has occurred. Many of today’s ransomware operators prefer to operate in complete stealth until it’s time to release their final payload. This can take hours, days, or months to unfold. In fact, according to the Active Adversary Playbook 2021, the observed median attacker dwell time is 11 days, with some companies having attackers in their network for six months or more.

The fact that Colonial Pipeline didn’t have the visibility it needed to understand how badly it had been penetrated has become a common problem for many companies. Remember, just because the company’s security software detected and blocked a threat, that doesn’t mean it’s a finished job. There’s often a bigger problem lurking undiscovered in the network.

  • Make every effort not to pay the ransom.

We’re often asked whether it’s okay for companies to pay the ransom and how we can stop this scourge. The short answer: it’s complicated.

Colonial Pipeline has said it paid the ransom to help the business recover as fast as possible. Unfortunately, many companies find themselves in this scenario and base the decision to pay or not to pay by the state of backup files, the overall cost of recovery, or threats from the attackers to publicly expose data.

According to our 2021 State of Ransomware report, companies that paid the ransom recovered, on average, only 65% of their data. Only 8% of companies managed to recover all their data, and 29% recovered less than half. What’s more, security teams still have to do the remediation work to address the damage and disruption caused by the attack and ensure this doesn’t happen again.

That said, each victim has to decide to pay or not pay the ransom, but prevention and preparedness can make that decision much clearer.

The path to stronger security

It shouldn’t take an attack for an organization to establish a stronger security posture. Take the time now to assess the company’s position on the security maturity spectrum and act immediately to improve where possible.

In summary, the path to better security starts with the following:

  • Prioritize security so that everyone in the organization understands their role in maintaining a secure organization.
  • Give the security team the authority and a reasonable budget to achieve its goals.
  • Employ “secure by default” modes for all deployments and operations.
  • Ensure that the company has visibility into every facet of the organization so that it can spot problems before they become full-blown emergencies.
  • Plan for when the company needs to recover from a serious malware attack. Not only will it make the organization more resilient, it will also shorten the time and lower the cost of recovery.
  • Participate in the security community by sharing the company’s successes and failures. The company benefit, and it will also help others along the way.
  • If the company gets victimized, focus on recovery and remediation rather than enriching cybercriminals.
  • Don’t hesitate to ask for help before the company needs it.

In the end, the FBI recovered some of the bitcoins they paid to DarkSide. While it’s great news, it still doesn't fully fix the network or undo the damage done. Companies really need to focus in because the threat landscape will only grow worse.

John Shier, senior security advisor, Sophos

John Shier

John Shier is a Field CTO, Threat Intelligence at Sophos with more than two decades of cybersecurity experience. He’s passionate about protecting consumers and organizations from advanced threats, and has researched everything from costly ransomware to illicit dark web activity, uncovering insights needed to strengthen proactive cybersecurity defenses.

John is often consulted by press, and has been quoted in publications like Reuters, WIRED, Fortune, CNN, The Hill, Fast Co, Yahoo, and more. He’s also a frequent speaker at industry events like RSA Conference, Infosec, Cebit, Gitex, and more.

Based in Toronto, John is available on Twitter (@john_shier) and can be reached via email at [email protected].

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.