One Year Later: Lessons from the Colonial Pipeline Ransomware Attack
A year has passed since the Colonial Pipeline ransomware attack that caused Colonial Pipeline to stop service for five days. This attack created a huge fuel shortage for eastern and southern states and forced Colonial Pipeline to pay a hefty $4.4 million ransom.
Ransomware attacks have continued unabated since then, with the most recent ones including LAPSUS$ and ONYX. (These not only encrypt files but also threaten to destroy the whole system.) Black Kite has released its 2022 Third-Party Breach Report, highlighting that ransomware became the most common attack method in third-party attacks in 2021. All it takes is one hole: one stolen password, one open port (even one left open only briefly for testing), or one software vulnerability such as Log4j to leave the ransomware door open.
Here are some lessons we have learned from the Colonial Pipeline attack and what organizations should do to protect themselves:
1: Raise security awareness and enforce security policies, for example:
- Use Multi-Factor Authentication (MFA) to make it much harder for attackers to break in. Colonial Pipeline’s VPN account was compromised because its password was found on the dark web. With MFA enabled, simply obtaining the password would not have been enough to get in.
- Backup systems regularly. After the ransom was paid, the decryption tool provided was so slow that the company’s business continuity planning tools were more effective in bringing back operational capacity.
2: A Detection and Response system is mandatory
After the ransom message was received, Colonial Pipeline had to shut down production because they didn’t know how the attack had happened or how far it had progressed. It took them several days to conclusively determine that the attack was fully contained. Having a detection and response system could have avoided the shutdown. A detection and response system should:
- Detect early signs of an attack and stop it quickly before it progresses to minimize damage. In the Colonial Pipeline case, data exfiltration happened before the ransomware attack. A detection and response system could have triggered an exfiltration alert, which would have prompted an investigation and response to stop the attack from progressing to a ransomware attack.
- Detect any suspicious behaviors in addition to having coverage of MITRE ATT&CK tactics and techniques. Attackers may simply buy credentials on the dark web and log in as a legitimate user; that alone will not trigger detections based on MITRE ATT&CK tactics and techniques. However, once they are in, they will almost certainly exhibit suspicious behaviors.
- Show a clear picture of how the attack happened, to conclusively show that the attack has been contained. Colonial Pipeline hired Mandiant to perform an exhaustive search of their environment to determine that there was no other related activity before the attacker gained access to the network on April 29 using the VPN account. A good detection system would have shown this in real time, without days of manual tracing and sweeping.
- Show how far the attack has gone and what its impact is. Has it reached critical assets? Knowing this helps determine the impact to the business and avoid unnecessary disruption. The primary target of the attack was the company’s billing infrastructure; the actual oil pumping systems were still able to work. However, it was not clear to Colonial Pipeline whether the attacker had compromised their operational technology network (the system of computers that control the actual flow of gasoline) until days later, after Mandiant had swept and traced their whole network. A detection system should clearly show how far the attack has progressed and which assets are impacted, so that the corresponding actions can be determined.
- Show any new follow-up attacks that are going on. During the investigation, Mandiant installed detection tools to monitor for follow-up attacks. A solid detection and response system will monitor 24/7, no matter when (or whether) an attack is happening.
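As an added illustration of the correlation these bullets describe (this is example code, not part of the original post or Stellar Cyber’s product), the script below runs two weak signals over constructed sample telemetry: a valid VPN credential used from a country never seen for that user, and outbound traffic far above a host’s learned baseline. Either signal alone is noisy; chained within a time window on the same host they become one high-confidence exfiltration alert. The log records, per-user country history and per-host byte baselines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data): VPN logins and
# per-host outbound byte counts, as a unified detection platform would ingest them.
VPN_LOGINS = [
    {"ts": "2021-04-29T06:10:00", "user": "jdoe", "src_country": "US", "host": "vpn-pool-17"},
    {"ts": "2021-04-29T06:15:00", "user": "asmith", "src_country": "US", "host": "vpn-pool-18"},
    {"ts": "2021-04-29T06:30:00", "user": "contractor01", "src_country": "RO", "host": "vpn-pool-21"},
]
OUTBOUND_FLOWS = [
    {"ts": "2021-04-29T07:05:00", "host": "vpn-pool-17", "bytes_out": 40_000_000},
    {"ts": "2021-04-29T08:40:00", "host": "vpn-pool-21", "bytes_out": 95_000_000_000},
]
# Assumption: countries each user has logged in from during a 90-day baseline period.
KNOWN_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}, "contractor01": {"US"}}
# Assumption: learned daily outbound baseline per host, in bytes (1 GB default).
OUTBOUND_BASELINE = defaultdict(lambda: 1_000_000_000)


def anomalous_logins(logins, known):
    """Behavioural signal: a valid credential used from a never-seen country.
    A purchased password passes authentication, so ATT&CK-style signatures stay quiet."""
    return [l for l in logins if l["src_country"] not in known.get(l["user"], set())]


def exfiltration_candidates(flows, baseline, factor=20):
    """Volume signal: outbound bytes more than `factor` times the host's baseline."""
    return [f for f in flows if f["bytes_out"] > factor * baseline[f["host"]]]


def correlate(logins, flows, known, baseline, window_hours=24):
    """Chain both signals on the same host within a window into one alert that
    already carries the timeline an analyst needs (who, from where, how much, when)."""
    alerts = []
    for login in anomalous_logins(logins, known):
        t0 = datetime.fromisoformat(login["ts"])
        for flow in exfiltration_candidates(flows, baseline):
            t1 = datetime.fromisoformat(flow["ts"])
            if flow["host"] == login["host"] and timedelta(0) <= t1 - t0 <= timedelta(hours=window_hours):
                alerts.append({
                    "severity": "high", "user": login["user"], "host": flow["host"],
                    "login_from": login["src_country"], "login_at": login["ts"],
                    "bytes_out": flow["bytes_out"], "exfil_at": flow["ts"],
                    "rule": "new-country-login followed by outbound volume spike",
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(VPN_LOGINS, OUTBOUND_FLOWS, KNOWN_COUNTRIES, OUTBOUND_BASELINE):
        print(alert)
```

On the sample data the lone high-severity alert names `contractor01` on `vpn-pool-21`, while the benign `jdoe` flow and the anomalous login on its own never reach an analyst.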
The main lesson here is to use a unified detection and response system that monitors the entire security infrastructure 24x7, detects early signs of an attack, and correlates different signals to show how the attack happened and how far it has progressed. That is exactly what Stellar Cyber’s Open XDR platform provides.